Distributed Denial-of-service Attack

What Is Distributed Denial-of-service Attack?

A distributed denial-of-service (DDoS) attack is a cyberattack in which an adversary overwhelms a target system, network, or service with a volume of traffic far exceeding its capacity to respond, rendering it unavailable to legitimate users. The "distributed" qualifier distinguishes this class from simple denial-of-service attacks: the traffic originates from a large number of geographically dispersed machines operating in coordination, making source-based blocking ineffective. DDoS attacks draw on principles from network engineering, security research, and adversarial game theory, and have been recognized as a persistent threat to internet infrastructure since the late 1990s.

Attacks are commonly categorized by the layer they target. Volumetric attacks saturate bandwidth by sending enormous quantities of UDP or ICMP packets. Protocol attacks exploit weaknesses in TCP/IP state handling, as in SYN flood attacks that exhaust server connection tables. Application-layer attacks, sometimes called Layer 7 attacks, are more surgical: they send seemingly legitimate HTTP or DNS requests at a rate the application cannot sustain, requiring fewer packets to achieve the same disruptive effect. As detailed in IEEE Spectrum's analysis of the 2016 Dyn infrastructure attack, a DDoS against a DNS provider can cascade across many dependent services simultaneously.

Botnet Infrastructure

The distributed traffic in a DDoS attack typically originates from a botnet: a network of compromised hosts whose owners are unaware of the infection. Attackers recruit hosts by distributing malware through phishing campaigns, exploit kits, or supply-chain compromises. Once infected, each bot periodically checks in with a command-and-control (C2) server for instructions, which may use centralized server infrastructure or peer-to-peer topologies to resist takedown. A 2016 study examining more than 50,000 DDoS attacks described in IEEE research on botnet characterization found that attacks were launched by 674 distinct botnets from 23 families, targeting over 9,000 victim IP addresses in 186 countries. The Mirai botnet, which powered the Dyn attack, demonstrated that Internet of Things devices with weak default credentials could be recruited at scale to produce traffic measured in hundreds of gigabits per second.

Detection and Mitigation

Defending against DDoS attacks requires identifying malicious traffic and discarding it before it reaches the target. Traffic scrubbing centers receive all inbound traffic, strip packets matching attack signatures, and forward clean traffic onward. Anycast routing spreads incoming requests across multiple geographically distributed nodes so no single point becomes a bottleneck. Rate limiting and challenge mechanisms, such as CAPTCHAs and SYN cookies, require clients to demonstrate legitimacy before consuming server resources. Machine learning approaches published in IEEE proceedings have examined classifiers that analyze flow-level features, such as packet size distributions and inter-arrival times, to distinguish attack traffic from legitimate traffic in real time. Detection is complicated by the fact that in volumetric attacks the volume itself is the problem, while in application-layer attacks individual requests may be indistinguishable from legitimate ones.

Applications

Research and countermeasures related to DDoS attacks have applications in a wide range of fields, including:

  • Internet service provider infrastructure protecting backbone routing and DNS services
  • Financial institutions defending online banking and trading platforms against availability attacks
  • Cloud hosting providers implementing scrubbing and traffic shaping services at scale
  • Critical infrastructure operators securing power grid management systems and industrial control networks
  • Content delivery networks using anycast and traffic distribution to absorb volumetric attacks

Related Topics

Loading…