• Home
  • /Learn
  • /What Is a DDoS Attack and How Does It Work?
background image


What Is a DDoS Attack and How Does It Work?


A distributed denial of service (DDoS) is an attack on several networks to clog the bandwidth of a target system. Many companies' techniques for filtering traffic become useless when under a DDoS attack due to the influx of illegitimate requests or unauthorized users. As a result, systems and networks become inaccessible.

According to a threat analysis report, the global DDoS market is expanding at an alarming rate of 37% to 40%, with industries like retail, healthcare, Internet Service providers (ISPs), finance, gaming, etc., coming under heavy fire. 

Amid the surge in attacks, the DDoS protection market attained a valuation of US$ 1.88 billion in 2021; it will likely touch a US$ 5.14 billion valuation by 2027 at a CAGR of 18.21% over the forecast period. Read on to find out what a DDoS attack is and the safeguards against it. 

What is a DDoS attack?

DDoS is a malicious, non-intrusive cyberattack where the adversaries disrupt the regular traffic of a website or slow it down by bombarding the network, web application, or server with fake traffic. That will deny the users and customers access to the system to carry out regular operations, resulting in business loss. 

DDoS is among the top-four cybersecurity threats. Here are some recent incidents to demonstrate its destructive capabilities:

  • The e-commerce giant and cloud provider Amazon Web Service suffered a DDoS attack in February 2020. The incident response team remained occupied for many days impacting global customers.

  • The cryptocurrency exchanging firm EXMO became the victim of a DDoS attack in 2021. The organization remained nonfunctional for nearly five hours.

How do cybercriminals perform a DDoS attack?

Attackers carry out a DDoS attack through several interconnected computers and devices. These computers and devices (usually IoT and other peripheral devices) are malware-infected systems remotely controlled by attackers. Infected individual devices and machines within the network are called bots, and a network of interconnected bots is called a botnet. 

Through a botnet, hackers launch an attack from their command and control (C&C) system (which controls all the infected devices on the botnet). The attacker instructs all the bots to send multiple requests to the same IP address of the target network, website, or web server. 

Each bot floods the target system with numerous HTTP requests, potentially causing the web server or network to crash, resulting in a denial of service to the regular traffic. Since the attack occurs from multiple bots distributed across different parts of the globe, such an attack is called Distributed Denial of Service attack.

Types of DDoS attacks

There are three DDoS attack categories:

  1. Protocol attack: In this DDoS attack, the attacker tries to exhaust the resources of a web server or network system like a routing engine, load balancers, firewalls, etc. In the protocol attack, the attacker manipulates layers 3 & 4 of the OSI model. SYN flood, fragmented packet attack, Smurf DDoS, Ping of Death, etc., are examples of protocol attacks.

  2. Application layer attack: An application layer attack targets the application or websites that service the client's requests. Application layer DDoS attack targets a cloud provider's web server or apps. When the client sends an HTTP request to the server, the server fetches all the details related to that request, packs them, and responds to the client system (browser). This information fetching and packaging take place on the application layer. Since the attacker generates multiple requests from different infected devices and machines, it becomes hard for the system to respond. Thus, it fails to service the requests appropriately. HTTP flood, GET/POST flood, etc., are examples of application layer attacks.

  3. Volume-based attack: It is also known as a volumetric attack because the attacker bombards the web server or the network service with massive traffic, so the bandwidth gets exhausted. The most prominent example of a volume-based attack is the DNS amplification attack. The attacker leverages spoofed IP addresses & infected systems/bots to send requests to the DNS server. The DNS server will then send multiple requests to the target server. When this process is replicated on a large scale, the DNS responses wreak havoc on the target/victim server.

DoS vs. DDoS attack 

The DoS attack is the lighter version of DDoS, where the attacker tries to flood the system with one machine/device. Here is how they differ:


  • It stands for Denial of Service.

  • It floods the victim's PC or system with loads of data packets sent from a single machine.

  • Cybersecurity tools and techniques can effortlessly identify and block this attack because it uses a single computer, hence a single IP address.


  • It stands for Distributed Denial of Service.

  • It floods the victim's PC or system with data packets sent from multiple systems.

  • Security professionals require advanced cybersecurity tools and techniques to block DDoS attacks as it leverages a complex botnet architecture to attack the target server or network.

Why do enterprises need to worry about DDoS attacks?

  • Over the past few years, volumetric attacks have increased significantly. As per the Cloudflare report, a volumetric DDoS attack floods the target system with 500 Mbps traffic as the new norm.

  • The application layer (layer 7) attack has also increased, and enterprises should install security solutions to defend their servers.

  • Due to AI-powered bots and advanced automation systems, DDoS attacks have become more sophisticated.

  • Modern DDoS attacks are mutating by incorporating other forms of attacks within them. Ransomware-based DDoS attack is one such example.

DDoS attack mitigation techniques

Although there is no one-size-fits-all solution to prevent DDoS attacks, enterprise security professionals can use comprehensive techniques and integrate security tools to prevent such attacks.

  1. Application load balancers: These security solutions prevent common DDoS attacks (SYN floods or UDP reflection) by absorbing additional traffic or splitting them into other associated servers.

  2. Network monitoring: Security professionals should monitor the network for suspicious traffic patterns. Continuous monitoring can reveal unusual symptoms within the corporate network or the web server.

  3. Dedicated DDoS response plan: Enterprise security teams should chart an incident response plan, detailing and assigning individual members' responsibilities and courses of action. This plan should cover:

  • Maintaining business operations normally

  • Escalating protocols for smooth functioning

  • Provisioning technical support teams to look for bugs and associated attacks.

  • Maintaining a list of mission-critical systems.

4. Protecting through WAF: Developers can integrate a Web Application Firewall (WAF) into their web applications. It can monitor all HTTP/HTTPS traffic. Adding the WAF allows the development team to configure inbound and outbound network policies within the app, creating a shield against automated DDoS attacks through botnets.

5. Leveraging ML in modern security solutions: Modern DDoS mitigation tools use ML algorithms to prevent bot-based DDoS attacks that automatically spoof IP addresses and geolocation. Such ML algorithms comprehend the pattern and signature through dynamic and behavioural analysis. Machine Learning engineers, with security professionals, create intelligent code modules – training the ML model to use past attack signatures and data or employ other classification techniques – to identify DDoS attacks.

6. Secure all logical ports: Attackers can design botnets for scanning opened logical ports in servers and systems, which provide a pathway for malicious bot programs to sniff and flood the network with requests. Attackers can leverage the shortcoming of these ports to send multiple requests. So, security professionals must close or disable all unused ports.

7. Prevention through reCAPTCHA: The Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is an automated challenge system to differentiate between humans and automated bots. Website app developers can incorporate Google's CAPTCHA or reCAPTCHA to prevent the web app from application layer attacks and the server from getting bot-based requests.


DDoS attacks are increasing in frequency and sophistication. Enterprises should take comprehensive security measures to prevent DDoS attacks. Packetlabs provides expert penetration testing to help strengthen your company's security posture. Contact us for a free, no-obligation quote today.

Get a Quote