DDoS: Understanding Attack Mechanisms & Mitigation

Identify and mitigate DDoS attacks across all OSI layers. Explore botnet mechanisms, rate limiting, WAF configurations, and scrubbing strategies.

A distributed denial-of-service (DDoS) attack floods a server, service, or network with malicious internet traffic from multiple compromised sources. Unlike a single-source denial-of-service (DoS) incident, DDoS uses distributed botnets to overwhelm targets, making defense significantly more complex. For marketers and SEO practitioners, these attacks translate directly to site downtime, lost revenue, and damaged search visibility when legitimate users cannot access content.

What is DDoS?

A DDoS attack is a cyberattack where the perpetrator makes a machine or network resource unavailable by disrupting services through a flood of superfluous requests. While a basic DoS attack originates from one machine, a DDoS attack uses multiple unique IP addresses, often from thousands of hosts infected with malware to form a botnet. The attack traffic targets various layers of the OSI model, ranging from network infrastructure to application-layer processes.

Why DDoS matters

  • Traffic annihilation: When sites become unavailable, organic traffic drops to zero. Cloudflare recorded a peak of 71 million requests per second in a February 2023 attack, demonstrating the scale that can overwhelm servers instantly.
  • Revenue hemorrhage: E-commerce platforms lose sales during outages. Amazon Web Services faced a 2.3 Tb/s attack in February 2020, showing how even major infrastructure faces service disruption.
  • SEO degradation: Extended downtime signals poor site health to search engines, potentially triggering de-indexing or ranking penalties.
  • Extortion risks: Attackers often demand Bitcoin ransoms. The group Anonymous Sudan demanded $30,000 from Archive of Our Own during a July 2023 attack while disrupting the fanfiction platform.
  • Data theft diversion: Sophisticated attackers use DDoS as a smokescreen for lateral breaches while security teams focus on availability.
  • Legal exposure: Perpetrators face significant prison time; one attacker received 27 months for disrupting gaming platforms, and the UK Police and Justice Act 2006 carries a maximum penalty of 10 years.

How DDoS works

  1. Infect devices: Attackers deploy malware to compromise computers and IoT devices, creating a botnet of zombies. The Mirai botnet famously used thermostats and cameras to build its army.
  2. Coordinate command: The attacker sends remote instructions to each bot, directing them to target a specific IP address or domain.
  3. Execute flood: Bots send massive volumes of requests. Protocol attacks like SYN floods exploit TCP handshakes by sending synchronization packets without completing the three-way handshake, exhausting connection tables.
  4. Sustain pressure: Advanced persistent DoS (APDoS) attacks can last for weeks; the longest recorded continuous attack persisted for 38 days, generating over 50 petabits of malicious traffic.

Types of DDoS attacks

| Attack type | OSI layer | Mechanism | Typical impact |
| --- | --- | --- | --- |
| Volumetric | 3/4 (Network/Transport) | Consumes bandwidth using floods of UDP, ICMP, or amplification via DNS/NTP | Site slowdown or complete unavailability due to saturated pipes |
| Protocol | 3/4 | Exploits TCP weaknesses (SYN floods) or sends malformed packets (Ping of death) | Exhausts firewall and server connection states |
| Application | 7 | Overwhelms specific web functions via HTTP floods, Slowloris, or RUDY attacks | Web server crashes while network bandwidth remains available |
| Advanced Persistent | Multi-layer | Combines volumetric and application attacks with shifting targets | Extended outages lasting days or weeks |

Attack trends shift over time. In 2022, 63% of DDoS activity involved TCP-based methods including SYN, ACK, and TCP floods.

Best practices

  • Deploy rate limiting: Set thresholds on requests per second to prevent resource exhaustion. This slows scrapers and brute force attempts while buying time during floods.
  • Implement WAF rules: Configure Web Application Firewalls with custom rules to filter Layer 7 attacks like HTTP floods and Slowloris, which exhaust the application's request handling rather than raw bandwidth.
  • Enable upstream scrubbing: Route traffic through DDoS mitigation services or cleaning centers that filter malicious packets before they reach your infrastructure.
  • Activate SYN cookies: Enable this TCP stack feature to prevent SYN flood attacks from consuming connection resources while maintaining legitimate traffic flow.
  • Monitor baseline traffic: Establish normal patterns. Alert on anomalies like unexplained spikes to single pages or traffic from suspicious geographic clusters.
  • Prepare blackhole routes: Work with your ISP to implement null routing during catastrophic attacks, accepting temporary downtime over total infrastructure compromise.
  • Patch IoT devices: Prevent your own hardware from joining botnets by updating firmware on cameras, routers, and smart devices.

Common mistakes

Mistake: Believing small sites are immune. Attackers regularly target niche sites for extortion or competitive damage. Fix: Implement basic rate limiting and WAF rules regardless of site size.

Mistake: Manually blocking individual IPs. You will exhaust administrative resources; DDoS attacks use thousands of distributed sources. Fix: Use automated mitigation tools that analyze traffic patterns rather than source IPs.

Mistake: Relying on hosting bandwidth alone. Volumetric attacks measuring 22.2 Tb/s have been recorded, far exceeding single-server capacity. Fix: Contract with upstream scrubbing services that absorb traffic before it reaches your network.

Mistake: Ignoring "low and slow" patterns. Application-layer attacks like Slowloris fly under volume thresholds but still exhaust server resources by maintaining open connections. Fix: Configure WAFs to detect connection duration anomalies, not just request rates.
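As an added example (not code from the original page), a Python sketch of the two checks called for by the rate-limiting practice above and by this "low and slow" point: a per-client sliding-window request threshold, plus a connection-duration check that flags clients holding connections open without ever completing a request. The thresholds, connection ids and client addresses are assumed, constructed values.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to the site's measured baseline.
RATE_LIMIT = 20            # max requests per client inside one sliding window
WINDOW_SECONDS = 1.0       # window length for the rate threshold
SLOW_CONN_SECONDS = 30.0   # open without complete headers this long => low-and-slow suspect


class EdgeFilter:
    """Per-client sliding-window rate limit plus a check for low-and-slow connections."""
    def __init__(self, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS, slow_after=SLOW_CONN_SECONDS):
        self.rate_limit = rate_limit
        self.window = window
        self.slow_after = slow_after
        self.requests = defaultdict(deque)  # client -> timestamps of requests in the window
        self.open_conns = {}                # conn_id -> (client, opened_at, headers_complete)

    def on_request(self, client, now):
        """Return True if the request is allowed, False if the client is over the rate limit."""
        q = self.requests[client]
        while q and now - q[0] >= self.window:  # drop timestamps that aged out of the window
            q.popleft()
        if len(q) >= self.rate_limit:
            return False
        q.append(now)
        return True

    def on_connection_open(self, conn_id, client, now):
        self.open_conns[conn_id] = (client, now, False)

    def on_headers_complete(self, conn_id):
        client, opened, _ = self.open_conns[conn_id]
        self.open_conns[conn_id] = (client, opened, True)

    def slow_connections(self, now):
        """Connection ids held open past slow_after without ever finishing their request headers."""
        return sorted(cid for cid, (_, opened, done) in self.open_conns.items()
                      if not done and now - opened >= self.slow_after)


def demo():
    """Constructed traffic: one bursting client and one client holding connections half-open."""
    f = EdgeFilter()
    # 25 requests in 0.5 s from one client: the 21st and later are rejected.
    verdicts = [f.on_request("198.51.100.7", 1000.0 + i * 0.02) for i in range(25)]
    # Three connections opened at t=1000 that never complete their headers (Slowloris pattern).
    for i in range(3):
        f.on_connection_open(f"c{i}", "203.0.113.9", 1000.0)
    f.on_connection_open("c3", "192.0.2.4", 1000.0)  # a normal client that finished its request
    f.on_headers_complete("c3")
    return verdicts.count(True), verdicts.count(False), f.slow_connections(1040.0)
```

A real WAF would take the connection events from the proxy's accept/read hooks; the aged-out window here is what keeps a legitimate client from being blocked once its burst has passed.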

Mistake: Treating DDoS purely as technical debt. Failure to communicate downtime to users damages trust more than the technical failure itself. Fix: Prepare crisis communication templates for marketing teams to deploy during outages.

Examples

Example scenario: A financial services portal faces a Challenge Collapsar (CC) attack during tax season. Thousands of bots request complex database queries, exhausting CPU while appearing as legitimate traffic. The site slows to a crawl, causing transaction timeouts and customer complaints.

Example scenario: An online retailer encounters a yo-yo attack on Black Friday. The attacker alternates high traffic bursts with silence, triggering auto-scaling up and down. Infrastructure costs spike while genuine customers experience checkout errors due to resource thrashing.

Example scenario: A news site covering controversial topics suffers DNS amplification. Attackers spoof the site's IP to query open DNS resolvers, generating up to 179x amplification that overwhelms the provider's bandwidth.

FAQ

What is the difference between DoS and DDoS? A DoS attack uses one machine to flood a target, while DDoS coordinates multiple distributed sources, typically a botnet. DDoS attacks achieve volume and geographic diversity that makes blocking individual sources impractical.

How can I distinguish a DDoS attack from viral traffic? Viral traffic typically shows diverse user agents, organic referral patterns, and gradual acceleration. DDoS traffic often features suspicious concentrations from single IP ranges, repetitive requests to specific endpoints, or patterns like spikes every ten minutes. Monitor for behavioral uniformity rather than just volume.
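An added example, not part of the original page, of the behavioral-uniformity check described in this answer: it profiles (client IP, path, User-Agent) tuples by /24 concentration, endpoint concentration and User-Agent diversity, then runs the check over two constructed request sets, one organic-looking surge and one HTTP flood. The thresholds, addresses and user agents are assumed values.

```python
from collections import Counter
from ipaddress import ip_network

# Assumed thresholds for illustration; a real deployment derives them from its own baseline.
TOP_SUBNET_SHARE = 0.5   # one /24 producing half of all requests is a concentration signal
TOP_PATH_SHARE = 0.8     # nearly every request hitting one endpoint is a repetition signal
MIN_USER_AGENTS = 5      # fewer distinct User-Agents than this suggests a uniform tool

PATHS = ["/", "/article/42", "/article/42/comments", "/about", "/search?q=ddos", "/rss"]
UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (iPhone)", "Mozilla/5.0 (Macintosh)",
       "Mozilla/5.0 (Android 14)", "Mozilla/5.0 (X11; Linux)", "Mozilla/5.0 (iPad)"]


def make_viral(n=200):
    """Constructed organic surge: many /24s, varied paths, varied browsers."""
    return [(f"{(i * 37) % 223 + 1}.{(i * 91) % 255}.{(i * 7) % 255}.{i % 250 + 1}",
             PATHS[i % len(PATHS)], UAS[i % len(UAS)]) for i in range(n)]

def make_flood(n=200):
    """Constructed HTTP flood: one /24, one endpoint, one User-Agent string."""
    return [(f"203.0.113.{i % 50 + 1}", "/search?q=tax", "python-requests/2.31")
            for i in range(n)]

def profile(requests):
    """Summarise (client_ip, path, user_agent) tuples as concentration metrics."""
    total = len(requests)
    subnets = Counter(ip_network(f"{ip}/24", strict=False) for ip, _, _ in requests)
    paths = Counter(path for _, path, _ in requests)
    agents = Counter(ua for _, _, ua in requests)
    return {
        "top_subnet_share": subnets.most_common(1)[0][1] / total,
        "top_path_share": paths.most_common(1)[0][1] / total,
        "distinct_user_agents": len(agents),
    }

def flood_indicators(requests):
    """Return the uniformity signals that fire; an empty list means the surge looks organic."""
    p = profile(requests)
    reasons = []
    if p["top_subnet_share"] >= TOP_SUBNET_SHARE:
        reasons.append(f"{p['top_subnet_share']:.0%} of requests from one /24")
    if p["top_path_share"] >= TOP_PATH_SHARE:
        reasons.append(f"{p['top_path_share']:.0%} of requests hit one path")
    if p["distinct_user_agents"] < MIN_USER_AGENTS:
        reasons.append(f"only {p['distinct_user_agents']} distinct User-Agent(s)")
    return reasons
```

Run `flood_indicators` over each minute's access-log window rather than the whole day, since the periodic spikes mentioned above only stand out at that resolution.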

Which OSI layers do DDoS attacks target? Attacks target layers 3 (Network), 4 (Transport), and 7 (Application). Protocol attacks hit layers 3-4, while HTTP-specific attacks target layer 7.

Can DDoS attacks steal my customer data? DDoS itself does not exfiltrate data; it destroys availability. However, attackers often use DDoS as a diversion while breaching security elsewhere. Treat every DDoS event as a potential smokescreen for intrusion.

How long do attacks typically last? Simple floods may last minutes, while advanced persistent DoS (APDoS) attacks can continue for weeks. The longest recorded attack lasted 38 days.

Are DDoS attacks illegal? Yes. In the United States, they violate the Computer Fraud and Abuse Act with penalties including imprisonment. The UK specifically outlaws DDoS under the Police and Justice Act 2006. 156 countries globally have enacted cybercrime legislation covering these attacks.