What is DoS and DDoS Attack in Cybersecurity? Meaning, Examples, How It Works & How to Prevent It

Jun 03, 2026
By Maven Skills

Introduction

What is a DoS and DDoS attack in cybersecurity? This is a question that many website owners ask continuously as cyber threats continue to grow worldwide. In today's digital world, where businesses, commerce, communication, services and even personal projects rely heavily on online accessibility, understanding DDoS is no longer optional but essential.

A single cyber incident can result in website downtime, frustrated users, lost revenue, and damage to brand reputation. While there are various types of cyberattacks, DDoS attacks are the most common method used to disrupt online services and impact business continuity.

In this guide, you will learn how a DDoS attack targets websites, networks and similar systems, how these attacks work, their potential impact, the various types of DDoS attacks, real-world examples, and measures to prevent and mitigate such attacks. By the end, you will understand the subject well enough to recognize the risks, defend against them and keep your online presence safe at all times.

What is DoS Attack in Simple Words

DoS stands for Denial of Service.
The attack is carried out from a single computer: massive traffic is sent to the target, making it slow or unavailable. DoS attacks are generally easy to defend against.

What is DDoS Attack in Simple Words

DDoS stands for Distributed Denial of Service.
In this attack, multiple computers (called a botnet) are used simultaneously to send massive traffic to the target, making it slow or unavailable. DDoS attacks are harder to mitigate and defend against because the traffic comes from multiple sources.

In simple terms, both DoS and DDoS attacks involve flooding a website with a massive amount of traffic, typically via bots, causing the website to overload and become slow or unavailable. To put it even more simply, imagine a store flooded by a crowd that exceeds its capacity; the store's staff would be unable to handle the rush.

What is Botnet in Cyber Security in Simple Words

A botnet is mainly used in DDoS attacks, not in DoS attacks. It is a network of compromised and infected computers, mobiles or other devices controlled by the attacker to send massive traffic to the targeted website, server or network.

  • Compromised - The security of the device has been broken, so the attacker can take control of the machine without the owner knowing.

  • Infected - Malware or a virus is installed on the device without the owner's knowledge, and the attacker uses it as part of their network.

How Does a DDoS Attack Work

A DDoS attack is executed by a botnet flooding the target server or website with traffic. The process generally works as follows:

  • The attacker identifies the target.
  • The attacker determines the specific type of attack to launch against the website or network.
  • The attacker infects multiple devices with malware.
  • All the infected devices join a botnet, which is controlled by the attacker.
  • Finally, the attacker uses the botnet to send a massive volume of traffic such as HTTP requests or network packets to the target.

As a result of this activity, the target's network bandwidth, server resources or application capacity may become overwhelmed. The server gradually slows down and the service becomes unavailable, rendering the site inaccessible to legitimate users.

What Happens During a DDoS Attack and How to Identify DDoS Attack

During a DDoS attack, both users and the owner may experience

How to Check DDoS Attack on Website

  • It will continuously report "503 Service Unavailable".
  • The website will become very slow or unresponsive.
  • It will keep getting hits on the same page repeatedly.
  • Pages will take a very long time to load, or connections will time out frequently.

How to Check DDoS Attack on Server

  • The server will always report 90–100% resource utilization, such as high CPU, RAM or bandwidth usage.
  • Even a simple request will be extremely slow or might fail.
  • Bandwidth is exhausted: network throughput will always reach its maximum capacity.
  • Applications and databases stop responding, and services may crash.

How to Detect a DDoS Attack on Your Network

  • Traffic will originate from unusual countries or regions (but not always).
  • The highest volume of requests will always originate from a single IP address or IP ranges (botnet activity).
  • Sudden large volumes of SYN, UDP or ICMP packets appear, which is not normal in regular traffic.
  • Network congestion, or routers and firewalls slowing down.

In short:

Website: Very slow loading pages or failing pages
Server: High resource usage and crash
Network: Abnormal traffic patterns
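
The website and network symptoms listed above can be checked directly in a web server access log. The Python script below is an added example, not code from the original article; the thresholds, the grouping of IPv4 sources by /24 range and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Common Log Format: ip, identity, user, [time], "request", status, size
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(lines, min_requests=20, err_ratio=0.5, share=0.8):
    """Flag each minute that shows the symptoms listed above.

    Thresholds are illustrative assumptions; tune them to your own baseline.
    """
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore malformed lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        buckets[ts.replace(second=0)].append(m)
    findings = []
    for minute in sorted(buckets):
        hits = buckets[minute]
        total = len(hits)
        if total < min_requests:
            continue  # too little traffic to judge
        ratio_503 = sum(h["status"] == "503" for h in hits) / total
        # Group IPv4 sources by /24 so a whole attacking range stands out.
        ranges = Counter(str(ip_network(h["ip"] + "/24", strict=False)) for h in hits)
        paths = Counter(h["path"] for h in hits)
        top_range, range_hits = ranges.most_common(1)[0]
        top_path, path_hits = paths.most_common(1)[0]
        reasons = []
        if ratio_503 >= err_ratio:
            reasons.append("503 responses")
        if range_hits / total >= share:
            reasons.append("single IP range")
        if path_hits / total >= share:
            reasons.append("same page hit repeatedly")
        if reasons:
            findings.append({"minute": minute.strftime("%H:%M"), "total": total,
                             "ratio_503": round(ratio_503, 2), "top_range": top_range,
                             "top_path": top_path, "reasons": reasons})
    return findings

def sample_log():
    """Constructed log lines (documentation address ranges), not real traffic."""
    fmt = '{ip} - - [03/Jun/2026:10:{mm}:{ss:02d} +0000] "GET {path} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip=f"198.51.100.{i}", mm="00", ss=i, path="/index.php", st=200)
             for i in range(1, 6)]
    lines += [fmt.format(ip=f"203.0.113.{i}", mm="01", ss=i, path="/search.php",
                         st=200 if i <= 10 else 503) for i in range(1, 31)]
    lines += [fmt.format(ip="198.51.100.9", mm="01", ss=40 + i, path="/index.php", st=503)
              for i in range(3)]
    return lines

if __name__ == "__main__":
    for finding in triage(sample_log()):
        print(finding)
```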

How to Identify Bot Traffic (if attacker changing IPs and URLs)

We have seen above many ways in which a DDoS attack can be identified and stopped, but the most common is to block the IP address that makes a lot of requests to the same page in a short period of time. But what if the attacker changes the URL and the IP too? In that case we do NOT rely on IP blocking anymore; instead, we detect bot behavior.

Attacker IP1 = Block
Attacker switches to IP2
Page URL = Keep changing

  • Request Speed - A bot sends requests much faster than human clicks and repeats requests to multiple URLs within milliseconds, while humans browse slowly. This is abnormal speed.
    Human = 1 request per 2–5 seconds
    Bot = 100 requests/second to different pages

  • Behavior - The bot skips between pages in an unnatural manner and performs repetitive actions, such as login attempts, form submissions, etc.

  • User-Agent, Cookies & Sessions - User-agents, cookies and sessions may appear genuine, but they can also be spoofed; sessions and cookies are often either reset with every request or missing entirely.

  • Device/Browser Info - Browser and screen resolution typically remain the same, but can be spoofed.
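
The behaviour signals in the list above can be scored without relying on the source IP. The Python script below is an added example, not code from the original article; the Request record, the fingerprint of user-agent plus screen resolution, the share thresholds and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    ts: float          # seconds since the start of the capture
    ip: str
    user_agent: str
    screen: str        # screen resolution reported by the client
    path: str
    has_session: bool  # carried a session cookie the site issued earlier

def score_clients(requests, max_human_rate=0.5, min_requests=10):
    """Group requests by device fingerprint, not by IP, and list bot signals.

    max_human_rate reflects "1 request per 2-5 seconds"; the 0.5 and 0.9
    shares below are assumptions for this example.
    """
    groups = defaultdict(list)
    for r in requests:
        groups[(r.user_agent, r.screen)].append(r)
    report = {}
    for fingerprint, reqs in groups.items():
        if len(reqs) < min_requests:
            continue  # not enough data to judge behaviour
        times = sorted(r.ts for r in reqs)
        span = max(times[-1] - times[0], 0.001)  # avoid division by zero
        rate = (len(reqs) - 1) / span            # requests per second
        ip_share = len({r.ip for r in reqs}) / len(reqs)
        no_session = sum(not r.has_session for r in reqs) / len(reqs)
        signals = []
        if rate > max_human_rate:
            signals.append("abnormal speed")
        if ip_share >= 0.5:
            signals.append("rotating IPs")
        if no_session >= 0.9:
            signals.append("missing or reset session")
        report[fingerprint] = {"requests": len(reqs), "rate": round(rate, 2),
                               "signals": signals, "flagged": len(signals) >= 2}
    return report

def sample_requests():
    """Constructed traffic: one human visitor and one IP-rotating bot."""
    human = [Request(i * 4.0, "198.51.100.20", "Browser/1.0 (human sample)",
                     "1920x1080", f"/article{i % 3}.php", i > 0)
             for i in range(12)]
    bot = [Request(i * 0.01, f"203.0.113.{i + 1}", "Browser/1.0 (bot sample)",
                   "1366x768", f"/page{i}.php", False)
           for i in range(50)]
    return human + bot

if __name__ == "__main__":
    for fingerprint, result in score_clients(sample_requests()).items():
        print(fingerprint, result)
```

Because fingerprints can be spoofed or shared by many real visitors, a flag is better used to trigger a CAPTCHA challenge than an outright block.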

Does DDoS Attack Stop Automatically

A DDoS attack does not stop on its own: either the attacker halts it or the website owner must mitigate it. Otherwise, the attack continues for as long as the attacker instructs the botnet to send traffic to the target. Some attacks last for just a few minutes, while other DDoS attacks can persist for hours or even several days. The duration of a DDoS attack depends entirely on the attacker's intentions, resources and objectives.
In simple terms, a DDoS attack ends only when the attacker stops it or it is mitigated.

How to Mitigate DDoS Attacks

When we are unable to completely stop a DDoS attack, what do we do during the attack? We try to mitigate it, as outlined below. Here, mitigation means reducing the damage from a DDoS attack.

  • Load Balancing & CDNs

    Distribute your website traffic across multiple servers worldwide, which mitigates the risk of DDoS attacks, handles high traffic loads and ensures system availability.
     
  • Rate Limiting (Emergency Mode)

    Restrict excessive requests from single users or IP addresses that access the server within a short timeframe. This prevents a single source from overwhelming your server.
     
  • Enable Anti-DDoS Services

    Always utilize a professional DDoS protection service that specializes in handling DDoS attacks, such as AWS, Cisco DDoS protection solutions, Cloudflare, etc., to monitor ongoing attacks.
    These services detect and mitigate attacks and are capable of automatically blocking traffic originating from botnets.
     
  • Web Application Firewall (WAF) and Traffic Filtering

    Identify and block malicious IPs sending abnormal requests to the server by analyzing traffic patterns.
     
  • CAPTCHA Check

    Differentiate between humans and bots. If you need to perform extensive traffic checks, use CAPTCHA verification; it will filter out a significant amount of bot traffic by blocking it.
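
The rate limiting step in the list above, with a stricter limit for emergency mode, can be sketched as follows. This Python code is an added example, not code from the original article; the class name, the limits, the window length and the replayed traffic are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window limiter per client with a stricter emergency mode."""

    def __init__(self, normal_limit=20, emergency_limit=5, window=10.0):
        self.normal_limit = normal_limit        # requests per window, normal
        self.emergency_limit = emergency_limit  # requests per window, under attack
        self.window = window                    # window length in seconds
        self.emergency = False
        self._hits = defaultdict(deque)         # client -> times of allowed hits

    def allow(self, client, now=None):
        """Return True if the request may proceed, False to answer HTTP 429."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                      # forget hits outside the window
        limit = self.emergency_limit if self.emergency else self.normal_limit
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True

    def purge(self, now=None):
        """Drop idle clients so the table cannot grow without bound in a flood."""
        now = time.monotonic() if now is None else now
        idle = [c for c, h in self._hits.items()
                if not h or now - h[-1] >= self.window]
        for client in idle:
            del self._hits[client]
        return len(idle)

def demo():
    """Replay constructed traffic and return how many requests were allowed."""
    limiter = RateLimiter()
    flood = sum(limiter.allow("203.0.113.5", now=i * 0.01) for i in range(100))
    human = sum(limiter.allow("198.51.100.20", now=i * 3.0) for i in range(10))
    limiter.emergency = True  # switched on by the operator during an attack
    flood_emergency = sum(limiter.allow("203.0.113.6", now=30 + i * 0.01)
                          for i in range(100))
    human_emergency = sum(limiter.allow("198.51.100.20", now=30 + i * 3.0)
                          for i in range(10))
    return flood, human, flood_emergency, human_emergency

if __name__ == "__main__":
    print(demo())
```

In both modes the visitor browsing at a human pace is never throttled, while the flooding client is cut to the configured limit per window.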

How to Stop DDoS Attacks

Here, 'stop' means taking actions to halt a DDoS attack that is already happening and completely bring the system back to normal.

  • Contact ISP or Hosting Provider

    They will assist in filtering traffic at the network level before it reaches their infrastructure, and will aid in mitigation and in preventing further damage.
     
  • Switch to Backup

    In many DDoS attack cases, traffic is transferred to backup servers to ensure that the service does not stop.
     
  • Emergency Blocking Rules

    Temporarily block IP ranges (botnet activity) and the specific region from which the traffic is originating; however, this will also result in legitimate users being blocked.
     
  • Blackholing and Sinkholing (Advanced ISP-Level Protection)

    Blackholing is a DDoS mitigation technique in which malicious traffic is redirected to a "null route" or black hole before it reaches the target server. This prevents the traffic from consuming server resources.
    However, blackholing also sends legitimate traffic to the null route along with the malicious traffic, so it is used only as an emergency mitigation measure.

    Sinkholing employs a similar technique, wherein suspicious traffic is redirected to a controlled destination for analysis and filtering, rather than being sent to the intended target.

    Both of these methods are provided by Internet Service Providers (ISPs), large hosting providers, cloud providers or network security teams when a large DDoS attack occurs.

How to Prevent DDoS Attacks

Here, "prevent" means taking measures to stop a DDoS attack before it succeeds. Effective methods to prevent DDoS attacks are given below.

Always use a CDN (Content Delivery Network), enable rate limiting, use a Web Application Firewall (WAF) and deploy anti-DDoS services. Apart from this, also do the following:

  • Network Monitoring

    Always keep an eye out for unusual traffic spikes. Early detection helps you identify potential DDoS attacks and allows you to respond before the server becomes unavailable.
     
  • Keep Systems Updated

    Regularly apply patches to software, servers and the network. This will reduce vulnerabilities and help prevent the system from joining a botnet.
     
  • Response Plan

    A response plan should always be ready, outlining the step-by-step actions to be taken in the event of such an attack, a process that also includes notifying the hosting provider.

Can we Identify the Real Attacker Behind a DDoS Attack

In most cases, it is extremely difficult to identify, but not impossible.

DDoS attacks are typically launched using a botnet that is controlled by an attacker. As a result, traffic is directed toward the target from these compromised devices rather than directly from the attacker.
The attacker typically conceals themselves by using proxies and VPNs. Botnets are distributed across multiple countries and networks.


Simply put, it is possible to determine the source of the attack traffic, but identifying who is controlling it is extremely difficult, which is why forensic investigators and law enforcement agencies must get involved.

Types of DDoS Attacks

DDoS attacks are classified into three categories based on the layer or resource they target.
Each type of attack employs distinct methods to disrupt services such as consuming network bandwidth, exhausting protocol resources or targeting web applications. Understanding these attack categories enables the identification of attack patterns and facilitates the implementation of appropriate mitigation strategies.

  • Volumetric Attacks

    The aim of volumetric attacks is to overwhelm network bandwidth with massive amounts of traffic, thereby making the service unavailable for legitimate users.

    Target - DNS servers, Internet link, ISP uplink, Edge routers, Network infrastructure bandwidth capacity (ingress/egress links)
     
  • Protocol Attacks

    Protocol attacks exploit weaknesses within network protocols to target network devices and infrastructure such as firewalls, load balancers and servers.

    Target - Firewalls, Load balancers (session/connection tables), Routers, Layer 3 and Layer 4 network devices, Server TCP/IP stack
     
  • Application Layer Attacks

    In Application Layer attacks, the attacker directly targets web applications by sending a massive volume of traffic that appears legitimate (normal traffic) to overwhelm website functionalities.

    Target - CPU & memory resources, Backend services (microservices / APIs dependency layer), Web servers (Apache, Nginx, IIS), Application servers (Node.js, Tomcat, Django, etc), Web application endpoints (Authentication endpoints, API endpoints, Search endpoints, Forms POST/GET processing), Database connection pool
     
  • Multi-Vector Attacks

    Multi-vector attacks are not a separate fundamental category, but it is essential to include them as well. They combine multiple different types of attack to maximize disruption.

Real-World DDoS Attack Example

Event: GitHub DDoS Attack – February 28, 2018

What happened: GitHub, one of the largest code hosting platforms, experienced one of the largest DDoS attacks recorded at that time.

Type of Attack: Volumetric attack with multi-vector characteristics; it was an amplification-based volumetric attack.


Target: GitHub’s web servers, Network infrastructure (Internet uplinks, edge routers) and DNS infrastructure

How it worked

  • The attacker found vulnerable Memcached servers (a type of caching server) on the internet.
  • The attacker sent fake requests to these servers using GitHub's IP addresses as the spoofed source (IP spoofing).
  • As a result, the Memcached servers sent massive responses to GitHub's systems, multiplying the traffic hundreds of times over (amplification).
  • Due to the massive, overwhelming traffic being received on GitHub's network, the site became unreachable.

Impact: GitHub services slowed down or were temporarily unavailable.

Mitigation:

  • The GitHub team quickly mitigated the attack by utilizing traffic filtering and a DoS mitigation service.
  • Monitoring and rapid response

Lessons to Learn

This demonstrates that even large, well-protected sites are not immune to DDoS attacks, specifically multi-vector and amplification attacks, which are extremely powerful and, without specialized mitigation, exceptionally difficult to stop.

Simply put, the attacker exploited Memcached servers via IP spoofing, resulting in amplified traffic being received by GitHub, which caused a network overload.

DDoS Attack Protection Tools and Services

DDoS attacks can overwhelm websites, servers and networks resulting in downtime and disruption. Therefore listed below are DDoS attack prevention tools and services that help protect against such attacks.

  1. Cloudflare
  2. Amazon Web Services (AWS Shield)
  3. Google Cloud (Cloud Armor)
  4. Microsoft Azure DDoS Protection
  5. Akamai (Prolexic)
  6. Imperva
  7. F5 Networks
  8. ModSecurity
  9. Fail2Ban
  10. Snort

Conclusion

A DoS attack floods a website from one single computer, so it slows down or even crashes. Meanwhile a DDoS attack hits the target with many devices, often part of a botnet, and that makes it far more difficult to block or defend.

Botnets are basically compromised or infected devices, being steered by attackers. DDoS attacks can mess up servers, networks, or actual websites, and they’re usually noticed through slow responses, bloated resource usage, or weird traffic patterns that shouldn’t be there.

To mitigate you typically lean on CDNs, rate limiting, WAFs, anti-DDoS services and sometimes the ISP helps too. Prevention is more about ongoing monitoring, timely updates, and making a solid response plan. Also the attacks don’t all look the same: there are volumetric ones, protocol based ones, application layer ones, and even multi vector attacks that blend multiple tricks.

Frequently Asked Questions (FAQs)

  • How can I prevent DDoS attacks in a native PHP production application

    PHP alone will not be enough to protect the application from DDoS attacks; PHP is only the backend. Use CDNs, Cloudflare, AWS or Google Cloud; enable a Web Application Firewall (WAF); add rate limiting at the web server level; monitor traffic; and use CAPTCHA on sensitive endpoints to reduce bot traffic.
  • Explain the Purpose of a DDoS Attack

    The purpose of a DDoS attack is to make websites, servers and networks unavailable to legitimate users by overwhelming them with massive traffic from multiple sources, causing a slowdown or service outage.

    Attackers do this to extort money, distract from a major cyber attack, or cause damage to businesses out of retaliation or jealousy.

  • What happens if a consumer IP is hit with a DDoS

    If a consumer IP address is subjected to a DDoS attack, the internet connection becomes very slow or completely unavailable because its network is flooded with excessive traffic.


    This results in slow website loading, high ping, frequent disconnections, and possibly even the router no longer responding. In such cases, the ISP temporarily limits or resets the connection to reduce the impact of the DDoS attack.

  • Which DDoS protection is best for Cloud Security

    The best DDoS protection for cloud security combines cloud-based DDoS mitigation services with WAF (Web Application Firewall) and CDN (Content Delivery Network) solutions. The top cloud security solutions are listed below:

    1. Cloudflare
    2. AWS Shield
    3. Google Cloud Armor
    4. Azure DDoS Protection
  • Difference between DoS and DDoS attack with an example

    A DoS (Denial of Service) attack is launched from a single computer, device or source to overwhelm the target with massive traffic and make the service unavailable; it is generally easier to stop.
    DDoS (Distributed Denial of Service) attacks, by contrast, are launched from multiple compromised devices (botnets) simultaneously; they make the services unavailable and are harder to mitigate.

    Example:


    DoS (Denial of Service)

    A single computer sending a large number of requests to the target to make the website unavailable.


    DDoS (Distributed Denial of Service)

    Multiple compromised and infected computers sending traffic to the target from different locations at the same time to make the website unavailable.
