A distributed denial-of-service (DDoS) attack uses multiple computers to launch attacks against one or more servers by using malicious programs. The attack degrades the performance of the servers or consumes their network bandwidth. As a result, the servers cannot provide services as expected.
Attack principle
In most cases, an attacker installs a DDoS master program on a single computer by using an unauthorized account and then installs agent programs on multiple computers. The DDoS master program communicates with a large number of agent programs in a specified period of time. When the agent programs receive a command, the agent programs initiate attacks. The master program can launch hundreds or even thousands of agent programs within seconds.
Risks of attacks
DDoS attacks may cause the following risks to your services:
Significant economic loss
When DDoS attacks occur, your origin server may be unable to provide services and users cannot access your services. This may result in huge economic loss and reputation damage.
For example, when DDoS attacks occur on an e-commerce platform, websites cannot be accessed or may be temporarily closed. As a result, users cannot purchase products.
Data leaks
Attackers may access the core data of your services.
Unfair competition
Competitors may launch DDoS attacks against your services to gain a competitive advantage.
For example, if a game is under DDoS attack, the number of players drops significantly. As a result, the game may go offline in a few days.
Common DDoS attack types
Type | Typical attack | Description |
Malformed packet attacks | Fragment flood, smurf, stream flood, land flood, malformed IP packet, malformed TCP packet, and malformed UDP packet | A malformed packet attack occurs when malformed IP packets are sent to a system. This may cause the system to stop responding. |
Transport layer DDoS attacks | SYN flood, ACK flood, UDP flood, ICMP flood, and RST flood | SYN floods are protocol attacks that exploit a vulnerability in the TCP three-way handshake. In a normal handshake process, when a server receives a SYN request, the server saves the connection in a SYN queue. If attackers continuously send SYN requests to the server but do not respond with the expected ACK messages, server resources are consumed. When the SYN queue is full, the server stops responding to requests from users. |
Domain Name Service (DNS) attacks | DNS request flood, DNS response flood, DNS query flood (spoofed requests and real requests), authoritative server attacks, and local server attacks | DNS query floods execute real query requests, which is a normal service operation. If multiple zombies initiate a large number of domain name query requests at the same time, the server cannot respond to the requests. This can result in a denial of service. |
Connection-based DDoS attacks | Low and slow attack, connection exhaustion attack, Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), Slowloris, PyLoris, and XOIC | Slowloris attacks can exhaust the concurrent connection resources of a target server. When the number of concurrent connections reaches the upper limit, the server denies subsequent connection attempts. For example, when the server receives a new HTTP request, the server processes the request, returns a response, and then closes the connection. If the connection remains open, the server must establish a new connection when the server receives another HTTP request. If all connections remain open, the server stops responding to any new requests. The Slowloris attacks exploit the features of HTTP. An HTTP request starts with |
Application-layer attacks | HTTP GET flood, HTTP POST flood, and HTTP flood attacks | Application-layer attacks can simulate user requests. For example, the attacks may make requests appear to come from search engines and crawlers. The attacks are difficult to distinguish from normal requests. Transactions and pages that consume large amounts of resources in web services are vulnerable to HTTP flood attacks in high concurrency scenarios, such as paging and sharding. If the page size is excessively large, frequent paging consumes large amounts of resources. The attacks are hybrid attacks. Operations that are frequently performed and have the features of real user operations are identified as HTTP flood attacks. For example, if a website is accessed by a ticket bot, the access can be identified as an HTTP flood attack. HTTP flood attacks target the backend services of web applications. In addition to causing a denial of service, HTTP flood attacks directly affect the functionality and performance of web applications, including the response time, database services, and disk read and write operations. |
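The SYN queue behaviour described in the transport layer row can be observed on a Linux server by counting connections in the SYN_RECV state. The following is an added example, not part of the original page: it parses text in the /proc/net/tcp layout and flags listening ports whose half-open count approaches the queue size. The sample table, the backlog of 128, and the 0.8 alert ratio are assumptions chosen for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # state code /proc/net/tcp uses for a half-open connection

def decode_addr(field):
    """Turn '0A00000A:01BB' into ('10.0.0.10', 443); little-endian host assumed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_report(proc_net_tcp, backlog, alert_ratio=0.8):
    """Count SYN_RECV entries per local port and flag ports near the backlog."""
    per_port, sources = Counter(), set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 4 or cols[3] != SYN_RECV:
            continue
        per_port[decode_addr(cols[1])[1]] += 1
        sources.add(decode_addr(cols[2])[0])
    alerts = sorted(p for p, n in per_port.items() if n >= alert_ratio * backlog)
    return {"per_port": dict(per_port), "alerts": alerts,
            "distinct_sources": len(sources)}

def constructed_sample(n_half_open):
    """Constructed table (n <= 254): listener on 10.0.0.10:443, one client, n half-open."""
    rows = ["  sl  local_address rem_address   st  (remaining columns omitted)",
            "   0: 0A00000A:01BB 00000000:0000 0A",   # LISTEN
            "   1: 0A00000A:01BB 010200C0:C001 01"]   # ESTABLISHED from 192.0.2.1
    for i in range(n_half_open):                      # SYN_RECV from 198.51.100.x
        rows.append(f"{i + 2:4d}: 0A00000A:01BB {i + 1:02X}6433C6:{0x8000 + i:04X} 03")
    return "\n".join(rows)

if __name__ == "__main__":
    # backlog=128 is an assumed SYN queue size for the listener, not a measured one
    print(half_open_report(constructed_sample(110), backlog=128))
    print(half_open_report(constructed_sample(10), backlog=128))
```

On a real host, pass the contents of /proc/net/tcp and the listener's actual backlog; a high count spread over many distinct sources means per-source blocking alone will not drain the queue.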
How do I identify a DDoS attack?
If one of the following scenarios occurs, your services may be under DDoS attacks:
An unexpected disconnection occurs on your server, the access speed becomes slow, and users are offline even though the network and devices work as expected.
The CPU utilization or memory usage of your server significantly increases.
The outbound or inbound traffic significantly increases.
Your website or application suddenly receives a large number of unsolicited requests.
The logon to your server fails or becomes excessively slow.
To determine whether an asset is under attack, view the status of the asset on the Assets page of the Traffic Security console. For more information about how to view the status of an asset, see View the Assets page.
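For the symptom of a sudden large number of requests, and the HTTP flood pattern of one operation being repeated at high frequency, a web access log can be checked directly. The following is an added example, not part of the original page or of the Traffic Security console: it applies a sliding window per client and path to Common Log Format lines. The log lines are constructed, and the 10-second window and 20-request limit are assumed thresholds that must be tuned to real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flag_floods(lines, window_s=10, max_hits=20):
    """Return {(client, path): peak count} for pairs above max_hits per window.

    Assumes each client's lines appear in time order, as in a normal access log.
    """
    recent = defaultdict(deque)  # (client, path) -> timestamps still in the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in Common Log Format
        client, ts, _method, url, _status = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        key = (client, url.split("?", 1)[0])  # paging parameters vary, the path does not
        q = recent[key]
        q.append(when)
        while (when - q[0]).total_seconds() >= window_s:
            q.popleft()
        if len(q) > max_hits:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def constructed_log():
    """Constructed log: one ordinary visitor and one client paging a search rapidly."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def row(ip, t, url):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {url} HTTP/1.1" 200 512'

    lines = [row("192.0.2.10", t0 + timedelta(seconds=6 * i), "/index.html")
             for i in range(10)]
    lines += [row("198.51.100.7", t0 + timedelta(milliseconds=100 * i), f"/search?page={i}")
              for i in range(60)]
    return lines

if __name__ == "__main__":
    for (client, path), peak in flag_floods(constructed_log()).items():
        print(f"{client} requested {path} {peak} times within the window")
```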