A distributed denial of service (DDoS) attack uses multiple computers to launch coordinated attacks against one or more targets through malicious programs. The attack undermines the performance or consumes network bandwidth and makes the target servers unresponsive.

Attack principle

Typically, an attacker installs a DDoS master program on a single computer using an unauthorized account and then installs agent programs on multiple computers. During a specified period, the DDoS master program communicates with a large number of agent programs. When the agents receive the command, they initiate attacks. The master program can initiate hundreds or even thousands of agent programs within seconds.

Risks of DDoS attacks

The attacks may cause the following risks to your business:

  • Significant economic loss

    Once DDoS attacks occur, your origin server may be unable to provide services and users cannot access your services, resulting in huge economic loss and reputation damage.

    For example, when an e-commerce platform suffers from DDoS attacks, websites cannot be accessed or may be temporarily closed. Therefore, legitimate users cannot purchase products.

  • Data leak

    Attackers may get access to the core data of your business.

  • Unfair competition

    Competitors may launch DDoS attacks against your service to gain a competitive advantage.

    For example, if a game is under DDoS attacks, the number of players reduces, and the game may go offline for a few days.

Common DDoS attack types

Type Typical attack Description
Malformed packet attack Fragment flood, smurf, stream flood, land flood, malformed IP packet, malformed TCP packet, and malformed UDP packet A malformed packet attack occurs when malformed IP packets are sent to a target system. This may cause the system to stop responding.
Transport layer DDoS attack SYN flood, Ack flood, UDP flood, ICMP flood, and RST flood SYN floods are protocol attacks that exploit a vulnerability in the TCP three-way handshake. In a normal handshake process, when a server receives an SYN request, the server saves the connection in an SYN queue. If attackers continuously send SYN requests to the server but do not respond with the expected ACK messages, server resources are consumed. When the SYN queue is full, the server will stop responding to requests from users.
DNS DDoS attack DNS request flood, DNS response flood, DNS query flood (spoofed request and real requests), authoritative server attacks, and local server attacks DNS query floods execute real query requests, which is a normal service operation. If multiple zombies initiate a large number of domain name query requests at the same time, the server cannot respond to them. This can result in a denial of service.
Connection-based DDoS attack Low and slow attack, connection exhaustion attack, Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), Slowloris, PyLoris, and XOIC Slowloris attacks can exhaust the concurrent connection resources of a target server. When the number of concurrent connections reaches the upper limit, the server denies additional connection attempts. For example, if the server receives a new HTTP request, the server processes the request, returns a response, and closes the connection. If the connection remains open, the server must establish a new connection when it receives another HTTP request. If all connections remain open, the server stops responding to any new requests.

The Slowloris attacks exploit the features of HTTP. If an HTTP request contians \r\n\r\n, the part before \r\n\r\n is the request header. If the server receives only \r\n, the connection remains open and waits for the subsequent content of the request.

Application layer attack HTTP GET flood, HTTP POST flood, and HTTP flood attacks Application layer attacks can simulate user requests. You can hardly tell the attacks and normal requests apart, like search engines and crawlers.

Transactions and pages that consume large amounts of resources in web services are vulnerable to HTTP flood attacks in high concurrency scenarios, for example, paging and sharding. If the page size is too large, frequent paging will consume large amounts of resources.

The attacks are hybrid attacks. Operations that are performed frequently and have the features of real user operations are identified as HTTP flood attacks. For example, if a website is accessed by ticketing software, the access can be identified as an HTTP flood attack.

HTTP flood attacks target the backend services of web applications. In addition to causing a denial of service, HTTP flood attacks directly affect the functionality and performance of web applications, including the response time, database services, and disk read and write operations.

How do I identify a DDoS attack?

You identify a DDoS attack when:

  • Your server is suddenly disconnected, the access speed becomes slow, and users are offline but the network and devices are working properly.
  • The CPU or memory usage of your server increases significantly.
  • The outbound or inbound traffic increases significantly.
  • Your business website or application suddenly receives a large number of unsolicited requests.
  • The logon to your server fails or becomes too slow.