What is a DDoS Attack and How Does it Work?

A Distributed Denial of Service (DDoS) attack is a deliberate effort to interrupt the normal functioning of a server, network, or online service by flooding it with excessive internet traffic.

Unlike traditional denial-of-service (DoS) attacks that originate from a single source, a DDoS attack involves multiple compromised systems, often forming a botnet to generate an overwhelming volume of requests simultaneously.

Important: don't confuse the two terms. DDoS is a special case of denial of service (DoS), but on a far larger scale: instead of a single machine, the attacker uses thousands or even millions of connected devices.


Here’s how it works:

1. Massive Distribution

As mentioned above, a regular DoS (Denial of Service) attack uses a single computer or network to flood the target, whereas a DDoS attack involves many sources.

These sources can be a network of compromised computers (often called a botnet), which are usually controlled remotely by the attacker. The use of a botnet makes it difficult to trace the attack back to a single source.

2. Coordinated Flooding

The attacker orchestrates this network of compromised devices to send an overwhelming amount of traffic requests to the target. This surge in traffic saturates the target’s network or server resources, rendering it unable to respond to legitimate user requests.

3. Service Breakdown

The sheer volume of incoming traffic can cause the target’s network to slow down significantly or, in extreme cases, crash, making the website or online service unavailable to users. Genuine users get locked out. Servers crash or stall. Online transactions fail.

Business grinds to a halt. In high-stakes environments like banking or e-commerce, this can translate to revenue loss, reputation damage, and SLA violations.

Types of DDoS Attacks

While the goal of every DDoS attack is the same, disrupting availability, the way it is achieved can differ drastically. Understanding the types of DDoS attack helps in choosing the right mitigation strategy. DDoS attacks vary in their vectors, technical impact, and the layer of infrastructure they target.

Broadly, DDoS attacks fall into three main categories, each measured by a different metric:

1. Volumetric Attacks (Measured in Gbps)

Goal: Saturate the network’s bandwidth
Vector: Layer 3/4 – Network and Transport layers

These are the most brute-force style of DDoS. Volumetric attacks overwhelm the target with sheer traffic: UDP floods, ICMP floods, or DNS amplification. In an amplification attack the attacker sends small requests carrying the victim's spoofed source address to misconfigured, publicly reachable servers (open DNS resolvers, NTP or memcached services); those servers reply to the victim with responses many times larger than the request, in some cases turning 1 MB of queries into 100 MB of traffic.

  • These attacks aim to consume all available internet bandwidth, making it impossible for legitimate users to connect.
  • They are easily generated using large botnets or DDoS-for-hire services (“booter” platforms).

Real-world example:

In 2023, a European gaming provider was hit with a 2.5 Tbps UDP flood, knocking out regional traffic for hours.

2. Protocol Attacks (Measured in pps – packets per second)

Goal: Exhaust network or server resources
Vector: Exploits weaknesses in protocol handling

These attacks target infrastructure components such as firewalls, load balancers, or TCP/IP stacks. Classic examples include SYN floods, Ping of Death, and Smurf attacks. They don't necessarily need high traffic volume: they exhaust system resources (connection tables, firewall and load-balancer state) by abusing how low-level protocols are handled, for example by sending SYN packets from spoofed addresses so that the server holds half-open connections that are never completed.

  • These are resource-draining rather than bandwidth-draining.
  • They’re stealthy and efficient: 10,000 packets per second can do more damage than 1 Gbps of traffic if aimed well.

3. Application Layer Attacks (Measured in rps – requests per second)

Goal: Disrupt specific services or applications
Vector: Layer 7 – Application layer (e.g., HTTP, DNS, SMTP)

These are the most targeted and sophisticated attacks. Instead of flooding the network, they mimic legitimate user behavior, sending normal-looking HTTP requests, but at a scale that overloads the server.

  • These attacks fly under the radar: each request is valid on its own, so standard firewalls often don’t catch them.
  • They hit business-critical endpoints like login pages, payment gateways, or account creation forms.
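The three categories above are told apart by the metric they move (Gbps, pps, rps) and by what the packets look like. The following is an added example written for this page, not code from the original article or from Group-IB: it computes bandwidth, packet rate and the bare-SYN to ACK ratio over a one-second sample of packet records, spots responses arriving from known reflection ports, and reports which class exceeds a historical baseline. The packet records are constructed inline, and the baseline figures and the 10x spike multiplier are assumptions standing in for a site's real historical rate. Application-layer floods do not show up at this level, since each of their packets is a normal-looking request; those need request-level analysis.

```python
"""Classify a one-second traffic sample by the metric each DDoS class is measured in:
bits per second (volumetric), packets per second plus handshake state (protocol).
Added example for this page, not code from the original article; packet records
and baseline figures are constructed/assumed."""
from collections import Counter
from dataclasses import dataclass

# UDP source ports of services commonly abused for reflection/amplification
# (open resolvers, NTP, memcached, SSDP). Amplified responses arrive *from* these ports.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 1900: "SSDP"}


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str        # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    size: int         # bytes on the wire
    flags: str = ""   # TCP flags: "S" bare SYN, "SA" SYN-ACK, "A" ACK


def classify(packets, window_s=1.0, baseline_bps=10e6, baseline_pps=2_000, factor=10):
    """Return the measured metrics and the attack classes exceeding `factor` x baseline.

    baseline_bps / baseline_pps stand in for the site's historical normal rate
    (assumed values here); `factor` is the spike multiplier that triggers a verdict.
    """
    total_bytes = sum(p.size for p in packets)
    bps = total_bytes * 8 / window_s
    pps = len(packets) / window_s

    # SYN flood signal: bare SYNs that are never followed by the client's ACK leave
    # half-open connections. Compare bare SYNs with packets carrying an ACK flag.
    syn = sum(1 for p in packets if p.proto == "TCP" and p.flags == "S")
    ack = sum(1 for p in packets if p.proto == "TCP" and "A" in p.flags)
    syn_ratio = syn / (syn + ack) if syn + ack else 0.0

    # Reflection signal: most of the bytes arrive from amplifier service ports.
    reflected = Counter()
    for p in packets:
        if p.proto == "UDP" and p.sport in REFLECTION_PORTS:
            reflected[REFLECTION_PORTS[p.sport]] += p.size

    verdicts = []
    if bps > factor * baseline_bps:
        label = "volumetric"
        if total_bytes and sum(reflected.values()) > 0.5 * total_bytes:
            label += " (reflection via " + ", ".join(sorted(reflected)) + ")"
        verdicts.append(label)
    if pps > factor * baseline_pps and syn_ratio > 0.9:
        verdicts.append("protocol (SYN flood)")

    return {
        "gbps": bps / 1e9,
        "pps": pps,
        "syn_ratio": syn_ratio,
        "distinct_sources": len({p.src for p in packets}),
        "verdicts": verdicts,
    }


# --- constructed one-second samples (not captured traffic) ---------------------

def normal_sample(n=600):
    """Ordinary traffic: handshakes, data packets carrying ACK, a few DNS answers."""
    pkts = []
    for i in range(n):
        src = f"192.0.2.{i % 50 + 1}"
        if i % 10 == 0:
            pkts.append(Packet(src, "UDP", 53, 40000 + i, 120))
        elif i % 3 == 0:
            pkts.append(Packet(src, "TCP", 50000 + i, 443, 60, "S"))
        else:
            pkts.append(Packet(src, "TCP", 50000 + i, 443, 500, "A"))
    return pkts


def dns_reflection_sample(n=40_000):
    """Volumetric: 1400-byte DNS responses from many open resolvers hitting the victim."""
    return [Packet(f"203.0.113.{i % 254 + 1}", "UDP", 53, 40000 + i % 1000, 1400)
            for i in range(n)]


def syn_flood_sample(n=30_000):
    """Protocol: small bare SYNs from spoofed sources that never complete the handshake."""
    return [Packet(f"198.51.100.{i % 254 + 1}", "TCP", 1024 + i % 60000, 443, 60, "S")
            for i in range(n)]


if __name__ == "__main__":
    for name, sample in [("normal", normal_sample()),
                         ("dns reflection", dns_reflection_sample()),
                         ("syn flood", syn_flood_sample())]:
        r = classify(sample)
        print(f"{name:15s} {r['gbps']:.3f} Gbps {r['pps']:>8.0f} pps "
              f"syn_ratio={r['syn_ratio']:.2f} -> {r['verdicts']}")
```

The SYN flood sample moves only about 14 Mbps, well under the volumetric threshold, yet is flagged on packet rate and handshake state; the DNS reflection sample is flagged on bandwidth alone. That is the practical reason the two classes are measured with different metrics and mitigated with different controls.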

How To Identify a DDoS Attack?

Here are the common signs of DDoS attack:

DDoS Attack Identification Checklist

  • Sharp increase in requests from unfamiliar IPs or geographies (Yes/No)
  • Traffic comes in at regular intervals, suggesting automation (Yes/No)
  • Pages are loading very slowly or timing out (Yes/No)
  • Services like login, checkout, or search stop working (Yes/No)
  • Server CPU, memory, or bandwidth usage hits max capacity (Yes/No)
  • Anomalous spikes in packets per second (pps) or requests per second (rps) (Yes/No)
  • Unusually high number of half-open TCP connections (common in SYN floods) (Yes/No)
  • Unresponsive DNS or overload on specific ports (e.g., port 80 for HTTP) (Yes/No)
  • Flood of HTTP GET or POST requests to the same URL (Yes/No)
  • Traffic with no referrer, or identical headers across requests (Yes/No)
  • Rapid form submissions or logins within milliseconds (Yes/No)
  • Alerts triggered by your firewall, WAF, or DDoS protection provider (Yes/No)
  • Traffic anomalies flagged by SIEM, IDS/IPS, or CDN analytics (Yes/No)
  • Geo-IP filtering tools flagging suspicious global access spikes (Yes/No)
  • Confirm no internal update, scheduled task, or infrastructure change is causing the issue (Yes/No)
  • Rule out legitimate traffic from a successful campaign, press coverage, etc. (Yes/No)
  • Compare against historical traffic baselines for the same time/day/week (Yes/No)
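Several items on the checklist (an rps spike, a flood to one URL, identical headers with no referrer, rapid repeats from the same source, and comparison against a baseline) can be checked directly from web server access logs. The following is an added example written for this page, not code from the original article or from Group-IB: it parses combined-format log lines, finds the busiest second, compares it against a historical rate, and then tests that second for the application-layer signals above. The log lines are constructed inline rather than captured, and the thresholds (10x baseline, 60% share, 20 requests per second per IP) are assumptions a team would tune to its own traffic.

```python
"""Run the identification checklist's application-layer signals over web server
access-log lines: rps spike against a baseline, one URL absorbing the flood,
identical headers with no referrer, and per-IP bursts.
Added example for this page, not code from the original article; the log lines
are constructed in combined-log format, not a real capture."""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, baseline_rps=None, spike_factor=10, share=0.6, burst_per_ip=20):
    """Return the peak second, its request rate and the checklist findings.

    baseline_rps is the historical normal rate for this time of day; when not
    supplied (an assumption for the demo) the median per-second count of the
    sample is used, which is adequate only when the sample is mostly normal traffic.
    """
    recs = [r for r in map(parse, lines) if r]
    per_sec = Counter(r["ts"] for r in recs)          # log timestamps are second-granular
    if baseline_rps is None:
        baseline_rps = statistics.median(per_sec.values())
    peak_sec, peak = per_sec.most_common(1)[0]
    result = {"peak_second": peak_sec, "peak_rps": peak, "baseline_rps": baseline_rps,
              "top_path": None, "bursty_ips": [], "findings": []}
    if peak <= spike_factor * baseline_rps:
        return result                                   # no spike; nothing to explain

    f = result["findings"]
    f.append(f"rps spike: {peak} req/s at {peak_sec.isoformat()} vs baseline {baseline_rps}")
    flood = [r for r in recs if r["ts"] == peak_sec]
    n = len(flood)

    # One endpoint absorbing the flood (login, checkout, search...)
    top_path, top_n = Counter(r["path"] for r in flood).most_common(1)[0]
    result["top_path"] = top_path
    if top_n >= share * n:
        f.append(f"{top_n}/{n} requests target {top_path}")

    # Identical headers and no referrer are typical of scripted clients
    no_ref = sum(1 for r in flood if r["referer"] == "-")
    ua, ua_n = Counter(r["ua"] for r in flood).most_common(1)[0]
    if no_ref >= share * n and ua_n >= share * n:
        f.append(f"{ua_n}/{n} share User-Agent {ua!r}; {no_ref} carry no referrer")

    # Rapid repeats from the same source within one second
    per_ip = Counter(r["ip"] for r in flood)
    result["bursty_ips"] = sorted(ip for ip, c in per_ip.items() if c >= burst_per_ip)
    if result["bursty_ips"]:
        f.append(f"{len(result['bursty_ips'])} sources sent >= {burst_per_ip} req/s")
    return result


# --- constructed log: 60 s of browsing with a 1-second login flood in the middle ---

def _line(ip, ts, method, path, status, size, referer, ua):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} "{referer}" "{ua}"'


def constructed_log():
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    paths = ["/", "/products", "/search?q=shoes", "/cart", "/about"]
    uas = ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
           "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15",
           "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"]
    lines = [_line(f"192.0.2.{i % 30 + 1}", base + timedelta(seconds=i), "GET",
                   paths[i % 5], 200, 2048, "https://example.com/", uas[i % 3])
             for i in range(60)]
    burst = base + timedelta(seconds=30)
    lines += [_line(f"198.51.100.{i % 10 + 1}", burst, "POST", "/login", 401, 512,
                    "-", "python-requests/2.31") for i in range(300)]
    return lines


if __name__ == "__main__":
    r = analyze(constructed_log())
    print(f"peak {r['peak_rps']} req/s at {r['peak_second']} (baseline {r['baseline_rps']})")
    for finding in r["findings"]:
        print(" -", finding)
```

Passing a higher `baseline_rps` (the historical rate for a day with a marketing campaign or press coverage) makes the same spike fall below the threshold, which is the "rule out legitimate traffic" step of the checklist expressed as a parameter rather than a guess.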

What Is the Process For Mitigating a DDoS Attack?

Step 1: Detection

The first and most critical step is recognizing that an attack is happening. Detection involves monitoring traffic patterns and identifying anomalies that suggest malicious intent.

  • Network-layer attacks (e.g., UDP floods) are usually detected by hardware appliances or out-of-band (OOB) network tools that monitor traffic volume, packet anomalies, and protocol misuse.
  • Application-layer attacks (e.g., HTTP floods) are harder to spot because they mimic normal user behavior. These require DDoS protection systems that analyze real-time traffic patterns and compare them against historical baselines to flag irregularities.

Step 2: Response

Once an attack is detected, mitigation strategies are deployed to absorb or block the malicious traffic before it disrupts services. Several techniques may be used, either individually or in combination:

  • Rerouting: Diverts traffic through alternative paths or scrubbing centers that filter out malicious data.
  • Blackholing (Null Routing): Drops all incoming traffic to the target server—including legitimate users. It’s fast but indiscriminate, used only in extreme cases to protect upstream networks.
  • Sinkholing: Routes traffic from known malicious IPs to a controlled environment. It’s more targeted than blackholing but can be bypassed by attackers rotating their IP addresses.
  • Scrubbing: Sends all inbound traffic to a centralized filter (scrubbing center), which removes malicious packets and passes only legitimate data to the server. This is considered one of the most effective and precise methods.
  • Bot Detection: Identifies automated scripts or bots mimicking human actions and blocks them using behavioral analysis, rate limiting, and CAPTCHA challenges.

Step 3: Analysis and Adaptation

After the immediate threat has been contained, a post-incident analysis is carried out. This stage is vital for improving future DDoS attack prevention.

  • Logs and telemetry data from the attack are reviewed to understand its origin, method, and scale.
  • The findings are used to update detection rules, improve response workflows, and identify any gaps in existing DDoS protection controls.

Step 4: Time to Mitigation (TTM)

The effectiveness of your DDoS response often comes down to speed. Time to Mitigation (TTM) is the sum of three intervals:

  1. Detection Time: How fast the attack is identified after it starts.
  2. Activation Time: How quickly mitigation systems and teams are mobilized.
  3. Execution Time: How fast malicious traffic is successfully blocked or filtered.


General Protection Measures To Undertake Against DDoS

  • Check if you have anti-DDoS protection and ensure it’s activated.
  • Don’t put all your eggs in one basket: diversify providers and use multiple ISPs or cloud providers for redundancy. If one is attacked, you can fall back on the others.
  • Upstream filtering: some ISPs offer traffic filtering to block malicious traffic before it reaches your network.
  • Scale resources: be ready to automatically scale resources to handle traffic spikes. This is easier if you are using cloud services that provide auto-scaling.
  • Rate limiting: set thresholds for the number of requests a client can send in a given time frame, and reject or drop requests once the threshold is exceeded.
  • If you are facing an L7 DDoS attack on web apps and your current provider cannot absorb it, check whether your organization has bot protection in place that can challenge or block automated clients.
  • Implement geofencing: while an attack is active, block access to critical applications from regions you do not serve.
  • Maintain blocklists and allowlists: deny known-bad sources, and make sure monitoring probes, partners, and payment providers are never throttled or blocked.
  • Save logs during DDoS attacks: technical information about the attack can significantly enhance your detection and prevention abilities after an in-depth analysis. Moreover, it offers actionable insights for further investigation.
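Rate limiting and allow/blocklisting from the list above are usually configured in a WAF, CDN or reverse proxy, but the logic is small enough to show end to end. The following is an added example written for this page, not code from the original article or from Group-IB: a per-client sliding-window limiter that lets allowlisted ranges through untouched, drops statically blocklisted ranges, returns a "limit" verdict (a 429 in HTTP terms) once a client exceeds the window, and escalates to a temporary block after repeated violations so that a flooding source stops consuming application resources at all. The request stream, the address ranges and the thresholds are constructed for the demonstration.

```python
"""Per-client sliding-window rate limiting with allowlist, blocklist and
automatic temporary blocks. Added example for this page, not code from the
original article; the request stream and ranges below are constructed."""
import ipaddress
from collections import Counter, defaultdict, deque


class RateLimiter:
    def __init__(self, limit, window_s, allow=(), block=(), ban_s=300, strikes=5):
        self.limit = limit              # requests permitted per window
        self.window_s = window_s        # sliding window length in seconds
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.block = [ipaddress.ip_network(n) for n in block]
        self.ban_s = ban_s              # length of an automatic temporary block
        self.strikes = strikes          # limited requests before escalating to a block
        self.hits = defaultdict(deque)  # ip -> timestamps of allowed requests in window
        self.strike_count = defaultdict(int)
        self.banned_until = {}          # ip -> time the temporary block expires

    @staticmethod
    def _in(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def check(self, ip, now):
        """Return 'allow', 'limit' (reject, e.g. HTTP 429) or 'block' (drop)."""
        if self._in(ip, self.allow):
            return "allow"              # monitoring, partners, payment callbacks: never throttled
        if self._in(ip, self.block):
            return "block"              # static blocklist, e.g. from threat intelligence
        if self.banned_until.get(ip, 0) > now:
            return "block"              # temporary block after repeated violations
        q = self.hits[ip]
        while q and q[0] <= now - self.window_s:
            q.popleft()                 # forget hits that fell out of the window
        if len(q) >= self.limit:
            self.strike_count[ip] += 1
            if self.strike_count[ip] >= self.strikes:
                # Escalate: a source that keeps hammering after being limited is
                # dropped outright for ban_s seconds instead of getting 429s.
                self.banned_until[ip] = now + self.ban_s
                self.strike_count[ip] = 0
                return "block"
            return "limit"
        q.append(now)
        return "allow"


def simulate():
    """Constructed request stream: a user, a flooding bot, a probe, a listed source."""
    rl = RateLimiter(limit=10, window_s=1.0, allow=["10.0.0.0/8"],
                     block=["203.0.113.0/24"], ban_s=60, strikes=5)
    results = Counter()
    for i in range(15):                                 # legitimate user, 5 req/s for 3 s
        results["user:" + rl.check("192.0.2.10", i / 5)] += 1
    for i in range(200):                                # bot, 100 req/s for 2 s
        results["bot:" + rl.check("198.51.100.7", i / 100)] += 1
    for i in range(50):                                 # allowlisted health probe, 50 req/s
        results["probe:" + rl.check("10.1.2.3", i / 50)] += 1
    results["listed:" + rl.check("203.0.113.9", 0.0)] += 1   # on the static blocklist
    return rl, dict(results)


if __name__ == "__main__":
    _, outcome = simulate()
    for key in sorted(outcome):
        print(f"{key:13s} {outcome[key]}")
```

In the simulated run the user is never limited, the bot gets ten requests through, four rejections, and is then dropped for the rest of its flood, while the allowlisted probe and the blocklisted source are handled before any counting happens. A temporary block expires on its own, so a legitimate client that tripped the limiter during a traffic spike recovers without operator action.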

How Group-IB Can Help

Group-IB enhances every stage of DDoS attack mitigation with specialized tools and intelligence.

  • Group-IB Fraud Protection uses patented anti-bot technology to detect and neutralize bot-driven DDoS attacks before they impact your infrastructure.
  • Group-IB Threat Intelligence provides real-time insights into recent DDoS attacks, threat actors, and tactics, helping you prepare before an attack even begins.

Get in touch with our team to understand the solutions.