In 2024, the largest distributed denial of service (DDoS) attack in history that targeted global sectors was thwarted. At its peak, the attack threw 3.8 terabytes of traffic that targeted multiple customers in the financial services, Internet and telecommunications sectors.
DDoS attacks are an amplified version of a denial of service (DoS) attack. In a DoS attack, a single source, usually a computer or compromised server, maliciously floods a targeted resource—a web server, a network server or a computer—with more traffic than it can handle, with the intention of overwhelming the target or any network system that is in the path to the target. Verizon's 2024 DBIR showed that DoS attacks were responsible for more than 50% of the data breach incidents examined among the more than thirty thousand security incidents analyzed.
In a DDoS attack, the attack is distributed—meaning the attackers have multiplied the malicious traffic by using multiple compromised systems—which could include computers, servers, smartphones and other networked resources, such as Internet of Things devices—as attack sources. DDoS attacks can generate tremendous amounts of traffic from millions of sources, snarling the targeted server, service or network until it chokes.
Most DDoS attacks are small and come from cyber criminals, but they can also come from nation-states, business competitors or would-be hackers testing their skills. Usually, attackers are after one of three goals: shutting down enterprise networks, services or applications; extorting money; or winning bragging rights.
The problem is that DDoS attacks' most common symptoms—traffic spikes and interrupted service—don't immediately register as suspicious. But analyzing those traffic spikes uncovers telltale attack markers, such as unusual or unnatural traffic patterns and suspicious traffic from a single IP address or device type.
Generally, it can be easier to identify a denial of service (DoS) attack than it is to identify a DDoS attack. A DoS attack can be identified by most intrusion detection systems and can be stymied with a firewall. Detection systems and firewall rules can sniff out a DDoS attack, but detection must be part of a broader strategy that includes prevention and defense.
Some common signs of a DDoS attack include unusual traffic patterns.
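The markers named above, a traffic spike followed by a check for whether that spike comes disproportionately from one IP address or one client type, are easy to compute from ordinary web access logs. The script below is an added example written for this article, not Verizon's tooling or the DDoS Shield product; the log lines, the 10-second window, the 5x spike factor and the 50% concentration threshold are all constructed assumptions chosen to make the sample data readable.

```python
"""Flag DDoS-style markers in web access logs: a traffic spike, then a dominant
source IP or client type inside that spike. All sample data is constructed."""
from collections import Counter
from datetime import datetime, timezone
from statistics import median

WINDOW_SECONDS = 10    # assumed bucket size for counting requests
SPIKE_FACTOR = 5       # assumed: a window is a spike if it carries >5x the median window volume
CONCENTRATION = 0.5    # assumed: >50% of a spike from one IP or one client type is a marker

# Constructed, not real, log lines: "<ISO timestamp> <source IP> <user agent> <path>".
# Two quiet windows of background traffic from many addresses and mixed clients,
# then a burst in 12:01:00-12:01:09 that comes almost entirely from one address
# using one client string.
SAMPLE_LOG = "\n".join(
    [f"2024-10-01T12:00:{s:02d} 198.51.100.{10 + s} Mozilla/5.0 /index.html" for s in range(10)]
    + [f"2024-10-01T12:00:{10 + s:02d} 203.0.113.{20 + s} curl/8.0 /api/status" for s in range(10)]
    + [f"2024-10-01T12:01:{s % 10:02d} 192.0.2.7 bot-client/1.0 /login" for s in range(80)]
    + [f"2024-10-01T12:01:{s % 10:02d} 198.51.100.{30 + s} Mozilla/5.0 /index.html" for s in range(5)]
)


def parse_line(line):
    """Split one log line into (timestamp, source IP, user agent, path)."""
    ts, ip, agent, path = line.split(" ", 3)
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), ip, agent, path


def bucket(records):
    """Group (ip, agent) pairs into fixed windows keyed by window start (epoch seconds)."""
    windows = {}
    for ts, ip, agent, _path in records:
        key = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        windows.setdefault(key, []).append((ip, agent))
    return windows


def analyze(log_text):
    """Return one finding per spike window, listing any single-source or
    single-client-type markers found inside that window."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    windows = bucket(records)
    # Median window volume is the baseline; a real deployment would use a longer history.
    baseline = median(len(hits) for hits in windows.values())
    findings = []
    for start in sorted(windows):
        hits = windows[start]
        if len(hits) <= SPIKE_FACTOR * baseline:
            continue  # ordinary volume, no spike
        top_ip, ip_count = Counter(ip for ip, _ in hits).most_common(1)[0]
        top_agent, agent_count = Counter(agent for _, agent in hits).most_common(1)[0]
        finding = {
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "requests": len(hits),
            "baseline": baseline,
            "markers": [],
        }
        if ip_count / len(hits) > CONCENTRATION:
            finding["markers"].append(f"single source {top_ip} sent {ip_count}/{len(hits)}")
        if agent_count / len(hits) > CONCENTRATION:
            finding["markers"].append(f"single client type {top_agent!r} sent {agent_count}/{len(hits)}")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["window_start"], f["requests"], "requests vs baseline", f["baseline"])
        for marker in f["markers"]:
            print("  marker:", marker)
```

The two markers are checked separately on purpose: a spike with no dominant source may still be a distributed flood (or a legitimate surge), so the volume finding stands on its own, and the concentration markers only add confidence that a block or rate limit on that source or client string would be effective.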
There are three common types of DDoS attacks, although variants of each type remain in continuous development by cybercriminals.
1. Application-layer attacks that target web application servers and can include HTTP floods, Border Gateway Protocol (BGP) hijacking, Slowloris (designed to overwhelm a single computer, web server, database, or API), Slow post (intended to slow servers down), and more.
2. Protocol attacks that exhaust the resources of servers, firewalls, load balancers and other network equipment. Examples include SYN flood attacks (when a large number of synchronize (SYN) requests are sent to overwhelm a server), the ping of death (when IP packets larger than the 65,536 bytes allowed by the IP protocol are sent to a server), and more.
3. Volumetric attacks that intend to consume the bandwidth of a targeted asset, such as a DNS amplification attack (when a large amount of traffic is directed at a target system to make it unavailable) and UDP floods (an attack that can make a server unavailable by overwhelming it with a large volume of User Datagram Protocol (UDP) packets to undermine the server's processing power).
It is difficult, but certainly not impossible, to defend against a DDoS attack in network security. Perimeter security only sometimes provides sufficient protection; it is most capable against application-layer attacks, where volume is typically lower and there is sometimes a mandate to perform all application-level inspection within a customer's security perimeter. To prevent DDoS attacks on the cloud, IT and security teams must ensure that the perimeter is secure and that firewall rules for dropping packets are firmly established.
Focus on prevention and mitigation. Some of the most common tools and strategies include:
If your systems are down, the consequences could be inconvenient—or a disaster. Even an hour of downtime can compromise your bottom line.
For the best protection, seek out a managed services provider that can reduce the burden on your in-house IT teams and provide the intelligence to analyze traffic and defend against high-volume attacks.
Learn how Verizon's DDoS Shield technology can mitigate the effects of unexpected and unpredictable DDoS attacks.
The author of this content is a paid contributor for Verizon.