The best protection against DoS attacks and DDoS attacks is a multilayered posture that can protect websites, applications, APIs, authoritative DNS, and network resources by using technologies that have a proven record for blocking these events.
In a distributed denial-of-service (DDoS) attack, a type of cyberattack, an attacker overwhelms a website, server, or network resource with malicious traffic. As a result, the target crashes or is unable to operate, denying service to legitimate users and preventing legitimate traffic from arriving at its destination.
From a high level, a DDoS or DoS attack is like an unexpected traffic jam caused by hundreds of bogus rideshare requests. The requests appear to be legitimate to rideshare services, and they dispatch drivers for pickup that inevitably clog up the city streets. This prevents regular legitimate traffic from arriving at its destination.
A DDoS attack on a company’s website, web application, APIs, network, or data center infrastructure can cause downtime and prevent legitimate users from buying products, using services, getting information, or accessing other resources.
How does a DDoS attack work?
Building a botnet — To launch a DDoS attack, attackers use malware to create a network of bots — internet-connected devices that are infected with malware, which attackers can direct to send a flood of traffic to targets. This bot network, or botnet, may include endpoints like Internet of Things (IoT devices), smartphones, and personal computers, as well as routers and network servers. Each infected device becomes capable of spreading the malware to other devices to amplify the size of an attack.
To use a popular culture reference here, think of how the Night King in the HBO series Game of Thrones created an army of White Walkers. The Night King created an initial set of White Walkers. These White Walkers attacked humans to turn them into new White Walkers, and thus the army kept growing. And every single member of this army was controlled by the Night King.
Launching an attack — Once an attacker has built a botnet, they send remote instructions to the bots, directing them to send requests and traffic to a targeted server, website, web application, API, or network resource. This creates an overwhelming amount of traffic that leads to a denial of service, preventing normal traffic from accessing the target.
DDoS as a service — Sometimes botnets, with their networks of compromised devices, are rented out for other potential attacks through “attack-for-hire” services. This allows people with malicious intent but no training or experience to easily launch DDoS attacks on their own.
The purpose of DDoS attacks
The purpose of DDoS attacks is to severely slow down or stop legitimate traffic from reaching its intended destination. For example, this could mean stopping a user from accessing a website, buying a product or service, watching a video, or interacting on social media. Additionally, by making resources unavailable or diminishing performance, DDoS can cause business to grind to a halt. This can result in preventing employees from accessing email or web applications, or conducting business as usual.
DDoS attacks may be launched for several reasons.
- Hacktivism. Attackers may direct a DDoS attack against companies or websites with which they have philosophical or ideological disagreements.
- Cyber warfare. Governments may use cyberthreats like DDoS to impair the critical infrastructure of an enemy state.
- Extortion. Attackers often use DDoS threats to extort money from companies.
- Entertainment. Many attacks are launched by hackers who are simply seeking to entertain themselves by wreaking havoc or experimenting with cybercrime.
- Business competition. A business may launch a DDoS attack on another company to gain a competitive advantage.
Types of DDoS attacks
There are many different types of DDoS attacks, and cybercriminals often use more than one type to take down their targets. DDoS attacks typically target one of the seven different layers of a computer network as described in the Open Systems Interconnection (OSI) model. Each layer of the OSI model has a unique purpose, like the floors of an office building where different functions of a business take place on each floor. Attackers target different layers depending on what type of web or internet-facing asset they’d like to disrupt.
The four key types of attacks are:
- Application-layer attacks
- Protocol attacks
- DNS amplification/reflection attacks
- Volumetric attacks
Application-layer DDoS attacks
Application-layer DDoS attacks (Layer 7 DDoS attacks) target specific vulnerabilities in web applications to prevent the application from performing as intended. These DDoS attacks often target the communication protocols involved in exchanging data between two applications over the internet. While difficult to prevent and mitigate, they are among the easiest DDoS attacks to launch.
- HTTP floods. HTTP floods exploit the HTTP internet protocol that is used to load web pages or send content over the internet. HTTP floods cause a server, website, or web app to slow down or crash by overwhelming it with a large number of HTTP GET or POST requests.
- Low and slow attacks. A low and slow attack is a type of denial-of-service (DoS) attack designed to evade detection by sending traffic and HTTP requests that appear to be legitimate at a very slow rate. Low and slow attacks require little bandwidth and may be launched from a single computer or with a botnet. Traffic in a low and slow attack is difficult to detect because it appears to be legitimate Layer 7 traffic and is not sent at a rate that triggers security alerts.
- Slowloris. A Slowloris DDoS attack is designed to overwhelm a web server by opening and maintaining many simultaneous HTTP connections to a target server. Slowloris uses up server resources with requests that seem slower than usual but otherwise appear to be standard traffic. Attackers take advantage of a feature unique to the HTTP protocol: the ability for clients to split GET or POST requests into several packets. A Slowloris attack compromises a targeted web server by opening multiple connections and keeping them open as long as possible. This is accomplished by sending partial HTTP requests that are never completed.
Protocol DDoS attacks
Protocol attacks target weaknesses and vulnerabilities in internet communications protocols in Layer 3 and Layer 4 of the OSI model. These attacks attempt to consume and exhaust compute capacity of various network infrastructure resources like servers or firewalls by sending malicious connection requests that exploit Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP) protocols.
- SYN flood. One of the main ways people connect to internet applications is through the TCP. This connection requires a three-way handshake from a TCP service — like a web server — and involves sending a SYN (synchronization) packet from where the user connects to the server, which then returns a SYN-ACK (synchronization acknowledgement) packet, which is ultimately answered with a final ACK (acknowledgement) communication back to complete the TCP handshake. During a SYN flood attack, a malicious client sends a large volume of SYN packets (part one of the usual handshake) but never sends the acknowledgement to complete the handshake. This leaves the server waiting for a response to these half-open TCP connections. Eventually, the server runs out of capacity to accept new connections for services that track connection states.
If we were to use the rideshare analogy here, think of it as a situation where thousands or even hundreds of thousands of bogus requests are made to a rideshare company. The cabs wait for passengers to get in and start the journey, but that never happens, ultimately exhausting all available cabs and rendering the service unavailable to legitimate rides.
- Smurf DDoS attack. The name of this DDoS attack is based on the concept that numerous tiny attackers can overwhelm a much larger opponent by sheer volume, just like the fictional colony of small blue humanoids that are its namesake. In a Smurf DDoS attack, large numbers of ICMP packets with an intended target’s spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, most devices on a network will respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be slowed down to a crawl from being flooded with traffic.
DNS amplification/reflection DDoS attacks
Domain Name System or DNS amplification/reflection attacks are a specific type of volumetric DDoS attack vector where hackers spoof the IP address of their target to send large amounts of requests to open DNS servers. In response, these DNS servers respond back to the malicious requests by the spoofed IP address, thereby creating an attack on the intended target through a flood of DNS replies. Very quickly, the large volume of traffic created from the DNS replies overwhelms the victim organization’s services, making them unavailable and preventing legitimate traffic from reaching its intended destination.
To explain this type of attack using the rideshare analogy, imagine if hundreds or thousands of rideshare requests were placed to send cabs to a victim’s address. These rideshare cabs now clog up the streets leading up to the victim’s house, preventing legitimate visitors from reaching the individual’s address. This analogy can also be extended to explain volumetric DDoS attacks in the next section.
Volumetric DDoS attacks
Volume-based DDoS attacks are directed at OSI Layers 3 and 4, overwhelming a target with a flood of traffic from multiple sources and eventually consuming all of the target’s available bandwidth, causing it to slow down or crash. Volumetric attacks are often used to divert attention away from other types of DDoS attacks or more dangerous cyberattacks.
- UDP floods. UDP floods are frequently chosen for larger-bandwidth DDoS attacks. Attackers attempt to overwhelm ports on the targeted host with IP packets containing the stateless UDP protocol. The victim host then looks for applications that are associated with the UDP packets, and when not found, sends a “Destination Unreachable” back to the sender. The IP addresses are often spoofed to anonymize the attacker, and once the targeted host becomes inundated with attack traffic, the system becomes unresponsive and unavailable to legitimate users.
- ICMP floods. Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany Transmission Control Protocol (TCP) packets that enable application programs and computing devices to exchange messages over a network, when connecting to a server. An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.
How to defend against DDoS attacks
Organizations can protect against and limit disruption from DDoS attacks with a strong DDoS strategy, superior DDoS mitigation services, and advanced superior cybersecurity controls.
Cloud-based solutions offer high-capacity, high-performance, and always-on anti-DDoS protection that can prevent malicious traffic from reaching a website or interfering with web API communications, limiting the impact of the attack while allowing normal traffic to get through for business as usual.
DDoS mitigation services
In a constantly evolving attack landscape, DDoS protection through a mitigation provider that takes a defense-in-depth approach can keep organizations and end users safe. A DDoS mitigation service will detect and block DDoS attacks as quickly as possible, ideally in zero or a few seconds from the time that the attack traffic reaches the mitigation provider’s scrubbing centers. Because attack vectors keep changing and attack sizes keep getting bigger, to achieve the best DDoS protection, a provider must continually invest in defense capacity. To keep up with large, complex attacks, the right technologies are needed to detect malicious traffic and begin robust defensive countermeasures to mitigate attacks quickly.
DDoS mitigation providers filter out attack traffic to prevent it from reaching the intended targeted asset. Attack traffic is blocked by a CDN-based web protection service, a DDoS scrubbing service, or a cloud-based DNS service.
- CDN-based DDoS defenses. A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN to specifically accelerate traffic using HTTP and HTTPS protocols, all DDoS attacks targeting that URL can then be dropped at the network edge. This means that Layer 3 and Layer 4 DDoS attacks are instantly mitigated, as this type of traffic is not destined for web ports 80 and 443. As a cloud-based proxy, the network sits in front of a customer’s IT infrastructure and delivers traffic from end users to the websites and applications. Because these solutions operate in-line, web-facing assets are protected at all times without human interaction from network-layer DDoS attacks.
- DDoS cloud scrubbing. DDoS scrubbing can keep your online service or business up and running, even during an attack. A cloud-based scrubbing service can quickly mitigate attacks that target non-web assets, like network infrastructure, at scale. Unlike CDN-based mitigation, a DDoS scrubbing service can protect across all ports, protocols, and applications in the data center, including web- and IP-based services. Organizations direct their network traffic to the mitigation provider’s scrubbing infrastructure in one of two ways: via a Border Gateway Protocol (BGP) route advertisement change or DNS redirection (A record or CNAME). Traffic is monitored and inspected for malicious activity, and mitigation is applied when DDoS attacks are identified. Typically, this service can be available in both on-demand and always-on configurations, depending on an organization’s preferred security posture — although more organizations than ever before are moving to an always-on deployment model for the fastest defensive response.
- Web application firewalls. For application-layer–specific defenses, organizations should deploy a web application firewall (WAF) to combat advanced attacks, including certain types of DDoS attacks like http requests, HTTP GET, and HTTP POST floods, which aim to disrupt Layer 7 application processes of the OSI model.
- On-premises (on-prem) DDoS protection. On-prem or on-network DDoS protection involves physical and/or virtualized appliances that reside in a company’s data center and integrate with their edge routers to stop malicious DDoS attacks at the edge of their network. This is particularly helpful when cybercriminals utilize “low and slow” or “small and fast” attacks designed to avoid detection. Additionally, on-prem DDoS protection helps companies avoid operational costs related to rerouting traffic to a cloud scrubbing center when they are not targeted with volumetric attacks. On-prem DDoS protection also serves companies that require ultra-low latency with their network traffic. Examples of such use cases include companies that provide voice and video conferencing platforms, multimedia services, and gaming platforms, or other services that have near-real-time latency requirements.
- Hybrid DDoS protection. A hybrid DDoS protection solution combines the capabilities and benefits of both on-premises as well as cloud DDoS protection. A hybrid DDoS solution protects a customer’s network infrastructure from the vast majority of small attacks with on-prem or on-network appliances but utilizes the scale and the capacity of a cloud scrubbing center as a backup for large volumetric attacks.
- Cloud Signaling. Cloud signaling is an industry term indicating that on-prem appliances automatically transfer attack footprint, signature, and other relevant information to the cloud scrubbing centers when such a redirection becomes necessary to optimally protect a customer’s network assets and infrastructure from a DDoS attack.
Benefits of a DDoS mitigation service
During mitigation, your DDoS protection provider will deploy a sequence of countermeasures aimed at stopping and diminishing the impact of a distributed denial-of-service attack. As modern attacks become more advanced, cloud-based DDoS mitigation protection helps to provide defense-in-depth security at scale, keeping back-end infrastructure and internet-facing services available and performing in an optimal manner.
Through DDoS attack protection services, organizations can:
- Reduce the attack surface and business risk associated with DDoS attacks
- Prevent business-impacting downtime
- Guard against web pages going offline
- Increase speed to respond to a DDoS event and optimize incident response resources
- Shorten the time to understand and investigate a service disruption
- Prevent loss of employee productivity
- More quickly deploy countermeasures to defend against a DDoS attack
- Prevent damage to brand reputation and bottom line
- Maintain application uptime and performance across digital estates
- Minimize costs associated with web security
- Defend against extortion, ransomware, and other new evolving threats
Protect your web and internet-facing services from DDoS attacks with Akamai
Akamai provides in-depth DDoS defense and mitigation services through a transparent mesh of dedicated edge, distributed DNS, and cloud scrubbing defenses. These purpose-built cloud services are designed to strengthen DDoS and network security postures while reducing attack surfaces, improving the quality of mitigation and reducing false positives while increasing resiliency against the largest and most complex attacks. Moreover, the solutions can be fine-tuned to the specific requirements of your web applications and internet-based services.
- Edge defense with App & API Protector. Akamai App & API Protector brings together web application firewall, bot mitigation, API security, and Layer 7 DDoS protection into a single solution. It quickly identifies vulnerabilities and mitigates threats across your entire web and API estates — even for the most complex distributed architectures. Recognized as the leading attack detection solution on the market, App & API Protector is easy to implement and use. It delivers automatic updates for security protections and provides holistic visibility into traffic and attacks.
- DNS defense with Edge DNS. Akamai’s authoritative DNS service, Edge DNS, also filters traffic at the edge. Unlike other DNS solutions, Akamai specifically architected Edge DNS for availability and resiliency against DDoS attacks. Edge DNS delivers superior performance, with architectural redundancies at multiple levels, including nameservers, points of presence, networks, and even segmented IP anycast clouds.
- Comprehensive DDoS protection with Prolexic. Akamai Prolexic comes in three options — on-prem, cloud, and hybrid — and offers comprehensive DDoS protection to a customer’s data centers and hybrid infrastructures, across all ports and protocols. Prolexic cloud DDoS protection — whether as a stand-alone solution or as a hybrid backup to Prolexic On-Prem — is powered by more than 36 cloud scrubbing centers in 32 global metropolitan centers, offering more than 20 Tbps of dedicated DDoS defense. This capacity is designed to keep internet-facing assets available — a cornerstone of any information security program. As a fully managed service, Prolexic can build both positive and negative security models. The service combines automated defenses with expert mitigation from Akamai’s global team of 225+ frontline SOCC responders. Prolexic also offers an industry-leading zero-second mitigation SLA via proactive defensive controls to keep data center infrastructure and internet-based services protected and highly available.
Learn more about DDoS attacks
- What Is DoS Protection?
- What Is an ICMP Flood Attack?
- What Is a Memcached DDoS Attack?
- What Are SYN Flood DDoS Attacks?
- What Is a Slowloris DDoS Attack?
- What Is a UDP Flood DDoS Attack?
- What Is an Application-Layer DDoS Attack?
- What Is a DNS Amplification Attack?
- What Is a SSDP DDoS Attack?
- What Is a CLDAP Reflection DDoS attack?
Frequently Asked Questions (FAQ)
A DoS attack, or denial-of-service attack, is designed to render a website, router, server, or network unavailable to legitimate users. A DoS attack is launched from a single computer, while a distributed denial-of-service (DDoS) attack uses a botnet or distributed network of IPv4 or IPv6 addresses — a robot network of hijacked computers, machines, or IoT devices — to attack a target from multiple locations.
A DoS or DDoS attack attempts to flood a server, website, network device, or machine with so much malicious traffic that it is unable to operate. In a volumetric attack — such as an ICMP flood or a UDP flood attack — attackers overwhelm a target with massive amounts of traffic, overloading the system, or network path to the system, while preventing legitimate traffic and users from accessing that resource.
A protocol attack such as a SYN flood attempts to consume and exhaust the compute capacity of network infrastructure resources like firewalls or load balancers by sending malicious connection requests that exploit protocol communications. In an application-layer attack like Slowloris, attackers exploit the capacity of a web server, application server, or database by exhausting the amount of requests it can handle while flying under the radar of low request volumes, rendering it unavailable to users.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
Related Products
Prolexic
Stop DDoS attacks with the fastest, most effective defense — at scale.
Edge DNS
Rely on highly secure DNS for nonstop availability of web apps and APIs.
App & API Protector
One-stop, zero-compromise security for websites, applications, and APIs.
Additional Resources
DDoS Defense in a Hybrid Cloud World
All DDoS mitigation is not created equal. See how many cloud service providers fall short, and what to look out for.
DDoS Threats in EMEA 2024
Our latest research gives you the knowledge you need to better defend against rising DDoS attacks in EMEA.
What can an analysis of malicious DNS traffic reveal about an organization’s risk exposure?
DNS is one of the oldest internet infrastructures. However, an incredible amount of attack traffic passes through it. Details about the most prevalent threats and more can be found in this report.
Related Pages
Learn more about related topics and technologies on the pages listed below.