What Happens During a DDoS Attack?

Working in information technology today means dealing with the potential security risks facing companies of all sizes, industries, and regions. The field of cybersecurity is vast and varied, encompassing subtle data theft tactics such as spear phishing, as well as larger brute-force maneuvers including distributed denial of service (DDoS) attacks.

Due to the damage a cyberattack can cause a company — both in the immediate aftermath of the incident and on an ongoing basis — businesses need people who understand the risks they face and how to create effective countermeasures. Becoming familiar with cyber threats such as DDoS attacks is therefore a way to take on a role as a more valuable member of an information systems team.

What Is a DDoS Attack?

A DDoS attack is a type of cyberthreat based on sending too many requests to an online resource, forcing that site or resource offline. The attacker takes advantage of a vast network of computers to create this pressure, often by using “zombie” machines they have taken over through malware.

Kaspersky notes that DDoS attacks work because web resources can only handle so much traffic at any given time. When the amount of data or requests flowing into the networked asset becomes too great, legitimate users may be unable to access it, just as would happen if there were too many people trying to use the resource, but on a much greater scale. A web server suffering the effects of a successful DDoS attack will slow down or become completely inaccessible to users.

Considering that modern companies use online platforms for their most important services, both customer-facing and internal, it’s easy to see how a well-timed DDoS attack could do major harm to a business. Whether that means shutting an e-commerce merchant down during a busy retail season, taking a business’s in-house servers offline, or one of any number of similar outcomes, the damage can be notable.

How Are DDoS Attacks and DoS Attacks Different?

A DDoS attack is the modern, larger-scale version of a simple denial of service (DoS) attack. Digital security firm Norton explains that DoS attacks have existed since 1974, when a 13-year-old remotely shut down networked computers. IT professionals shouldn’t let themselves become complacent just because DoS attacks have a nearly 50-year history. By evolving from DoS to DDoS, these intrusions have stayed relevant to the present day.

That initial strike in 1974 was launched from a single computer, which means it was a simple DoS, not a DDoS. Norton notes that DDoS attacks are defined by using multiple pieces of hardware to generate the illegitimate network activity that takes a resource down. The fact that a botnet of captured computers or other devices can deal far more damage than a single PC has turned DDoS into the standard way of damaging companies’ servers.

What Is the Goal of a DDoS Attack?

The objective of a DDoS attack is typically to harm a company by taking its most essential resources offline. Kaspersky points out that some organizations make especially attractive targets for these types of digital intrusions. These include e-commerce retailers and digital-first businesses of all kinds, including internet casinos.

CSO gave an example of how DDoS attacks can have a waterfall effect, wherein taking down one company can harm others. In October 2016, the Mirai botnet, a compromised swarm of internet of things (IoT) devices, was leveraged to send requests to an internet services provider’s servers. The botnet consisted of up to 400,000 IoT devices and was capable of overwhelming important infrastructure, bringing down Twitter, Amazon, Spotify, and more.

What Happens During a DDoS Attack?

A DDoS attack is relatively simple, which is one of the reasons why this type of cyberthreat is so dangerous. Norton explains that in these incidents, the hacker doesn’t have to install any of their code on a victim’s server. Instead, the compromised machines in the attacker’s botnet send millions of pings, as if a vast number of machines were trying to connect to that service all at once.

Because the compromised “zombie” computers and other devices that make up a hacker’s botnet all have different IP addresses, companies often have a hard time defending their resources against DDoS incidents. A simple countermeasure once a DoS attack is detected would involve blocking all requests from the offending IP address, but in the case of DDoS, more sophisticated defenses are necessary.
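The contrast drawn above, a single-source block that works against a DoS but not against a botnet, as an added illustration that is not from the original article or any of its cited sources; the addresses, per-client limit, server capacity and request counts are all constructed:

```python
"""Why blocking one offending address stops a DoS but not a DDoS (constructed data)."""
from collections import Counter

PER_IP_LIMIT = 50   # hypothetical: requests per window one client may send before being blocked
CAPACITY = 300      # hypothetical: requests per window the server can actually serve


def constructed_dos(legit=100, attacker=500):
    """Background traffic from 20 legitimate clients plus one flooding source."""
    legit_reqs = [f"198.51.100.{i % 20}" for i in range(legit)]
    return legit_reqs + ["203.0.113.7"] * attacker


def constructed_ddos(legit=100, bots=500):
    """Same background traffic, but the flood comes from `bots` distinct sources, one request each."""
    legit_reqs = [f"198.51.100.{i % 20}" for i in range(legit)]
    return legit_reqs + [f"10.{i // 256}.{i % 256}.2" for i in range(bots)]


def per_ip_block(requests, limit=PER_IP_LIMIT):
    """The simple DoS countermeasure: drop every request from any source over `limit`.
    Returns (surviving requests, set of blocked addresses)."""
    counts = Counter(requests)
    blocked = {ip for ip, n in counts.items() if n > limit}
    return [ip for ip in requests if ip not in blocked], blocked


def server_overloaded(requests, capacity=CAPACITY):
    """True when the load that reaches the server exceeds what it can serve."""
    return len(requests) > capacity


def aggregate_view(requests, capacity=CAPACITY):
    """Detection that does not hinge on any single source: total load against capacity,
    how many distinct sources produce it, and how much the busiest one contributes."""
    counts = Counter(requests)
    return {
        "total": len(requests),
        "distinct_sources": len(counts),
        "top_source_share": round(max(counts.values()) / len(requests), 3),
        "overloaded": server_overloaded(requests, capacity),
    }


if __name__ == "__main__":
    for name, reqs in (("DoS", constructed_dos()), ("DDoS", constructed_ddos())):
        surviving, blocked = per_ip_block(reqs)
        print(name, "blocked:", blocked, "still overloaded:", server_overloaded(surviving))
        print("   ", aggregate_view(reqs))
```

In the DoS case the per-address rule removes the flood and the server recovers; in the DDoS case no single bot crosses the limit, so the same rule blocks nothing and only the aggregate view (hundreds of new sources, none dominant, total over capacity) reveals the attack.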

What Are the Three Main Types of DDoS Attacks?

While the one-or-many distinction between DoS and DDoS attacks is clear, DDoS attacks themselves can be divided into three categories. The division is based on how the hacker achieves the goal of creating so much traffic that the target network, site, or other resource becomes inaccessible.

Sometimes, the damage caused by a cybercriminal is not directly connected to the size of the botnet involved, but rather tied to the types of bogus requests being generated. CSO magazine listed the three types of DDoS attacks as follows:

  • Volume-based attacks are measured by the sheer amount of traffic sent to a site. The hacker behind one of these incidents is simply trying to send as many requests as possible in an allotted span of time, potentially using a vast number of captured devices to produce the necessary pings.
  • Network-layer DDoS attacks, also known as protocol attacks, target the infrastructure behind networks. Because these attacks are about packets of information rather than raw bits, they are measured in packets per second.
  • Application-layer attacks affect apps directly rather than compromising the infrastructure that powers those software tools. They are measured in requests per second, because hackers use their networks of computers and other devices to continuously request access to the app’s services, creating too much traffic and bringing the software down.

Rather than using those same three types, Norton broke DDoS incidents down into two categories based on their intended outcomes: flooding and crashing.

  • A flooding attack is any attempt to use an overwhelming flood of data to take down a server. An ICMP flood or ping flood happens when an attacker sends data packets to affect a whole group of connected computers, bringing that poorly configured network down. A SYN flood is slightly different, using uncompleted “handshakes” between host, server, and user to fill up every port on the target server.
  • A crashing attack is the less common variant of DDoS. It is based on bombarding the targeted system with inputs that trigger bugs in weak points of the infrastructure. Once those unpatched flaws are exploited, the system crashes.
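The uncompleted handshakes that define a SYN flood leave a measurable trace on the server side, and the following added example (not from the original article or its cited sources) shows how a defender can account for them; the packet records, client addresses and backlog size are constructed, and the flag strings are a simplification of real TCP headers:

```python
"""SYN-flood detection by accounting for unfinished handshakes (constructed trace)."""
from collections import defaultdict

BACKLOG = 128  # hypothetical: half-open connections one listening port can hold


# Each record: (direction as seen by the server, client_ip, client_port, server_port, tcp_flags)
def constructed_trace(legit_clients=5, flood_syns=200):
    trace = []
    for i in range(legit_clients):                      # complete three-way handshakes
        cl, cp = f"198.51.100.{i}", 40000 + i
        trace += [("in", cl, cp, 443, "S"), ("out", cl, cp, 443, "SA"), ("in", cl, cp, 443, "A")]
    for i in range(flood_syns):                         # SYNs whose SYN-ACK is never acknowledged
        cl, cp = f"203.0.113.{i % 256}", 1024 + i
        trace += [("in", cl, cp, 443, "S"), ("out", cl, cp, 443, "SA")]
    return trace


def handshake_state(trace):
    """Replay the trace; map each (client_ip, client_port, server_port) to 'syn_rcvd' or 'established'."""
    state = {}
    for direction, ip, cport, sport, flags in trace:
        key = (ip, cport, sport)
        if direction == "in" and flags == "S":
            state[key] = "syn_rcvd"
        elif direction == "in" and flags == "A" and state.get(key) == "syn_rcvd":
            state[key] = "established"
    return state


def half_open_by_port(state):
    """Per server port, the handshakes still waiting for the client's final ACK."""
    pending = defaultdict(int)
    for (_, _, sport), st in state.items():
        if st == "syn_rcvd":
            pending[sport] += 1
    return dict(pending)


def completion_ratio(state):
    """Share of handshakes that finished: near 1.0 normally, near 0 during a flood."""
    return sum(st == "established" for st in state.values()) / len(state) if state else 1.0


def syn_flood_alarm(state, backlog=BACKLOG):
    """Ports whose half-open count exceeds the backlog the server can hold."""
    return {port: n for port, n in half_open_by_port(state).items() if n > backlog}


if __name__ == "__main__":
    st = handshake_state(constructed_trace())
    print(half_open_by_port(st), round(completion_ratio(st), 3), syn_flood_alarm(st))
```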

How Do You Prevent a DDoS Attack?

Effective defenses against DDoS attacks can take many forms, with IT personnel stepping up to either counteract these intrusions as soon as they are detected or create proactive defenses that will prevent companies from becoming targets in the first place.

CSO noted that the first step to mitigating DDoS attacks is simply to include these types of incidents in the business’s overall disaster recovery plan. When organizations have specific steps to follow, including everything from digital countermeasures to media messaging, there will be less panic in the moment and more ability to swiftly coordinate efforts against the hackers.

While preparation is one essential step in battling DDoS attacks, there is also a need for improvisation in the moment. Once it’s confirmed that such an incident is underway, IT personnel have to be as adaptable and determined as the hackers trying to break their defenses down.

CSO specified that in the past decade, hackers have started to monitor recovery efforts undertaken against their DDoS attacks, modifying their tactics in real time to keep the attack going. The IT security response must match each of these new strikes. As an added wrinkle of complexity, sometimes the secondary attack is completely different in nature, with the DDoS intrusion acting as a cover for the hacker’s real goal.

Norton added that companies can take steps against DDoS attackers in the way they choose and configure their routers and other network hardware. When a company has the latest generation of firewalls installed and all of its equipment is fully patched and updated, hackers will have a harder time finding gaps in the system through which they can send their bogus packets.

As with so many modern cybersecurity practices, the battle against DDoS attacks is a matter of combining the right technology investments with best practices. IT departments should ensure their resources are difficult targets by installing the latest hardware and software patches, but must also stand ready to combat the intrusions in real time, if and when a hacker manages to get through the outer defenses and bombards the servers with traffic.

What Can You Learn About Digital Security in an Information Systems Degree Program?

Information systems careers are some of the most important roles in organizations of all types today, because they exist at the connective point between business departments and IT. The people in these roles are tasked with figuring out the best technologies and strategies for their companies from this dual perspective. Unsurprisingly, these employees should be well-versed in security, with experience in battling DDoS attacks and other types of intrusion attempts.

Education in this field encompasses learning about state-of-the-art IT defenses and threat mitigation. Studying in the online Bachelor of Science in Information Systems program from the University of Alabama at Birmingham’s Collat School of Business is one way to pick up critical security knowledge that may pay off in a corporate IT setting.

Network security is one of the subjects approached in the core course Business Data Communications. This class also provides a general overview of working with local and wide-area networks, ensuring graduates are ready to help their employers optimize the way they store and transfer data.

Students especially interested in taking on security responsibilities in their professional roles can select the elective course Information Security Management. This class, concerned entirely with the major concepts behind protecting resources against digital threats, encompasses risk management, policy creation, and disaster recovery. Upon finishing this class, participants will understand how to perform a security audit, design defenses, and manage the uncertainty inherent to today’s threat landscape.

To learn more about the online BSIS and find out if this degree fits into your plans for career advancement, visit the program page.

Sources:

CSO — DDoS protection, mitigation and defense: 8 essential tips

Kaspersky — What is a DDoS Attack? – DDoS Meaning

Norton — What are Denial of Service (DoS) attacks? DoS attacks explained

CSO — DDoS explained: How distributed denial of service attacks are evolving