Distributed Denial of Service (DDoS) Attacks
Security model & threats
Paul Krzyzanowski
April 13, 2025
1. Introduction
Denial of Service (DoS) attacks are malicious attempts to disrupt the availability of systems or services by overwhelming them with excessive traffic or resource-heavy requests. These attacks exploit asymmetries in computing, where it is often far easier to send requests than to process them. The main objective is to make the target system unresponsive or unavailable to legitimate users.
DoS attacks come in various forms: flooding services, triggering system crashes, or exhausting network bandwidth. Traditional DoS attacks originate from a single source, but Distributed Denial of Service (DDoS) attacks are launched from a globally distributed network of compromised devices, coordinated through a botnet. This multiplicity makes DDoS far harder to mitigate.
2. Characteristics and Techniques
Understanding how DDoS attacks are constructed and executed is essential to defending against them. These attacks are not random floods of traffic but carefully engineered operations that exploit structural and behavioral properties of computer networks and systems.
Various methods enable attackers to scale up traffic, obscure their identities, and bypass simple filtering mechanisms.
Asymmetry Exploits
DDoS attacks often take advantage of computational asymmetries, where the effort required to send a request is significantly less than the effort required to process it. A single command might force a server to allocate memory, open database connections, or perform CPU-intensive calculations, rapidly consuming system resources.
IP Spoofing and Return Address Manipulation
Attackers can forge source IP addresses in packets, a tactic known as IP spoofing. This conceals the attacker’s identity, avoids response traffic, and can redirect attack responses to a third-party target. IP spoofing is especially effective with stateless protocols like UDP.
Reflection
In reflection attacks, requests are sent to intermediary servers with the source IP set to the victim’s address. The servers then reflect the responses to the target. Since the traffic appears to come from legitimate services, this technique also evades some basic filtering.
Amplification
Amplification refers to sending small queries to services that return disproportionately large responses. This dramatically boosts attack volume. For example, a 60-byte DNS query may trigger a 4,000-byte response. Combined with reflection and spoofing, amplification enables massive bandwidth attacks with minimal input.
Botnets
Botnets are large networks of compromised systems (zombies) that can be remotely controlled. These include personal computers, servers, and increasingly, poorly secured IoT devices. Botnets allow attackers to launch coordinated floods from many sources, bypassing per-source rate limits and overwhelming even robust infrastructures.
3. Categories of DDoS Attacks
- Volumetric Attacks: These attacks seek to saturate the target’s Internet bandwidth by overwhelming it with high volumes of data. Examples include UDP floods, ICMP floods, and TCP floods. Their size is measured in bits per second (bps).
- Packet-per-Second Attacks: These attacks overwhelm routers and firewalls by sending a very large number of packets per second. High PPS attacks exploit the inability of these devices to process packets fast enough, so their packet buffers overflow and packets are dropped.
- Application-Layer Loops: Application-layer attacks target specific applications (e.g., HTTP servers) or protocols. Some DDoS variants use malformed packets or manipulate services like TFTP or DNS to create infinite loops of responses, trapping servers in a feedback cycle.
4. Reflection and Amplification in Depth
Reflection attacks exploit the trust in public UDP services. Attackers send requests to servers like DNS or NTP with the victim’s IP address as the source. The server sends its response to the victim, allowing the attacker to stay anonymous while the victim bears the traffic.
Amplification is measured by the ratio of response size to request size. Services with large amplification factors can be devastating in DDoS attacks.
| Protocol | Amplification Factor | Notes |
|---|---|---|
| Memcached | Up to 51,200x | Massive amplification when exposed. |
| NTP (Monlist) | 556x | Returns the IP addresses of prior clients. |
| DNS | 50–179x | ANY queries can return many records. |
| CLDAP | 56–70x | Connectionless LDAP, the Windows protocol used for Active Directory queries. |
| DTLS | 37x | Exploited when misconfigured to respond to small pings. |
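From the victim's side, reflected traffic has a tell-tale shape: UDP "replies" from well-known service ports that no request from the victim's network ever solicited. The following detector, an added example that is not part of these notes, keeps a short window of outbound UDP requests and flags inbound packets from reflector ports with no matching request, then ranks the servers by bytes delivered. The flow-record format, the `10.0.0.` internal prefix, the 5-second window and the sample flows are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (see the amplification table), keyed by port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 11211: "memcached"}
INTERNAL_PREFIX = "10.0.0."   # assumption: the address space this sensor protects
REQUEST_WINDOW = 5.0          # seconds an outbound request stays valid for matching a reply


@dataclass(frozen=True)
class Flow:
    """One packet or flow record as exported by an edge sensor (constructed format)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def find_unsolicited_responses(flows, window=REQUEST_WINDOW):
    """Inbound UDP replies from reflector ports that no recent outbound request explains.

    Returns {(server_ip, service): {"packets": n, "bytes": total}}.
    """
    requests = {}                              # (our ip, our port, server ip, server port) -> last ts
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "udp":
            continue
        outbound = is_internal(f.src) and not is_internal(f.dst)
        inbound = is_internal(f.dst) and not is_internal(f.src)
        if outbound and f.dport in REFLECTOR_PORTS:
            requests[(f.src, f.sport, f.dst, f.dport)] = f.ts
        elif inbound and f.sport in REFLECTOR_PORTS:
            last = requests.get((f.dst, f.dport, f.src, f.sport))
            if last is not None and 0 <= f.ts - last <= window:
                continue                       # a reply to a request we really sent
            entry = stats[(f.src, REFLECTOR_PORTS[f.sport])]
            entry["packets"] += 1
            entry["bytes"] += f.nbytes
    return dict(stats)


def rank_reflectors(stats, min_packets=2):
    """Sort suspected reflectors by bytes delivered; drop one-off noise below min_packets."""
    rows = [(server, service, s["packets"], s["bytes"], s["bytes"] // s["packets"])
            for (server, service), s in stats.items() if s["packets"] >= min_packets]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample: one legitimate DNS exchange, then reflected traffic arriving at
# 10.0.0.9 from a memcached server and an NTP server that nobody inside ever queried.
SAMPLE_FLOWS = [
    Flow(0.00, "10.0.0.5", 40001, "192.0.2.1", 53, "udp", 64),      # our DNS query
    Flow(0.02, "192.0.2.1", 53, "10.0.0.5", 40001, "udp", 120),     # its reply (expected)
    Flow(1.00, "203.0.113.7", 11211, "10.0.0.9", 80, "udp", 1400),  # unsolicited memcached
    Flow(1.01, "203.0.113.7", 11211, "10.0.0.9", 80, "udp", 1400),
    Flow(1.02, "203.0.113.7", 11211, "10.0.0.9", 80, "udp", 1400),
    Flow(1.05, "198.51.100.3", 123, "10.0.0.9", 80, "udp", 482),    # unsolicited NTP
    Flow(1.06, "198.51.100.3", 123, "10.0.0.9", 80, "udp", 482),
    Flow(1.10, "198.51.100.9", 123, "10.0.0.9", 80, "udp", 482),    # one packet: below min_packets
]

if __name__ == "__main__":
    for row in rank_reflectors(find_unsolicited_responses(SAMPLE_FLOWS)):
        print("%-14s %-9s packets=%d bytes=%d avg=%d" % row)
```

The per-server byte counts are what an upstream provider needs in order to rate-limit or filter the reflectors, and the average response size gives a rough lower bound on the amplification the attacker is obtaining from each one.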
5. Botnets and C&C Infrastructure
A botnet is controlled via a Command & Control (C&C) system. The controller issues commands to the bots, which may be located in diverse geographic locations. Many well-known botnets like Mirai leverage insecure IoT devices and use common services like IRC, HTTP, or custom TCP protocols for coordination.
Modern botnets use stealthy techniques to evade detection:
- DNS Tunneling: Encodes command data in domain lookups or responses.
- DGAs (Domain Generation Algorithms): Bots algorithmically create domains, making takedown difficult.
- Fast-Flux Networks: Rotate DNS records rapidly to evade blacklists.
- Encrypted C&C: Use of HTTPS or custom encryption hides payloads within standard traffic.
These methods allow botnets to persist, reconstitute after takedown attempts, and avoid intrusion detection systems.
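Of the evasion techniques listed, DGAs leave the clearest footprint in a resolver's logs: a bot tries many algorithmically generated names, most of which nobody registered, so its lookups fail (NXDOMAIN) and the names look random. The profiler below is an added example, not from these notes: it parses a constructed resolver log, computes each client's NXDOMAIN ratio and the Shannon entropy of the queried labels, and flags clients above assumed thresholds. The log format, the thresholds and the sample names are all constructed; the second-level-label extraction is deliberately naive (it does not know public suffixes such as `co.uk`).

```python
import math
from collections import defaultdict


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a query name (naive: unaware of public suffixes like co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_line(line):
    """Constructed resolver log format: '<epoch> <client-ip> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname, rcode


def profile_clients(lines):
    """Per-client NXDOMAIN ratio, mean label entropy and distinct-domain ratio."""
    acc = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy": 0.0, "domains": set()})
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        label = registrable_label(qname)
        a = acc[client]
        a["queries"] += 1
        a["nxdomain"] += int(rcode == "NXDOMAIN")
        a["entropy"] += label_entropy(label)
        a["domains"].add(label)
    return {
        client: {
            "queries": a["queries"],
            "nx_ratio": a["nxdomain"] / a["queries"],
            "mean_entropy": a["entropy"] / a["queries"],
            "distinct_ratio": len(a["domains"]) / a["queries"],
        }
        for client, a in acc.items()
    }


def suspected_dga_clients(lines, nx_ratio=0.5, mean_entropy=3.0, min_queries=5):
    """Clients whose lookups mostly fail and look random. Thresholds are assumptions to tune."""
    return sorted(
        client for client, p in profile_clients(lines).items()
        if p["queries"] >= min_queries
        and p["nx_ratio"] >= nx_ratio
        and p["mean_entropy"] >= mean_entropy
    )


# Constructed log: a normal client, a client making typos, and a client showing DGA behaviour.
SAMPLE_LOG = """\
1700000000 10.0.0.5  google.com.      NOERROR
1700000001 10.0.0.5  github.com.      NOERROR
1700000002 10.0.0.5  example.org.     NOERROR
1700000003 10.0.0.5  cloudflare.com.  NOERROR
1700000004 10.0.0.5  nytimes.com.     NOERROR
1700000000 10.0.0.8  gogle.com.       NXDOMAIN
1700000001 10.0.0.8  google.com.      NOERROR
1700000002 10.0.0.8  githb.com.       NXDOMAIN
1700000003 10.0.0.8  github.com.      NOERROR
1700000004 10.0.0.8  example.org.     NOERROR
1700000005 10.0.0.8  nytimes.com.     NOERROR
1700000000 10.0.0.23 q7xv2kpa9zwl.net.   NXDOMAIN
1700000000 10.0.0.23 mz4rt8bhcyq2.com.   NXDOMAIN
1700000001 10.0.0.23 v9fkw3dsplm7x.org.  NXDOMAIN
1700000001 10.0.0.23 h2tqn6ybxrk8.info.  NXDOMAIN
1700000002 10.0.0.23 c5wzjm9rvpq3k.net.  NXDOMAIN
1700000002 10.0.0.23 p8xklt4fgz2n.com.   NXDOMAIN
1700000003 10.0.0.23 r3yvhw7mqzk5.org.   NXDOMAIN
1700000003 10.0.0.23 b6nkqx2tdw9s.net.   NOERROR
""".splitlines()

if __name__ == "__main__":
    for client, p in sorted(profile_clients(SAMPLE_LOG).items()):
        print(client, {k: round(v, 3) for k, v in p.items()})
    print("suspected:", suspected_dga_clients(SAMPLE_LOG))
```

The typo-prone client shows why the NXDOMAIN ratio and the entropy are combined rather than used alone: a third of its lookups fail, but the names are ordinary words, so it stays under both thresholds.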
6. Real-World Incidents and Trends
| Year | Peak Volume | Description |
|---|---|---|
| 2018 | 1.7 Tbps | Memcached-based attack targeting GitHub. |
| 2020 | 2.3 Tbps | CLDAP-based DDoS mitigated by AWS Shield. |
| 2022 | 3.47 Tbps | Microsoft Azure blocked a spoofed-source UDP flood. |
| 2023 | 398M RPS | Google Cloud faced the largest Layer 7 attack, delivered over HTTPS. |
| 2024 | 5.6 Tbps | IoT botnet targeted the telecom and finance sectors. |
| 2025 | 6.5 Tbps | Eleven11bot (a Mirai variant) led a record DDoS campaign. |
Trends show DDoS volume, speed, and frequency all increasing. IoT vulnerabilities and cloud hosting abuse are central to these developments. The market for DDoS-as-a-Service continues to lower the bar for attackers.
7. Defenses Against DDoS
Network-Level Techniques
- Overprovisioning: Mitigates short bursts but not sustained attacks.
- Rate Limiting: Controls traffic volume from individual sources.
- Traffic Shaping: Prioritizes essential or low-risk traffic.
- Blackhole Routing: Used to drop all traffic to a target IP under siege.
- Geo-IP Filtering: Limits access from geographic regions known for abuse.
Application-Level Defenses
- Web Application Firewalls (WAFs): Filter application-level attacks.
- CAPTCHAs and Rate Throttling: Thwart automated bots at login or query points.
- Content Delivery Networks (CDNs): Spread load and absorb volumetric attacks through edge caching.
Participation Controls
- Disable Vulnerable UDP Services: Prevent servers from being reflectors.
- Regular Patching and Configuration Audits: Fix exploitable software and harden exposed services.
- Behavioral Monitoring: Detect abnormal traffic patterns quickly.
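"Disable vulnerable UDP services" and "configuration audits" come down to a few concrete settings on the services in the amplification table. The auditor below is an added example, not from these notes: it checks a memcached command line for `-U 0` (UDP off) and a loopback `-l` bind, and an `ntp.conf` for `disable monitor` (closes the monlist query) and `noquery` on the `restrict default` line, reporting findings for the exposed form and none for the hardened form. The finding codes and the sample configurations are constructed; the option names are memcached's and ntpd's own.

```python
import shlex


def _opt_value(args, short, long):
    """Value of a short option ('-U 0' or '-U0') or long option ('--udp-port=0'); None if absent."""
    for i, a in enumerate(args):
        if a == short:
            return args[i + 1] if i + 1 < len(args) else None
        if a.startswith(short) and not a.startswith("--") and len(a) > len(short):
            return a[len(short):]
        if a.startswith(long + "="):
            return a.split("=", 1)[1]
    return None


def audit_memcached(cmdline):
    """Findings for a memcached command line. '-U 0' turns UDP off; '-l 127.0.0.1' keeps the
    daemon off the public interfaces. Finding codes are this example's own."""
    args = shlex.split(cmdline)
    findings = []
    udp = _opt_value(args, "-U", "--udp-port")
    if udp is None:
        findings.append("memcached:udp-port-not-pinned")   # build default decides; say -U 0 explicitly
    elif udp != "0":
        findings.append("memcached:udp-enabled")
    listen = _opt_value(args, "-l", "--listen")
    if listen is None or listen in ("0.0.0.0", "::"):
        findings.append("memcached:listens-on-all-interfaces")
    return findings


def audit_ntp_conf(text):
    """Findings for an ntp.conf: 'disable monitor' removes the monlist query; 'noquery' on
    every 'restrict default' line refuses control queries from arbitrary clients."""
    findings = []
    monitor_disabled = False
    default_restricts = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()          # drop comments, then tokenize
        if not tok:
            continue
        if tok[0] == "disable" and "monitor" in tok[1:]:
            monitor_disabled = True
        if tok[0] == "restrict":
            rest = [t for t in tok[1:] if t not in ("-4", "-6")]
            if rest and rest[0] == "default":
                default_restricts.append(set(rest[1:]))
    if not monitor_disabled:
        findings.append("ntp:monitor-enabled")
    if not default_restricts or any("noquery" not in r for r in default_restricts):
        findings.append("ntp:default-query-allowed")
    return findings


# Constructed configurations: the exposed form and the hardened form of each service.
WEAK_MEMCACHED = "memcached -p 11211 -U 11211 -m 64 -u memcache"
HARDENED_MEMCACHED = "memcached -p 11211 -U 0 -l 127.0.0.1 -m 64 -u memcache"

WEAK_NTP = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
HARDENED_NTP = """\
server 0.pool.ntp.org iburst
disable monitor                      # no monlist for anyone
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, findings in [("weak memcached", audit_memcached(WEAK_MEMCACHED)),
                           ("hardened memcached", audit_memcached(HARDENED_MEMCACHED)),
                           ("weak ntp", audit_ntp_conf(WEAK_NTP)),
                           ("hardened ntp", audit_ntp_conf(HARDENED_NTP))]:
        print("%-20s %s" % (name, findings or "clean"))
```

Checks like these belong in the same place as the rest of the host's configuration management, so that a reflector-capable service cannot quietly reappear after a reinstall or package upgrade.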
8. Conclusion
DDoS attacks are a major threat in modern cybersecurity. Their ability to exploit asymmetries in network architecture, abuse open services, and employ massive distributed infrastructures makes them formidable. Effective defense is challenging and requires a multi-layered strategy, continual monitoring, and the cooperation of ISPs, service providers, and endpoint operators.