
DDoS Attack: The Definitive Guide [2018 Update]

About the Author

Hey guys, it’s Aayush here.

Unlike most so-called cybersecurity “experts”, I publish what I preach.

And in this guide, I’m going to show YOU what DDoS attacks are, their types, their major causes, how to detect them and how to mitigate a DDoS attack. Keep reading till the end.


A Distributed Denial of Service (DDoS) attack is a coordinated attack carried out using a large group of compromised, infected machines, called zombies or bots, which send traffic to the victim in order to exhaust its network resources. The attackers aim to overwhelm and exhaust resources such as CPU, memory or link bandwidth by sending mass requests from the botnet. As a result, the network or website goes down and is unable to serve users’ requests: the network effectively stops responding to incoming traffic.

DDoS attacks are catastrophic and can bring down a server or network very quickly. To launch a DDoS attack, the attacker builds (or rents) a network of compromised hosts: a botnet.

A botnet is a large group of malware-infected machines, also referred to as zombies, that receive commands to perform the attack. Bots are controlled through a botnet architecture and a command-and-control system, which may be based on Peer-to-Peer (P2P), Internet Relay Chat (IRC), Hyper Text Transfer Protocol (HTTP) or Domain Name System (DNS).

One can easily find and rent botnets on the black market to perform the DDoS attack.

The attacker also takes advantage of these compromised hosts (collectively forming the botnet) to gather security-related information. In a DDoS attack, the victim can range from a single web server to the Internet connection of an entire university, an entire city or even an entire country.


Generally, four players participate in a successful DDoS attack: the master (attacker), the handlers, the agents and the victim.

The master, or attacker, initially attempts to bring some hosts in a network under its control by compromising them.

The handlers are malicious software (malware) residing on remote machines that are used by the attacker. The purpose of using a set of compromised computers (handlers) to launch DDoS attacks is mainly to make it harder to trace the attack back to the attacker (client).

The agents, the third set of players, are practically responsible for performing the attack. They typically consist of software on compromised machines through which the attack is performed.

Finally, the victim, the fourth player, may be a single target machine, a server or a network of many machines.


The DDoS attack is considered more damaging than a DoS attack and it usually takes more planning and diligence to initiate it.

A DDoS attack mainly involves four steps:

1. The attacker scans the whole network to find and recruit vulnerable hosts.

2. The vulnerable hosts are then compromised for exploitation by the attacker using malicious programs such as malware, Trojans or other backdoor programs.

3. The attacker infects the compromised hosts to create a base for the effective launch of the attack.

4. Finally, in the last stage, the attack is launched using the compromised hosts.

DDoS attacks are classified by various researchers in different ways, following different criteria. The following subsections present DDoS attack types based on the Open Systems Interconnection (OSI) layer at which the attack is launched, the volume of traffic generated and the rate at which the attack takes place.


DDoS attacks can be classified into seven categories based on the seven-layer OSI model. For a better understanding, have a look at the attacks seen at each network layer.

DDoS attacks at layer 1, the physical layer, include cutting cables, jamming, power surges (high-voltage attacks) and even Electromagnetic Pulse (EMP) attacks, which destroy electronic equipment over a wide area.

At layer 2, the data link layer, the attacks are generally MAC spoofing and MAC flooding.

At layer 3, the network layer, there are two main attacks: ICMP floods and Teardrop (overlapping IP segments).

Layer 4, the transport layer, sees many types of DDoS attack: SYN flood, RST flood, FIN flood, window size 0 (which behaves like Slowloris), connect attack, LAND (same IP as source and destination), ICMP echo and UDP flooding.

In a network or transport layer attack, the attacker tries to exhaust resources such as the bandwidth of the links which carry traffic to the victim, or the memory of devices such as routers, switches, and firewalls. To achieve this objective, the zombies send huge amounts of traffic in layers 3 and 4 to the victim.

Such an attack is normally large in volume ranging from a few Mbps to several hundreds of Gbps or even Tbps. Different network layer protocols such as Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) are used in such an attack.

At layer 5, the session layer, the major known attack is Slowloris.

At layer 6, the presentation layer, there are XML attacks, in which the attacker malforms or alters XML documents, as well as expensive repeated queries.

At layer 7, the application layer, the attacker uses application protocols such as HTTP and HTTPS to send traffic to the victim. Such traffic normally carries CPU-intensive queries that keep the server busy indefinitely.

The volume of traffic needed to bring a server down is comparatively lower than for the other type, i.e., a network layer attack. The traffic in an application layer attack is indistinguishable from legitimate traffic, making it very difficult to detect, as every attacking device is a genuine Internet device with a valid IP address.


In a DDoS attack, it is not always the zombies that send attack traffic to the victim. Servers running UDP-based services are often used by attackers to carry out massive DDoS attacks; such servers act as reflectors. Based on the nature of the attacking machines, DDoS attacks are classified into two categories: (1) direct and (2) reflector-based.

In a direct attack, the attacker uses zombies directly to launch DDoS attacks of various types. In contrast, in a reflection or amplification attack, many innocent intermediate nodes, known as reflectors, are used to generate an attack. The attacker sends requests to the reflector servers by spoofing the source IP as if it were the victim’s IP.

As a result, these servers reply to the victim by sending messages whose volume is normally many times larger than the original request message size. Hence, this type of DDoS attack is also called an amplification attack. The attacker uses this technique to amplify the attack traffic up to several hundred times. DNS amplification attacks and Network Time Protocol (NTP) attacks are examples of reflection-based DDoS attacks.


One can also classify DDoS attacks based on whether the attack traffic is sent to the victim directly or through intermediaries. In a direct attack, the attacker sends the attack traffic directly to the victim using a large number of compromised machines. In contrast, in an indirect DDoS attack, the attacker, instead of attacking the victim directly, attacks the links and other services the victim needs to remain functional. Link-flooding attacks such as Crossfire and Coremelt are examples of indirect DDoS attacks.


DDoS attacks can also be classified based on the volume of attack traffic, as low and high.

In a low-rate DDoS attack, the attacker usually performs the attack by sending attack traffic at a low rate matching the legitimate traffic profile. For example, in the case of an application layer attack, the attacker tries to exhaust the victim’s processing resources by sending it CPU-intensive queries. Similarly, in a shrew attack, the volume of the attack traffic is comparatively low.

In a high-rate DDoS attack, the attacker sends a huge volume of attack traffic toward the victim. It is the most common type of DDoS attack. High-rate legitimate traffic, sometimes called a flash crowd, is often mistaken for a DDoS flooding attack, resulting in legitimate user requests being dropped.

However, as has been pointed out, a flash crowd can be distinguished from malicious traffic by observing the rate at which new IP addresses are introduced over a sequence of time intervals. In a flash crowd, new IP addresses appear suddenly, resembling a flooding attack, but the rate of introduction of new IP addresses drops after some time, even though the high request rate from legitimate users may persist.
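The new-IP heuristic above is easy to turn into a detector. The following Python is an added example, not code from the original guide: it buckets requests into fixed intervals, counts how many source addresses in each interval have never been seen before, and labels the stream a flash crowd when that count collapses after the initial burst while the request rate stays high. The interval length, the warm-up period, the 25% threshold and both request streams are assumptions constructed for the example.

```python
"""Flash crowd vs. flooding attack: new-source-IP introduction rate per interval.

Added example, not part of the original guide. The two request streams are
constructed synthetically; interval length, thresholds and address ranges are
assumptions chosen for the example.
"""
from collections import defaultdict
import ipaddress
import random

INTERVAL = 10.0  # seconds per observation window (assumption)


def new_ip_rate_per_interval(requests, interval=INTERVAL):
    """requests: iterable of (timestamp_seconds, source_ip) tuples.

    Returns a list of (interval_index, total_requests, new_ips), where new_ips
    counts source addresses not seen in any earlier interval.
    """
    buckets = defaultdict(list)
    for ts, ip in requests:
        buckets[int(ts // interval)].append(ip)
    seen = set()
    rows = []
    for idx in sorted(buckets):
        ips = buckets[idx]
        new = {ip for ip in ips if ip not in seen}
        seen.update(ips)
        rows.append((idx, len(ips), len(new)))
    return rows


def classify(rows, warmup=2, new_ip_ratio=0.25):
    """Apply the heuristic from the text.

    Both a flash crowd and a flood start with a burst of never-seen addresses.
    After the first `warmup` intervals a flash crowd is mostly returning
    clients (few new IPs per request), whereas a flood, especially one with
    spoofed sources, keeps introducing new addresses at a high rate.
    """
    later = rows[warmup:]
    if not later:
        return "insufficient data"
    sustained = all(new / total > new_ip_ratio for _, total, new in later)
    return "flooding attack" if sustained else "flash crowd"


def make_flash_crowd(seed=1, n_users=250, intervals=6, per_user=4):
    """Constructed sample: a fixed population of users who all arrive in the
    first interval and keep returning afterwards (a link going viral)."""
    rng = random.Random(seed)
    base = int(ipaddress.IPv4Address("198.51.100.0"))  # documentation range
    users = [str(ipaddress.IPv4Address(base + i)) for i in range(n_users)]
    reqs = []
    for idx in range(intervals):
        for user in users:
            for _ in range(per_user):
                reqs.append((idx * INTERVAL + rng.random() * INTERVAL, user))
    return reqs


def make_flood(seed=1, intervals=6, per_interval=1000):
    """Constructed sample: every request carries a random (spoofed) source, so
    nearly every request in every interval comes from a never-seen address."""
    rng = random.Random(seed)
    reqs = []
    for idx in range(intervals):
        for _ in range(per_interval):
            ip = str(ipaddress.IPv4Address(rng.getrandbits(32)))
            reqs.append((idx * INTERVAL + rng.random() * INTERVAL, ip))
    return reqs


def demo():
    """Classify both constructed streams; returns a dict of labels."""
    return {
        "flash_crowd": classify(new_ip_rate_per_interval(make_flash_crowd())),
        "flood": classify(new_ip_rate_per_interval(make_flood())),
    }


if __name__ == "__main__":
    for name, maker in (("flash crowd", make_flash_crowd), ("flood", make_flood)):
        rows = new_ip_rate_per_interval(maker())
        print(name, [(total, new) for _, total, new in rows], "->", classify(rows))
```

On the constructed data the flash crowd shows 250 new addresses in the first interval and none afterwards, while the flood shows roughly 1000 new addresses in every interval. On real traffic the threshold and warm-up have to be tuned against a baseline, and a botnet of non-spoofed bots that all start at once will look like a flash crowd by this measure alone, so it is one signal among several rather than a verdict.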


In addition to the classification mentioned above, DDoS attacks can be classified based on other traffic characteristics, such as the dynamics of the attack traffic rate.


The attack rate reaches its maximum within a very short period of time. All zombies, after receiving a command from an attacker, start sending attack traffic at a constant rate. This type of attack creates a sudden packet flood at the victim end.


Instead of attacking the victim with full force instantly, the attacker gradually increases the traffic intensity toward the victim. An increasing-rate approach is adopted by the attacker to learn how the victim responds to attack traffic, so that the attacker can attempt to evade the victim’s detection mechanisms.


In this type of attack, the attacker activates a group of bots periodically to send attack traffic to the victim. Such a mechanism is used to remain undetected by a detection mechanism. Shrew is an example of a pulsing-rate DDoS attack: it sends short, synchronized bursts of traffic to disrupt TCP connections on the same link by exploiting a weakness in the TCP retransmission timeout mechanism.


As in the case of a pulsing rate attack, here also the attacker sends pulses of attack traffic to the victim. However, the zombies are divided into groups and these groups are activated and deactivated in different combinations. Such a subgroup attack approach is used by the attacker to remain disguised and carry on the attack for a longer period of time.

Here is the list of the most common DDoS attacks.


Under this type of attack, the aim is to take advantage of a weakness in the TCP connection sequence (the three-way handshake). The attacker sends mass SYN requests to the victim’s server, which exhausts its limited connection slots and overloads it, ultimately resulting in denial of service.
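The "limited slots" are the half-open connection entries a listener reserves for every SYN it answers. The standard defense, SYN cookies, removes that state entirely, and the Python below is an added example (not code from the original guide) of the idea: the server encodes a slow-moving counter, the client's MSS bucket and a keyed MAC of the connection 4-tuple into the initial sequence number it sends back, stores nothing, and only creates a connection when the client's final ACK returns a cookie that validates. The bit layout, MSS table, expiry window and addresses are assumptions for this example, loosely modelled on the idea behind the Linux implementation rather than copied from it.

```python
"""Simplified SYN-cookie listener: the standard defense against SYN floods.

Added example, not part of the original guide. The layout below is an
assumption: ISN = [5-bit counter][2-bit MSS index][25-bit truncated HMAC].
"""
import hashlib
import hmac
import os

SECRET = os.urandom(16)               # server-wide secret; rotated in real stacks
MSS_TABLE = (536, 1220, 1440, 1460)   # assumed MSS buckets; the index fits in 2 bits
COUNTER_MASK = 0x1F                   # 5-bit slow-moving counter (e.g. one tick a minute)
MAC_MASK = 0x1FFFFFF                  # low 25 bits carry the truncated MAC
MAX_AGE = 2                           # cookies older than 2 counter ticks are rejected


def _mac(src, dst, sport, dport, counter5):
    """Keyed MAC over the 4-tuple and the counter value the cookie was issued at."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter5}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src, dst, sport, dport, client_mss, counter):
    """Build the 32-bit ISN that replaces the server's half-open state."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:       # largest bucket not exceeding the client's MSS
            mss_idx = i
    counter5 = counter & COUNTER_MASK
    return (counter5 << 27) | (mss_idx << 25) | _mac(src, dst, sport, dport, counter5)


def check_cookie(src, dst, sport, dport, ack, now_counter):
    """Validate the cookie carried in the client's ACK (ack = ISN + 1).

    Returns the negotiated MSS on success, or None if the cookie is forged,
    belongs to another 4-tuple, or has expired.
    """
    isn = (ack - 1) & 0xFFFFFFFF
    counter5 = isn >> 27
    mss_idx = (isn >> 25) & 0x3
    age = (now_counter - counter5) & COUNTER_MASK
    if age > MAX_AGE:
        return None
    if (isn & MAC_MASK) != _mac(src, dst, sport, dport, counter5):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """Listener that stores nothing until the three-way handshake completes."""

    def __init__(self, local_ip, local_port):
        self.local_ip, self.local_port = local_ip, local_port
        self.counter = 0        # advanced by a timer in a real stack; see tick()
        self.established = {}   # (client_ip, client_port) -> negotiated MSS

    def tick(self):
        self.counter += 1

    def on_syn(self, src, sport, client_mss):
        # No half-open entry is created, so a flood of SYNs cannot exhaust a table.
        return make_cookie(src, self.local_ip, sport, self.local_port,
                           client_mss, self.counter)

    def on_ack(self, src, sport, ack):
        mss = check_cookie(src, self.local_ip, sport, self.local_port,
                           ack, self.counter)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def demo():
    """Many unanswered SYNs leave no state; one genuine handshake completes.

    Returns (number of established connections, whether the real ACK validated).
    """
    srv = SynCookieListener("198.51.100.1", 443)          # constructed addresses
    for i in range(10000):                                # SYNs that never complete
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 1460)
    isn = srv.on_syn("192.0.2.7", 40000, 1460)            # one legitimate client
    srv.tick()                                            # its ACK arrives a tick later
    ok = srv.on_ack("192.0.2.7", 40000, (isn + 1) & 0xFFFFFFFF)
    return len(srv.established), ok
```

The trade-off real stacks make is visible in the layout: only a few bits are left for options, which is why Linux enables cookies only once the SYN backlog overflows rather than all the time. The MAC is what makes the cookie worth anything; without it an attacker could complete handshakes with spoofed sources by guessing the ISN.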


Under this attack, the attacker aims to bombard the victim’s network resources by amplifying the size of the data sent to the victim to many times that of the original request. The larger the data, the more resources it consumes, ultimately resulting in denial of service.


Under the Slowloris attack, each time a client opens a connection and sends a request, the listener opens a socket and establishes a new connection, then another, and another, and so on. The attacker exploits the process-based model by opening a large number of concurrent connections and holding them open for as long as possible with the least amount of bandwidth possible, ultimately resulting in denial of service.


In a ping of death attack, when a large IP packet has to be transferred it is split into multiple small fragments, and the recipient host reassembles the fragments into one packet. The attacker manipulates the fragment sizes so that, upon reassembly, the recipient ends up with an oversized packet. This overflows the memory allocated for the packet, ultimately resulting in denial of service.

Attackers generally target Websites or databases as well as enterprise networks by gathering information on their weaknesses. But apart from finding vulnerabilities, there are other causes of DDoS attack as well.


The easy accessibility of a large number of attack tools floating around in the public domain is one of the major causes of networks or organizations frequently coming under DDoS attack. With the evolution of new DDoS attack tools, several novel and practical machine learning approaches have been used for DDoS attack detection and prevention. The relevance and effectiveness of such methods are mostly judged by their performance in terms of classification accuracy and execution time.

One can easily set up and use these tools to launch attacks by sending unsolicited traffic to the victim from distributed armies of bots or compromised computers on the Internet. This unsolicited traffic is enough to paralyze the victim so that it no longer functions or provides service to legitimate users by consuming all of its resources and network bandwidth.


The vulnerable architecture of the Internet is another major cause: it allows the attacker to easily spoof the source IP (SIP) addresses of attack packets, thus making the attack more difficult to detect. Further, detecting malicious traffic becomes even harder if its volume and pattern are similar to those of legitimate traffic, making the malicious traffic unobtrusive.

Several design issues of the original Internet are also responsible. Some of these are (i) the existence of complex edges but simple cores, (ii) link bandwidth mismatch between core and edge networks, (iii) simple routing principles, (iv) lack of centralized network management, and (v) the habit of sharing reserved resources across data centers.


Another major cause is the easy availability of botnets on the black market. One can easily rent a botnet consisting of millions of Internet of Things (IoT) devices. Botnets are available to rent for a specific period, such as a week, or for one or two attacks.

We refer to a DDoS attack as fast when it generates a large number of packets or extremely high-volume traffic within a very short time, say a fraction of a minute, to disrupt service. An attack is referred to as a slow attack if it takes minutes or hours to complete the process.

To counter the rapid emergence of external and internal threats to networks and resources, researchers have looked at a variety of approaches such as intrusion detection systems (IDS), intrusion prevention systems (IPS), intrusion response systems (IRS) and intrusion tolerance systems (ITS). Among these, IDS and IPS are important components of a layered security infrastructure. To execute an attack on a network or a system, an attacker generally follows four main steps:

(a) the attacker scans the whole network to find and recruit vulnerable hosts;

(b) the vulnerable hosts are then compromised for exploitation by the attacker using malware or backdoor programs;

(c) the attacker infects the compromised hosts to create a base for the effective launching of an attack; and

(d) finally, the attack is launched using the compromised hosts.

A generic DDoS defense solution comprises three modules: monitoring, detection and reaction. In this section I focus mainly on monitoring and detection; the reaction module is covered in the next section.


The monitoring module collects the necessary information on the state of the network at various points within it. To identify unauthorized services, one should look not only at external traffic but also at internal traffic; otherwise one will miss internal hosts involved in unauthorized activities.


The detection module identifies any misuse or anomalous behavior in a network and generates reports for the administration. Intrusion detection is primarily focused on identifying possible intrusive patterns, incidents or activities and reporting them in a timely and meaningful manner. The detection module analyzes relevant network traffic information to identify possible security breaches, which include both misuses and anomalies.

Detection techniques of distributed denial-of-service attacks.


Misuse detection searches for definite patterns (i.e., signatures, rules, or activities) in the captured network traffic to identify previously known DDoS intrusion types. Such detection techniques usually exhibit high detection rates with low numbers of false alarms. However, a misuse detection technique fails to detect unknown DDoS intrusion types.


Anomaly-based detection techniques aim to identify new intrusion types in addition to the detection of known types. Such techniques analyze network traffic behavior and attempt to detect unusual patterns at an early stage.

The three main symptoms of a DDoS attack are as follows:

1. A website becomes extremely slow.

2. A website does not load at all.

3. A website becomes unavailable.

In the next section, you will learn about precautionary measures and what to do when you are under attack.

Intrusion prevention is performed by a software or hardware device that can intercept detected threats in real time and prevent them from moving closer toward victims. It is a useful approach against DDoS, flooding, and brute force attacks. Today, the general lack of adequate security infrastructure across the Internet is a major cause of the tremendous pressure faced by Internet Service Providers to prevent and mitigate DDoS attacks on their infrastructure and services, on their own.

For effective prevention, one must be able to detect source(s) early and then initiate appropriate action(s) to identify the attack sources. Since DDoS is a coordinated attack, it is not straightforward to identify the attack sources in real time. Further, spoofing of source IP addresses in the attack packets complicates attempts at reliable DDoS prevention.

Most prevention methods act upon detection of DDoS attacks in one or more of the following ways: (a) by reconfiguring the security mechanisms such as firewalls or routers to block future attacks, (b) by removing malicious content from the attack traffic by filtering out possible attack packets, or (c) by appropriate browser setting and by reconfiguring other security and privacy controls to avoid occurrence of future attacks.

However, for effective DDoS prevention, identification of the true attack source(s) is essential, even though it is a daunting task due to the open and decentralized structure of the Internet. IP traceback is one powerful candidate among the mechanisms used to identify the true source of attacks in a network.


As we have discussed earlier, in a DDoS attack, attackers mostly use zombies or reflectors to send attack packets to the victim machine using spoofed IP addresses. One can attempt to detect the attack source manually as well as automatically. It may be performed either at the victim end or from intermediate routers and traced back to the original source end. Typically, a hop-by-hop traceback mechanism is used from router to router. Therefore, for successful identification of the attack source, co-operation among networks is highly essential. However, manual traceback is a tedious and time-consuming process. To expedite the process, researchers have introduced automated traceback schemes.


In link testing, the victim conducts a test on each of its incoming links as a probable input link for a DDoS attack traffic. If the test result is positive, it contacts the upstream router(s) closest to the victim. The contacted router then initiates an interactive traceback process recursively with its upstream routers until the true source of the attack is identified. This scheme has at least three main advantages: (i) it can discover attackers of flooding attacks reliably, (ii) it is cost effective due to relatively low network overhead, and (iii) the scheme can be replicated in a distributed manner easily. It has several limitations as well. One major limitation is the generation of additional traffic, which usually consumes significant network resources. One can apply link testing to detect attack sources in two distinct ways: (i) input debugging and (ii) controlled flooding.

In the input debugging scheme, the first task is to recognize an attack at the victim. Once an attack is recognized, the next task is to generate an attack signature based on the common features of attack packets. The victim then sends a message to an upstream router for installation of an input debugging filter on the egress port. It is expected that such a filter will reveal the associated input ports and the upstream routers responsible for the generation of the attack traffic.

The process is repeated recursively until the source of the attack is detected. This scheme is often successful in identifying the true sources of DDoS attacks because of its distributed nature. Its limitations include facts such as (i) the cost of management of resources used to support prevention is significantly high, (ii) the network and router overhead is large, (iii) it consumes a significantly large amount of time to communicate with upstream routers, and (iv) it requires skilled network professionals for effective traceback operation.

The controlled flooding traceback scheme, introduced by Burch and Cheswick, works automatically without the involvement of network operators. The scheme floods the incoming links on the router with high rate (bursty) network traffic and then observes the response from attackers. It chooses the incoming links nearest the victim and uses a pre-generated map of Internet topology, including a few selected hosts.

There is a high dropping probability for packets (including the attacker’s packets) traveling across the loaded links. The victim can infer the attack links by computing the changes in packet arrival rates. This process is then recursively applied on the upstream routers until the source of an attack is reached. It is a very effective traceback technique. However, like the previous schemes, it also suffers from three major limitations: (i) It has high management overhead, (ii) It requires coordination among routers or switches or even ISPs, and (iii) It requires skilled network administrators.


Packet marking is a significant recent addition to the techniques used for the identification of the origin of DDoS attacks. In a packet-marking scheme, routers mark forwarding packets either deterministically or probabilistically, with their own addresses. So, when an attack occurs, the victim uses the marked information associated with the packet to trace back to the attack source.
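To make the packet-marking idea concrete, the Python below is an added example (not code from the original guide) that simulates the simplest probabilistic variant, node sampling as introduced by Savage et al.: every router on the path overwrites a single mark field with its own address with probability p, and the victim, after collecting marks from many packets, ranks the addresses by frequency. A router d hops from the victim keeps its mark only if none of the d-1 routers after it overwrite it, so the nearest router is seen most often and the frequency order reproduces the path. The four-router topology, the addresses and p = 0.5 are constructed for this example.

```python
"""Probabilistic packet marking (node sampling) and victim-side path reconstruction.

Added example, not part of the original guide. Topology, addresses and the
marking probability are constructed for illustration.
"""
from collections import Counter
import random

# Constructed path, listed attacker-side first and victim-side last.
EXAMPLE_PATH = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]


def forward_with_marking(path, rng, p=0.5):
    """Carry one packet along `path`; return the mark the victim receives.

    Each router overwrites the mark with its own address with probability p,
    so a router closer to the victim can erase the mark of a farther one.
    """
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def expected_mark_probability(hops_from_victim, p=0.5):
    """P(the router d hops from the victim is the surviving mark) = p (1-p)^(d-1)."""
    return p * (1 - p) ** (hops_from_victim - 1)


def reconstruct_path(marks):
    """Victim side: order the observed marks by frequency, nearest router first."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]


def simulate(path=EXAMPLE_PATH, n_packets=20000, p=0.5, seed=7):
    """Mark many packets and return (reconstructed path nearest-first,
    observed mark frequency per router)."""
    rng = random.Random(seed)
    marks = [forward_with_marking(path, rng, p) for _ in range(n_packets)]
    counts = Counter(m for m in marks if m is not None)
    freqs = {router: counts[router] / n_packets for router in path}
    return reconstruct_path(marks), freqs


if __name__ == "__main__":
    order, freqs = simulate()
    for d, router in enumerate(order, start=1):
        print(f"{d} hop(s) from victim: {router} observed {freqs[router]:.3f}, "
              f"expected {expected_mark_probability(d):.3f}")
```

Two properties of the scheme show up directly in the numbers. Convergence is slow: the farthest router is seen with probability p(1-p)^(d-1), so long paths need many thousands of attack packets before the ordering is stable, which is fine for floods but useless for low-rate attacks. And because a router writes its mark with probability p, a mark the attacker pre-filled survives untouched with probability (1-p)^d, so the victim cannot fully trust the rarest marks; the published edge-sampling schemes squeeze more information into the 16-bit IP identification field to address both limits.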


In the packet logging approach, routers store packet information so that such information can be used to trace an attack long after the attack has completed. One can use data mining techniques on the logged packet data to determine the path that the packets may have traversed. The main advantages of this method are (i) it stores packet log information historically for future investigation, (ii) it is easy to trace back, and (iii) it can be easily deployed in a distributed manner. However, it requires high storage space to store historical data and also has high network overhead and high management overhead.


In this mechanism, the router generates ICMP traceback messages that include the content of forwarded packets along with information about adjacent routers and sends them to the destination. When flooding attacks occur, the victim uses these ICMP messages to construct attack graphs back to the attacker. The traceback messages help the victim find the original source of the attack.

This mechanism relies on an input debugging capability that is not enabled in many router architectures. As a result, it may be difficult to establish a connection between a participating router and a non-participating router. ICMP traceback is effective in terms of network overhead as it incurs low management cost. Moreover, the approach can be distributed easily and is able to effectively detect attack paths during flooding attacks.

No matter what you think, there is no foolproof method to stop a DDoS attack. As technology advances, attackers keep finding new ways to attack that no one can detect or prevent. Still, there are some ways to stop these attacks or minimize your loss. Let’s see some ways you can secure your system.


A DDoS defense system typically reacts with two basic components, a passive and an active component. The passive component, composed of a set of procedures, inspects the system’s configuration files to detect inadvisable settings, inspects the password files to detect inadvisable passwords, and inspects other system areas to detect policy violations.

In contrast, the active component, which is composed of another set of procedures, reacts to known methods of attack and generates system responses. It can respond to suspicious events in several ways, which include displaying an alert, logging the event, or even paging an administrator.

First, I have listed the proactive steps you should take before an actual attack takes place. The second part covers what to do when your system is under attack.

Below are the proactive steps you should take to minimize the impact of a DDoS attack.


Buy a DoS/DDoS protection service that detects abnormal traffic flows to your website and diverts the traffic to another platform. This filters out the excess traffic sent to your website, so your network resources remain unexhausted.


Develop a disaster recovery plan to ensure successful mitigation and communication when your website is under attack.


It is also important to secure your system from any malpractice by an attacker through malicious and backdoor programs. For that, you need to regularly update and maintain good antivirus protection on all your devices. Moreover, install a firewall to restrict traffic coming into and going out of your website. Furthermore, always follow good security practices and keep track of how many people hold the sensitive information needed to access your system.

What should you do when you are experiencing a DDoS attack? There are three approaches to mitigating a DDoS attack: doing it yourself, on-demand mitigation by a service provider, and always-on mitigation.

You can do it yourself by buying more hardware capacity and other mitigation equipment.

The main benefits of doing it yourself are as follows –


When you mitigate a DDoS attack yourself, the biggest benefit is the low delay in taking the required action. Since you do everything yourself, you are also monitoring continuously, and the moment an attack takes place you can mitigate it.


Another big advantage of doing it yourself is that you can tune mitigation to a particular application. For instance, you can configure your mitigation equipment specifically for the gaming industry and ignore other industries if you want.


Another advantage is that your systems can inspect both directions of the traffic.


Also, when there is TLS-encrypted traffic, the keys for it stay with the company.

The main drawbacks of doing it yourself are as follows –


The biggest drawback of doing it yourself is that the required network capacity fluctuates heavily. You cannot foresee how much to overprovision: double, triple, ten times? The attack can be of any size, and you cannot change your capacity every time, let alone immediately.


To do mitigation yourself, you must meet many requirements.

First, you need bandwidth, a monthly recurring expense which adds up, plus compute and network hardware. You also need qualified personnel who can take care of the system, and sadly they are hard to find, expensive and hard to retain as well. Roughly, you need the following:

• traffic – 10GBps = $2,000/mo (NA)

• colocation space – $400/mo

• power – depends on equipment and location

• equipment – min $20,000 per 10GBps port

• personnel – the largest part, fluctuates based on location

and you need all of this in many locations, with multiple of each per location.

Now, here is how to decide whether you should go for this method. Before concluding, consider these points.

• At present DDoS attacks take place at a very large scale.

• Infrastructure is very expensive to build and maintain.

• Requires a significant amount of know-how.

Therefore, I recommend that unless you are hosting a very large site, it is better left to the professionals.


The second approach is to hire professionals and let them do all the work and you just sit back, relax and pay.

There are DDoS mitigation service providers and Content Delivery Networks (CDNs) available on the market. Their pricing is based on (1) the size of the attack and (2) the volume of clean traffic. There are also two types of service: (1) on-demand DDoS mitigation and (2) always operational (always-on) mitigation.

In the on-demand DDoS mitigation, the mitigation will only take place, when a system is under attack and only until the mitigation is completed. It has its own benefits and drawbacks as discussed below.


One major benefit of on-demand DDoS mitigation is that it works very well when it comes to protecting your system from volumetric attacks.


On-demand DDoS mitigation is very easy to deploy. All you need is a contract with the firm; when you need it, they deploy their service to ensure maximum protection.


The biggest flaw of doing mitigation yourself is that you cannot handle high attack volumes. When you outsource it, you get rid of this issue very easily.


Another major benefit of on-demand mitigation is that the services you get from professionals are harder to bypass. Unless there is a “once in 3-4 years” attack, their mitigation services are hard to crack.

Every coin has two sides, and every solution has its downside too. The drawbacks of on-demand mitigation are as follows.


This is not an issue with the do-it-yourself approach, but outsourcing to on-demand help takes some time to deploy: there is a delay between the site being attacked and the traffic switching over to the service provider.


Another major drawback of on-demand DDoS mitigation is that it is difficult to terminate Transport Layer Security (TLS) without sharing keys.


The whole process from detection to mitigation takes time with on-demand mitigation, which adds latency until the procedure is complete.


Securing your network with on-demand mitigation also adds the complexity of a Generic Routing Encapsulation (GRE) tunnel. GRE tunnels encapsulate various network layer protocols inside virtual point-to-point links over IP.

If you want the best protection possible for your system and have a good budget, always-on mitigation is what you should go for. Here you get complete protection for your system and, moreover, it can improve your website’s performance if used with a CDN (Content Delivery Network).


There is a large and increasing pool of DDoS attack tools available on the Internet. Most are freely available and powerful enough to crash networks and websites. Among these, LOIC and HOIC are very effective at launching a DDoS attack within a short time. LOIC is capable of generating attack packets over TCP, UDP and HTTP, whereas HOIC supports only HTTP.

Although TFN, Trinoo and Stacheldraht are used in launching DDoS attacks, these tools require substantial customization to use on an experimental testbed. Further, they are not as powerful as LOIC. However, it must be noted that using these tools to launch an attack on a public network is unethical and a crime.

Building adequate defense against DDoS attacks is a non-trivial problem for the network administrator as well as the network security researcher. If attackers have high skill levels, an existing defense may not be able to handle all types of new DDoS attacks in near real time.

Since a DDoS attacker uses a large number of compromised nodes to flood the network instantly, early detection of an attacker’s preparatory activities is essential so that the attack can be mitigated immediately.


There are many tools and services available on the Internet; here is a list of the best among them:

1. Cloudflare

2. F5 Networks

3. Arbor networks

4. Incapsula

5. Black Lotus

6. Akamai

7. AWS Shield

8. BeeThink Anti-DDoS Guardian

9. Sucuri

10. Cloudbric

11. Alibaba

12. Radware DefensePro


I hope this guide helps you understand everything about DDoS attacks.

Did you learn something new from this guide?

Or maybe you have a question.

Either way, leave a comment below right now.
