What is a Distributed Denial-of-Service (DDoS) Attack?

A Distributed Denial-of-Service, or DDoS, attack is a popular hacking method where digital threat actors overwhelm a website’s servers with traffic. The idea is to bombard the site’s servers with a flood of visitors and eventually cause them to crash.

DDoS attacks aren’t used to gain sensitive files, data, or financial gain. These attacks usually act as a distraction. Once servers crash and an organization’s IT team scrambles to restore them, hackers are free to infiltrate the system toward more malicious ends.

If a DDoS attack is successful, it will affect a website’s entire user base. It’s also a high-profile attack that usually grabs the attention of a large audience – both internally and externally.

Part of what a DDoS attack is, by its very nature, involves grabbing attention at scale. As a result, these cyber threats are popular choices for individuals or groups trying to make a statement or advocate for a particular cause. Extortionists, cyber vandals, and hacktivists use DDoS attacks routinely. Some examples include digital assaults after Black Lives Matter rallies, an attack on the U.S. Executive Wing in 2013, and a large-scale attack against the U.K.’s Labour Party. 

How does a DDoS attack work?

Now that you’re familiar with the meaning of DDoS attacks and when you might encounter them, let’s explore how they work. Understanding the mechanics behind these attacks is critical to identifying them early and preventing significant damage.

As mentioned earlier, DDoS attacks rely on overwhelming a site’s servers with traffic. Usually, this traffic is fake, and hackers distribute it via a botnet. This botnet is a network of multiple online devices that are all connected. 

Cybercriminals point this botnet at a particular network's edge devices (switches, routers, etc.). It’s easier for digital threat actors to exploit network behavior on these individual devices rather than targeting a complete server. 

To make things simpler, picture so many people calling your phone that you can’t even use it. The calls keep coming in, to the point that you contact your provider to block these calls. 

The same principle applies to a DDoS attack. Traffic is thrown at the network’s “pipe” in a similar fashion until the available bandwidth is overwhelmed. Hackers can either do this in short bursts or through a series of repetitive attacks. 

Although these attacks are primarily used as distractions that lead to larger infiltrations, they can still be dangerous in their own right. Businesses can feel the effects of a successful DDoS attack for days, weeks, and sometimes even months. To understand the true extent of the damage DDoS attacks can inflict, we only need to look at the recent attack on Google.

What does DDoS mean for businesses if it can take months to recover? In addition to acting as a “gateway” for more malicious attacks, they can also cost businesses significant losses in revenue, and corporations may even have to pay regulatory fines due to the damage. Companies may also start to see customer trust diminish due to DDoS, meaning they may lose their reputation and, ultimately, more revenue.

What are the different types of DDoS attacks?

DDoS attacks can fall under three distinct categories: 

  • Volumetric attacks
  • Protocol attacks
  • Application layer attacks

Let’s take a deeper look at each.

Volumetric attacks

This is when hackers bombard a site’s servers with more traffic than they can handle. The cybercriminal will send DNS requests to the server, but so many DNS requests are sent that having to send out an equal number of DNS responses inundates the server. This is known as DNS amplification and is the most common method of a volumetric attack.

Other volumetric attack methods are:

  • UDP Flood – digital threat actors use User Datagram Protocol (UDP) packets to overwhelm a target network with traffic.
  • IP/ICMP Fragmentation – large data packets may need to be segmented in order to be successfully transmitted between servers. Hackers take advantage of this process by sending fake packets that can’t be fragmented. These fake packets must be stored by the target system until, eventually, its resources are exhausted and a crash occurs.
  • ICMP Flood an attacker uses internet computer message protocols (ICMPs) or pings to overwhelm a network server. Normally, these pings are used to assess device health and connectivity, but a hacker can flood a target computer with them leaving it inaccessible to regular traffic.
  • IPsec Flood this attack type leverages the internet key exchange (IKE) protocol to infiltrate the target system. IKE is used to create VPNs on less secure networks and encrypt data during transmission. At one time, IPsec attacks were popular, but the creation of IKEv2 has made them obsolete.
  • Reflection Amplification attacks – reflection attacks use UDP to “spoof” a target server’s IP address and request information. The server will then respond to the request, sending information to the attacker’s spoofed IP. An amplification attack is when a hacker sends “trigger packets” to a vulnerable system. The response is many times larger than the initial request, overloading the system’s resources. A reflection amplification attack combines both of these methods. The result is that an attacker can exponentially grow the amount of traffic they send while also being able to hide its true source.

Protocol attacks

These attacks focus on a network’s resources – the resources of a server or another device like a router or firewall. An example would be an SYN flood attack. Before two computers can connect, they need to form a TCP handshake.

SYN packets are necessary to initiate that handshake. Hackers will send countless SYN packets with fake or “spoofed” IP addresses. This is the equivalent of the hacker extending numerous hands for a handshake.

When the target computer responds and establishes the connection, the hacker won't answer. All these SYN requests left hanging in cyberspace will eventually crash the target server.

Application layer attacks

In this scenario, hackers take advantage of responses to server requests. When a user enters a website into their browser, a request is sent out to the site’s server. The server will then collect all the information for that page, package it, and send it back to the user’s browser.

This game of “pitch and catch” happens in a server’s application layer. Digital criminals will use bots to make repetitive requests to a server’s application layer until it gets overwhelmed and crashes. 

To better protect your clients from DDoS attacks, you need a deep understanding of these concepts/devices and how they all relate. Visit our cybersecurity glossary to learn more, and feel free to contact us with any questions.

Signs of a DDoS attack

Education is your greatest weapon for stopping DDoS attacks early and minimizing damage. If you can train yourself and your team on some warning signs to look for, you may be able to stop a DDoS infiltration before it starts.

Some signs you should look for are:

  • The traffic of a single endpoint increases unexpectedly and exponentially.
  • A server starts crashing repeatedly for no reason.
  • Website responses take much longer than normal to process.
  • You begin to experience a lot of incoming traffic with similarities. The traffic may come from similar devices, a similar browser version or type, location, or IP address.

What to do if you’re hit by a DDoS attack

The nature of modern society has most businesses constantly in the cloud or cyberspace in one form or another. We always like to tell MSPs it’s not a matter of if you experience a cyber attack; it’s a matter of when.

If you find your or your client’s network is the target of a DDoS attack, don’t worry. Once you identify the attack, here are some steps to take to respond and resolve the threat:

  • IP Blocking. If waves of high traffic start to come in from one IP, or similar IPs, they can be blocked. 
  • Casting. Giving incoming traffic multiple points of access may seem counterintuitive. But, if you can spread the incoming traffic across multiple servers, you can decrease the odds of overwhelming your system by increasing server capacity.
  • Black hole filtering. Examine incoming traffic and decide on filtering criteria. All server requests that meet these criteria can be sent to a digital “black hole,” and they’ll drop off the server’s pending request queue.

Visit our cybersecurity center to learn more about these defense mechanisms and other concepts to help strengthen the DDoS protection you offer your clients.

Thinking ahead to mitigate and avoid DDoS attacks

DDoS attacks serve as an “opening act” to much larger infiltrations. But MSPs and other IT professionals should be aware that they can also do a good deal of damage themselves.

Knowing what signs to look for and taking the mid-attack defensive measures above are essential to keep your clients’ networks safe. With that said, taking preventative measures may be even more important. 

Every MSP or cybersecurity team should have a DDoS incident response plan in place. This gives everyone a specific role or task in the event of an attack and keeps your team focused with a clear head. 

The ConnectWise team is here to help you prepare. Read our threat report, DDoS, crypto, and ransomware, oh my! to show your clients they’re in good hands if an attack slips through their defenses.


A DDoS attack uses a network of connected devices called a botnet to deliver high-volume traffic and server requests to overwhelm a website’s servers to the point that they crash. Once the servers are down, hackers use this as an opportunity to infiltrate the site and perform more sophisticated attacks, resulting in much more damage.

DDoS means Distributed Denial-of-Service. Hackers distribute numerous requests to access a website across several connected devices. Eventually, the website’s server crashes from attempting to handle all of these requests simultaneously.

MSPs or cybersecurity professionals can stop a DDoS attack in a few different ways. They can use IP blocking to block IP addresses that repeatedly send suspicious traffic, banish server requests off into the depths of cyberspace via black hole filtering, or distribute server traffic across multiple access points via casting to avoid overwhelming their network.