What is a Distributed Denial of Service (DDoS) attack?
Distributed Denial of Service (DDoS) Defined
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks achieve their scale by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include traditional computers, servers, and insecure Internet of Things (IoT) devices.
- How: It leverages a botnet — a network of malware-infected devices controlled remotely — to flood a target with massive traffic, exhausting its bandwidth or processing power.
- Why: Attackers launch these campaigns for financial extortion, competitive sabotage, political hacktivism, or as a loud distraction to mask a concurrent data breach.
- Impact: It causes prolonged operational downtime, severe financial losses from unavailable services, and degrades customer trust in digital availability.
How a DDoS Attack Works
- Infect and Recruit: The attacker infects thousands of vulnerable devices worldwide with malware, turning them into bots or "zombies" that can be controlled remotely without the owners' knowledge.
- Establish Command and Control (C2): The attacker groups these compromised devices into an interconnected network called a botnet, managing them via a centralized C2 infrastructure or decentralized peer-to-peer networks.
- Target Identification: The adversary selects a target, such as a corporate website, an e-commerce checkout application, or a critical network gateway IP address.
- Unleash the Flood: The attacker sends a command to the botnet, ordering every infected device to simultaneously flood the target with web traffic or data packet requests.
- Overwhelm and Crash: The targeted server or network attempts to process the massive influx of requests, exhausting its memory, CPU capacity, or bandwidth. This causes the service to slow to a crawl or crash entirely, blocking legitimate users.
Types of DDoS Attacks
Volumetric Attacks
The goal of a volumetric attack is to completely saturate the bandwidth of the target's network. These attacks send massive amounts of data packets using amplification techniques, where a small request from the botnet triggers a massive response from an open server, directing the resulting data flood straight to the victim (e.g., DNS amplification, UDP floods).
Protocol Attacks
Protocol attacks focus on consuming the actual processing resources of network infrastructure equipment, such as firewalls, routing tables, and load balancers. They exploit flaws in network communication protocols, such as sending flood requests that require the server to wait for a handshake validation that never arrives (e.g., SYN floods, Ping of Death).
Application Layer Attacks
Sometimes called Layer 7 attacks, these campaigns target the specific web application or software application where web pages are generated on the server. They mimic legitimate human browsing behavior but execute intensive requests, like loading a complex database query thousands of times simultaneously, to quietly exhaust server memory from within (e.g., HTTP GET/POST floods, Slowloris).
Why DDoS Matters for Cybersecurity
Modern organizations rely entirely on continuous digital availability to run their businesses. A successful DDoS attack can take down an online storefront, a banking system, or an internal communication tool instantly, causing massive operational losses. Furthermore, DDoS attacks have evolved into a dangerous tactical smokescreen. Threat actors routinely launch a loud, chaotic volumetric attack to overwhelm a security operations center (SOC) with alerts. While your internal IT team scrambles to keep the website online, the hackers quietly execute a completely separate network intrusion or data breach in the background. With the explosive rise of insecure IoT devices, building a massive bot army has never been easier for cybercriminals, making robust edge filtering mandatory for modern enterprises.
DoS vs. DDoS: Understanding the Difference
| Feature | Denial of Service (DoS) | Distributed Denial of Service (DDoS) |
|---|---|---|
| Traffic Source | Originated from a single computer, server, or internet connection point. | Distributed across thousands or millions of geographically scattered devices. |
| Attack Volume | Low to moderate; limited by the bandwidth capabilities of a single system. | Massive, frequently reaching gigabits or multi-terabits per second. |
| Mitigation Difficulty | Low. Administrators can easily block the single offending IP address at the gateway. | High. Blocking individual IPs is impossible due to the sheer number of unique sources. |
| Attack Execution | A direct, straight-line connection attack launched from the actor to the target. | Coordinated globally through a decentralized Command and Control botnet. |
Frequently Asked Questions About DDoS
What is a botnet in the context of a DDoS attack?
A botnet is a collective network of internet-connected devices — including computers, smart TVs, and security cameras — that have been infected with malware. This infection allows an attacker to control the devices remotely as a unified force to launch massive traffic floods.
How can an organization tell if it is under a DDoS attack?
Signs include unexplainable network slowdowns, specific websites becoming completely inaccessible, or sudden, dramatic traffic surges originating from diverse global IP addresses. Network analytics tools will display abnormal spikes that do not match standard usage patterns.
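The two signals named above, a sudden request surge and a surge that comes from many distinct sources, can be checked directly against access-log style records. The following is an added example, not code from the original page or from Sophos; the log records, the baseline window and the thresholds are constructed here for illustration, and the "dos" versus "ddos" verdict mirrors the single-source versus distributed distinction from the comparison table.

```python
from collections import defaultdict

# Constructed sample of access-log style records: (unix_second, source_ip).
# Seconds 0-2 are quiet baseline traffic; seconds 3-5 are a surge from 40 sources.
DDOS_LOG = [
    (0, "203.0.113.5"), (0, "198.51.100.7"), (1, "203.0.113.5"),
    (2, "198.51.100.9"), (2, "203.0.113.8"),
] + [(s, f"192.0.2.{i}") for s in (3, 4, 5) for i in range(1, 41)]

# Same baseline, but the surge comes from one host: the single-source DoS case.
DOS_LOG = DDOS_LOG[:5] + [(s, "198.51.100.66") for s in (3, 4, 5) for _ in range(40)]


def per_second_stats(records):
    """Bucket records by second, keeping the request count and the set of sources."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for ts, src in records:
        buckets[ts]["requests"] += 1
        buckets[ts]["sources"].add(src)
    return dict(sorted(buckets.items()))


def classify_surge(records, baseline_seconds=3, rate_multiplier=5, min_sources=20):
    """Compare each second after the baseline window against the baseline rate.

    A second whose request count is at least rate_multiplier times the baseline
    is a surge; it is labelled 'ddos' when it comes from at least min_sources
    distinct IPs and 'dos' otherwise. Quiet seconds are labelled 'normal'.
    Thresholds are constructed for this example and must be tuned per site.
    """
    stats = per_second_stats(records)
    seconds = list(stats)
    baseline = [stats[s]["requests"] for s in seconds[:baseline_seconds]]
    baseline_rate = sum(baseline) / max(1, len(baseline))
    verdicts = {}
    for s in seconds[baseline_seconds:]:
        bucket = stats[s]
        if bucket["requests"] < rate_multiplier * max(1.0, baseline_rate):
            verdicts[s] = "normal"
        elif len(bucket["sources"]) >= min_sources:
            verdicts[s] = "ddos"
        else:
            verdicts[s] = "dos"
    return verdicts


if __name__ == "__main__":
    print("distributed flood:", classify_surge(DDOS_LOG))
    print("single-source flood:", classify_surge(DOS_LOG))
```

In production the baseline would come from a rolling history rather than the first few seconds of the same capture, and the source count would be taken on the client address seen behind any CDN or proxy headers.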
What is a traffic amplification attack?
This is a volumetric strategy where an attacker spoofs the victim's IP address and sends small requests to open servers on the web (like public DNS servers). The open servers respond with massive, data-heavy packets back to the victim's IP, amplifying the original attack size exponentially.
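From the victim's side, reflected amplification traffic has a distinctive shape: large responses arrive from service ports such as UDP/53 without the victim ever having sent the matching request. The following is an added example, not code from the original page or from Sophos; the flow records, addresses and byte counts are constructed, and the "out"/"in" direction field and tuple layout are assumptions about what a perimeter sensor exports.

```python
from collections import defaultdict

# Constructed flow records: (direction, remote_ip, remote_port, local_ip, local_port, bytes)
FLOWS = [
    # Legitimate: our resolver queries a (constructed) DNS server and receives the reply.
    ("out", "203.0.113.53", 53, "198.51.100.10", 40001, 64),
    ("in",  "203.0.113.53", 53, "198.51.100.10", 40001, 180),
    # Unsolicited: large answers from several open resolvers to a host that never asked.
    ("in",  "192.0.2.11", 53, "198.51.100.20", 443, 3200),
    ("in",  "192.0.2.12", 53, "198.51.100.20", 443, 3100),
    ("in",  "192.0.2.13", 53, "198.51.100.20", 443, 3300),
]


def unsolicited_udp_responses(flows, service_port=53):
    """Return inbound responses from service_port that no outbound request preceded.

    The key is (server, local host, local port): a reply is only expected on the
    same tuple on which a query left. Spoofed-source reflection fails this check
    because the spoofed victim never sent the query.
    """
    seen_requests = set()
    unsolicited = []
    for direction, rip, rport, lip, lport, nbytes in flows:
        if rport != service_port:
            continue
        key = (rip, lip, lport)
        if direction == "out":
            seen_requests.add(key)
        elif key not in seen_requests:
            unsolicited.append({"server": rip, "victim": lip, "bytes": nbytes})
    return unsolicited


def amplification_summary(flows, service_port=53):
    """Aggregate unsolicited response bytes per victim and count distinct reflectors."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for r in unsolicited_udp_responses(flows, service_port):
        per_victim[r["victim"]]["reflectors"].add(r["server"])
        per_victim[r["victim"]]["bytes"] += r["bytes"]
    return {victim: {"reflectors": len(d["reflectors"]), "bytes": d["bytes"]}
            for victim, d in per_victim.items()}


if __name__ == "__main__":
    print(amplification_summary(FLOWS))
```

Many distinct reflectors converging on one local address, with a high byte count and no matching outbound queries, is the signature the scrubbing or edge-filtering layer mentioned below is built to absorb.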
Can a standard network firewall stop a major DDoS flood?
Traditional firewalls are often overwhelmed by large-scale DDoS attacks because the volume of data packets exhausts their processing memory. Defending against modern floods requires cloud-based scrubbing centers or edge-filtering networks designed to filter out bad packets before they reach your network infrastructure.
Sophos Solutions for DDoS Threats
Sophos provides comprehensive edge security and endpoint monitoring designed to minimize your digital attack surface and keep your business systems accessible. To drop malicious traffic spikes and inspect data packet anomalies at your network perimeter, Sophos Firewall delivers robust rate-limiting controls and deep packet inspection capabilities. To ensure your company devices are never hijacked and drafted into an external botnet, Sophos Endpoint leverages advanced behavioral monitoring to block botnet malware and command-and-control communication pathways at the host level. These protections integrate seamlessly with Sophos XDR to provide full operational visibility, while Sophos MDR offers a 24/7 fully managed threat hunting service where elite human experts watch your estate to isolate threats before they can cause operational disruption.