What is a DDoS attack?

DDoS inscribed on a digital background made up of numbers
(Image credit: Getty Images)

The modern hacker has a huge toolset at their fingertips, and it's only getting bigger by the day. Many of these tactics, techniques, and procedures are on the cutting edge, but there are old-school attacks that'll never go out of fashion – and DDoS attacks are one of them.

A DDoS (Distributed Denial of Service) attack relies on the way the internet is built to cause chaos. Simply put, they involve overwhelming a server with an enormous amount of specially crafted traffic, making it impossible to access the attacked service or site. This malicious flood of traffic is designed to cripple websites, online games, and even critical infrastructure. In the worst cases, DDoS attacks can cause serious financial damage.

Although DDoS attacks are relatively simple to recover from compared to other hacks, they can be a real pain to deal with while they're happening. There aren't a lot of consumer-level tools built to deal with DDoS attacks, unfortunately, but today's best VPNs can prevent frustration by hiding your real IP address from hackers – meaning they won't have a clear target.

Keep reading, and I'll dig into how DDoS attacks happen, who's behind them, and how a VPN comes in handy.

What is a DDoS attack?

A DDoS attack is a flood of internet traffic from many different machines. It targets a single device, service, or network with the intent of overwhelming a specific target so that it can’t be used.

The target needs to process each and every packet of data sent to it – so, DDoS attacks usually utilize data that's expensive for the target to process, ensuring that it uses up as many resources as possible.

When too many illegitimate requests flood the target, it can no longer process genuine traffic. Nobody can connect while the flood of traffic is taking up all of the connection slots.

In the best-case scenario, the DDoS only prevents you from checking out the site or service while the attack is ongoing – once the flood stops, the service can accept new connections.

DDoS attacks target a single device, service, or network with the intent of overwhelming a specific target so that it can’t be used.

However, in worse cases, overloading a service can lead to crashing the machine that it's running on, and causing significant data loss.

If that doesn't seem that bad, think of how it'd play out in a brick-and-mortar store.

Let's say two stores are selling the same product – and one is willing to do anything to run the other out of town.

The attacking store hires a bunch of malicious shoppers to fill the store they’re targeting. These shoppers spend all day in the victim store, not buying anything, but wasting as much of the cashiers' time as possible.

Eventually, it becomes apparent that a few of these shoppers are up to no good. They're banned from the store – but not before they've taken up significant amounts of staff time that could've been used to help legitimate shoppers make purchases.

The targeted shop can't just ban everyone from shopping to resolve the issue – they wouldn't make any money. Until it becomes apparent that a "customer" is there solely to waste a clerk's time, the shop can't do anything about it and, ultimately, makes less money because real shoppers can't buy anything. Some of the staff quit, others get worse at their job, and the whole operation falls apart.

The worst DDoS attacks are large-scale assaults involving millions of devices.

Over time, management at the target store realizes that the malicious shoppers are all using the same tactic to waste time: asking for obscure stock that the clerk must pull from the store’s inventory instead of off the shelves. It takes up a huge chunk of time and puts the staff out of reach of legitimate customers.

Of course, some of these real shoppers could make the same request, but management decides that anyone who repeatedly asks for warehouse stock is banned from the store, immediately.

The attacking store keeps sending the malicious shoppers but they're filtered out much more effectively – and now the targeted store can continue to operate in relative peace.

It's easy to think of a DDoS as a small, localized disruption, but the worst ones are large-scale assaults involving millions of devices. They cost money, they disrupt commercial output, and they have real-world consequences.

It's also a booming business for hackers. Despite constant efforts by the FBI and other law enforcement organizations to take down so-called "booter" or "stresser" sites (which are essentially DDoS for hire), DDoS attacks surged by 200% in 2023.

DDoS attacks aren't going anywhere, so you need to know how they happen and what you can do to defend against them.

Why do DDoS attacks happen?

The motivations behind DDoS attacks are as varied as the methods used to execute them.

A DDoS attack is just a means to an end, too, so there's a wide range of threat actors who might include it in their toolkit. The size, length, and intensity of a DDoS attack will also vary drastically depending on the perpetrator.

With that in mind, let's run through some of the people (and organizations) commonly behind today's DDoS attacks.

Massive attack

Botnet

(Image credit: Shutterstock / BeeBright)

However, that doesn't mean that there's a direct correlation between the two. The Mirai botnet was built by just a few people and affected millions of Linux IoT devices worldwide.

Gamers
You're more likely to be the victim of a DDoS attack in situations when the lowest-stake attacks happen.

For example, if you're playing multiplayer games using P2P matchmaking, your IP is usually exposed to the other players in the same game. This makes your home IP a prime target for hackers – but it's not the end of the world.

Most ISPs will reconnect you on a different IP once you reset your router. It's inconvenient, but you'll be back to browsing the internet again within minutes.

However, if you're using a static or dedicated IP, you're going to need a different solution (like one of today's most secure VPNs).

Hacktivists
Of course, some conflicts are more than just personal vendettas.

Digital disruptions

A laptop with digitally inserted hack warnings around it

(Image credit: Getty Images)

DDoS attacks have a huge impact on today's cyberwarfare – and are still a favorite tool of hacktivists around the world.

Hacktivists are a subset of hackers who use their skills to advance their political aims – like protesting organizations, governments, or ideologies they oppose.

For example, a hacktivist group might target a government agency website in a country where there's heavy internet censorship

Hacktivists usually rely on defacing websites instead of taking them out with DDoS, but there are still plenty of DDoS attacks that have been attributed to politically motivated groups. 

Extortionists
Next up are the cybercriminals that use DDoS attacks as a form of blackmail or extortion.

These bad actors might launch an attack against a company and then demand a ransom payment in exchange for halting the assault.

Most incidents of extortion are the result of destructive ransomware, these days, but it's easier to launch a ransom DDoS from outside the network in question.

It's not as lucrative, however, although some targets (like e-commerce sites) are more susceptible to DDoS attacks and, therefore, juicier targets.

Nation-state actors
On a more serious level, DDoS attacks are frequently used in cyber warfare by nation-state actors.

Governments or state-sponsored groups deploy DDoS attacks to disrupt critical infrastructure, communication networks, or financial systems in enemy countries. 

The thing that makes DDoS attractive to all of these groups is that it's very difficult to trace the origin of the attack.

Although it’s easier to attribute larger botnets to groups and nations, there are plenty of botnet operators out there who will rent out DDoS as a service. So, it's nigh impossible to figure out who’s actually behind a DDoS attack.

How do DDoS attacks work?

The basics of a DDoS attack all boil down to "send so much network traffic to a target that nobody else can use it." That's the "Denial of Service" part.

What makes DDoS really interesting is the “Distributed” part.

All DDoS attacks start with a botnet. A "bot" is an internet-connected device that has been compromised by a hacker and infected with malware.

All DDoS attacks start with a botnet.

You might immediately think of a computer, but hackers can turn anything that sends internet traffic into a bot. Think IoT devices: smart TVs, cameras, and even household appliances like fridges and thermostats.

So, a botnet is just a group of bots that a hacker can control. To build a botnet, hackers spread malware through phishing emails, malicious websites, or by exploiting software vulnerabilities.

Once a device is infected, it starts communicating back to the rest of the botnet through a "command and control" medium. Essentially, this is like a giant chatroom where the botmaster can send commands to each bot in the botnet.

When it's time to strike, the attacker sends remote commands to the botnet, instructing the devices to send massive amounts of traffic to the target's IP address.

The key to a successful DDoS attack is volume. By coordinating thousands of bots to send traffic simultaneously, the target is hit with far more requests than it can handle. This flood of traffic overwhelms the target's server or network and results in a denial of service.

The hardest part of defending against a DDoS attack is distinguishing the legitimate traffic.

The hardest part of defending against a DDoS attack is distinguishing between legitimate and malicious traffic. Botnets are usually composed of a wide range of regular internet devices from various locations around the planet.

Although some types of DDoS attacks, such as TCP-based timeout attacks, are more easily identified by a network administrator, pure UDP-based traffic floods make it difficult to distinguish between regular users and bots.

Can a VPN help with DDoS attacks?

DDoS attacks sound pretty scary, but you're very unlikely to be the victim of a long-term targeted DDoS attack.

Today's DDoS prevention systems are designed for enterprise users who need to keep their systems up and running 24/7 in the face of high-bandwidth attacks.

Instead of rushing over to CloudFlare and asking what it can do for you as a residential user, or buying an expensive business router, you’re much better off checking out a VPN instead.

Want to learn more?

A VPN app running on a mobile device

(Image credit: Getty Images)

VPNs are must-have tools for all of us internet-dwelling folks – and our guide to how VPNs work is a jargon-free explainer.

Think about it – when you connect to the internet through a VPN it, for all intents and purposes, becomes your IP.

Your VPN masks your original IP address, too, so hackers would have to send a DDoS attack through your VPN provider to try and knock you offline.

Any good VPN provider will already have enterprise-grade DDoS protection set up and may even have a good portion of the botnet that's attacking you blacklisted for performing similar attacks in the past (or for being used as a node to spread malware.)

However, it's important to note that a VPN isn’t a foolproof solution. If the attacker already knows your original IP address, they can still carry out the attack regardless of whether you're using a VPN.

In a worst-case scenario, the attack might be able to take out the entire VPN range if you're subscribed to a particularly small provider. It's pretty unlikely, but if you're worried about DDoS attacks, I'd recommend sticking to VPNs with a large network of servers.

There are plenty of good reasons to use a VPN besides their DDoS protection:

  • Encryption: the most obvious VPN benefit is that it encrypts your internet traffic, making it much more difficult for cybercriminals to intercept and steal your data. This is especially useful if you regularly use public Wi-Fi hotspots
  • Kill switch: most reputable VPNs come with a kill switch. They automatically disconnect you from the internet if the VPN connection drops. Why? Well, it prevents your real IP address from being exposed and ensures you don't send any unencrypted (and potentially identifiable) data.
  • Geo-spoofing: VPNs know how to have fun, too, and allow you to change your virtual location by selecting a server in a different country. This allows you to check out geo-restricted streaming content – and even makes it harder for hackers to trace your real location and DDoS you.
Disclaimer

We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Sam Dawson
VPN and cybersecurity expert

Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.