DDoS ATTACK  ▷ What are they How it works How to avoid them? ▷ 2020

Today we are going to learn more about a term that many people do not even know but that is the order of the day on the internet: the DDoS attack, a way to crash a site without having to meander through their networks or introduce malware.

What the DDoS attack basically does is deplete a server based on demands, so that it cannot continue to function. Of course, there is much more behind it, but that is the basis. We will see everything below, from what it is exactly to how to do it, through the types that exist, the most notorious attacks in history …

As a curiosity, indicate that this is a resource widely used to claim, especially against governments. However, it is not very useful and, at the moment, it is having a negative effect, tarnishing the image of network professionals. Anyway, that’s not the subject; Let’s get to know DDoS in depth!

What is a distributed denial of service or DDoS attack? Definition

DDoS attack scheme

DoS, Denial of Service: It is a kind of computer attack that is executed to make a system inaccessible, due to saturation, for those users who use it legitimately. Living up to the name that has been given to this performance, it is intended get a denial of service.

DDoS, Distributed Denial of Service: It is an amplified version of the DoS attack. In this case, it is saturate a server attacking it from several computers at the same time and making use, of course, of several internet connections. In this way a higher volume of attack packets is achieved, being easier to achieve the disablement of a server or, in fact, allowing it (there are cases in which a simple DoS would not be capable).

Types and examples of DDoS attacks

do a DDoS attack from Kali Linux

Seeing what it is and what it means, we have to indicate that there are different types of DDoS attacks. Of course, these have all of the above in common, but they have details that make them differ from each other and are more useful in one case or another.

We can classify them as:

  • Volume-based DDoS: What is sought is bandwidth saturation, congesting it.
  • Protocol DDoS: Consume resources and / or services.
  • Application layer DDoS: Illegitimate requests are used to elicit responses directed at convenience.

The most common types are:

Syn Flood or Syn packet flooding

It is the most common, the one that best reflects what we have just seen. Is based on TPC protocol which includes three steps in its connection. We have to the third step is never taken and, therefore, the second remains active and waiting until that request is completed, so no others can be made; that is, a very simple method of disabling.

Is done a flood of requests based on headers with SYN flags from various points so that the server tries to connect with the different addresses of origin (which are usually false) Y, at the same time, wait of the corresponding reply packet, which never arrives.

So, the server consumes resources continuously and the number of connections is crowded that the server allows, so that it stops responding.

ICMP Flood or flooding of ICMP packets

In this case, what What is sought is an exhaustion of bandwidth sending a huge number of ICMP packets (Internet message control protocol) so that the response is based on ICMP Echo reply packets, which overload the system.

These are thrown over and over again, creating an effect similar to that of the ping-pong game (in fact, this SSoD attack is also known as such). For this attack to take effect, it is necessary for the attacker to have a greater capacity to withstand the overloads (remember that communication is bidirectional).


Is a ICMP flood enhanced. In this case one more variable comes into play, an intermediary that first receives the ICPM echo request packets but whose origin appears to be that of the victim and not the attacker’s. The intermediary should then respond to the victim believing that it is the true origin. Obviously, the greater the number of intermediaries, the more responses to the victim.


Connection Flood

Wanted have active as high a number of connections as the victim server can support, opening as they close or expire to have it always on top and that it cannot receive queries other than those of the attacker.

UDP Flood or UDP packet flooding

In this case, the packets that are generated and sent are of type UDP, which is a user datagram protocol. An IP spoofing is used or identity theft, since this protocol works, naturally, without a connection. The attack usually targets Echo services due to the size of their response messages.

Slow Read

What this type of attack does is very slow sending of data, so that it keeps the server busy for a longer time and consuming resources.

What are the differences between DoS and DDoS attacks?

differences between DoS and DDoS attacks

We have already seen that DDoS corresponds to a distributed attack. In the case of DoS (Denial of Service) we have to this is much simpler. You will only need a computing machine with an internet connection, unlike DDoS, in which, as we have seen, several machines and connections are necessary that are distributed.

Derived from this we have that the DoS attack is more easily deflectableas it can be traced. DDoS, being dispersed, is very difficult to divert.

How does a DDoS attack affect a web page and how to stop them?

ddos attack on web

Obviously, the consequences will differ depending on the attack and the characteristics of the attacked server. However, the essence is similar. Faced with an abnormally large volume of requests in unison and arrival of data, server starts running slower, either because it consumes resources or because it works on a network with a bandwidth that is being diminished, which leads to taking down the web and leaving it out of service.

You have to take into account the volume of the attack and also the filters that the server has (or should have) to detect foreign packets. We can launch the biggest attack in history and that the best protected server on the planet is hardly affected Or we can make a small, “test” attack against an unprotected server and throw it out completely for hours, preventing it from even solving the problem until the attackers decide to stop.

Following this, The consequences will be those of not having the web active because they have “knocked it down”. If the site is that of a dentist, the only thing that will happen is that a person who was going to enter to decide to go to this does not do so. If you have a marketplace like eBay, Amazon, El Corte Inglés etc, imagine what an hour without sales means.

In general, this is the only thing that happens, that the server is partially or totally unavailable. Physical damage is possible but this is not at all common; they would give combining the attack with the introduction of takeover malware and in the event that it exists, a vulnerability is known and exploited.

What have been the most powerful denial of service attacks in history?

Like, throughout the internet history, virus attacks with impressive repercussions have been made known throughout the globe, we also have cases to take into account in relation to distributed denial of services attacks. The most famous have been.

Graph countries of origin DDoS attacks
Graph – Countries of origin of DDoS attacks

  • MafiaBoy Attack: In 2000 Yahoo !, the search engine stopped working for an hour. Guilty? A Canadian boy who decided to launch a DDoS attack to publicize the capabilities that he and his group had; And he was right, because in subsequent days they also successfully attacked spaces such as CNN, eBay or Amazon, among others.
  • July 2009 set: In this case, several attacks were launched that affected government, financial and news websites in the US and South Korea. A botnet of about 50,000 computers could be estimated. To date the performers of such a feat are not known.
  • The spam attack: The most recent of the DDoS to go around the world was carried out between companies in the same sector, a low attack to render competition inoperative. One company shipped hundreds of junk emails or SPAM to the other, even causing a general slowdown of interne and leaving the central node of London itself inoperative.

If you have any questions, leave them in the comments, we will answer you as soon as possible, and it will surely be of great help to more members of the community. Thank you! 😉

You may be interested:

Leave a Comment