Is Distributed Denial Of Service or DDoS attack a malicious attempt?

Know how a distributed denial-of-service or DDoS attack, disrupts the traffic of a targeted server, network. You can protect your server.
Is Distributed Denial Of Service or DDoS attack a malicious attempt

Main Index

  1. Introduction
  2. How does a DDoS attack function?
  3. How to determine a DDoS attack?
  4. Types of DDoS attacks
    1. Application layer attacks
    2. Protocol attacks
    3. Volumetric attacks
  5. What are the procedures for restricting a DDoS attack?
    1. Blackhole routing
    2. Rate limiting
    3. Web application firewall (WAF)
    4. Anycast network diffusions
      1. Cloudflare Steps for restriction of attack
      2. Step 1: Enable the ‘Under Attack Mode'
      3. Step 2: Enable ‘WAF managed rules'
      4. Step 3: Challenge or block the traffic through Security
      5. Step 4: Restrict DDoS Ransom programs
        1. Mitigating DDoS Ransom Campaigns
        2. Do not pay the ransom.
        3. Disable Privacy Pass Support
        4. Enable I'm Under Attack Mode (IUAM)
        5. Enable Rate Limiting
        6. Configure more aggressive caching
      6. Step 5: Connect to Cloudflare Support department
  6. What Motivates a DDoS Attack: The Reasons Behind a DDoS Attack
    1. Financial purpose:
    2. Ideological Motives:
    3. State-sponsored Motives:
    4. Tactical Motives:
    5. Business/Economical Motives:
    6. Extortion Motives:
  7. Conclusion


Hi readers! After having a go through my previous articles like CyberSecurity, now we'll have discussed about DDOS attack concept.

A DDoS (Distributed Denial-Of-Service) attack is a malicious attempt to disturb the genuine traffic of a targeted server, service or network by dominating the target or its enclosing infrastructure with a huge stream of Internet traffic.

DDoS attacks attain significance by employing multiple compromised pc systems as attack traffic sources. Influenced machine can include pcs and other network resources like numerous IoT devices.

Considering high level, a DDoS attack causes a sudden traffic jam clogging up the main path, restricting usual traffic from attaining its destination.

GO Back to Main Index

How does a DDoS attack function?

DDoS attacks get connected with internet-internet-linked machines. These networks link up computers, and IoT devices which have been corrupted with malware granting them to be regulated remotely by any one attacker. These. devices are known as bots or zombies, and a collection of bots is known a botnet.

After establishment of botnet, the attacker might attack by transmitting instructions to each bot remotely.

Whenever the server or network of a victim gets targeted by the botnet, every bot delivers requests to the IP address of targeted pc, powerfully effecting the server or network to get overwhelmed, ensuing in a denial-of-service to genuine traffic.

Since, every bot is a reliable Internet device, distinguishing the attack traffic from genuine traffic can be tough.

GO Back to Main Index

How to determine a DDoS attack?

The most noticeable symptom of a DDoS attack is a site or service suddenly turning slow or unavailable. But, many reasons like a legitimate spike in traffic — can build up same type of performance problems, further checking is generally expected. Traffic analytic reporting tools can assist you identify some of these telltale determination of a DDoS attack:

  • Suspicious quantities of traffic starting from a specific IP range or IP address.
  • A flow of traffic from end users who share a single functioning profile, such as device category, geolocation, or version of web browser.
  • Odd traffic structures such as stakes at odd moments of the day or structures that seems to be unnatural (e.g. a spike at 10 minutes interval.)
  • An unknown rise in requests to an individual page or endpoint.

Many signs of DDoS attack are there which are special and can be altered as per the attack categories.

GO Back to Main Index

Types of DDoS attacks

Different DDoS attacks target different elements of a network connection. To realize how different DDoS attacks perform, it is mandatory to understand how a network connection is formulated.

A network connection that is available on the Internet is composed of various components or “layers”. Just like construction of a house from the base, every layer in the model has a different objective.

Whenever almost DDoS attacks participate overpowering a targeted device or network with traffic, attacks can be differentiated into 3 types such as application layer attack, volumetric attack, and protocol attack. An attacker may utilize one or more distinct attack vectors, or the cycle attack vectors in reply to counter estimates carried by the target.

GO Back to Main Index

a) Application layer attacks

Objective of attack:

Sometimes pertained to as a layer 7 DDoS attack (ref: 7th layer OSI model), the objective of these attacks is to tire out the resources of the targeted pc to expand a denial-of-service.

The attacks target mainly that layer where web pages are developed on the server and are delivered in reply to HTTP requests. An individual HTTP request is computationally inexpensive to run on the client side, but sometimes it could be costly for the targeted server too as the server allows various files loaded always and gets queries of database run in order to create a web page.

Layer 7 attacks are tough to protect against, since it can be difficult to distinguish malicious traffic from valid traffic.

Example of Application layer attack :HTTP flood

This HTTP:flood attack is equal to refreshing a web browser over and over on various computers at once – huge numbers of HTTP requests become flood on the server, and results in denial-of-service.

This type of application layer attack runs from simple to complex.

Simpler enactments might access one URL with the equivalent range of attacking IP addresses, user agents, and referrers. Complex versions of attack might utilize a huge number of attacking IPs, and target spontaneous URLs utilizing user agents, and spontaneous referrers.

GO Back to Main Index

b) Protocol attacks

Objective of attack:

Protocol attacks (state-exhaustion attacks), cause a service disturbance through over-consumption of server resources and/or the network equipment resources like and load balancers and firewalls.

Protocol attacks use drawbacks in layer 3 and 4 of the protocol stack to induce the target unattainable.

Example Of Protocol attack: SYN flood

A SYN Flood is comparable to a user in a supply room attaining requests that come from the storefront.

The end user receives a request, comes up and obtains the package, and carries for confirmation prior to snatch the package out to front place. The user further gets multiple package requests without confirmation until they couldn't possess any more packages, turn overpowered, and requests starts getting unanswered.

This attack influences the TCP handshake — the arrangement of communications by which two computers commence a network connection — by delivering a target a large volume of TCP “Initial Connection invitation” SYN packages with spoofed reference IP addresses.

The target machine acknowledges to every connection request and then holds for the final stage in the handshake, which never happens, tiring out the target’s resources in the procedure.

GO Back to Main Index

c) Volumetric attacks

Objective of the attack:

This type of attacks try to develop congestion by absorbing all accessible bandwidth between the targeted pc and the bigger Internet. Large quantities of information are delivered to a targeted pc through a shape of amplification or other means of developing massive traffic, such as invitations from a botnet.

Example Of Amplification: DNS Amplification

A DNS amplification is like if somebody were to call a restaurant and states “I want one of each dish, please inform me and repeat my entire order,” where the callback number certainly relates to the victim. Using very little effort, a long acknowledgment is delivered to the victim.

By requesting an open DNS server along with a spoofed IP address (IP of the victim), the targeted IP then receives a response from the same server.

GO Back to Main Index

What are the procedures for restricting a DDoS attack?

What are the procedures for restricting a DDoS attack

The key issue in restricting a DDoS attack is distinguishing between attack traffic and regular traffic.

For illustration, if a product release possesses a company’s website that is overwhelmed with excited customers, cutting off all traffics is an error. If that company instantly possesses a surge in traffic from comprehended attackers, endeavors to relieve an attack are possibly essential.

The complication lies in informing the actual customers apart from the traffic attackers.

In the latest Internet, DDoS traffic appears in several forms. The traffic can differ in layout from un-spoofed individual source attacks to the attacks that are complex and adapting to multiple vector.

A DDoS attack with multiple vector utilizes numerous attack pathways for the purpose of overwhelming a targeted pc in various routes, powerfully diverting mitigation actions on any single trajectory.

An attack that makes target on more than one layer of the protocol stack at the same moment, such as a DNS amplification (that targets layers 3/4) associated with an HTTP flood (that targets layer 7) is an an illustration of multiple vector DDoS.

Restricting a DDoS attack (multiple vectors) needs different strategies for the purpose of countering various trajectories.

Generally, the difficulty of attack traffic depends upon the complexity of DDoS attack. Hence, it is problematic to separate attack traffic from regular traffic as the objective of the attacker is to mix up as much as probable, propelling restriction efforts as ineffective as possible.

Restriction attempts that include dropping or lowering traffic unequally may push decent traffic out with the guilty, and the attack might also alter and modify to amend countermeasures. For the purpose of overcoming a complicated attempt at disturbance, a layered solution will provide the greatest advantage.

GO Back to Main Index

Blackhole routing

Blackhole routing is one virtual solution for all network admins in order to develop a blackhole route and funnel type traffic into the same route. When blackhole filtering is applied without particular restriction norms, both legal and malicious network traffic is directed to a null route, or blackhole, and declined from the network.

If an Internet system is suffering from a DDoS attack, the Internet service provider (ISP) of property may transmit the traffic of all the sites into a blackhole as a a protection. But, this is not a suitable solution, as it provides the attacker their required objective: it makes the network unreachable or block the network.

GO Back to Main Index

Rate limiting

Restricting the number of requests a server accepts over a specific time window is also a path of restricting denial-of-service (DDOS)  attacks.

While rate restricting is more useful in reducing speed of web scrapers from snatching content and for restricting forcefully login attempts, it couldn’t control a complicated DDoS attack powerfully.

On the other hand, rate restricting is a significant component in an effective DDoS restriction strategy.

GO Back to Main Index

Web application firewall (WAF)

A WAF (Web Application Firewall) is a tool which helps in restricting a layer 7 DDoS attack. Through a WAF application between an origin server and the Internet, the WAF might play the role of a reverse proxy, conserving the targeted server from specific categories of malicious traffic.

By sorting the requests based on some rules could recognize the DDoS tools, 7th layer attacks can be inhibited. A crucial WAF can implement custom rules quickly in reaction to an attack.

GO Back to Main Index

Anycast network diffusions

This alleviation method utilizes an Anycast network to distribute the attack traffic over a network of allocated servers to the specific point where the traffic is comprehended by the network.

Like channeling a running river down into distinct smaller size channels, this strategy unravels the effect of the distinguished attack traffic to the particular point where it will be controllable, diffusing any disturbing ability.

The dependability of an Anycast network to restrict a DDoS attack, depends on the extent of the attack and the size and ability of the network. A significant part of the DDoS restriction applied by Cloudflare is the utilization of an Anycast distributed network.

Cloudflare possesses a 172 Tbps network that is a sequence of magnitude greater than the biggest DDoS attack reported.

GO Back to Main Index

Cloudflare Steps for restriction of attack

If you are presently under DdoS attack, and are on Cloudflare already, you can go through the following steps to restrict your attack.

        To get the ‘Under Attack Mode' activated, go through the following steps
    1. Log in to Cloudflare account with your id and password.
    2. Choose the domain presently under attack.
    3. Change the status of ‘Under Attack Mode' to ‘On' throughout the Quick Actions part of the Overview app of Cloudflare.
      The ‘Under Attack Mode’ can be also configured for particular URLs through the Cloudflare Page Rules app through alternation of the Security Level setting to choose ‘I’m Under Attack'.
    4. (Optional step) You can adjust ‘Challenge Passage’ through Security>Settings.

    • IP Access Rules- This rule is applied for restricting different IP addresses, /16 or /24 IP ranges, or Autonomous System Numbers (ASNs).

    • Firewall rules - this rule is applied for restricting a country, any valid IP range, or more complex attack structure. Firewall rules have restrictions but are more flexible and permit matching upon more types of expressions and fields than the IP Access Rules.

    • Zone Lockdown - This grants only delegated IP addresses or ranges to a particular area of your site.

    • User Agent Blocking - This is used for preventing suspicious User-Agent headers for your whole domain.

It is common for ransomers to threaten DDoS attacks, even when a customer is utilizing Cloudflare. Some troubleshooting tips are given below if you’re targeted by ransomers to make sure your origin server is kept readied to control excess requests.

Mitigating DDoS Ransom Campaigns

It is very formal for ransom ventures to instill a sense of necessity. Any delay reduces the chance of achievement for the DDOS attacker as it provides the target time to assess choices. The most crucial thing to remember is that if you presume your site is being preferred for a ransom, first contact Cloudflare support support.

Restrict DDoS Ransom programs

Some mitigation alternatives are listed below for DDoS ransom purpose:

a) Do not pay the ransom.

It's not right to make payment to the ransom. If it's paid, the ransomer realizes they have obtained a crucial target and might periodically come back to obtain another payment. Often, Ransomers strive to bring up themselves as security experimenters who have obtained a susceptibility. This understandably enhances the answer rate of website owners, as it is not instantly clarified that they are supposed to be ransomed. If at all probable, one should not react to the ransom at all, and rather customer assistance department of cloud flare.

b) Disable Privacy Pass Support

In various reports, attackers allege to influence Privacy Pass. This is not enough a susceptibility in Privacy Pass, just a partial effect of how Privacy Pass deals with other Cloudflare aspects. Don't enable Privacy Pass Support if a stream of requests with Privacy Pass tokens integrated is expected.

c) Enable I'm Under Attack Mode (IUAM)

IUAM is formulated to assist mitigate attacks and commonly boost security of a zone, so it's a nice idea during different types of attacks.

d) Enable Rate Limiting

Often, some DDoS attacks are valuable at low rates as the attacker makes an endpoint as target that they have obtained to be uncacheable and functionally costly for the base server. If a base server generally obtains a dozen or more logins each second and instantly detects thousands per second, this could bring degraded result in enactment and will increase bill for cloud service. The Rate Limiting executes well against adequate single-origin DoS, smaller botnets, and it might prohibit the attacks from prevailing for a long time. It can also assist decline floods to the origin server, but its potency may be insufficient for very unstable origin servers.

e) Configure more aggressive caching

Getting your content cached at Cloudflare also insures your website against smaller DDoS attacks, but uncleared assets may need extra manual intervention phases given above.

For any more issues, get connected to support assistance of cloud flare.

GO Back to Main Index

What Motivates a DDoS Attack: The Reasons Behind a DDoS Attack

In order to prevent DDoS attacks, it’s essential to know what drives the occurrence. While DDoS attacks fluctuate vastly in nature when it arrives to tricks and procedures, DDoS attackers also might have a quantity of motives, including the following.

  • Financial purpose: DDoS attacks are always integrated with ransomware type attacks. The attacker mails a message notifying the victim that the attack would be stopped if the victim pays an amount. These types of attackers are vital part of a standardized crime coalition. Now these days, though, these coalitions can be as small as a number of people with networking proficiency and excess time on their hands. Occasionally, rival industries will even perform DDoS attacks in their competitors to achieve a competitive target.

  • Ideological Motives: DDoS attacks are always initiated to target overwhelming governing corpses or protestors in critical political circumstances. This type of DDoS attack is always performed to support a specific political interest or assumption system, like a religion.

  • State-sponsored Motives: In this motive, DDoS attacks are always wanted to affect difficulty for defence troops or civilians when political violence or disagreement comes to be apparent.

  • Tactical Motives: In this motive, the DDoS attack occurs as portion of a bigger campaign. In some matters, the campaign contains a physical attack or other types of software attacks. For illustration, militaries have been recognized to integrate DDoS attacks with the physical ones. The Tactical attacks are utilized to distract scrutiny away from realistic IT tasks to get benefits of another target – the former bait-and-switch based cyberattack.

  • Business/Economical Motives: This type of DDoS attacks, supports to collect private information or create problems in specific industry sectors. For illustration, attacks on big companies like British Airways, Sony, and Equifax caused customers to lose trust in whole industries.

  • Extortion Motives: Some attacks are utilized to accomplish some private or monetary profit through cheated means.

GO Back to Main Index


Overall, the DDoS preservation that we apply on Cloudflare is multifunctional in order to reduce the many apparent attack vectors. Hope the above article will definitely help out the developers/end-users to protect against DDOS attack effectively.


Anjan kant

Outstanding journey in Microsoft Technologies (ASP.Net, C#, SQL Programming, WPF, Silverlight, WCF etc.), client side technologies AngularJS, KnockoutJS, Javascript, Ajax Calls, Json and Hybrid apps etc. I love to devote free time in writing, blogging, social networking and adventurous life

Post A Comment: