The IT Law Wiki


A distributed denial-of-service attack (DDoS)

[is] [a] variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than a single source. It often makes use of worms to spread to multiple computers that can then attack the target.[1]
utilizes other computers — often from unwitting individuals — to assist in flooding a network.[2]
occurs when a hacker creates a "zombie" network by installing remote control client software on open systems on the network, and uses the remote control software to flood a single target with unwanted data traffic. Eventually the target is forced to shut down and becomes inaccessible by legitimate users.[3]


"DDoS attack vectors can fall into one of three categories:

  1. Volumetric Attacks: These attacks attempt to consume the bandwidth either within the target network or service, or between the target network or service and the rest of the Internet. These attacks are simply about causing congestion.
  2. TCP State‐Exhaustion Attacks: These attacks attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls, and the application servers themselves. They can take down even high‐capacity devices capable of maintaining state on millions of connections.
  3. Application‐Layer Attacks: These target some aspect of an application or service at the Application Layer. They are the most sophisticated, stealthy attacks because they can be very effective with as few as one attacking machine generating a low traffic rate. This makes these attacks very difficult to proactively detect with traditional flow‐based monitoring solutions. To effectively detect and mitigate this type of attack in real time, it is necessary to deploy an in‐line or other packet‐based component to your DDoS defense."[4]

A DDoS attack occurs in two steps. First, the attacker takes over a large number of Internet host computers and installs a malware program on them that will allow the attacker, at any later time, to remotely control those host computers. Second, at a later time, the attacker's computer sends a command to the host computers to launch an attack against the target computer or network at the same time.

DDoS attacks are unique for three reasons: (1) they exploit vulnerabilities in their target's software or operating system that cannot be easily repaired or 'patched'; (2) each individual packet is a legitimate request — only the rate and total volume of packets gives an attack its destructive impact; and (3) the severity of the attack is measured in terms of its duration. Unlike malware, which alters or infects its target, DDoS attacks consist of the same types of packets, a unit of data, that a typical user would send when making a legitimate request. The only difference is in the number and frequency with which the attacker generates requests.[5]

DDoS attacks seek to render an organisation's website or other network services inaccessible by overwhelming them with an unusually large volume of traffic. Malware indirectly contributes to DDoS attacks by creating a renewable supply of compromised computers (bots) through which the flood attacks are launched.

DDoS traffic may consist of relatively easily identified bogus packets, or properly-formed and seemingly legitimate "requests for service." This flood of traffic is intended to exceed the capacity of either the network bandwidth or the computer resources of the targeted server, or both, thereby making the service unavailable to most or all of its legitimate users, or at least degrading performance for everyone.

Simple DDoS attacks use a distributed network of bots (called a botnet) to attack a particular target. The more complex DDoS attacks use multiple botnets to simultaneously attack the target. In traditional DDoS attacks, botnets are used to send massive amounts of queries and overwhelm a system. However, low and slow attacks, a recent trend noted by some security experts, occur over a longer period of time and use a small amount of bandwidth from thousands, if not millions, of compromised computers. Often the attacker co–ordinates the attack so that not all the bots will attack the target at the same time, but rather on a rotating basis. The victim and the Internet service provider may not notice that their network traffic has increased but over time, it becomes a drain on their infrastructure and other resources.

"DOS attacks are illegal under Computer Fraud and Abuse Act."[6]

Examples of DDoS Attacks[]

The first large DDoS attack, in February 2000, took down some of the Web's most popular websites for hours, including Yahoo!, CNN, eBay,,, and E*Trade. The FBI eventually tracked down the perpetrator, 15-year-old "Mafiaboy," after he bragged about it to friends online.

DDoS attacks have been launched against governments for various purposes including political or ideological ones. For example, Swedish government websites were attacked in the summer of 2006 as a protest against the country's anti-piracy measures. More recent events in Estonia have raised an interesting discussion on what a cyberattack of this nature means for countries.

On February 7, 2007, a DDoS attack, emanating from sources in the Asia-Pacific region, was launched on nine of the 13 root servers that support the domain name system. It was unsuccessful.

"In theory, a DDoS attack could temporarily take down the entire web by simultaneously targeting the 13 root servers on which all Internet traffic depends. In practice, this has not yet happened."[7]


See also[]

External resource[]

  • VeriSign Intelligence Operations Team, "Distributed Denial of Service (DDoS) Attacks: An Overview and an Analysis" (June 4, 2010) (full-text).