You're woken by your phone erupting with notifications. You drowsily reach for it and find a barrage of messages from frustrated clients complaining about your website.

You try to load your website but you're met with a frightful "service unavailable" message.

You could be a victim of a DDoS attack.

What is a DDoS attack?

A Distributed Denial of Service attack (DDoS attack) is the process of sending an overwhelming amount of data requests to a web server with the intention of impeding its performance. This disturbance could cause the web server to slow down or completely crash.

Is DDoSing Illegal?

Whether your seeking vengeance for poor customer service or you just want to play a practical joke on a friend, launching a DDoS attack against another person or business is illegal.

Is DDoSing Illegal in the U.S?

DDoSing is an Illegal cybercrime in the United States. A DDoS attack could be classified as a federal criminal offense under the Computer Fraud and Abuse Act (CFAA).  

The use of booter services and stressers also violates this act.

If you're found guilty of causing intentional harm to a computer or server in a DDoS attack, you could be charged with a prison sentence of up to 10 years.

If you believe you are a victim of a DDoS attack you should seek legal advice as soon as possible.

How Does a DDoS Attack Work?

A DDoS attack is a coordinated attack between multiple computers and internet of things (IoT) devices. These devices are infected with malware so that they can be controlled by cyber criminals.

The more infected devices (bots) an attacker recruits, the more powerful the assault. When these bots are linked together the malicious network is known as a botnet.

Multiple computer devices sending traffic to a server

When a DDoS attack is initiated, each bot sends consistent traffic requests to the host IP address. This flood of requests overwhelms the web server forcing it to deny entry (or deny service) to legitimate website visitors.

Here's a fascinating visualization of a DDoS attack in action:

DDoS attacks are not always launched for extortion purposes, like ransomware. They're usually intended to solely cause disruption and send a message of hatred. They can be launched either by an individual or a group of people.

The motivation behind a DDoS attack ranges from personal vendettas to political activism. Some attacks are launched by hacktivist groups, such as the ubiquitous group Anonymous.

Common Types of DDoS Attacks

There are many variations of DDoS attacks. Some are simplistic and fairly easy to mitigate, others are deeply complex. To maximize damage and frustration, attackers sometimes use a variation of DDoS attacks in a single event.

Here are three common types of DDoS attacks.

​1. Volumetric attacks

This is the most common type of DDoS attack. The attacker floods a web server with data packets to completely saturate its bandwidth. This prevents real visitors from loading a victim's website.

DNS amplification is a type of volumetric attack where amplified data requests are made to open DNS servers and the resulting response traffic aimed at victims.

2. Application attacks

In an application attack, the very top layer of the Open Systems Interconnection (OSI) model is targeted, layer 7. Because application attacks are focused on just the top layer, they require less bandwidth saturation to execute a successful DDoS attack.

Since application attacks target the path of common internet requests, such as HTTP, these attacks could request millions of downloads per second or millions of page refreshes per second. The effect is a rapid consumption of server resources.

3. Protocol attacks

This particular cyber attack target levels 3 and 4 of the OSI model. It aims to deplete server resources for firewalls and load balancers.

An example of a protocol attack is a SYN flood attack. A SYN flood attack exploits the standard 3-way handshake of a TCP/IP transaction. The three-phase of this transaction are as follows:

  • SYN - the host receives a message to initiate the transaction
  • SYN/ACK - confirms the request for information
  • ACK - server closes the connection.

In a SYN flood attack, the server sends an ACK message to a spoof IP address that doesn't respond, preventing the handshake loop from closing. Because the server is forced to wait for multiple ACK responses that never arrive, its resources are depleted.

What's the Difference Between a DoS Attack and a DDoS Attack?

A DoS attack is executed by a single computer whereas a DDoS attack is executed by a network of compromised devices. The cumulative effect of DDoS attacks makes them substantially more destructive to web servers.

Difference between a DoS and DDoS attack

DDoS attacks are severely detrimental to an online business because they completely stop the flow of traffic or slow a website down to the point of it being unusable. In both scenarios, a website's income generation engine will grind to a halt.

Business owners need to, therefore, learn how to identify when a DDoS attack is taking place and understand the correct remediation process.

How to Identify When a DDoS Attack is Happening

There are a couple of signs that may be evidence of a DDoS attack taking place. These signs alone are not enough to conclude an attack is taking place, but they should encourage further investigation.

1. Your website is loading very slowly

Because DDoS attacks deplete the resources of web servers, a website under attack will process information very slowly if it can still be loaded.

You can test your site speed for free using Google's page speed insights tool. You should have a benchmark site speed value to measure against.

To ensure there isn't an issue with your internet connection, you should try to load other websites too.

2. You receive a 503 service unavailable error

If you see a '503 service unavailable error' when you try to load any of your webpages, but other websites load perfectly, there's a high chance you're a victim of a DDoS attack. The 503 service unavailable error means that a web server is incapable of processing a load request.

Keep in mind that this error could also mean that a server is temporarily down for maintenance.

A 503 error should definitely warrant further investigation. If you don't have access to your server logs, you should contact your ISP to check the status of your server.

If you do have access to your web server, you can identify a DDoS attack from access logs.

Identifying a DDoS Attack from the Command Line Interface (CLI)

Through your web server's Command Line Interface (CLI) you can generate a log of all the active connections to your server.

You can generate a list of the IP addresses connected to your server ports with the following command prompt:

netstat -an

Here's an example output:


healthy web server log example
Healthy web server log example - source: loggly.com


During a DDoS attack, you will notice multiple instances of the same IP address connected to one server port, timing out the connection.

Here's an example of such an instance:

web server log during DDoS attack
Example of web server log during DDoS attack - source: loggly.com


You can narrow your filter to only list HTTP requests for your website on port 80. This will help you identify multiple connections from a single IP address. To do this use the following command:

netstat -an | grep :80 | sort

To list the number of connections by IP address to port 80 (HTTP traffic), use the following command:

netstat -plan|grep :80|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1

You should also analyze IP address connections on the port running all encrypted traffic (HTTPS), port 443.

netstat -an | grep :443 | sort

And list the number of connections by IP address to this encryption port as follows:

netstat -plan|grep :443|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1

To see how many times each IP address connects to your server, use the following command line:

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

During a DDoS attack, your server may receive thousands of connection requests from a single IP address, so look for unusually high server requests.

In 2014, CCTV cameras infected with malware were used to launch a DDoS attack peaking at 20,000 requests per second (RPS).

Similarly, in 2016 a devastating Mirai-based DDoS attack was launched against Dyn, a DNS service company. The attackers used Wi-Fi cameras in their botnet to implement the attack. The attack resulted in internet outages throughout most of the east cost.

To most effectively identify a DDoS attack from your server logs, you need to have a server connection activity baseline to measure against. This will help you identify and resolve an attack as soon as possible instead of waiting to see how the data develops.

What to Do During a DDoS Attack

If you don't have immediate access to your web server, you should contact your internet service provider as soon as possible. Once the attack has been resolved, they may provide you with a new IP address.

To save you time (and stress) during a DDoS attack, preemptively call your internet service provider to note down the direct number to call when one is taking place. Like all cybersecurity threats, a speedy response is paramount.

If you do have access to your server, you should clear your logs ASAP. Because the aim of DDoS attack is to deplete as many of your web resources as possible, your web server could fail catastrophically under the immense data load. Make sure you are only clearing log data you do not need.

If you can identify suspicious IP addresses during a DDoS attack, you should blacklist them and monitor the progression of the attack. If the severity is decreases or the IP addresses attempt to connect again, they're likely from innocent visitors. DDoS attackers tend to modify the IP addresses of their botnets in response to being blacklisted.

How to Prevent DDoS Attacks

DDoS attackers are continuously evolving their strategies to bypass mitigation solutions. Their methods continue to grow in complexity and severity. To give your business the highest chances of fending off a DDoS attack you need to implement several cybersecurity defense layers.

1. Increase the bandwidth of your web server

With a broader resource bandwidth, your server could possibly bear the burden of a DDoS attack while keeping your website functioning.

In-house server hardware does not give you the option of efficiently expanding your bandwidth to meet increased demand. This limitation makes on-premise hardware vulnerable to failure during a DDoS attack.

You might want to consider switching to a secure cloud-based web server. Advanced Cloud-based web servers let you expand your bandwidth very efficiently. They also offer a bandwidth tolerance to absorb DDoS attacks before your resources are penetrated.

Some cloud-based servers have a dedicated security team continuously monitoring your website for DDoS attacks.

2. Blacklist suspicious IP addresses

If you identify suspicious IP addresses accessing your website you should blacklist them. This would require you to continuously monitor your access logs for unusual activity. Just make sure you're not too trigger happy, you don't want to blacklist innocent prospective customers.

3. Implement multiple firewalls with packet filters

Multiple firewall layers are a very effective DDoS protection solution. In a double firewall setup, traffic needs to pass through two screening routers and a Bastion host before entering your internal network.

The first filter identifies and removes spoofed source IP packets. Spoofed packets are identified when their hop count values differ from the original source IP address.

The second filter has stricter entry conditions. It uses a Router Path Analysis (R-PA) method to analyze the path names of the entering data packets. Spoofed IP packets can be readily identified by their path name values and blacklisted.

double firewall DDoS defence
Double FIrewall DDoS Defence

Can a VPN Defend Against DDoS Attacks?

A VPN cannot protect you from a DDoS attack if the attacker knows your real IP address. If you think a potential attacker knows your IP address, you should change it to reap the cybersecurity benefits of your VPN.

If your internet service provider offers you a dynamic IP address, resetting your router will modify your IP address. Otherwise, you will need to contact your ISP to have it manually modified.

Learn the difference bewteen a VPN nad Proxy server >

Is Your Business at Risk of a Data Breach?

At UpGuard, we can protect your business from data breaches, identify all of your data leaks, and help you continuously monitor the security posture of all your vendors.

Check your risk of suffering a data breach, click here to get your free security rating now.

Ready to see
UpGuard in action?