Distributed Denial of Service (DDoS) Attacks

Security model & threats

Paul Krzyzanowski

April 13, 2025

1. Introduction

Denial of Service (DoS) attacks are malicious attempts to disrupt the availability of systems or services by overwhelming them with excessive traffic or resource-heavy requests. These attacks exploit asymmetries in computing, where it is often far easier to send requests than to process them. The main objective is to make the target system unresponsive or unavailable to legitimate users.

DoS attacks come in various forms: flooding services, triggering system crashes, or exhausting network bandwidth. Traditional DoS attacks originate from a single source, but Distributed Denial of Service (DDoS) attacks are launched from a globally distributed network of compromised devices, coordinated through a botnet. This multiplicity makes DDoS far harder to mitigate.

2. Characteristics and Techniques

Understanding how DDoS attacks are constructed and executed is essential to defending against them. These attacks are not random floods of traffic but carefully engineered operations that exploit structural and behavioral properties of computer networks and systems.

Various methods enable attackers to scale up traffic, obscure their identities, and bypass simple filtering mechanisms.

Asymmetry Exploits

DDoS attacks often take advantage of computational asymmetries, where the effort required to send a request is significantly less than the effort required to process it. A single command might force a server to allocate memory, open database connections, or perform CPU-intensive calculations, rapidly consuming system resources.

IP Spoofing and Return Address Manipulation

Attackers can forge source IP addresses in packets, a tactic known as IP spoofing. This conceals the attacker’s identity, avoids response traffic, and can redirect attack responses to a third-party target. IP spoofing is especially effective with stateless protocols like UDP.

Reflection

In reflection attacks, requests are sent to intermediary servers with the source IP set to the victim’s address. The servers then reflect the responses to the target. Since the traffic appears to come from legitimate services, this technique also evades some basic filtering.

Amplification

Amplification refers to sending small queries to services that return disproportionately large responses. This dramatically boosts attack volume. For example, a 60-byte DNS query may trigger a 4,000-byte response. Combined with reflection and spoofing, amplification enables massive bandwidth attacks with minimal input.

Botnets

Botnets are large networks of compromised systems (zombies) that can be remotely controlled. These include personal computers, servers, and increasingly, poorly secured IoT devices. Botnets allow attackers to launch coordinated floods from many sources, bypassing per-source rate limits and overwhelming even robust infrastructures.

3. Categories of DDoS Attacks

Volumetric Attacks

Volumetric attacks seek to saturate the target’s Internet bandwidth by overwhelming it with high volumes of data. Examples include UDP floods, ICMP floods, and TCP floods. These attacks are measured in bits per second (bps).

Packet-per-Second Attacks

These attacks are focused on overwhelming routers and firewalls by sending a large number of packets per second. High PPS attacks exploit the inability of devices to process traffic fast enough, exhausting packet buffers and causing dropped packets.

Application-Layer Loops

Application-layer attacks target specific applications (e.g., HTTP servers) or protocols. Some DDoS variants use malformed packets or manipulate services like TFTP or DNS to create infinite loops of responses, causing servers to become trapped in a feedback cycle.

4. Reflection and Amplification in Depth

Reflection attacks exploit the trust in public UDP services. Attackers send requests to servers like DNS or NTP with the victim’s IP address as the source. The server sends its response to the victim, allowing the attacker to stay anonymous while the victim bears the traffic.

Amplification is measured by the ratio of response size to request size. Services with large amplification factors can be devastating in DDoS attacks.

Protocol        Amplification Factor   Notes
Memcached       Up to 51,200x          Massive amplification when exposed to the Internet.
NTP (monlist)   556x                   Returns the IP addresses of prior clients.
DNS             50–179x                ANY queries can return many records.
CLDAP           56–70x                 Connectionless LDAP, exposed by Windows domain controllers for AD queries.
DTLS            37x                    Exploited when misconfigured to respond to small pings.
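As an added example (not part of the original notes), the following Python flags inbound UDP traffic from well-known reflector ports that no request from the monitored host explains, and uses the table's peak factors to estimate how little spoofed traffic the attacker needed. The flow records, addresses and the monitored host are constructed.

```python
"""Flag inbound UDP traffic that looks like reflected amplification.
Added example, not from the original notes: flow records are constructed,
amplification factors come from the table above."""
from collections import defaultdict

# UDP services commonly abused as reflectors: port -> (name, peak amplification factor)
AMPLIFIERS = {
    11211: ("memcached", 51200),
    123:   ("ntp", 556),
    53:    ("dns", 179),
    389:   ("cldap", 70),
}
FACTOR_BY_NAME = {name: factor for name, factor in AMPLIFIERS.values()}

# Constructed flow records seen at the monitored host 198.51.100.10:
# (direction, src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("out", "198.51.100.10", 40001, "192.0.2.53", 53, "udp", 60),
    ("in",  "192.0.2.53", 53, "198.51.100.10", 40001, "udp", 512),      # answer we asked for
    ("in",  "203.0.113.7", 11211, "198.51.100.10", 9001, "udp", 1400),  # unsolicited memcached
    ("in",  "203.0.113.7", 11211, "198.51.100.10", 9001, "udp", 1400),
    ("in",  "203.0.113.9", 123, "198.51.100.10", 9002, "udp", 468),     # unsolicited NTP
    ("in",  "203.0.113.9", 123, "198.51.100.10", 9002, "udp", 468),
    ("in",  "192.0.2.80", 443, "198.51.100.10", 50000, "tcp", 1500),    # TCP, not a UDP reflector
]

def find_unsolicited(flows):
    """Per-service totals for inbound UDP packets from amplifier ports with no matching outbound request."""
    expected_replies = set()
    for d, sip, sport, dip, dport, proto, _ in flows:
        if d == "out" and proto == "udp":
            expected_replies.add((dip, dport, sip, sport))  # 4-tuple a genuine reply would carry
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for d, sip, sport, dip, dport, proto, size in flows:
        if d != "in" or proto != "udp" or sport not in AMPLIFIERS:
            continue
        if (sip, sport, dip, dport) in expected_replies:
            continue                                         # solicited: we sent the request
        s = stats[AMPLIFIERS[sport][0]]
        s["packets"] += 1
        s["bytes"] += size
        s["reflectors"].add(sip)
    return dict(stats)

def estimate_attacker_bytes(stats):
    """Lower-bound estimate of the spoofed request bytes behind each service's unsolicited traffic."""
    return {name: s["bytes"] / FACTOR_BY_NAME[name] for name, s in stats.items()}

if __name__ == "__main__":
    print(find_unsolicited(FLOWS), estimate_attacker_bytes(find_unsolicited(FLOWS)))
```

The 4-tuple check carries the logic: a genuine reply always matches a request the host sent, while reflected traffic never does, whatever reflector port it arrives from.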

5. Botnets and C&C Infrastructure

A botnet is controlled via a Command & Control (C&C) system. The controller issues commands to the bots, which may be located in diverse geographic locations. Many well-known botnets like Mirai leverage insecure IoT devices and use common services like IRC, HTTP, or custom TCP protocols for coordination.

Modern botnets use stealthy techniques to evade detection:

  • DNS Tunneling: Encodes command data in domain lookups or responses.
  • DGAs (Domain Generation Algorithms): Bots algorithmically create domains, making takedown difficult.
  • Fast-Flux Networks: Rotate DNS records rapidly to evade blacklists.
  • Encrypted C&C: Use of HTTPS or custom encryption hides payloads within standard traffic.

These methods allow botnets to persist, reconstitute after takedown attempts, and avoid intrusion detection systems.

6. Real-World Incidents and Trends

Year   Peak Volume   Description
2018   1.7 Tbps      Memcached-based attack targeting GitHub.
2020   2.3 Tbps      CLDAP-based DDoS mitigated by AWS Shield.
2022   3.47 Tbps     Microsoft Azure blocked spoof-based UDP flood.
2023   398M RPS      Google Cloud faced largest Layer 7 attack via HTTPS.
2024   5.6 Tbps      IoT botnet targeted telecom and finance sectors.
2025   6.5 Tbps      Eleven11bot (Mirai variant) led record DDoS campaign.

Trends show DDoS volume, speed, and frequency all increasing. IoT vulnerabilities and cloud hosting abuse are central to these developments. The market for DDoS-as-a-Service continues to lower the bar for attackers.

7. Defenses Against DDoS

Network-Level Techniques

  • Overprovisioning: Mitigates short bursts but not sustained attacks.
  • Rate Limiting: Controls traffic volume from individual sources.
  • Traffic Shaping: Prioritizes essential or low-risk traffic.
  • Blackhole Routing: Used to drop all traffic to a target IP under siege.
  • Geo-IP Filtering: Limits access from geographic regions known for abuse.
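One way to implement the per-source rate limiting listed above, as an added example that is not part of the original notes: a token bucket per source IP whose state table is bounded, because an unbounded table of flooding sources would itself be a resource-exhaustion target. Rates, burst sizes and traffic are constructed; integer milli-tokens and millisecond timestamps keep the arithmetic exact.

```python
"""Per-source token-bucket rate limiter with bounded state.
Added example, not from the original notes: one way to implement the "Rate Limiting"
defense above. Parameters and traffic are constructed; integer milli-tokens and
millisecond timestamps keep the arithmetic exact."""
from collections import OrderedDict

COST = 1000  # milli-tokens charged per request


class SourceRateLimiter:
    def __init__(self, rate_per_sec, burst, max_sources=100_000):
        self.refill_per_ms = rate_per_sec    # N req/s == N milli-tokens per ms
        self.capacity = burst * COST         # largest burst a quiet source may send at once
        self.max_sources = max_sources       # bound memory so the limiter is not itself a DoS target
        self.buckets = OrderedDict()         # src -> (tokens, last_seen_ms), least recent first

    def allow(self, src, now_ms):
        tokens, last = self.buckets.pop(src, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.refill_per_ms)
        allowed = tokens >= COST
        if allowed:
            tokens -= COST
        self.buckets[src] = (tokens, now_ms)  # re-insert as most recently seen
        while len(self.buckets) > self.max_sources:
            self.buckets.popitem(last=False)  # evict the least recently seen source
        return allowed


def simulate(limiter, events):
    """events: (timestamp_ms, src) pairs in time order -> {src: (allowed, dropped)}."""
    counts = {}
    for t, src in events:
        allowed, dropped = counts.get(src, (0, 0))
        if limiter.allow(src, t):
            allowed += 1
        else:
            dropped += 1
        counts[src] = (allowed, dropped)
    return counts


# Constructed traffic over 10 s: a normal client at 2 req/s and a bot at 100 req/s
EVENTS = sorted([(i * 500, "198.51.100.20") for i in range(20)] +
                [(i * 10, "203.0.113.66") for i in range(1000)])

if __name__ == "__main__":
    for src, (ok, drop) in simulate(SourceRateLimiter(rate_per_sec=5, burst=10), EVENTS).items():
        print(f"{src}: {ok} allowed, {drop} dropped")
```

With 5 req/s and a burst of 10, the client keeps all 20 requests while the bot gets its 10-request burst and then roughly 5 per second; eviction resets a returning source to a full bucket, so max_sources trades memory for precision against many-source floods.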

Application-Level Defenses

  • Web Application Firewalls (WAFs): Filter application-level attacks.
  • CAPTCHAs and Rate Throttling: Thwart automated bots at login or query points.
  • Content Delivery Networks (CDNs): Spread load and absorb volumetric attacks through edge caching.

Participation Controls

  • Disable Vulnerable UDP Services: Prevent servers from being reflectors.
  • Regular Patching and Configuration Audits: Fix exploitable software and harden exposed services.
  • Behavioral Monitoring: Detect abnormal traffic patterns quickly.

Example: Google Cloud Armor

Google Cloud Armor is a network security service designed to defend applications running on Google Cloud against DDoS attacks and other forms of malicious traffic. It leverages Google’s global edge infrastructure and the company’s extensive experience in mitigating large-scale attacks. Cloud Armor protects HTTP(S)-based workloads deployed behind Google Cloud’s Global External HTTP(S) Load Balancer and applies security policies close to the edge of Google’s network, significantly reducing the impact of volumetric attacks before traffic reaches the backend services.

At the core of Cloud Armor’s DDoS protection is a combination of traffic filtering, rate limiting, protocol enforcement, and edge-based traffic scrubbing. Incoming requests are evaluated against customizable security policies defined using rules that inspect HTTP headers, request methods, URI paths, query parameters, and even geolocation or IP reputation data. For instance, administrators can write rules that enforce allowlists or denylists based on IP subnets or block suspicious request patterns such as known bot signatures or common reconnaissance probes.

Cloud Armor integrates with Google’s global load balancers, which distribute traffic across hundreds of edge locations worldwide. This architecture enables early detection and absorption of high-volume attacks. For volumetric layer-3/layer-4 attacks (such as UDP floods or SYN floods), Google automatically redirects traffic to its DDoS scrubbing centers before it hits customer infrastructure.

What’s a scrubbing center?

A scrubbing center is a facility that filters suspicious network traffic. It inspects incoming traffic to identify potentially malicious packets, which can then be redirected to an isolated environment where they are further examined and logged.

These centers drop invalid packets using stateless filters and protocol validation before allowing clean traffic to proceed. For application-layer (Layer 7) attacks, Cloud Armor uses heuristics and machine learning to detect abnormal request patterns, such as HTTP floods. It can also enforce rate-based rules, dynamically throttling requests based on IP or other attributes.

To enhance resilience, Cloud Armor includes adaptive protection, a machine-learning-based system that detects and mitigates application-layer DDoS attacks in real time. Adaptive protection profiles application traffic behavior over time and alerts administrators or automatically blocks anomalous patterns indicative of an attack.

Project Shield

Project Shield is a separate but related initiative by Google, aimed at providing free DDoS protection to independent news organizations, human rights groups, and election monitoring services. Its goal is to protect access to information by defending vulnerable websites from censorship by DDoS. Project Shield runs on the same Google infrastructure as Cloud Armor and offers similar protections.

Unlike Cloud Armor, which is a commercial service integrated with Google Cloud, Project Shield is offered free of charge to qualifying organizations and can be used even by those not hosted on Google Cloud.

Like content delivery networks (CDN), the service uses a reverse proxy. Administrators configure the DNS data for their services to point to Google’s global load-balanced servers, which receive traffic on behalf of the service and forward safe traffic to the actual service.

Google’s vast network can absorb large-scale volumetric attacks. The service filters harmful traffic through custom rate limits and identifies malicious requests. Project Shield can also function as a protective content delivery network (CDN) by caching site content and serving cached versions, reducing traffic volume to the actual server.

8. Conclusion

DDoS attacks are a major threat in modern cybersecurity. Their ability to exploit asymmetries in network architecture, abuse open services, and employ massive distributed infrastructures makes them formidable. Effective defense is challenging and requires a multi-layered strategy, continual monitoring, and the cooperation of ISPs, service providers, and endpoint operators.

Last modified May 21, 2025.