Learning Objectives
  • Describe the process involved in a distributed denial of service attack.
  • Explain why many attacking devices make the attack distributed.
  • Explain how excessive traffic prevents legitimate access.
  • Distinguish DDoS from hacking and malware while recognising possible links.
Key Terms
Distributed denial of service
An attack in which many devices generate excessive traffic or requests to make a service unavailable.
DDoS
The abbreviation for distributed denial of service.
Traffic
Data and requests moving through a network or reaching a service.
Availability
The ability of authorised users to access a system or service when required.
Compromised device
A device controlled or used by an attacker without the owner’s intended permission.
Botnet
A group of compromised devices that can be instructed to act together.
Flood
To send such a large volume of traffic that resources become overloaded.
Legitimate user
An authorised person attempting to use the service normally.
Summary diagram
Summary Of The Main Ideas In This Lesson
The Core DDoS Process

A distributed denial of service attack uses many devices to send a very large number of requests or a large volume of traffic towards a target. The target can be a website, server or online service.

The target has limited processing capacity, memory, connection capacity or bandwidth. When attack traffic consumes these resources, requests from legitimate users are delayed or cannot be served. The intended result is denial of service: the service becomes unavailable or severely degraded.

The word distributed is important. The traffic comes from many devices or locations rather than from one source. This can make the attack more powerful and harder to control using a single-source block.

Compromised Devices And Coordinated Traffic

Attackers may use a collection of compromised devices. Each device sends traffic when instructed. The combined traffic can be much greater than the traffic one attacker device could generate.

The device owners may not realise their devices are participating. Malware can be used to gain control of devices, but the DDoS attack itself is the coordinated flooding of the target.

Candidates should distinguish the infection stage from the service attack. Malware may create or control the attacking devices; the DDoS process is the flood that harms availability.

Aim And Impact

The main aim is to prevent legitimate users from accessing the service. The attack targets availability rather than necessarily stealing or altering data.

A service under attack may respond very slowly, reject connections or stop responding. This can interrupt communication, online sales or access to information. The exact impact should be linked to the scenario in the question.

Distinguishing DDoS From Other Threats

Hacking concerns unauthorised access. A DDoS attack can prevent access without the attacker logging into the target. Data interception captures transmitted information; DDoS overwhelms the target with traffic.

A virus or worm is malware. It may help compromise devices used in an attack, but the flood of traffic is what makes the event a DDoS attack. Precise classification is therefore important.

Reducing The Threat

Firewalls and network controls can filter some unwanted traffic. Proxy servers can stand between users and an internal service and can help control requests. Keeping systems updated reduces the chance that devices are compromised and used in attacks.

No single syllabus solution should be described as guaranteeing prevention of every DDoS attack. Explanations should state how the measure helps, such as filtering suspicious requests or reducing compromised devices.

DDoS Sequence
Stage What Happens
1 Many attacking or compromised devices are coordinated
2 The devices send excessive traffic or requests
3 The target’s resources or connection capacity become overloaded
4 Legitimate requests are delayed, rejected or unanswered
5 The service becomes unavailable or severely degraded
Worked Examples
Recognising A DDoS Attack

Question: Thousands of compromised devices repeatedly request the same online service until genuine users cannot connect. Identify and explain the attack.

  1. Identify that many devices are involved.
  2. Identify that excessive requests are flooding the target.
  3. Identify the effect on genuine users.

Answer: It is a distributed denial of service attack. Many devices flood the service with requests, consume its resources and make it unavailable to legitimate users.

Distinguishing DDoS And Hacking

Question: Why is a DDoS attack not necessarily the same as hacking the target server?

  1. Define the essential action in hacking.
  2. Define the essential action in DDoS.

Answer: Hacking requires unauthorised access to the system. A DDoS attack can deny service by overwhelming the server with traffic without gaining such access.

Examination Guidance
  • Include many devices, excessive traffic and denial of legitimate access in a full description.
  • Explain distributed rather than simply expanding the abbreviation.
  • Connect DDoS to availability.
  • Do not claim that the main purpose is always to steal data.
Common Mistakes
  • Describing DDoS as one user refreshing a page once.
  • Omitting the effect on legitimate users.
  • Saying the target must be infected with a virus.
  • Confusing denial of service with unauthorised access.
Knowledge Check

1. What makes a DDoS attack distributed?

Answer: Traffic or requests come from many devices or sources.

2. What is the main aim of a DDoS attack?

Answer: To make a service unavailable or severely degraded for legitimate users.

3. Which security property is mainly affected?

Answer: Availability.

4. Why can compromised devices be useful to an attacker?

Answer: Their combined traffic can overwhelm the target and may come from many different sources.

5. Does a DDoS attack necessarily require access to the target account?

Answer: No. The target can be overwhelmed without the attacker authenticating to it.