A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.
$150
can buy a week-long DDoS attack on the black market. TrendMicro Research
More than 2000
daily DDoS Attacks are observed world-wide by Arbor Networks. ATLAS Threat Report
1/3
of all downtime incidents are attributed to DDoS attacks. Verisign/Merril Research
Building Capacity
Attackers build networks of infected computers, known as 'botnets', by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners' knowledge, and used like an army to launch an attack against any target. Some botnets are millions of machines strong.
Launching Attacks
Botnets can generate huge floods of traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, or having computers send the victim huge amounts of random data to use up the target’s bandwidth. Some attacks are so big they can max out a country's international cable capacity.
Selling Silence
Specialized online marketplaces exist to buy and sell botnets or individual DDoS attacks. Using these underground markets, anyone can pay a nominal fee to silence websites they disagree with or disrupt an organization’s online operations. A week-long DDoS attack, capable of taking a small organization offline can cost as little as $150.
Exploring the Data
The Digital Attack Map displays global DDoS activity on any given day. Attacks are displayed as dotted lines, scaled to size, and placed according to the source and destination countries of the attack traffic when known. Some features include:
- Use the histogram at the bottom of the map to explore historical data.
- Select a country to view DDoS activity to or from that country.
- Use the color option to view attacks by class, duration, or source/destination port.
- Use the news section to find online reports of attack activity from a specified time.
- View the gallery to explore some examples of days with notable DDoS attacks.
Types of Attacks
DDoS attacks come in many different forms, from Smurfs to Teardrops, to Pings of Death. Below are details about the types of attacks and amplification methods found on the map:
Attack Class: Four common categories of attacks
TCP Connection Attacks - Occupying connections
These attempt to use up all the available connections to infrastructure devices such as load-balancers, firewalls and application servers. Even devices capable of maintaining state on millions of connections can be taken down by these attacks. Learn more...
Volumetric Attacks - Using up bandwidth
These attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion. Learn more...
Fragmentation Attacks - Pieces of packets
These send a flood of TCP or UDP fragments to a victim, overwhelming the victim's ability to re-assemble the streams and severely reducing performance. Learn more...
Application Attacks - Targeting applications
These attempt to overwhelm a specific aspect of an application or service and can be effective even with very few attacking machines generating a low traffic rate (making them difficult to detect and mitigate). Learn more...
Amplification: Two ways attacks can multiply traffic they can send.
DNS Reflection - Small request, big reply.
By forging a victim's IP address, an attacker can send small requests to a DNS server and ask it to send the victim a large reply. This allows the attacker to have every request from its botnet amplified as much as 70x in size, making it much easier to overwhelm the target. Learn more...
Chargen Reflection - Steady streams of text
Most computers and internet connected printers support an outdated testing service called Chargen, which allows someone to ask a device to reply with a stream of random characters. Chargen can be used as a means for amplifying attacks similar to DNS attacks above Learn more...