DDoS Attacks: What They Are, How They Work, and How to Protect Against Them

Discover what a DDoS (Distributed Denial of Service) attack is, how it works, and which strategies can mitigate and prevent this type of threat. Learn how to protect your infrastructure with monitoring and early detection tools like Pandora FMS.

Introduction

A DDoS attack (Distributed Denial of Service) takes place when a cybercriminal, using zombie devices or botnets, launches mass and successive requests to an IP address (for example, targeting a server, service, or network) with the intention of overloading and crashing it.
The consequences of these attacks on companies and online services are significant, as IT systems and services become inaccessible, preventing access to data or other business resources. The impact is seen in business continuity (due to the lack of access to critical services and loss of productivity), high repair costs, and severe damage to reputation. According to the ENISA Threat Landscape 2024 report, DDoS attacks rank as the number one cyber threat faced by organizations.

How Does a DDoS Attack Work?

To understand how a DDoS attack is carried out, let us refer to Figure 1, where the cybercriminal (1) prepares the attack by infecting devices (endpoints such as smartphones, computers, laptops, servers, or IoT devices) with malware to turn them into zombies or bots (2). These bots form a botnet, a network of compromised devices (3) remotely controlled by the cybercriminal. Additionally, the attacker may use IP spoofing, a technique in which the source IP address is falsified to impersonate a legitimate user and mask the true origin of the attack. Both botnets and IP spoofing serve to generate malicious traffic. Multiple false requests (4) are launched simultaneously at the same target (5) to overwhelm it, exhausting its bandwidth, CPU capacity, or memory. This traffic flood causes latency or makes it completely impossible for legitimate users (6) to access the affected network or IT services.

Figure 1 – Diagram of a DDoS Attack

Most Common Types of DDoS Attacks

To understand what you and your team might face, it is essential to know the different types of DDoS attacks:

  • Volumetric attacks
    Volumetric attacks consume bandwidth resources by generating a high volume of traffic, preventing legitimate users from accessing the target system. These attacks often include DNS amplification (Domain Name System), where the attacker sends DNS requests for large amounts of data with the target’s IP address forged as the source, so that the much larger replies are all delivered to the target, resulting in overload. Here are some examples:

    • In a SYN flood attack, the attacker sends multiple SYN packets to the server but never completes the handshake by sending the final packet. As a result, these open connections continue to consume server resources.
    • In a UDP flood, the attacker sends a massive volume of UDP packets to random ports on the target server. The server tries to process each request and, when it doesn’t find an application listening on those ports, it responds with a “destination unreachable” message. This process can saturate bandwidth, rendering the server unstable or completely inoperable.
    • In an ICMP Flood attack, multiple ICMP echo request packets (pings) are sent to the target server. Each request forces the server to process and respond with an echo reply. Over time, this can overwhelm the server, consuming processing power and bandwidth, and ultimately denying access to legitimate users.
  • Protocol Attacks
    Protocol attacks target network resources by overwhelming firewalls or load balancers, earning them the name state exhaustion attacks. For instance, an attacker may manipulate the three-way TCP handshake until network resources are fully consumed, preventing other devices from establishing new connections. Here are some common examples:

    • DNS Amplification Attack: Attackers exploit vulnerable DNS servers to send UDP packets with spoofed IP addresses. This tactic can result in blocking legitimate traffic, disrupting service availability.
    • Smurf Attack: This method abuses the Internet Control Message Protocol (ICMP) by sending large volumes of ICMP packets with a spoofed source IP address (belonging to the victim) to the corporate network. This leads to network slowdowns or service outages by overwhelming system capacity.
    • Reflection Attack: Cybercriminals exploit servers that respond to requests without adequately verifying the source address. According to NIST, these attacks are particularly problematic because they rely on the ability of an infected host or a spoofed source address to direct requests to powerful internet servers (like DNS servers). By setting the victim’s IP address as the source, attackers can amplify and redirect traffic back to the victim, effectively weaponizing the Internet’s infrastructure against itself.
  • Application Layer Attacks
    Also known as Layer 7 attacks, these target the “application layer” of the OSI model (Open Systems Interconnection). Unlike other DDoS attacks that focus on overwhelming the network with traffic, these attacks target specific functions or features of a web application or service.

    • Slowloris Attack: The goal here is to keep multiple partial HTTP connections open with the target server for as long as possible, ultimately exhausting server resources. Attackers achieve this by continuously sending incomplete headers, preventing the server from closing these connections due to timeout limits.
    • Ping of Death Attack: In this scenario, attackers send a ping request of 65,536 bytes, which exceeds the maximum size allowed in an IP packet. Although TCP/IP protocols allow packet fragmentation into smaller segments that are later reassembled, this attack exploits the system by sending fragmented packets that, once reassembled, exceed the allowed byte limit. This causes a buffer overflow on the target operating system, potentially leading to system crashes and service disruptions.
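As an added illustration (not code from the original article or from Pandora FMS), the following Python script applies the distinguishing traits described in the list above to a constructed set of packet records and labels each destination with the attack pattern it shows: SYN-only packets far outnumbering handshake-completing ACKs, UDP packets spread across many destination ports, a burst of ICMP echo requests, and a stream of large replies from port 53 (DNS amplification). The packet format, the IP addresses, and all thresholds are assumptions; in practice the records would come from NetFlow/sFlow exports or a packet capture, and the thresholds would be set from your own baseline.

```python
"""Per-destination traffic-pattern detector for the DDoS types listed above.
Constructed example: the packet records are synthetic and thresholds are assumed."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flags ("S", "SA", "A") or ICMP type ("echo-request")
    size: int = 64    # bytes on the wire


# Assumed thresholds for one observation window; tune against your own baseline.
SYN_MIN, SYN_ACK_RATIO = 50, 5      # SYN-only packets vs. handshake-completing ACKs
UDP_MIN, UDP_PORT_SPREAD = 100, 50  # UDP packets vs. distinct destination ports hit
ICMP_MIN = 100                      # echo requests per window
DNS_MIN, DNS_AVG_BYTES = 20, 1000   # replies from port 53 and their mean size


def detect(packets):
    """Return {destination IP: [labels]} for destinations showing an attack pattern."""
    st = defaultdict(lambda: {"syn": 0, "ack": 0, "udp": 0, "udp_ports": set(),
                              "icmp": 0, "dns_n": 0, "dns_bytes": 0})
    for p in packets:
        s = st[p.dst]
        if p.proto == "tcp":
            if p.flags == "S":
                s["syn"] += 1            # half-open attempt: consumes backlog until it times out
            elif p.flags == "A":
                s["ack"] += 1            # third step of a genuine handshake
        elif p.proto == "udp":
            s["udp"] += 1
            s["udp_ports"].add(p.dport)
            if p.sport == 53:            # reply from a resolver: amplification candidate
                s["dns_n"] += 1
                s["dns_bytes"] += p.size
        elif p.proto == "icmp" and p.flags == "echo-request":
            s["icmp"] += 1

    findings = {}
    for dst, s in st.items():
        labels = []
        # SYN flood: judged by ratio, since a busy healthy server also sees many SYNs
        if s["syn"] >= SYN_MIN and s["syn"] > SYN_ACK_RATIO * s["ack"]:
            labels.append("syn_flood")
        # UDP flood: volume plus a wide spread of (mostly closed) destination ports
        if s["udp"] >= UDP_MIN and len(s["udp_ports"]) >= UDP_PORT_SPREAD:
            labels.append("udp_flood")
        if s["icmp"] >= ICMP_MIN:
            labels.append("icmp_flood")
        # DNS amplification: many replies from port 53 whose mean size is far above normal
        if s["dns_n"] >= DNS_MIN and s["dns_bytes"] / s["dns_n"] >= DNS_AVG_BYTES:
            labels.append("dns_amplification")
        if labels:
            findings[dst] = labels
    return findings


def sample_traffic(seed=1):
    """Constructed capture: legitimate traffic plus four attack patterns (addresses invented)."""
    rng = random.Random(seed)
    pk = []
    web = "10.0.0.5"
    for i in range(30):                  # 30 genuine three-way handshakes to the web server
        c, sp = f"192.0.2.{i + 1}", 40000 + i
        pk += [Packet(c, web, "tcp", sp, 443, "S"),
               Packet(web, c, "tcp", 443, sp, "SA"),
               Packet(c, web, "tcp", sp, 443, "A")]
    for _ in range(400):                 # SYN flood from spoofed sources, never completed
        pk.append(Packet(f"198.51.100.{rng.randrange(1, 255)}", web, "tcp",
                         rng.randrange(1024, 65535), 443, "S"))
    for _ in range(300):                 # UDP flood to random ports on 10.0.0.6
        pk.append(Packet("203.0.113.9", "10.0.0.6", "udp",
                         rng.randrange(1024, 65535), rng.randrange(1, 65535)))
    for _ in range(250):                 # ICMP flood to 10.0.0.8
        pk.append(Packet(f"203.0.113.{rng.randrange(1, 255)}", "10.0.0.8", "icmp",
                         flags="echo-request"))
    for i in range(60):                  # 60 open resolvers answering spoofed queries "from" 10.0.0.7
        pk.append(Packet(f"198.18.0.{i + 1}", "10.0.0.7", "udp", 53,
                         rng.randrange(1024, 65535), size=3000))
    for i in range(5):                   # a client receiving five ordinary DNS answers
        pk.append(Packet("10.0.0.53", "10.0.0.20", "udp", 53, 50000 + i, size=120))
    rng.shuffle(pk)
    return pk


if __name__ == "__main__":
    for dst, labels in sorted(detect(sample_traffic()).items()):
        print(dst, ", ".join(labels))
```

The SYN check compares SYNs with the client ACKs that close a real handshake rather than counting SYNs alone, because the distinguishing sign of the flood is the handshake that never completes. The DNS check keys on source port 53 and mean reply size, since an ordinary resolver answer is a few hundred bytes while amplified responses run into the kilobytes. Slowloris, being a Layer 7 pattern, is not visible at this level and needs the web server's connection table instead.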

Impact of a DDoS Attack on IT Infrastructure

Now that you understand the types of DDoS attacks, it’s important to recognize how they can impact your organization:

  • Resource Overload and Service Availability: Key resources such as bandwidth, CPU capacity, and memory can become overwhelmed by malicious traffic targeting networks, servers, or critical services, resulting in a service outage.
  • Service Disruption: Overloaded servers may be unable to process legitimate requests, leading to downtime and a halt in critical business operations.
  • Revenue Loss: Particularly for organizations where online services are at the core of their business, a service interruption can result in direct financial loss by preventing customer transactions or responses. Even latency can lead to a poor customer experience and potential loss of business.
  • High Mitigation and Recovery Costs: Addressing an attack can involve significant expenses, including the implementation of additional security measures and payment of fines for any regulatory non-compliance.
  • Reputational Risks: In an era where customers are highly aware of how their information is handled, a security breach or service downtime can damage trust and portray the organization as unreliable.

Some Statistics on the Impact of DDoS Attacks on Organizations, According to the 2024 DDoS Attack Trends Report by F5 Labs:

  • Incident frequency is directly proportional to the number of clients in a given region. Regardless of an organization’s headquarters location or its IPv4 address, attackers do not respect geographic boundaries.
  • Due to their ease of execution, DDoS attacks have doubled year over year, increasing from 1,000 attacks in 2022 to over 2,100 in 2023.
  • On average, companies have faced at least one DDoS attack per month.
  • The organization that suffered the most attacks (187 during 2023) belonged to the Support Services sector.

Strategies for Protecting and Mitigating DDoS Attacks

To safeguard users and organizations from DDoS attacks, INCIBE recommends first implementing security layers within the network infrastructure, as it serves as the entry point to IT services. For instance, if an organization provides online services, it is crucial to install a router between the network and the Internet service provider (ISP). This router should be configured with security layers, such as an Access Control List (ACL) to control network access based on user IPs, or firewall rules. In many cases the ISP provides the router, but not always, and some ISP routers do not allow customized security configurations; in that case an internal router acting as a firewall should be installed within the organization’s network to enforce security policies.

For organizations whose online services are hosted on external servers (hosting, VPS, or dedicated servers), a virtual router should be deployed between the network and the ISP; this can be configured through server services or the provider’s control panels. It is also important to review the security measures and standards the ISP applies across its entire network to ensure proper protection.

Another essential recommendation is to implement a Content Delivery Network (CDN), especially for organizations with geographically dispersed services and a high volume of requests.
An additional strategy is the deployment of a reverse proxy towards multiple servers that contain exact copies of the services. This helps balance the number of incoming requests to each server, avoiding potential overload on a single node.

Figure 2 – DDoS Mitigation

Additionally, the following is recommended:

  • In addition to firewalls as the first line of defense for filtering incoming traffic and blocking malicious traffic, intrusion detection and prevention systems (IDS/IPS) should be used to monitor network traffic for suspicious activity and take measures to block attacks in real time.
  • Consider that DDoS mitigation systems can handle large volumes of malicious traffic and protect the infrastructure, such as cloud mitigation (e.g., Cloudflare, AWS Shield) to absorb and filter DDoS traffic before it reaches the target network; Content Delivery Networks (CDN) to balance the load across multiple servers; and auto-scaling to manage traffic spikes during an attack.
  • Remember that implementing network monitoring and traffic analysis is fundamental to detecting abnormal patterns. Monitoring provides continuous and real-time visibility of network traffic, allowing you and your team to implement early detection of unusual behaviors that could indicate an impending DDoS attack. Traffic analysis also helps understand data flows and potential security gaps.
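As an added example (not from the article or from the Pandora FMS product), here is one way to turn the monitoring advice above into a concrete alert rule: a per-minute request counter is compared with a robust baseline (median and median absolute deviation of recent clean samples), and an alert fires only when several consecutive samples exceed the threshold. The series, window size, multiplier and sustain count are assumptions to be tuned per environment.

```python
"""Baseline-and-deviation alerting on a per-minute request counter.
Constructed example: the series is synthetic and the tuning values are assumed."""
import random
from statistics import median


def robust_baseline(history):
    """Median and MAD (median absolute deviation) of a sample; robust to a few huge values."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def find_anomalies(series, window=30, k=6.0, min_ratio=2.0, sustain=3):
    """Return the indices at which a run of `sustain` consecutive anomalous samples begins.

    window    trailing clean samples that form the baseline (first `window` samples are
              assumed clean as warm-up)
    k         how many MADs above the median counts as anomalous
    min_ratio also require value >= min_ratio * median, so a tiny MAD on a flat
              series cannot turn ordinary jitter into alerts
    sustain   consecutive anomalous samples required before alerting
    """
    clean = list(series[:window])
    alerts, streak = [], 0
    for i in range(window, len(series)):
        med, mad = robust_baseline(clean[-window:])
        threshold = max(med + k * max(mad, 1.0), min_ratio * med)
        if series[i] > threshold:
            streak += 1
            if streak == sustain:
                alerts.append(i - sustain + 1)   # report the first sample of the run
        else:
            streak = 0
            clean.append(series[i])              # only unflagged samples move the baseline
    return alerts


def sample_series(seed=7):
    """Constructed 80-minute series of requests per minute (assumed values)."""
    rng = random.Random(seed)
    s = [100 + rng.randint(-15, 15) for _ in range(80)]   # normal load ~100 req/min
    s[45] = 2000                                          # single spike: should not alert
    for t in range(60, 70):
        s[t] = 5000 + rng.randint(0, 500)                 # ten-minute flood: should alert once
    return s


if __name__ == "__main__":
    data = sample_series()
    for idx in find_anomalies(data):
        print(f"alert: sustained anomaly starting at minute {idx} ({data[idx]} req/min)")
```

Median and MAD are used instead of mean and standard deviation because a few enormous samples would otherwise inflate the deviation and hide the very attack being looked for, and only unflagged samples feed the baseline, so a long-running flood cannot become the new normal. The weakness is the mirror image: a low-and-slow ramp that stays under min_ratio times the median is absorbed into the baseline, which is why rate monitoring should be paired with per-pattern checks (half-open connections, port spread) rather than used alone.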

Constant updating of software and operating systems for devices and equipment is also recommended, keeping in mind that cybercrime is always on the lookout for vulnerabilities.

How Pandora FMS Helps Mitigate DDoS Attacks

Pandora FMS is a flexible and adaptable monitoring tool that can assist in mitigating DDoS attacks through several key features:

  • Real-time Traffic Monitoring. Pandora FMS provides complete visibility of the network infrastructure from a centralized and intuitive platform to detect unusual traffic patterns that could indicate a DDoS attack.
  • Event Correlation with Pandora SIEM to Detect Attack Patterns. Using tools and intrusion detection and prevention systems, malicious activities or policy violations can be detected. This information is centrally collected in the security information and event management system (Pandora SIEM), which can combine and correlate results from multiple sources and use alarm filtering to distinguish malicious activity from false alarms.
  • Automation of Responses to Anomalous Traffic Detection. Pandora FMS allows configuring real-time alerts and can immediately and automatically notify about any suspicious activity or unusual traffic spikes.
  • Integration with Advanced Monitoring Solutions. Pandora FMS integrates with Pandora SIEM and threat analysis tools, providing a robust solution to prevent attacks and enhance infrastructure security.

How Pandora FMS Complements Other Security Solutions

The threat analysis tools integrated into Pandora FMS use advanced algorithms to detect anomalies in network traffic and event logs. Leveraging cutting-edge technologies like Artificial Intelligence and Machine Learning, Pandora FMS can identify complex patterns and predict potential attacks before they occur. Additionally, advanced analytics and detailed reports can help you better understand threats and make more informed decisions.
Moreover, Pandora FMS can effectively integrate with Intrusion Detection and Prevention Systems (IDS/IPS) to enhance network security by combining security monitoring data with intrusion detection. This integration provides a comprehensive view of network security and streamlines the response of the security team. For instance, if your IDS detects an intrusion attempt, Pandora FMS receives this alert and, thanks to its event correlation capabilities, identifies that this attempt is part of a broader attack. Immediately, Pandora FMS can trigger mitigation measures, such as blocking suspicious IP addresses, and notify the security team for manual intervention. With EDR (Endpoint Detection and Response), Pandora FMS incorporates threat detection and protection capabilities across devices, providing detailed visibility on each endpoint. This is especially beneficial for companies that have adopted a BYOD (Bring Your Own Device) approach, allowing employees to use their preferred devices.

Conclusion

Malware is constantly lurking, targeting both individuals and companies and seeking even the slightest vulnerability in devices, networks, and applications; the devices it compromises can subsequently be used to launch DDoS attacks. These attacks persist across all industries and regions year after year. Whether volumetric, protocol-based, or aimed at the application layer, a DDoS attack will attempt to overwhelm networks and IT services, impacting productivity, business continuity, and reputation. Keep in mind that there are platforms and technological tools that, when integrated, like Pandora FMS and Pandora SIEM, become robust and resilient against DDoS attacks. These solutions enable a proactive strategy that detects attacks immediately and, in the event of an incident, minimizes downtime and preserves business continuity, avoiding greater financial losses and reputational damage.
Discover how Pandora FMS’s security and IT management solutions can help you implement a comprehensive and proactive security strategy – request your trial today.
