Distributed denial-of-service attacks (DDoS) are devastating and, unfortunately, they're also on the rise. In 2022, Microsoft reported that an average of 1,435 attacks per day called for mitigation, with a shocking maximum of over 2,200 attacks reached on a single day. Similarly, Kaspersky reported an average of 923 daily attacks during Q3 of 2022.
To make matters worse, DDoS attacks are becoming more intense and more difficult to mitigate. An especially noteworthy attack in February of 2023 led to peak traffic exceeding 900 gigabits per second.
While this is just one of many types of cyberattacks that can harm your website and cause long-lasting problems for your organization, it's definitely one of the most worrisome, especially as attackers' techniques and targets evolve.
As DDoS attacks increase in severity, it is even more important to recognize the warning signs — and to implement the strongest and most cutting-edge solutions. To help, we've highlighted the main signs and symptoms that will help you answer an important question: Am I being DDOS-ed?
A distributed denial-of-service (DDoS) attack centers around flooding servers with illegitimate traffic. During these attacks, threat actors take advantage of everyday operations, exploiting them to cause trouble for ISPs, network devices, servers, and the users who rely on them.
This type of attack can wreak havoc on internet service providers, ordinary web users, and the websites that serve them.
This strategy should not be confused with standard denial-of-service attacks. Both are problematic, of course, but traditional denial-of-service (DoS) is inherently limited in scope, as its illegitimate requests come from a single source. With distributed denial-of-service, however, malicious parties harness the power of volume. These threat actors utilize a variety of resources, relying on sheer numbers (plus remote locations) to distribute each attack.
During DDoS attacks, malicious players aim to manipulate network traffic, services, or equipment, such as modems, routers, and caching servers. Many attacks involve a large number of HTTP requests, often unleashed by legions of botnets.
Frequently referred to as zombie armies, these botnets make it exceptionally difficult for hosting providers to distinguish legitimate users from malicious threats. Meanwhile, unsuspecting users have no idea that their devices are taking part, especially now that IoT devices are increasingly drawn into these attacks.
DDoS attacks can take many forms, varying not only in their use of botnets but also in terms of length and intensity. The purpose of these attacks is also beginning to evolve; while the main goal is still to disable servers and cripple functionality, many threat actors now regard DDoS as a prime opportunity to test websites' defenses. Hence, the surprising decrease in the typical length of a DDoS attack.
According to Microsoft, 89 percent of attacks carried out in 2022 lasted less than one hour — and over one-quarter of these attacks were completed within a mere one or two minutes. Brevity doesn't make these attacks any less damaging, however, and, if anything, reveals the need for sophisticated detection and mitigation strategies that can be deployed instantaneously.
Today's most common types of attacks include:
Volume-based. When you imagine the 'typical' DDoS attack, a volume-based effort is probably what comes to mind. This common strategy uses high traffic volumes to overwhelm bandwidth and servers, until the targeted website crashes.
Protocol. Primarily intended to disable website resources (such as load balancers and firewalls), these attacks leverage known weaknesses to harm processing capacity and, ultimately, cause significant service disruptions. The TCP SYN flood is a common example: it overwhelms targets with TCP SYN requests until they become unresponsive.
Application. As today's most sophisticated attacks, application strategies are notoriously stealthy. Talented hackers target the application layer with seemingly legitimate traffic that hogs server resources.
DDoS attacks can be difficult to prevent, in part because they take so many forms — and because hackers are increasingly stealthy. Despite this, effective mitigation is far from impossible. It begins with an awareness of network traffic and security vulnerabilities, along with the commitment to implementing layered security protocols. When in doubt, it's best to investigate the moment you wonder: Am I Being DDOS-ed?
Keep in mind that the signs of distributed denial-of-service may sometimes reflect other cybersecurity concerns or even ordinary fluctuations in traffic. Still, the following issues should be cause for alarm, particularly if several of them appear to plague your internet connection simultaneously:
Traffic logs are one of the first resources worth investigating when you suspect that you've been targeted in a DDoS attack. While legitimate traffic naturally ebbs and flows throughout the year and even on a daily or hourly basis, sudden traffic spikes are one of the key markers of DDoS. After all, traffic is built into the goal: overload the system to render it unusable.
The amount of traffic isn't necessarily as telling as when and how that traffic arrives. Often, DDoS attacks involve surprising spikes during off-peak hours, with the frequency of these peaks also diverging from typical patterns.
Keep an eye out for unusual redirection patterns. Traffic could be redirected to specific endpoints, showing clear similarities in terms of geolocation or browser version. Traditionally, high traffic from specific IP addresses has been cause for alarm, although today's stealthiest attacks are often able to bypass this warning sign.
In addition to general increases in traffic, DDoS attacks may prompt a dramatic rise in the number of requests that failed to produce a successful login. This may be indicative of a brute force attack on the login page, where the same action is repeated in an effort to overwhelm the server.
This problem can be easy to confuse with credential stuffing, which, while once deemed a relatively minor issue, has become much more prominent and a lot more alarming in recent years. Both strategies rely on botnets, but credential stuffing makes the most of users' tendency to recycle passwords across numerous accounts. As experts at Computer Weekly point out, however, it is entirely possible for DDoS attacks to purposefully disguise credential stuffing initiatives.
A sudden influx of error codes in the 500 range should be cause for concern. The most common are 500 codes (the server cannot handle the request, for reasons it does not specify) and 503 codes (the server is overloaded with requests). While 503 codes often accompany deliberate disruptions for website maintenance, those that accompany a DDoS attack are usually easy to recognize, because the other issues on this list will also be present.
To determine whether 500 and 503 codes are more frequent — and whether they arise from DDoS attacks — take a close look at log files. Depending on the patterns for these codes and notifications, it may become evident that an application-layer attack is underway.
Because these codes (especially 500) can be indicative of many other issues, you may need to investigate other potential causes, such as corrupt .htaccess files, poorly configured DNS servers, issues with third-party plugins, or exhausted PHP memory limits.
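As an added example (not code from the original article or from SiteLock), the Python script below applies the two log-based checks described above, a per-minute request spike measured against the median minute and a high share of 5xx responses, to constructed access-log lines in the common combined format; the spike factor and error-share thresholds are assumed values to tune against your own baseline.

```python
import re
from collections import defaultdict
from statistics import median

# Combined log format: client IP, timestamp to minute precision, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d):\d\d [^\]]+\] "[^"]*" (\d{3}) ')

def minute_stats(lines):
    """Per-minute request count, distinct client IPs and 5xx responses."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "errors": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, minute, status = m.groups()
        b = stats[minute]
        b["requests"] += 1
        b["ips"].add(ip)
        if 500 <= int(status) <= 599:
            b["errors"] += 1
    return stats

def flag_suspicious_minutes(lines, spike_factor=5.0, error_share=0.3):
    """Flag minutes at spike_factor x the median request rate, or where at
    least error_share of responses are 5xx. Thresholds are assumed values."""
    stats = minute_stats(lines)
    baseline = median(b["requests"] for b in stats.values()) if stats else 0
    flagged = {}
    for minute, b in sorted(stats.items()):
        reasons = []
        if baseline and b["requests"] >= spike_factor * baseline:
            reasons.append(f"{b['requests']} requests vs median {baseline:g}, {len(b['ips'])} distinct IPs")
        if b["errors"] / b["requests"] >= error_share:
            reasons.append(f"{b['errors']} of {b['requests']} responses were 5xx")
        if reasons:
            flagged[minute] = reasons
    return flagged

def constructed_log():
    """Constructed sample: nine quiet minutes, then a burst of 503s from many sources."""
    fmt = '{ip} - - [12/Mar/2023:03:{mm:02d}:00 +0000] "GET / HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    quiet = [fmt.format(ip="198.51.100.7", mm=m, st=200) for m in range(9) for _ in range(2)]
    burst = [fmt.format(ip=f"203.0.113.{i}", mm=9, st=503 if i % 4 else 200) for i in range(40)]
    return quiet + burst

if __name__ == "__main__":
    for minute, reasons in flag_suspicious_minutes(constructed_log()).items():
        print(minute, "; ".join(reasons))
```

On real logs, compare against a baseline taken from the same hour on previous days rather than the median of the window being inspected, since a long-running flood would otherwise raise the median itself.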
Customer dissatisfaction and reputational damage are among the most problematic effects of DDoS attacks, particularly for businesses and industries that promise exceptional service availability. As such, reports from users who are unable to access web services should be taken seriously. These may skyrocket during — and in the immediate aftermath of — each attack.
An already suspicious influx of customer reports should be especially concerning if they arise from several geographic locations, as this could reflect the distributed nature of the attack. Complaints may be lodged via email, social media messages, or feedback forms.
With eCommerce, struggles with website accessibility can prompt abandoned carts and lost sales. Activity tracking may help to pinpoint when and where disruptions have occurred — and how they impacted customer behavior.
While negative implications for customers often receive the bulk of the attention, DDoS attacks are also damaging from the employees' perspective. Hardworking professionals may suddenly be unable to access essential software or applications during DDoS-prompted downtime. These outages can have a swift and dramatic impact on productivity and, in the long run, may also harm employee morale.
Reliable connections are especially important now that remote work is more common. If employees are unable to access digital resources due to interference from threat actors, productivity will plummet.
The silver lining? Employees can provide valuable insight and should be asked for feedback whenever attacks are suspected. While ordinary users will be quick to abandon your site without considering that threat actors are involved in outages, employees will be eager to find a resolution so that they can get back online.
The issues highlighted above coalesce to prompt significant short and long-term harm for organizations, users, and employees. The extent of these losses can be difficult to pinpoint, but research from Corero suggests that, without taking ransomware into account, the cost averages about $218,000 per attack. As such, the importance of effective protection and mitigation cannot be overstated.
This is where the experts at SiteLock can prove invaluable. We offer a variety of services that can help you quickly detect and put a stop to DDoS attacks — or prevent them in the first place. This effort begins with malware scanning, which is even more important now that DDoS is frequently used to conceal other types of attacks.
A web application firewall (WAF) is also a critical component of DDoS protection. This essential solution inspects network traffic to determine whether it might be malicious. It can also be configured to block problematic traffic.