How to Know If You’re Under a DDoS Attack

Distributed denial-of-service (DDoS) attacks remain a major cyber threat, affecting organizations of all sizes around the world. Industry reports show that DDoS activity has surged in recent years, with attacks becoming more frequent and larger in scale.

To make matters worse, attackers are using increasingly sophisticated techniques that add to the complexity and impact of these attacks. As a result, websites can be overwhelmed quickly, often leading to outages before teams have time to respond.

Because of their immediate impact on website availability and user experience, DDoS attacks remain one of the most disruptive cyber threats organizations face today. Below, we break down the most common indicators to help you determine whether your website is under attack.

What is a DDoS attack?

A distributed denial-of-service DDoS attack centers around flooding servers with illegitimate traffic. During these attacks, threat actors take advantage of everyday operations, exploiting them to cause trouble for ISPs, network devices, servers, and the users who rely on them.

This type of attack can wreak havoc on internet service providers, ordinary web users, and the websites that serve them.

This strategy should not be confused with standard denial-of-service (DoS) attacks. Both are problematic, of course, but traditional denial-of-service is inherently limited in scope, as its illegitimate requests come from a single source. With distributed denial-of-service, however, malicious parties harness the power of volume. These threat actors utilize a variety of resources, relying on sheer numbers (plus remote locations) to distribute each attack.

During DDoS attacks, malicious players aim to manipulate network traffic, services, or equipment, such as modems, routers, and caching. Many attacks involve a large number of HTTP requests, often unleashed by legions of botnets.

Frequently referred to as zombie armies, these botnets make it exceptionally difficult for hosting providers to distinguish legitimate users from malicious threats. Meanwhile, unsuspecting users have no idea that their devices are involved in these attacks, especially as IoT devices are increasingly involved in these attacks.

How do DDoS attacks differ?

DDoS attacks can take many forms, varying not only in their use of botnets but also in terms of length and intensity. The purpose of these attacks is also beginning to evolve; while the main goal is still to disable servers and cripple functionality, many threat actors now regard DDoS as a prime opportunity to test websites' defenses. Hence, the surprising decrease in the typical length of a DDoS attack.

According to Microsoft, 89 percent of attacks carried out in 2022 lasted less than one hour, and more than one quarter of these attacks were completed within a mere one or two minutes. Brevity doesn't make these attacks any less damaging, however, and, if anything, reveals the need for sophisticated detection and mitigation strategies that can be deployed instantaneously.

Today's most common types of attacks include:

• Volume-based. When you imagine the 'typical' DDoS attack, a volume-based effort is probably what comes to mind. This common strategy uses high traffic volumes to overwhelm bandwidth and servers until the targeted website crashes.
• Protocol. Primarily intended to disable website resources (such as load balancers and firewalls), these attacks leverage known weaknesses to harm processing capacity and, ultimately, cause significant service disruptions. The TCP Syn Flood is a common example that overwhelms targets with TCP SYN requests and eventually makes them unresponsive.
• Application. As today's most sophisticated attacks, application strategies are notoriously stealthy. Talented hackers target the application layer with seemingly legitimate traffic that hogs server resources.

5 signs of a DDoS attack

DDoS attacks can be difficult to prevent, in part because they take so many forms and hackers are becoming increasingly stealthy. Despite this, effective mitigation is far from impossible. It begins with an awareness of network traffic and security vulnerabilities, along with the commitment to implementing layered security protocols. When in doubt, it's best to investigate as soon as you wonder if you're getting DDoSed.

Keep in mind that the signs of distributed denial-of-service may sometimes reflect other cybersecurity concerns or even ordinary fluctuations in traffic. Still, the following issues should be cause for alarm, particularly if several of them appear to plague your internet connection simultaneously:

1. Unusual traffic patterns

Traffic logs are one of the first resources worth investigating when you suspect that you've been targeted in a DDoS attack. While legitimate traffic naturally ebbs and flows throughout the year and even on a daily or hourly basis, sudden traffic spikes are one of the key markers of DDoS. After all, traffic is built into the goal: overload the system to render it unusable.

The amount of traffic isn't necessarily as telling as when and how that traffic arrives. Often, DDoS attacks involve surprising spikes during off-peak hours, with the frequency of these peaks also diverging from typical patterns.

Keep an eye out for redirection patterns, which may appear unusual. Traffic could be redirected to specific endpoints, reflecting clear similarities in terms of geolocation or browser version. Traditionally, high traffic from specific IP addresses has been cause for alarm, although today's stealthiest attacks are often able to bypass this warning sign.

2. Spike in failed login attempts

In addition to general increases in traffic, DDoS attacks may prompt a dramatic rise in the number of requests that failed to produce a successful login. This may be indicative of a brute force attack on the login page, where the same action is repeated in an effort to overwhelm the server.

This problem can be easy to confuse with credential stuffing, which, while once deemed a relatively minor issue, has become much more prominent and a lot more alarming in recent years. Both strategies rely on botnets, but credential stuffing makes the most of users' tendency to recycle passwords across numerous accounts. As experts at Computer Weekly point out, however, it is entirely possible for DDoS attacks to purposefully disguise credential stuffing initiatives.

3. 5xx error codes

A sudden influx of error codes within the 500 category should be cause for concern. Especially common are 500 status errors, which reveal that the server is unable to handle requests, and 503 “Service Unavailable” errors, which indicate the server is overloaded and often appear during DDoS attacks. While 503 errors can also occur during planned website maintenance, they are far more concerning when they appear suddenly alongside traffic spikes and the other warning signs listed above.

To determine whether 500 and 503 codes are more frequent — and whether they arise from DDoS attacks — take a close look at log files. Depending on the patterns for these codes and notifications, it may become evident that an application-layer attack is underway.

Because these codes (especially 500) can be indicative of many other issues, you may need to investigate other potential causes, such as corrupt .htaccess files, poorly configured DNS servers, issues with third-party plugins, or exhausted PHP memory limits.

4. External users can't access your website

Customer dissatisfaction and reputational damage are among the most problematic effects of DDoS attacks, particularly for businesses and industries that promise exceptional service availability. As such, reports from users who are unable to access web services should be taken seriously. These may skyrocket during — and in the immediate aftermath of — each attack.

An already suspicious influx of customer reports should be especially concerning if they arise from several geographic locations, as this could reflect the distributed nature of the attack. Complaints may be lodged via email, social media messages, or feedback forms.

With eCommerce, struggles with website accessibility can prompt abandoned carts and lost sales. Activity tracking may help to pinpoint when and where disruptions have occurred — and how they impacted customer behavior.

5. Internal software and applications slow down

While negative implications for customers often receive the bulk of the attention, DDoS attacks are also damaging from the employees' perspective. Hardworking professionals may suddenly be unable to access essential software or applications during DDoS-prompted downtime. These outages can have a swift and dramatic impact on productivity and, in the long run, may also harm employee morale.

Reliable connections are especially important now that remote work is more common. If employees are unable to access digital resources due to interference from threat actors, productivity will plummet.

The silver lining? Employees can provide valuable insight and should be asked for feedback whenever attacks are suspected. While ordinary users will be quick to abandon your site without considering that threat actors are involved in outages, employees will be eager to find a resolution so that they can get back online.

What to check if you’re seeing signs of a DDoS attack

If you suspect a DDoS attack, the first step is to confirm whether the activity exceeds normal traffic patterns and points to malicious behavior.

• Compare traffic against your baseline. Review analytics to see whether requests spike far outside your normal traffic patterns within a short time frame. Sudden surges, especially during off-peak hours, often suggest large-scale activity rather than organic growth.
• Inspect server resources and errors. Check CPU, memory, and bandwidth usage on the target server. Resource exhaustion combined with frequent 5xx errors, particularly 503 “Service Unavailable,” is a strong indicator that the server is being overwhelmed.
• Analyze logs for attack patterns. Look for repeated requests, unusual endpoints, or sudden traffic surges from many sources. In some cases, increased UDP traffic may also be a warning sign.
• Review routing and network behavior. Sudden routing changes, increased packet loss, or upstream congestion can indicate traffic is being saturated before it reaches your application.
• Test defensive controls. Temporarily tightening rate limiting or firewall rules can help determine whether the issue is traffic-related. If performance stabilizes quickly, that’s often confirmation that the traffic isn’t legitimate.
• Coordinate with your host or ISP. Hosting providers can confirm whether traffic matches known cyber threats and may already be seeing similar patterns across their network.
• Escalate protection if needed. When multiple indicators align and disruptions persist, additional protection may be required to filter malicious traffic and restore availability, especially during sustained or distributed attacks.

Protect your website from DDoS attacks with Sitelock

The combined impact of these issues can lead to serious short- and long-term consequences for organizations, users, and employees. While the full cost of a DDoS attack can be difficult to measure, research from Corero suggests that, without taking ransomware into account, the cost averages about $218,000 per attack. That reality makes effective DDoS protection and mitigation essential.

This is where SiteLock can help. Our security solutions are designed to detect and stop DDoS attacks quickly, as well as reduce the risk of future incidents. Protection starts with continuous malware scanning, which is especially important as DDoS attacks are often used to mask other malicious activity.

A web application firewall, or WAF, is another critical layer of defense. A WAF analyzes incoming traffic in real time to identify suspicious behavior and block malicious requests before they reach your website.

Explore our website security plans to see which level of protection fits your needs or contact us to learn more.