What Is a DDOS Attack and How Can It Crash a Website or Game?

If you've been online at all in the past few years, you've probably heard about services being forced offline during a DDoS attack. Without warning, your favorite website or video game is no longer online because someone or something is "DDoSing" it.

While the term DDoS seems cryptic, it's now part of the common internet lexicon. But if you're still unsure what a DDoS attack is and how a DDoS can crash a video game, read on.

What Is a DDoS Attack?

DDoS stands for Distributed Denial of Service, and it is the name given to an attack that overwhelms a service with requests, forcing it offline.

When you hear about a website or video game being taken down by hackers, a lot of the time, that means they're suffering a DDoS attack. Attackers target a specific website, service, or video game and flood the servers running with data requests. The number of requests can rapidly overwhelm the server infrastructure hosting the service, forcing it offline.

A DDoS attack is sometimes referred to as DDoSing.

How Does a DDoS Attack Work?

In a DDoS attack, the data doesn't have to be multiple large files requested for download. In fact, it is often the opposite, where thousands of machines all make small data requests simultaneously. Although each individual request is small, the number of requests amplify the effect across thousands of devices.

So, who controls thousands of computers that they can use to send requests to a single server?

For the most part, DDoS attacks come from large botnets, groups of compromised computers under an attacker's control. The attacker can point their botnet's power at a target, flooding the website or video game servers with requests, knocking them offline.

Directing a huge volume of traffic at the victim stops any regular traffic accessing the website or video game, causing a denial of service. That the traffic comes from numerous sources means the attack is distributed, hence Distributed Denial of Service attack.

At any one time, there can be multiple DDoS attacks taking place around the world. You're more likely to hear about them when they knock a major service offline, but you can use the Digital Attack Map as an approximation as to what's going on.

As with most types of cyberattacks, there are many different types of DDoS attacks. DDoS is the blanket term given to the attack style, but there are many different options for attackers.

Application Layer Attack

An application-layer DDoS attack targets website requests, making a substantial number of data requests simultaneously. For example, the attacker might make thousands of requests to download a specific file, causing the server to slow to a crawl.

These requests are almost indistinguishable from regular users' requests, which makes mitigating an application layer DDoS attack difficult.

Application layer DDoS attacks primarily focus on disturbing HTTP traffic. One common application layer DDoS attack type is the HTTP Flood, where an attacker creates as many HTTP requests as fast as possible. Think of it like hitting your browser refresh button thousands of times, but thousands of other browsers are also refreshing simultaneously.

Protocol Attack

A protocol DDoS attack targets the victim's network, targeting server resources of a different nature. For example, a protocol attack might overburden a firewall or load balancer, causing them to cease operation.

A SYN Flood DDoS atack is a useful example. When you make a request on the internet, three things happen. First, the request for data, known as SYN (short for Synchronization). Second, the response to the data request, known as the ACK (short for Acknowledgement). Finally, the SYN-ACK, which is essentially the requester confirming the data has arrived. It sounds confusing but takes place in the blink of an eye.

The SYN Flood basically sends heaps of fake SYN packets from fake IP addresses, meaning the ACK responds to a fake address, which in turn never responds. The request sits there while more pile in, causing a denial of service.

Volumetric Attack

A volumetric DDoS attack can work similarly to an application layer attack, flooding the target server with requests, but with a modifier that can amplify the number of simultaneous requests.

DNS Amplification is one of the most common types of DDoS attack, and is a prime example of a volumetric attack. When the attacker makes a request to the server, it includes a spoofed address, often the IP address of the target itself. Each request loops back to the target IP address, amplifying the number of requests.

Why Use a DDoS Attack?

There are many reasons why an attacker will opt to DDoS a target, such as cover for a different attack vector or to cause financial harm to the victim.

Service Disruption: At the root of the DDoS is a service disruption. If you flood the servers with requests, regular users cannot access the service. In some cases, DDoS attacks have been used to knock competitors offline, forcing service users to defect to the online competitor.
Hacktivism and Politics: Some hacktivist groups, such as Anonymous, are well known for using DDoS attacks to knock their targets offline for prolonged periods. A DDoS attack can cost a business or other organization substantially in terms of downtime, server costs, data fees, engineers, and more. Similarly, knocking government sites offline using a DDoS can force a government into action or is a display of protest.
Cover for Larger Attack: The DDoS activity may actually be cover for a different attack vector, running interference to keep an IT or cyber response team occupied. At the same time, the real attack takes place elsewhere. There have been multiple examples of criminal enterprises using this DDoS distraction technique to commit other crimes.
Mucking Around/Exploration/Testing: Sometimes, a DDoS happens because someone, somewhere is testing a new technique or script, and it goes wrong (or works perfectly!).

These are just four reasons why an attacker might DDoS a video game or website. There are more reasons out there.

Is a DDoS Attack Illegal?

Yes, in a word. A DDoS attack is illegal under the Computer Fraud and Abuse Act in the US, the Computer Misuse Act in the UK, and carries a maximum sentence of 10-years imprisonment in Canada.

Laws and interpretations vary worldwide, but most countries with functioning cybersecurity and computer abuse policies define a DDoS attack as illegal activity.

DDoS as a Service

You've heard of Software-as-a-Service (SaaS) and perhaps Infrastructure-as-a-Service (IaaS), but what about DDoSaaS? That's right, "Distributed Denial of Service as a Service" kits and platforms are available on dark web hacking forums.

Instead of taking the time to build up a botnet, a would-be attacker can pay the owner of an existing botnet to point their network at a target. These services usually carry the name of "stressor," implying that you can use them to stress test your network against a theoretical attacker.

However, with no vetting of customers and no steps taken to ensure server ownership, these DDoSaaS platforms are open to abuse.

DDoS Attack Examples

Rounding up, here are some prime examples of DDoS attacks from the past few years. According to Neustar's Cyber Threats & Trends Report for Q1/Q2 2020 [PDF, sign-up required], the number of attacks delivering a sustained data load over 100Gbps rose by over 250 percent in a 12 month period.

The following list helps illustrate the varying size between DDoS attacks and how that size has grown in the past few years.

September 2016. The newly discovered Mirai botnet attacks security journalist Brian Krebs' website with 620Gbps, massively disrupting his website but ultimately failing due to Akamai DDoS protection. The Mirai botnet leverages Internet of Things devices to increases its capabilities.
September 2016. The Mirai botnet attacks French web host OVH, strengthening to around 1Tbps.
October 2016. An enormous attack took down most internet services on the U.S. Eastern seaboard. The attack was aimed at DNS provider Dyn, with its services receiving an estimated 1.2Tbps in traffic, temporarily shutting down websites including Airbnb, Amazon, Fox News, GitHub, Netflix, PayPal, Twitter, Visa, and Xbox Live.
November 2016. Mirai strikes ISPs and mobile service providers in Liberia, bringing down most communication channels throughout the country.
March 2018. GitHub is hit with the largest recorded DDoS at the time, registering some 1.35Tbps in sustained traffic.
March 2018. Network security company Arbor Networks claims its ATLAS global traffic and DDoS monitoring system registers 1.7Tbps.
February 2020. Amazon Web Services (AWS) was hit with a 2.3Tbps attack, though Amazon didn't reveal the DDoS attack's actual target.