Distributed Network Attacks / DDoS
14-03-2022, 15:30
A DDoS (distributed denial-of-service) attack is carried out simultaneously from a large number of devices: attackers gain control over them and, on command, make them generate streams of junk requests. Such an attack can cause a denial of service for the systems of a large company or an entire network.
Table of contents:
The principle of operation
Who are DDoS attacks being carried out against?
Classification of DDoS attacks
Ways to protect against DDoS attacks
The principle of operation of a DDoS attack
The purpose of a DDoS attack is to deny service on Internet-connected targets: network equipment and infrastructure, Internet services, websites and web applications, and Internet of Things infrastructure.
The vast majority of attacks follow this sequence:
1. collecting data about the victim and analyzing it to identify obvious and potential vulnerabilities, then choosing an attack method;
2. preparing for the attack by deploying malicious code on compromised computers and Internet-connected devices;
3. generating a stream of malicious requests from the many devices under the attacker's control;
4. analyzing the effectiveness of the attack: if the attack goals were not achieved, the attacker may analyze the data more thoroughly and search for attack methods again (return to step 1).
If the attack succeeds, the targeted resource either shows a significant drop in performance or cannot process legitimate requests from users and other services at all. Depending on what the victim resource is, the consequence of a successful DDoS attack may be a sharp drop in performance or the unavailability of a network, server, Internet service, website or application. As a result, the resource "freezes", legitimate users cannot reach it when they need it, the network or server is "cut off" from the Internet for a while, the resource stops working correctly, and so on.
Motivation
The motivation of attackers varies. Unfair competition, blackmail attempts, conflicts of interest or beliefs, and social or political protest are the most common. Revenge attacks also occur frequently, as do attacks carried out to "practice" the criminal craft or out of vanity. In recent years, however, the desire of DDoS perpetrators to earn money has come to the fore, and if the order for an attack is generously paid, the attack can be very intense, last for many hours, and be modified and repeated again and again.
Damage
The damage from a successful DDoS attack is primarily financial and reputational: lost profits, terminated contracts and an outflow of users, numerous complaints from customers, a wave of negativity in the media and social networks and, as a result, a decline in the popularity of the Internet resource and its owner. DDoS attacks are also often used as cover for the main malicious activity in targeted attacks: while information security specialists focus on repelling the DDoS and restoring the system, attackers pursue the main attack vector, for example by compromising a service, stealing confidential data or installing malware.
What harm a DDoS attack can cause to a website is described in more detail in a separate article.
Who are DDoS attacks being carried out against?
Most often, DDoS attacks target government agencies, financial institutions, gaming services and e-commerce companies. Since the start of the pandemic, attacks on educational resources, video-conferencing services, online cinemas, media and entertainment sites have increased sharply.
One of the most intense and prolonged campaigns was the series of DDoS attacks in 2007 against government, financial, media and other resources in Estonia, most likely as an expression of protest against the demolition of monuments to Soviet soldiers who liberated the republic.
Another major attack was carried out in 2013 against Spamhaus, an international non-profit organization that combats spam. It can be assumed that attackers with an interest in spreading spam were dissatisfied with its successful activities.
In 2014, one of the most powerful DDoS attacks in history was carried out, this time against the Occupy Central movement, which was gaining strength in Hong Kong and advocated a change in the country's voting system.
In 2015 and 2018, two more historic DDoS attacks hit GitHub, the world's largest Internet resource for collaborative development and hosting of IT projects.
Russian resources are also targeted: the websites of the Central Election Commission of the Russian Federation, Sberbank and other Russian financial institutions, and various commercial companies are attacked regularly. In particular, Sberbank reported that on January 2, 2020 it recorded the most powerful DDoS attack in its entire history, carried out using Internet of Things devices.
StormWall regularly collects statistics on the most affected industries — read about it on the website in the Analytics section.
Classification of DDoS attacks
The most common way to classify attacks is by the OSI layer at which they are carried out. The most common types are:
Network layer (L3): attacks at this layer "work" over IP, DVMRP, ICMP, IGMP, PIM-SM, IPsec, IPX, RIP, DDP and OSPF. Their primary targets are network devices: switches and routers.
Transport layer (L4): the impact is delivered over TCP and UDP, as well as DCCP, RUDP, SCTP and UDP Lite. Servers and some Internet services, such as gaming, are the usual targets at this layer.
Application layer (L7): the attack is carried out at the level of application protocols, most often HTTP, HTTPS and DNS. Attacks at this layer target both popular network services and various websites and web applications.
Another common classification is by the method of impact:
exploitation of protocol vulnerabilities: malformed requests send the attacked resource into a "stupor" as it tries to process them;
volumetric flooding: a stream of requests so large that the victim cannot "digest" it;
exploitation of weaknesses in the architecture and logic of applications, which can severely degrade an Internet-connected software system, especially one with a weak level of security.
Read about all types of modern DDoS attacks in the article "Various types of DDoS attacks".
Ways to protect against DDoS attacks
Before subscribing to DDoS protection services, you should take care to raise the security level of the Internet service itself, that is, its ability to repel attacks effectively with minimal resource consumption. Otherwise, protecting the service will take a great deal of effort and money. In short, to raise the level of security you need to:
give the attacker as little information as possible;
give the DDoS defender as much information as possible;
provide clear attack-filtering capabilities;
ensure the reliability of the service under attack.
DDoS protection capabilities can and should be designed into an Internet resource at the architecture stage: good design increases the availability of the resource and reduces the cost of protecting it from attacks.
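The L7 (HTTP) class of attack described in the classification and the principle of giving the defender as much information as possible both rest on being able to read the service's own telemetry. As an added example that is not part of the original article, the following Python detector scans web-server access logs for sources generating an HTTP flood; the Apache/Nginx "combined" log format, the 10-second window and the 50-requests threshold are assumptions, and the log lines are constructed.

```python
# Added example: sliding-window detector for application-layer (L7) HTTP
# floods in web-server access logs. The "combined" log format, the 10 s window
# and the threshold of 50 requests per source are assumptions; tune to baseline.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, source_ip, path) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("path")

def detect_http_flood(lines, window=timedelta(seconds=10), threshold=50):
    """Flag sources whose request count inside any sliding window exceeds
    the threshold. Lines are consumed in log order; the result maps each
    flagged source IP to its peak request count within one window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must never crash the detector
        ts, ip, _path = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def constructed_log():
    """Constructed sample log: one source fires 120 GETs within 10 seconds,
    eight ordinary visitors fetch one page each, plus one unparseable line."""
    base = datetime(2022, 3, 14, 15, 30, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", path="/search?q=%d" % i,
                        ts=(base + timedelta(seconds=i / 12)).strftime(TS_FMT))
             for i in range(120)]
    lines += [fmt.format(ip="203.0.113.%d" % (i + 1), path="/",
                         ts=(base + timedelta(seconds=i)).strftime(TS_FMT))
              for i in range(8)]
    lines.append("this line is not in the expected format")
    return lines
```

Running detect_http_flood(constructed_log()) reports only the flooding source with its peak of 120 requests in one window; the eight ordinary visitors stay below the threshold.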