A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines may include computers and other networked resources such as IoT devices.
At a high level, a DDoS attack is like an unexpected traffic jam clogging a highway, preventing normal traffic from reaching its destination.
DDoS attacks are carried out with networks of Internet-connected machines. These networks consist of computers and other devices (such as IoT devices) infected with malware, allowing attackers to control them remotely. These individual devices are called bots, and a group of bots is called a botnet. Once a botnet is established, an attacker can launch an attack by sending remote commands to each bot. When a victim's server or network is targeted by a botnet, each bot sends requests to the target's IP address, which can overwhelm the server or network and deny service to normal traffic. Because every bot is a legitimate Internet device, it is difficult to separate attack traffic from normal traffic.
The most obvious symptom of a DDoS attack is a sudden slowdown or unavailability of a website or service. But similar performance issues can arise for a number of reasons, such as a legitimate traffic spike, so further investigation is usually warranted. Traffic analysis tools can help you spot some signs of a DDoS attack:
Suspicious traffic from a single IP address or range of IPs
Torrent of traffic from users sharing a single behavioral profile such as device type, geographic location, or web browser version
Inexplicable spikes in requests to a single page or endpoint
Odd traffic patterns, such as spikes at odd times of the day, or unnatural-looking patterns (such as spikes every 10 minutes)
Depending on the type of attack, there are other, more specific signs of a DDoS attack.
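The general signs listed above can be checked mechanically over request logs. The following is an added example, not code from the original page: the record layout, thresholds, function names and sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def build_sample():
    """Constructed sample records: (timestamp, source IP, path, user agent)."""
    start, rows = datetime(2024, 1, 1, 3, 0), []
    for minute in range(40):
        ts = start + timedelta(minutes=minute)
        for i in range(5):  # baseline: five unrelated clients on different pages
            rows.append((ts, f"10.{i}.0.7", f"/page{i}", f"Browser/{i}"))
        if minute % 10 == 0:  # constructed anomaly: burst every 10 minutes
            for i in range(60):
                rows.append((ts, f"203.0.113.{i % 20 + 1}", "/login", "Browser/99"))
    return rows

def top_share(values):
    """Return (most common value, its fraction of all records)."""
    value, count = Counter(values).most_common(1)[0]
    return value, count / len(values)

def spike_minutes(rows, factor=3):
    """Minutes whose request count exceeds factor x the median minute."""
    per_min = Counter(ts.replace(second=0, microsecond=0) for ts, *_ in rows)
    base = median(per_min.values())
    return sorted(m for m, c in per_min.items() if c > factor * base)

def analyze(rows, share_threshold=0.5):
    """Flag concentration by source range, endpoint and client profile,
    plus spikes that recur at a fixed interval."""
    findings = {}
    checks = {
        "source_range": [ip.rsplit(".", 1)[0] + ".0/24" for _, ip, _, _ in rows],
        "endpoint": [path for _, _, path, _ in rows],
        "client_profile": [ua for _, _, _, ua in rows],
    }
    for name, values in checks.items():
        value, share = top_share(values)
        if share >= share_threshold:
            findings[name] = (value, round(share, 2))
    spikes = spike_minutes(rows)
    gaps = {(b - a).total_seconds() / 60 for a, b in zip(spikes, spikes[1:])}
    if len(spikes) >= 3 and len(gaps) == 1:  # evenly spaced spikes
        findings["spike_interval_minutes"] = gaps.pop()
    return findings

if __name__ == "__main__":
    for sign, detail in analyze(build_sample()).items():
        print(sign, detail)
```

A finding here is a reason to investigate, not proof of an attack, since a legitimate traffic spike can trip the same thresholds.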