Learn About DoS and DDoS Attacks Through Real-World Examples


What is a DoS and DDoS Attack?
Denial of Service (DoS)
A DoS attack is a malicious attempt to overwhelm a system, server, or network with excessive traffic, rendering it unable to respond to legitimate requests. The objective is not to breach security but to disrupt the availability of the target system.
Example: One computer bombards a website with endless HTTP requests, slowing it down or crashing it entirely.
Distributed Denial of Service (DDoS)
A DDoS attack is the distributed version of a DoS attack. It involves multiple compromised devices (bots) acting as a unified system to flood the target with traffic. These devices form a botnet, often controlled through Command and Control (C&C) servers.
Think of it as hundreds or thousands of people all calling the same customer service number at once — the line gets jammed, and no one else can get through.
How DoS and DDoS Attacks Work
DoS Attack Flow
1. Attacker selects a target (e.g., website, server).
2. Crafts and sends an overwhelming number of requests.
3. The server struggles to handle requests, leading to slowdowns or complete downtime.
DDoS Attack Flow
1. Attacker infects devices (computers, IoT devices, routers) with malware.
2. These devices become “bots” and form a botnet.
3. A command is sent to the botnet to target a victim.
4. Massive traffic floods the target from multiple sources.
Common Techniques
UDP Flood: Sends a large number of UDP packets to random ports.
SYN Flood: Abuses the TCP handshake by sending multiple SYN requests and never completing the connection.
HTTP Flood: Imitates legitimate web traffic using HTTP GET or POST requests.
Ping of Death: Sends oversized or malformed packets using the ICMP protocol.
Slowloris: Sends partial HTTP requests and never finishes them, holding the connection open indefinitely.
Types of DDoS Attacks
| Category | Attack Type | Description |
|---|---|---|
| Volume-Based | UDP Flood, ICMP Flood | Exhausts bandwidth |
| Protocol-Based | SYN Flood, Ping of Death | Exhausts resources such as firewalls and load balancers |
| Application Layer | HTTP GET/POST Flood, Slowloris | Mimics legitimate traffic, harder to detect |
| Amplification | DNS, NTP, Memcached | Uses reflection and amplification to magnify attack volume |
| Zero-Day Attacks | Custom exploits | Unknown or unpatched vulnerabilities exploited in new ways |
Real-World DDoS Attack Examples
1. GitHub Attack (2018) – 1.35 Tbps
Attack Type: Amplified DDoS via Memcached servers.
Impact: Short outage, record-breaking traffic.
Response: GitHub used Akamai’s DDoS mitigation service, which neutralized the attack in minutes.
2. Dyn DNS Attack (2016)
Attack Tool: Mirai Botnet.
Target: Dyn (DNS provider).
Impact: Took down major platforms — Twitter, Netflix, Spotify, Reddit, Airbnb.
Cause: Vulnerable IoT devices like DVRs and cameras infected with Mirai malware.
3. Estonia Cyberattacks (2007)
Motive: Politically motivated (allegedly by Russian hackers).
Impact: Targeted banks, media, and government websites.
Significance: First major cyberwar-style DDoS campaign.
Detecting DoS and DDoS Attacks
Early detection is crucial for minimizing impact. Here are key indicators:
1. Traffic Anomalies
Huge spikes in traffic, especially from a single IP range or geography.
Increased volume of requests to specific endpoints or ports.
2. Performance Degradation
Slow application load times.
Sudden application crashes or 503 errors (Service Unavailable).
3. Security Monitoring Tools
Wireshark: Packet analysis to identify unusual packet flows.
NetFlow/sFlow: Network traffic behavior analysis.
SIEM (e.g., Securonix, Splunk): Real-time monitoring and correlation of security events.
4. Threat Intelligence Integration
Detect traffic from known botnets.
Integrate with services like AbuseIPDB, AlienVault OTX, or GreyNoise.
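The traffic-anomaly and 503-error indicators above can be checked directly against web server access logs. The following is an added example, not code from the original article: it parses constructed Nginx/Apache combined-format lines and flags per-minute request counts per IP and per /24 range, plus minutes dominated by 503 responses. The thresholds and the documentation-range IPs are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Matches the Nginx/Apache "combined" format: client IP, timestamp, request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (client_ip, minute_bucket, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.replace(second=0), int(m.group(3))

def analyse(lines, per_ip_limit=100, per_net_limit=300, err_ratio=0.5):
    """Flag IPs and /24 ranges above a per-minute request limit, and minutes
    where 503 responses make up at least err_ratio of all responses.
    The limits are illustrative assumptions; tune them to the site's baseline."""
    per_ip, per_net, total, errors = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, minute, status = rec
        net = str(ip_network(f"{ip}/24", strict=False))
        per_ip[(ip, minute)] += 1
        per_net[(net, minute)] += 1
        total[minute] += 1
        if status == 503:
            errors[minute] += 1
    return {
        "noisy_ips": sorted({ip for (ip, _), n in per_ip.items() if n > per_ip_limit}),
        "noisy_nets": sorted({net for (net, _), n in per_net.items() if n > per_net_limit}),
        "degraded_minutes": sorted(m.isoformat() for m in total
                                   if errors[m] / total[m] >= err_ratio),
    }

def _line(ip, ts, status):
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

def sample_lines():
    """Constructed log data (documentation-range IPs, not real traffic):
    40 normal visitors at 12:00, then one /24 hammering the site at 12:01."""
    lines = [_line(f"198.51.100.{i}", "10/Mar/2024:12:00:05 +0000", 200) for i in range(1, 41)]
    lines += [_line("203.0.113.7", "10/Mar/2024:12:01:10 +0000", 200) for _ in range(120)]
    lines += [_line(f"203.0.113.{i}", "10/Mar/2024:12:01:30 +0000", 503) for i in range(10, 240)]
    return lines
```

Running `analyse(sample_lines())` reports the single loud IP, the /24 it belongs to, and the minute in which most responses were 503s; a single-IP threshold alone would miss the range-wide flood.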
Preventing and Mitigating DoS & DDoS Attacks
1. Infrastructure Hardening
Use CDNs (like Cloudflare, Akamai) to distribute traffic.
Implement load balancers to handle spikes gracefully.
Deploy rate limiting and connection throttling on APIs.
2. Network-Level Protection
Enable IP reputation filtering.
Configure firewalls and routers to drop suspicious traffic automatically.
Use geo-blocking for regions that are not business-critical.
3. Application-Level Defenses
Implement WAFs (Web Application Firewalls) to detect HTTP-based floods.
Secure APIs with OAuth tokens, CAPTCHA, and API gateways.
4. Cloud-Based DDoS Mitigation Services
Cloudflare DDoS Protection
AWS Shield (Standard & Advanced)
Google Cloud Armor
Azure DDoS Protection
These services absorb and filter malicious traffic before it hits your core infrastructure.
5. Regular Testing and Simulation
Perform DDoS simulation drills (e.g., via Red Teaming or Pen Testing).
Review incident response plans regularly.
Educate your IT and DevOps teams.
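Rate limiting and connection throttling (item 1 above) are usually implemented as a per-client token bucket. The following added example, not code from the original article, shows one with a bound on the number of tracked clients so the limiter's own state cannot be exhausted by traffic spread across many source addresses; the limits, client identifiers and the simulated scenario are assumptions.

```python
import time
from collections import OrderedDict

class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests,
    then sustain `rate` requests per second. Buckets are kept in LRU order and
    the oldest are evicted past `max_clients`, so the limiter's own state
    cannot be blown up by requests spread across many source addresses."""

    def __init__(self, rate, burst, max_clients=10_000, clock=time.monotonic):
        self.rate, self.burst = float(rate), float(burst)
        self.max_clients = max_clients
        self.clock = clock  # injectable for testing; monotonic in production
        self.buckets = OrderedDict()  # client -> (tokens, last_seen)

    def allow(self, client):
        """Return True if the request may proceed, False if it should get a 429."""
        now = self.clock()
        tokens, last = self.buckets.pop(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[client] = (tokens, now)  # re-insert as most recently seen
        while len(self.buckets) > self.max_clients:
            self.buckets.popitem(last=False)  # drop least recently seen client
        return allowed

class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def simulate():
    """Constructed scenario (documentation-range IPs): one client fires 100
    requests at once, a normal client makes 3 a second later, and the flood
    resumes. Returns how many of each batch the limiter let through."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=5, burst=10, clock=clock)
    flood_first = sum(limiter.allow("203.0.113.7") for _ in range(100))
    clock.advance(1.0)
    normal = sum(limiter.allow("198.51.100.20") for _ in range(3))
    flood_again = sum(limiter.allow("203.0.113.7") for _ in range(100))
    return flood_first, normal, flood_again
```

Because an evicted client gets a fresh full bucket when it returns, set `max_clients` well above the expected number of concurrent clients so the eviction only fires under abnormal load.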
Best Practices Checklist
| Best Practice | Purpose |
|---|---|
| Rate Limiting | Prevents abuse of APIs or services |
| IP Blacklisting & Whitelisting | Filters known bad actors |
| CDN Usage | Distributes traffic, adds redundancy |
| Logging & Monitoring | Aids in forensic investigation |
| Regular Patch Management | Reduces attack surface |
| Redundancy & Failover Systems | Ensures high availability |
Conclusion
DoS and DDoS attacks remain one of the most common and devastating threats to businesses worldwide. With attackers leveraging botnets, vulnerable IoT devices, and amplification techniques, the scale and impact of these attacks have reached unprecedented levels.
For Individuals
Secure your home IoT devices.
Keep systems patched and protected.
For Organizations
Build a layered defense strategy.
Partner with professional DDoS mitigation vendors.
Prepare an incident response plan — don’t wait for an attack to learn how to react.
Remember, availability is a core pillar of cybersecurity. Protecting your systems from disruption is just as important as guarding against data breaches.
Written by Harshal Shah