What Happens During a DDoS Attack?
When cybercriminals launch a DDoS attack, they deliberately overload the targeted IT infrastructure.

For over 20 years, cybercriminals have relied on DDoS attacks to inflict targeted damage on institutions and companies. These attacks pose a serious threat -- not least because of their unpredictable scale. Since 2013 in particular, this form of cyberattack has surged, making protection at the enterprise level more important than ever.
What Is DDoS?
DDoS attacks are a form of cybercrime. The acronym stands for Distributed Denial of Service and represents a special case of the classic Denial of Service attack. The key difference is that a DDoS attack is launched from many sources simultaneously. This creates a blockade that renders the CDN or other services unavailable or severely degraded. Criminals exploit this to extort ransoms or carry out other malicious activities. In some variants, legitimate websites are leveraged instead of traditional botnets to generate traffic. Through IP spoofing, attackers can direct a massive volume of requests at the target -- traffic that also serves to disguise the attack itself.
What Happens During a DDoS Attack?
When cybercriminals launch a DDoS attack, they deliberately overload the targeted IT infrastructure. This can mean, for example, that an affected content delivery network (CDN) can no longer serve the requested data. A classic method involves infecting multiple computers with malware. In this scenario, attackers silently take control of PCs or other electronic devices and use them to bombard the target with countless requests.
Who Are the Attackers?
DDoS attacks can stem from various motives. Extortion, competitive sabotage, and envy are among the most common drivers. However, criminal organizations are not always behind these attacks -- political activists or disgruntled users can be responsible as well. Regardless of the motive, man-in-the-browser attacks and similar techniques always pursue the same goal: inflicting maximum damage on the target company. Man-in-the-browser attacks occur, for example, in online banking and on websites that process transactions. They are also regularly observed in social networks. The attacker modifies the logic behind a website or transaction, and these modifications typically go undetected because the site continues to function normally -- users can log in and view all activities as usual. While this approach does not overload the website or CDN, it still causes significant harm.
It is worth noting that under the German Criminal Code (StGB), such attacks constitute cybercrime. Distributed denial-of-service attacks are subject to criminal prosecution -- both their preparation and execution are punishable offenses.
How Do They Attack?
DDoS attacks affect enterprise cybersecurity in many different ways, as various attack forms are employed. An attack targets one or more layers of the OSI model (Open Systems Interconnection), which defines seven layers. When attackers aim to overwhelm network bandwidth or system resources in a CDN, the attack occurs at Layers 3 and 4 -- still the most common form. In recent years, however, cybercriminals have increasingly shifted their attacks to Layer 7. Regular security assessments of all three layers are therefore essential.
Important: The bandwidth and patterns of DDoS attacks are nearly impossible to predict. They change daily and vary in both approach and impact. It therefore makes sense to cover all areas during pentesting or when evaluating the Common Vulnerability Scoring System (CVSS).
Why the IoT Exacerbates DDoS Attacks
The Internet of Things (IoT) is an umbrella term for a wide variety of networked devices. They enrich everyday life for users in both private and industrial settings, and even public infrastructure benefits from smart controls and emerging technologies. Yet this very IoT significantly amplifies the impact of DDoS attacks. Connected devices are an attractive target for cybercriminals and lend themselves to a range of attacks, including DDoS. Once a single device is infected with malware, it can spread autonomously throughout the network, compromising numerous systems in a short time. Rather than attacking each device individually, the attacker only needs to find one entry point.
The high complexity of modern systems makes it particularly difficult for smaller companies to maintain strong IT security -- a weakness that attackers readily exploit. Beyond the shortage of IT security professionals, the error culture within IT departments also plays a critical role. Actively searching for vulnerabilities is not always encouraged, yet leaving them unaddressed gives cybercriminals a much easier path into the system. For this reason -- and not only with regard to DDoS attacks -- it is advisable to conduct regular tests in accordance with the Penetration Testing Execution Standard (PTES). Pentests following these standards are an excellent way to uncover potential vulnerabilities.
How JavaScript DDoS Works
Most interactivity in modern websites is powered by JavaScript. Sites embed interactive elements either by inserting JavaScript directly into HTML or by loading it from a remote server via the <script src="..."> HTML element. The browser retrieves the code referenced by src and executes it in the context of the website.
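Because the browser runs whatever the remote server returns for src, a site operator can audit which pages load third-party scripts without pinning their content. The following check is an added example, not part of the original article; it assumes the standard integrity attribute (Subresource Integrity) as the pinning mechanism, and the host names and markup are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HASH_PREFIXES = ("sha256-", "sha384-", "sha512-")

class ScriptAudit(HTMLParser):
    """Collect <script src=...> elements that load code from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: nothing is fetched from a remote server
        url = urlparse(src)
        if url.hostname is None or url.hostname == self.page_host:
            return  # relative or same-host URL
        reasons = []
        if not (attr.get("integrity") or "").startswith(HASH_PREFIXES):
            reasons.append("no integrity attribute")
        if url.scheme == "http":
            reasons.append("fetched over plain HTTP")
        if reasons:
            self.findings.append((src, reasons))

def audit(html, page_host):
    """Return [(src, [reasons])] for remote scripts the page does not pin."""
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; hosts and the hash value are placeholders.
SAMPLE_PAGE = """
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://widgets.example.org/share.js"></script>
<script src="http://stats.example.org/t.js"></script>
<script>var inlineOnly = 1;</script>
"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```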
The fundamental concept behind the Web 2.0 boom of the mid-2000s was the ability to load content asynchronously through JavaScript. Web pages became far more interactive once new content could be fetched without navigating to another page. However, while the ability to make HTTP(S) requests from JavaScript enhances the user experience, it can also be exploited to turn the browser into an attack weapon.
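On the receiving side, requests issued by many visitors' browsers look harmless per client, so per-IP counting alone does not reveal them. This added example (not from the original article) groups access-log entries by external Referer host and path and reports groups reached by many distinct clients; it assumes combined log format, that the requests carry a Referer header, and that the lines come from one short time window. The log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# client IP, request target and Referer from a combined-log-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def referer_clusters(lines, own_host, min_clients=5):
    """Map (referer host, path) -> (distinct clients, requests) for external
    referers whose requests come from at least min_clients addresses."""
    clients = defaultdict(set)
    hits = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, target, referer = m.groups()
        ref_host = urlparse(referer).hostname  # None for "-" or empty
        if ref_host is None or ref_host == own_host:
            continue
        # Ignore the query string so varying parameters still group together.
        key = (ref_host, target.split("?", 1)[0])
        clients[key].add(ip)
        hits[key] += 1
    return {k: (len(c), hits[k]) for k, c in clients.items() if len(c) >= min_clients}

def sample_log():
    """Constructed log: eight clients sent by one external page, plus normal traffic."""
    fmt = ('{ip} - - [01/Jan/2024:12:00:{s:02d} +0000] "GET {t} HTTP/1.1" '
           '200 512 "{r}" "Mozilla/5.0"')
    lines = [fmt.format(ip=f"198.51.100.{i}", s=i, t=f"/search?q={i}",
                        r="http://blog.example.org/post") for i in range(1, 9)]
    lines += [fmt.format(ip="203.0.113.7", s=30 + i, t="/index.html", r="-")
              for i in range(3)]
    lines.append(fmt.format(ip="203.0.113.9", s=40, t="/search?q=shoes",
                            r="https://www.example.com/"))
    lines.append(fmt.format(ip="203.0.113.10", s=41, t="/about",
                            r="https://news.example.net/"))
    return lines

if __name__ == "__main__":
    for (host, path), (n_clients, n_hits) in referer_clusters(
            sample_log(), "www.example.com").items():
        print(f"{host} -> {path}: {n_hits} requests from {n_clients} clients")
```

In the sample, each of the eight clients sent a single request, so a per-address rate limit would not trigger, while the shared Referer host stands out.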
How to Defend Against a DDoS Attack
A well-conceived cybersecurity concept and an open error culture in the IT department are key to defending against DDoS attacks. The security concept should align with modern cybersecurity standards. Specialized protection technologies can be deployed both on premises and as SFCaaS services.
Effective defense also requires examining your individual web development: What attack surfaces does the application or website expose? What does the underlying IT infrastructure look like? These and similar questions reveal which areas need the most protection. Companies that rely heavily on cloud applications, in particular, require comprehensive defenses against cybercrime. Such protection mechanisms guard not only against DDoS attacks but also against other threats.
Understanding potential risks is just as important as regularly reviewing internal security. Periodic pentests in accordance with the Penetration Testing Execution Standard (PTES) can help strengthen your security posture. The same applies to CVSS analysis based on your organization's specific circumstances. This makes it easier to establish and maintain a sound security concept -- while making it harder for future attackers to cause harm.