What Is Distributed Denial-of-service? Security Definition
Also known as: Distributed Denial-of-service, DDoS attack, DDoS definition, DDoS vs DoS, DDoS exam tips
Quick Definition
A Distributed Denial-of-service (DDoS) attack is when a hacker uses a large number of infected computers to send overwhelming amounts of data to a website or online service, causing it to slow down or crash. This prevents real users from accessing the service while the attack is happening. Think of it as a traffic jam created by thousands of fake cars blocking a single highway entrance.
Must Know for Exams
DDoS attacks appear in several CompTIA exams, including A+, Network+, and Security+. In Network+, the term is covered under network security concepts, specifically in domain 4.0 (Network Security). You might see questions about attack types such as SYN floods, UDP floods, or ping floods, and how to mitigate them using tools like firewalls, IDS/IPS, and traffic shaping. The exam expects you to know the difference between a DoS attack (single source) and a DDoS attack (multiple sources), as well as how botnets facilitate distributed attacks.
In Security+, DDoS attacks appear in domain 1.0 (Attacks, Threats, and Vulnerabilities). You need to understand not only the attack itself but also the associated threats like botnets, zombies, command and control (C2) infrastructure, and amplification techniques. Security+ questions may ask you to identify the best defense for a given scenario, such as deploying a web application firewall (WAF) or using a CDN. You may also need to recognize indicators of a DDoS attack, such as a sudden spike in bandwidth usage or a high number of half-open TCP connections.
For A+, DDoS is covered in a more introductory way, usually focusing on the concept of denial of service and how malware can turn a computer into a bot. Questions may be scenario-based, such as a user noticing their computer is slow and sending out many unknown packets. The exam also may test knowledge of basic troubleshooting steps, like running antivirus scans or checking network usage in Task Manager.
Across all exams, you will not be expected to configure DDoS mitigation in depth, but you must understand the principles, common attack vectors, and appropriate responses. Multiple-choice questions often present a scenario and ask you to choose the best course of action or the type of attack being described.
Simple Meaning
Imagine you own a small coffee shop that serves one customer at a time through a single door. Normally, customers arrive one by one, order their coffee, and leave. Now imagine that someone sends a thousand people to your door all at once, but they do not actually want coffee.
They just stand in the doorway, blocking real customers from entering. That is a denial-of-service attack. A Distributed Denial-of-service (DDoS) attack is like that, but much bigger.
Instead of a thousand people coming from one place, they come from hundreds of different streets and buses, making it impossible for you to tell which ones are fake and which ones are real customers. In computer terms, the coffee shop is a web server or an online service, and the fake customers are data packets sent by compromised computers called bots or zombies. These bots are often part of a botnet, a network of infected devices that the attacker controls remotely.
The attacker commands the botnet to send huge amounts of traffic to the target, overwhelming its capacity. The target may crash, run extremely slowly, or disconnect from the internet. Real users cannot access the website, send emails, or use the service until the attack stops or defenses kick in.
The attack is distributed because the traffic comes from many different sources, making it harder to block. Just as you cannot simply close one street to stop fake customers from all directions, network defenders cannot just block one IP address to stop a DDoS attack. They need special tools and strategies to filter out malicious traffic while letting real traffic through.
Full Technical Definition
A Distributed Denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. The attack leverages multiple compromised computer systems as sources of attack traffic, forming a botnet. These systems can include computers, IoT devices, routers, and even cameras that have been infected with malware, allowing the attacker to control them remotely. The goal is to exhaust the target's resources, such as bandwidth, memory, CPU cycles, or connection tables, so that legitimate requests cannot be processed.
DDoS attacks are often categorized by the layer of the OSI model they target. Volumetric attacks, such as UDP floods and ICMP floods, aim to consume all available bandwidth between the target and the internet. Protocol attacks, like SYN floods and Ping of Death, exploit weaknesses in network protocols to exhaust server resources. Application layer attacks, such as HTTP floods and Slowloris, target the web server application itself by sending seemingly legitimate requests that trick the server into allocating resources for incomplete transactions.
In real IT environments, DDoS attacks can be detected using traffic analysis tools that look for sudden spikes in traffic volume, unusual packet patterns, or multiple connections from a single source range. Mitigation often involves a combination of on-premises appliances and cloud-based scrubbing services. On-premises solutions include firewalls, intrusion prevention systems (IPS), and rate limiters that can filter out known malicious patterns. Cloud-based services like AWS Shield, Cloudflare, or Akamai Kona Defender reroute traffic through a global network that absorbs and scrubs malicious data before sending clean traffic to the origin server.
Modern DDoS attacks can exceed several terabits per second, so handling them requires massive infrastructure. Attackers also use techniques like IP spoofing to hide the true source of traffic, and reflection amplification, where they spoof the target's IP address and send small queries to publicly accessible servers (like DNS or NTP servers) that then send large responses to the target. This amplifies the traffic by a factor of 50 to 100, making even a small botnet capable of creating a devastating flood.
Real-Life Example
Think of a large public library with a single entrance door. Normally, visitors walk through the door one at a time, show their library card, and enter. The library has a security guard who checks each person. Now imagine a group of pranksters decides to disrupt the library. They recruit hundreds of people from different neighborhoods, each person pretending to be a normal visitor. At the same time, all these people rush to the door, pushing and crowding the entrance. The security guard cannot check everyone quickly enough, and the door becomes blocked. Real visitors who want to borrow books cannot get in. The library staff cannot work because they are overwhelmed by the crowd. The library effectively stops functioning for legitimate use.
This is exactly how a DDoS attack works. The library is the web server hosting a website. The entrance door is the network connection. The security guard is the server's ability to process incoming requests. The recruited people are the compromised computers in a botnet. The pranksters who recruited them are the attacker who controls the botnet. The real visitors are legitimate users who want to access the website. In a DDoS attack, the attacker does not break into the server to steal data. Instead, they prevent others from using it by creating a digital traffic jam. The distributed nature of the attack, meaning the traffic comes from many different locations, makes it difficult to block by simply blocking one IP address or one neighborhood.
Why This Term Matters
DDoS attacks matter because they can knock critical services offline for hours or even days, causing significant financial losses, reputational damage, and safety risks. For businesses that rely on e-commerce, a few hours of downtime can mean losing thousands of dollars in sales plus the cost of remediation. For online services like banking, healthcare portals, or emergency dispatch systems, an outage can delay critical transactions or put lives at risk. In 2020, a major DDoS attack targeted a DNS provider, causing widespread outages for many popular websites including Twitter, Spotify, and Reddit.
In real IT work, network administrators and security professionals must understand DDoS attack patterns and mitigation strategies. They need to configure firewalls, rate limits, and intrusion detection systems to spot unusual traffic. They also need to work with internet service providers and cloud-based DDoS protection services that can absorb large-scale attacks. Knowledge of DDoS helps professionals design resilient architectures, such as using load balancers, multiple data centers, and content delivery networks to distribute traffic and reduce the impact of an attack on any single server.
Moreover, DDoS attacks are sometimes used as a smokescreen for other malicious activities like data breaches. While defenders are busy dealing with the flood of traffic, attackers may try to exploit other vulnerabilities in the network. For system administrators, understanding DDoS is not just about defense but also about incident response planning. Having a procedure for detecting, analyzing, and mitigating an attack is essential for maintaining uptime and protecting data.
How It Appears in Exam Questions
Scenario questions are the most common. For example, a question might describe a company whose website suddenly becomes extremely slow and shows high inbound traffic from many different IP addresses. The question asks: what type of attack is this? The options might include DDoS, phishing, brute force, or man-in-the-middle. The correct answer is DDoS because of the distributed traffic and the effect on availability. Another scenario: a help desk technician receives a call that employees cannot access the internet, and the network logs show thousands of incomplete connection attempts from a single external IP. That would be a DoS attack, not DDoS, because the traffic originates from one source.
Configuration questions appear less frequently, but you might be asked which security control is best for mitigating a DDoS attack at the network perimeter. Options could include a firewall with rate limiting, an access control list, a VPN, or an antivirus. The correct answer is likely a firewall with rate limiting or a web application firewall. You might also see a question about selecting a tool to detect a DDoS attack, such as a network monitoring tool that alerts on unusual bandwidth spikes.
Troubleshooting questions are also common. For instance, a technician notices that a server is unresponsive and the network interface card shows 100% utilization. The question asks what the first step should be. The answer might be to disconnect the server from the network to stop the attack and then analyze traffic logs. Another question could ask: after identifying a DDoS attack, what is the most appropriate immediate response? The correct answer is to contact the ISP or DDoS mitigation service to filter traffic, rather than trying to block individual IP addresses manually.
Architecture questions may ask how to design a network to resist DDoS attacks. Options might include implementing a load balancer, using a CDN, or deploying an IDS. The correct answer is often a CDN because it distributes traffic across many servers, absorbing large volumes of malicious traffic. You may also see questions about redundancy and high availability as defenses against DDoS.
Example Scenario
A small online bookstore named PageTurner.com suddenly receives a huge amount of traffic from thousands of different IP addresses around the world. The traffic consists of simple HTTP requests to the homepage, but the volume is so high that the server becomes unresponsive.
Legitimate customers trying to buy books see error messages or very slow load times. The IT administrator checks the server logs and sees that most of the traffic comes from computers that have no browsing history and use outdated operating systems, which suggests they are part of a botnet. The administrator realizes this is a DDoS attack targeting the application layer.
They immediately activate a cloud-based DDoS protection service that starts filtering the malicious requests based on patterns such as unusual user agents and request rates. Within minutes, the attack traffic is blocked, and legitimate users can access the site again. The bookstore later finds that the attack was launched by a competitor trying to disrupt their holiday sales.
Common Mistakes
Thinking that a DDoS attack always requires a large number of computers physically controlled by the attacker.
The attacker does not own the computers. They use malware to infect and remotely control other people's devices without permission. The devices are compromised, not owned by the attacker.
Understand that botnets consist of hijacked devices, and the attacker only controls them through command and control servers, not physical access.
Confusing a DDoS attack with a virus or worm that destroys data on the target.
DDoS attacks do not destroy data or steal information. Their goal is to disrupt availability by overwhelming resources. Data destruction is a different threat, carried out by malware such as ransomware.
Remember that DDoS is about denying service, not about damaging or stealing data. The target may go offline, but its files remain intact.
Believing that using a firewall alone is enough to stop a large DDoS attack.
Firewalls process traffic in software, which has limited capacity. A large volumetric DDoS attack can easily saturate the firewall's processing power or the internet link itself, rendering the firewall useless.
For large attacks, you need cloud-based scrubbing services or dedicated hardware appliances that can absorb and filter massive traffic volumes before they reach the firewall.
Thinking that blocking the attacker's IP address is an effective countermeasure during a DDoS attack.
DDoS attacks use thousands of different source IP addresses, many of which are spoofed or belong to innocent users. Blocking one IP does nothing, and trying to block all of them manually is impossible in real time.
Use automated detection and mitigation tools that analyze traffic patterns and apply rules dynamically. Focus on behavioral filtering, not static IP blocking.
Assuming that DDoS attacks only affect large corporations and not small businesses.
Small businesses are often targeted because they have weaker defenses. Attackers may extort them or use them as practice targets. Even a small DDoS attack can take a small website offline completely.
Small businesses should still implement basic DDoS protection, such as using a CDN, enabling rate limiting on the server, and having a response plan.
Exam Trap — Don't Get Fooled
In exam questions, a scenario may describe a server being overwhelmed with traffic from a single IP address, and some learners mistakenly call it a DDoS attack. Read carefully. If the traffic comes from many different IP addresses, it is DDoS.
If it comes from one IP, it is a plain DoS attack. Remember that the 'D' stands for 'Distributed', meaning multiple sources.
Commonly Confused With
A DoS attack comes from a single source, while a DDoS attack comes from many sources. DoS is easier to block because you can just block that one IP address. DDoS is far harder to defend against because the traffic originates from thousands of different addresses.
If a single angry customer stands in your coffee shop doorway, that is a DoS. If the angry customer hires hundreds of people from different streets to block the door, that is a DDoS.
A botnet is the network of compromised computers that an attacker uses to launch a DDoS attack. The botnet is the weapon, and the DDoS attack is the action. Not all botnets are used for DDoS; some are used for spam or credential stuffing.
Think of a botnet as an army of remote-controlled toy cars. The DDoS attack is when the attacker orders all the cars to crash into a single wall at the same time.
An amplification attack is a technique used within a DDoS attack to multiply the traffic volume. The attacker sends small requests to vulnerable servers that then send much larger responses to the victim. The attack is still distributed if the amplified traffic comes from multiple servers.
If you shout into a megaphone, your small voice becomes a loud noise. An amplification attack uses the megaphone effect of public servers to turn tiny queries into massive floods.
A SYN flood is a specific type of DDoS attack that targets the TCP three-way handshake. The attacker sends many SYN packets but never completes the handshake, exhausting the server's connection table. It is one method of launching a DDoS, not the whole concept.
Imagine a receptionist who starts a conversation with thousands of people who say 'hello' but never respond to the next question. The receptionist's desk gets cluttered with half-open files, and real visitors cannot be helped.
Step-by-Step Breakdown
Compromise and recruit bots
The attacker uses malware, phishing, or exploiting vulnerabilities to infect many devices such as computers, IoT cameras, or routers. Each infected device becomes a bot or zombie that the attacker can control remotely without the owner's knowledge.
Establish command and control (C2)
The infected bots connect to a command and control server, often hidden on the dark web or using encrypted channels. The attacker sends instructions to the C2 server, which relays them to all bots. This allows the attacker to launch coordinated actions.
Select the target and attack type
The attacker chooses a target, such as a website, DNS server, or gaming platform. They also choose the type of attack, such as volumetric, protocol, or application layer, based on the target's vulnerabilities and the resources of the botnet.
Launch the attack
The attacker sends a command through the C2 server to all bots to start sending malicious traffic to the target at the same time. The combined traffic can reach terabit-per-second levels, overwhelming the target's bandwidth or processing capacity.
Target becomes overwhelmed
The target server or network cannot handle the flood of traffic. Legitimate incoming requests cannot be processed. The server may become extremely slow, crash, or disconnect from the network. Users see errors or timeouts.
Detection and mitigation begin
Network administrators or automated systems detect abnormal traffic spikes, high resource usage, or unusual packet patterns. Mitigation steps include traffic filtering, rate limiting, rerouting through a scrubbing center, or contacting the ISP for upstream filtering.
Traffic is filtered and service restored
DDoS mitigation services analyze traffic patterns and drop packets that match the attack signature. Clean traffic is forwarded to the target. Once the attack subsides, normal service resumes. The bots may still be infected, requiring remediation.
Practical Mini-Lesson
To truly understand DDoS attacks, you need to know both the attacker's perspective and the defender's perspective. From the attacker's side, building a botnet is the first step. Botnets can be rented on the dark web as a service for as little as 50 dollars per hour. The attacker does not need to be a technical expert; they simply buy access to a botnet and point it at a target. The botnet may consist of thousands of IoT devices like security cameras and routers that have default passwords or unpatched vulnerabilities. The attacker uses a C2 server to issue commands, often using peer-to-peer communication to make the botnet more resilient to takedowns.
From the defender's perspective, the first line of defense is capacity planning. A server with limited bandwidth will fall to even a small attack. Using a content delivery network (CDN) like Cloudflare or Akamai distributes traffic across many edge servers, which can absorb large volumes of attack traffic. For example, if your website is hosted on one server with a 1 Gbps link, a 1 Gbps DDoS flood will saturate it. But if you use a CDN, that traffic hits hundreds of servers worldwide, each handling only a small fraction of the load. The CDN's network can handle many terabits per second, so the attack is absorbed before it reaches your origin server.
Another practical technique is rate limiting. You can configure your web server or firewall to limit the number of requests from a single IP address over a time period. During a DDoS, this helps because each bot typically sends many requests, and rate limiting slows them down. However, sophisticated attackers randomize the rate or use many bots at low rates to evade detection. That is why behavioral analysis is important. Tools like intrusion detection systems (IDS) can learn normal traffic patterns and raise alerts when they deviate.
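The following Python script is an added example, not code from the original glossary page, that shows the detection and rate-limiting ideas above on web server access logs. It finds the busiest ten-second window, classifies it as normal, single-source DoS, or distributed DDoS from the aggregate request rate and the number of distinct sources carrying it, and reports which sources a per-IP rate limit would throttle. Every log line, IP range (RFC 5737 documentation addresses), threshold, and user agent is constructed for the example. The constructed DDoS set spreads the flood over 300 sources at three requests each, which is exactly the low-rate-per-bot pattern that a per-IP limit misses and that behavioral analysis of the aggregate still catches.

```python
"""Classify a traffic burst as normal, DoS or DDoS from web server access logs
and show what a per-IP rate limit would and would not catch.
All log lines below are constructed for this example; none are real traffic."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# NCSA combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (source_ip, timestamp, user_agent) for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("ua")


def analyze(lines, window_s=10, per_ip_limit=20, flood_rps=50, single_source_share=0.8):
    """Find the busiest fixed window and classify it.

    Verdict rules (thresholds are illustrative; tune them to your own baseline):
      aggregate rate below flood_rps             -> "normal"
      one source carries >= single_source_share  -> "DoS"  (single-source flood)
      otherwise                                  -> "DDoS" (flood spread over many sources)
    Also reports which sources a per-IP limit of per_ip_limit requests per
    window would throttle, and how many requests that limit would drop.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return {"verdict": "normal", "rps": 0.0, "sources": 0, "throttled": [], "dropped": 0}
    t0 = min(ts for _, ts, _ in events)
    buckets = {}
    for ip, ts, _ua in events:
        key = int((ts - t0).total_seconds()) // window_s
        buckets.setdefault(key, []).append(ip)
    busiest = max(buckets.values(), key=len)
    per_ip = Counter(busiest)
    rps = len(busiest) / window_s
    top_share = per_ip.most_common(1)[0][1] / len(busiest)
    if rps < flood_rps:
        verdict = "normal"
    elif top_share >= single_source_share:
        verdict = "DoS"
    else:
        verdict = "DDoS"
    over = {ip: n - per_ip_limit for ip, n in per_ip.items() if n > per_ip_limit}
    return {
        "verdict": verdict,
        "rps": rps,
        "sources": len(per_ip),
        "throttled": sorted(over),
        "dropped": sum(over.values()),
    }


def make_log(sources, requests_each, agent, start=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)):
    """Constructed log lines: every IP in `sources` sends `requests_each` GETs spread over 10 seconds."""
    lines = []
    for i, ip in enumerate(sources):
        for j in range(requests_each):
            ts = start + timedelta(seconds=(i * requests_each + j) % 10)
            lines.append(f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" 200 5120 "-" "{agent}"')
    return lines


# Constructed scenarios using RFC 5737 documentation address ranges.
LEGIT = make_log([f"192.0.2.{n}" for n in range(1, 6)], 4, "Mozilla/5.0")
NORMAL_LOG = LEGIT                                                        # 5 users, 4 requests each
DOS_LOG = LEGIT + make_log(["203.0.113.200"], 600, "python-requests/2.31")  # one source, 600 requests
BOTS = [f"198.51.100.{n}" for n in range(1, 255)] + [f"203.0.113.{n}" for n in range(1, 47)]
DDOS_LOG = LEGIT + make_log(BOTS, 3, "Mozilla/4.0 (compatible; MSIE 6.0)")  # 300 bots, 3 requests each

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("dos", DOS_LOG), ("ddos", DDOS_LOG)):
        print(name, analyze(log))
```

Running it shows the single-source flood both classified as DoS and throttled by the per-IP limit, while the distributed flood is classified as DDoS from its 92 requests per second across 305 sources even though no individual source exceeds the per-IP limit, so the limit drops nothing. In production the thresholds come from a measured baseline, and the verdict feeds an upstream filter or scrubbing service rather than a local block list.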
Professionals also need to understand how to respond to an ongoing attack. The first step is to identify the attack type by looking at logs and traffic captures. Is it a UDP flood, SYN flood, or HTTP flood? Then you can apply the appropriate filter. For example, a SYN flood can be mitigated by enabling SYN cookies on the server, while an HTTP flood may require a web application firewall (WAF) that inspects request headers and blocks those with suspicious user agents or unusual request rates. Finally, document the attack for post-incident analysis and to improve defenses for the future. DDoS defense is a continuous cycle of monitoring, tuning, and responding.
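To make the SYN-cookie mitigation mentioned above concrete, here is an added example in Python that is not from the original page and is not the Linux kernel implementation. It places a toy stateless listener that answers every SYN with a cookie beside a classic stateful listener that allocates a half-open entry per SYN. The cookie layout follows the classic scheme (a 5-bit time counter, a 3-bit MSS index, and a 24-bit keyed MAC over the connection 4-tuple) but is simplified; the MSS table, tick length, secret, addresses, and backlog size are all constructed for the example.

```python
"""Toy SYN-cookie listener beside a classic stateful one (added example).
Shows why a server using SYN cookies cannot have its connection table
exhausted by SYNs that are never completed. Simplified layout, not a kernel's."""
import hashlib
import hmac

MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit index can encode (constructed subset)
TICK_S = 64                            # the time counter advances once per 64 seconds


def _mac24(secret, src, dst, counter, mss_idx):
    """24-bit keyed MAC binding the cookie to the 4-tuple, the counter and the MSS index."""
    msg = f"{src[0]}:{src[1]}|{dst[0]}:{dst[1]}|{counter}|{mss_idx}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(secret, src, dst, client_mss, now):
    """Initial sequence number for the SYN-ACK: counter<<27 | mss_idx<<24 | MAC."""
    counter = (int(now) // TICK_S) & 0x1F
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= client_mss), default=0)
    mac = int.from_bytes(_mac24(secret, src, dst, counter, mss_idx), "big")
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(secret, src, dst, cookie, now, max_age_ticks=1):
    """Return the negotiated MSS if the cookie is genuine and fresh, otherwise None."""
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if ((int(now) // TICK_S) - counter) % 32 > max_age_ticks:
        return None                                   # stale: the replay window has closed
    expected = _mac24(secret, src, dst, counter, mss_idx)
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                   # forged, or copied from another 4-tuple
    return MSS_TABLE[mss_idx]


class StatefulListener:
    """Stores a half-open entry per SYN; SYNs that are never completed fill the table."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}
        self.established = set()

    def on_syn(self, src, dst, client_mss, now):
        if len(self.half_open) >= self.backlog:
            return None                               # backlog full: SYN dropped, no SYN-ACK sent
        isn = len(self.half_open) + 1                 # toy ISN, not a real one
        self.half_open[(src, dst)] = (isn, client_mss)
        return isn

    def on_ack(self, src, dst, ack, now):
        entry = self.half_open.pop((src, dst), None)
        if entry is None or ack != entry[0] + 1:
            return False
        self.established.add((src, dst))
        return True


class SynCookieListener:
    """Keeps no half-open state: the SYN-ACK sequence number is the cookie itself."""
    def __init__(self, secret):
        self.secret = secret
        self.established = {}

    def on_syn(self, src, dst, client_mss, now):
        return make_cookie(self.secret, src, dst, client_mss, now)

    def on_ack(self, src, dst, ack, now):
        mss = check_cookie(self.secret, src, dst, (ack - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False
        self.established[(src, dst)] = mss            # state is allocated only on a valid ACK
        return True


def demo(never_completed=1000):
    """Both listeners receive `never_completed` SYNs with no third packet (constructed),
    then one legitimate client tries to complete its handshake. Returns what happened."""
    dst = ("192.0.2.10", 443)
    now = 1_700_000_000
    stateful = StatefulListener(backlog=128)
    cookie = SynCookieListener(secret=b"constructed-secret-rotate-in-production")
    for i in range(never_completed):
        src = (f"203.0.113.{i % 254 + 1}", 1024 + i)
        stateful.on_syn(src, dst, 1460, now)
        cookie.on_syn(src, dst, 1460, now)
    client = ("198.51.100.7", 50000)
    s_isn = stateful.on_syn(client, dst, 1460, now)
    s_ok = s_isn is not None and stateful.on_ack(client, dst, s_isn + 1, now)
    c_isn = cookie.on_syn(client, dst, 1460, now)
    c_ok = cookie.on_ack(client, dst, c_isn + 1, now + 5)
    return {"stateful_accepted": s_ok, "stateful_half_open": len(stateful.half_open),
            "cookie_accepted": c_ok, "cookie_mss": cookie.established.get((client, dst))}


if __name__ == "__main__":
    print(demo())
```

The stateful listener's table is full after 128 uncompleted SYNs, so the legitimate client's SYN is dropped; the cookie listener stores nothing until a valid ACK arrives, so the client connects and its MSS of 1460 is recovered from the cookie. The cost of the approach is visible in the layout: options that do not fit in the 32-bit cookie are lost, which is why kernels normally enable cookies only once the backlog is under pressure.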
Memory Tip
Distributed = Different sources, Denial = Destination becomes unreachable. Remember the three Ds: Different sources, Down service, Demand mitigation.
Covered in These Exams
Current exam versions that test this topic: SY0-701 CompTIA Security+, 220-1101 CompTIA A+ Core 1, 220-1102 CompTIA A+ Core 2, SC-900, Google CDL, ISC2 CC.
Frequently Asked Questions
Can a DDoS attack steal my personal information?
No, a DDoS attack only aims to make a service unavailable. It does not steal data. However, attackers sometimes launch a DDoS as a distraction while they attempt other attacks like data breaches.
How can I tell if my computer is part of a botnet?
Signs include unusually high CPU or network usage, slow performance, unexpected pop-ups, or your antivirus detecting malware. You can run a full scan and monitor network activity with tools like Task Manager or netstat.
What is the average duration of a DDoS attack?
Most DDoS attacks last between 30 minutes and a few hours. However, some attacks can persist for days if the target lacks proper mitigation. The duration depends on the attacker's resources and the target's defenses.
Is it illegal to launch a DDoS attack?
Yes, launching a DDoS attack is illegal in most countries. It is considered a computer crime under laws like the Computer Fraud and Abuse Act in the US. Even participating as a bot herder can result in severe penalties.
Can a DDoS attack be stopped by simply restarting the server?
Restarting the server may clear temporary resource exhaustion, but the attack traffic will continue to flood the server once it comes back online. Restarting is not a solution; you need to filter the attack traffic at the network level.
What is the difference between a DDoS and a DoS attack in terms of detection?
A DoS attack from a single source is easier to detect because the traffic comes from one IP address. A DDoS attack is harder to detect because traffic comes from many distributed sources, making it appear like legitimate high traffic to an untrained eye.
Do small businesses need DDoS protection?
Yes, small businesses are frequently targeted by DDoS attacks, often for extortion or simply because they are easy prey. Basic protections like using a CDN, enabling rate limiting on web servers, and having a response plan are affordable and effective.
Summary
A Distributed Denial-of-service (DDoS) attack is a cyberattack that uses a network of compromised devices, called a botnet, to flood a target server or network with overwhelming traffic, making it unavailable to legitimate users. Unlike a simple DoS attack from a single source, DDoS attacks come from many distributed sources, making them far more difficult to block. Understanding DDoS is crucial for IT professionals because these attacks can cause significant financial and operational damage, and they appear in several certification exams including CompTIA A+, Network+, and Security+.
In exams, you must know the difference between DoS and DDoS, recognize common attack types like SYN floods and amplification attacks, and understand basic mitigation strategies such as rate limiting, CDNs, and cloud-based scrubbing services. For real-world practice, always plan for redundancy, use up-to-date security patches to prevent devices from becoming bots, and have a DDoS response plan in place. Remember the three Ds: Different sources, Down service, and Demand mitigation.