A distributed denial-of-service (DDoS) attack is a cyberattack in which a network of multiple machines floods a target with requests (or with raw packets, as in a SYN flood or volumetric DDoS attack). This differs from a denial-of-service (DoS) attack, where a single machine overwhelms a resource with requests. Attackers can organize bots across numerous geographical locations, making this type of threat harder to pin down and counteract.
From one "head" machine, an attacker pushes attack instructions to their network of bots, which together send massive amounts of web requests (or other packets) to resources like servers. The idea is to block legitimate traffic from getting through and cause service interruptions for applications, websites, and the databases that support them. We often refer to the devices used in DDoS attacks as "zombies" since they've been commandeered to carry out flood attacks.
To cripple their targets, bots work in unison to consume system resources. Servers have a finite capacity to serve clients, limited CPU resources, and limited memory to work with. On the networking side, the bandwidth needed to handle subsequent requests is also limited. When a DDoS botnet successfully performs an attack, it generally consumes one or more of these resources completely, rendering the service unreachable. If your traffic was utilizing a multi-lane highway before, a DDoS attack essentially strips those extra lanes away and forces all "vehicles" (requests) to share one clogged lane.
DDoS attacks come in three different forms:
Application layer – A Layer 7 attack in which attackers attempt to overwhelm a site's or application's resources, consume available bandwidth, and trigger server errors using multiple reload requests.
Protocol-based – Connection requests from various IP addresses exploit specific server weaknesses, leading to resource consumption.
Volumetric – Bots send large amounts of total data to a resource and seek responses. Responses can quickly grow too lengthy or fail entirely, disrupting service. Volumetric attacks also amplify data payloads to cause larger impacts more rapidly.
Why are DDoS attacks dangerous?
We've discussed how DDoS attacks can cripple backend resources, and therefore block access to websites and applications. This might be a mild annoyance for those trying to access YouTube or do non-critical activities, but the real impacts are felt when DDoS attacks bring down critical resources. Attacks against government services, healthcare entities, and financial services providers can have far-reaching effects—financially, reputationally, or otherwise.
First, distributed denial-of-service attacks are expensive to mitigate, and those expenses rise when DDoS protections aren't in place. In 2023, these attacks lasted an average of 68 minutes at a cost of $6,000 per minute. Unprotected organizations paid over $408,000 on average to thwart these attacks, which is a hard pill to swallow for many businesses. In many cases, a successful DDoS attack can shutter a vulnerable company.
Second, DDoS attacks can erode user trust. By causing disruptions, data breaches, and data loss, these threats may lead users to move to different platforms. A company's response and transparency directly impact any fallout.
Third, attacks can lead to revenue loss (similar to point #1). If an attacker were to bring down a large eCommerce platform, even an hour of downtime could cause massive impacts. Amazon experienced these effects firsthand during Prime Day 2018, when an hour-long outage led to roughly $75 million in lost sales.
Can HAProxy help mitigate DDoS attacks?
Yes! HAProxy's multi-layered security approach includes numerous protections for web applications and APIs. Features like Global Rate Limiting, the HAProxy Enterprise WAF, and HAProxy Enterprise Bot Management Module combine to prevent bad actors from disrupting service.
Access control lists, client fingerprinting, and PacketShield also shield your backend systems from harmful traffic. You can learn more about our DDoS protections and more on our Security solution page.
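As an added illustration (not taken from this page or from HAProxy's own documentation), the fragment below shows how access control lists and per-client rate limiting can be expressed with stick tables in open-source HAProxy. It limits clients per node and is not the Enterprise Global Rate Limiting feature named above. The section names, the 192.0.2.10 address, and all thresholds are assumptions to be tuned against real traffic.

```haproxy
# Added example: names, address and thresholds are assumptions.
global
    maxconn 20000                 # hard ceiling on concurrent connections

defaults
    mode http
    timeout connect 5s
    timeout client  10s
    timeout server  30s

frontend fe_web
    bind :80

    # One entry per client address (type ipv6 also holds IPv4 sources).
    # Stores the HTTP request rate over 10s and open connection count.
    stick-table type ipv6 size 1m expire 10m store http_req_rate(10s),conn_cur

    # Track the source address as early as possible (connection level).
    tcp-request connection track-sc0 src

    # Protocol-level pressure: refuse clients holding too many connections.
    tcp-request connection reject if { sc_conn_cur(0) gt 20 }

    # Application-layer floods: answer 429 once a client exceeds
    # 100 requests in the 10-second window.
    acl too_many_reqs sc_http_req_rate(0) gt 100
    http-request deny deny_status 429 if too_many_reqs

    default_backend be_app

backend be_app
    # Per-server maxconn queues excess requests in HAProxy instead of
    # letting a burst exhaust the application server's CPU and memory.
    server app1 192.0.2.10:8080 maxconn 200 check
```

Because the source address is tracked per client, this limits individual noisy sources. A widely distributed flood where each bot stays under the threshold needs aggregate limits or upstream filtering as well.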