
DDoS Attacks and IP Addresses: Complete Guide

Distributed Denial of Service (DDoS) attacks are among the most disruptive cyber threats, using IP addresses to overwhelm targets with massive traffic volumes. Understanding DDoS attacks, how they work, and how to protect against them is crucial for anyone managing internet-facing services. This comprehensive guide explains everything you need to know about DDoS attacks and IP addresses.

What is a DDoS Attack?

A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt normal traffic to a targeted server, service, or network by overwhelming it with a flood of internet traffic from multiple sources. Unlike a DoS (Denial of Service) attack from a single source, DDoS attacks use many compromised systems to generate attack traffic.

How DDoS Attacks Work

Basic concept:
- The attacker controls a botnet (thousands of compromised devices)
- The attacker commands the botnet to send traffic to the target
- The target is overwhelmed by the volume
- Legitimate users can't access the service
- The service is unavailable

Attack flow:
Attacker → Command & Control (C&C) Server
    ↓
Botnet (infected devices)
    ↓
Target Server (overwhelmed)

DDoS vs DoS

DoS (Denial of Service):
- Single-source attack
- One IP address
- Easier to block
- Limited scale
- Less common

DDoS (Distributed Denial of Service):
- Multiple-source attack
- Thousands of IP addresses
- Hard to block
- Massive scale
- Very common

Types of DDoS Attacks

Volume-Based Attacks

Goal: Consume bandwidth

Methods:

UDP Flood:
- Sends massive numbers of UDP packets
- To random or specific ports
- Overwhelms network capacity
- Consumes all available bandwidth

ICMP Flood (Ping Flood):
- Sends massive numbers of ICMP echo requests
- Overwhelms the target with ping packets
- Consumes bandwidth
- Exhausts resources

DNS Amplification:
- Spoofs the victim's IP as the source
- Sends DNS queries to open resolvers
- Small query → large response
- Amplification factor: 28-54x
- Victim is flooded with responses

NTP Amplification:
- Exploits the NTP monlist command
- Amplification factor: 556x
- Small request → huge response
- Devastating bandwidth consumption

Characteristics:
- Measured in: Gbps (gigabits per second)
- Attack size: 10-1000+ Gbps
- Duration: minutes to hours
- Impact: network saturation

Protocol Attacks

Goal: Exhaust server resources

Methods:

SYN Flood:
- Sends massive numbers of SYN packets
- Spoofs source IP addresses
- Server allocates resources for each half-open connection
- Waits for an ACK that never comes
- Connection table exhausted

Process:
1. Attacker: SYN (spoofed source)
2. Server: SYN-ACK (to the spoofed IP)
3. Server: waits for ACK
4. Server: resources tied up
5. Repeated millions of times

Ping of Death:
- Sends oversized ICMP packets
- Exceeds the maximum packet size
- Causes a buffer overflow
- System crash or hang

Smurf Attack:
- Spoofs the victim's IP
- Sends ICMP to a broadcast address
- All hosts respond to the victim
- Amplification attack
- Network congestion

Characteristics:
- Measured in: packets per second (PPS)
- Attack size: 10-100+ million PPS
- Duration: minutes to hours
- Impact: resource exhaustion

Application Layer Attacks (Layer 7)

Goal: Exhaust application resources

Methods:

HTTP Flood:
- Sends massive numbers of HTTP requests
- GET or POST requests
- Requests appear legitimate
- Overwhelms the web server
- Application crashes

Slowloris:
- Opens many connections
- Sends partial HTTP requests
- Keeps connections alive
- Never completes the requests
- Exhausts the connection pool

DNS Query Flood:
- Massive numbers of DNS queries
- Overwhelms the DNS server
- Prevents legitimate lookups
- Service unavailable

Application-specific:
- WordPress XML-RPC attacks
- API endpoint flooding
- Database query floods
- Resource-intensive operations

Characteristics:
- Measured in: requests per second (RPS)
- Attack size: 10,000-1,000,000+ RPS
- Duration: hours to days
- Impact: application unavailability
- Hardest to detect and mitigate

DDoS Attack Vectors

Botnets

What is a botnet?
- A network of infected devices
- Controlled by the attacker
- Used for DDoS attacks
- Can be rented or sold

Common botnet types:

Mirai:
- Targets IoT devices
- Exploits default credentials
- Cameras, DVRs, routers
- Massive DDoS capability

Emotet:
- Banking trojan turned botnet
- Email-based infection
- Modular architecture
- DDoS functionality

Botnet size:
- Small: 1,000-10,000 bots
- Medium: 10,000-100,000 bots
- Large: 100,000-1,000,000+ bots
- Record: 2.4 million (Mirai)

Amplification Attacks

How amplification works:
- Attacker sends a small request
- Spoofs the victim's IP as the source
- Server sends a large response to the victim
- The amplification factor multiplies the attack

Common amplification protocols:

| Protocol  | Amplification Factor | Default Port |
|-----------|----------------------|--------------|
| Memcached | 51,000x              | 11211        |
| NTP       | 556x                 | 123          |
| DNS       | 28-54x               | 53           |
| SSDP      | 30x                  | 1900         |
| CharGen   | 358x                 | 19           |
| SNMP      | 6x                   | 161          |

Example DNS amplification:
- Attacker query: 60 bytes
- DNS response: 3,000 bytes
- Amplification: 50x
- 1 Gbps of attack traffic → 50 Gbps at the victim

Reflection Attacks

How reflection works:
- Attacker spoofs the victim's IP
- Sends requests to third-party servers
- Servers respond to the victim
- Victim receives unwanted traffic
- Hides the attacker's identity

Reflection + Amplification:
- The most powerful combination
- Small attack → massive impact
- Hard to trace
- Common in modern DDoS
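The reflection and amplification pattern just described is visible to a defender as a burst of inbound UDP traffic whose source ports are the well-known reflector services. The following Python is an added example, not code from the article: it reads constructed flow records (modelled loosely on a NetFlow/sFlow export; the tuple layout, the port-to-service map and the thresholds are assumptions) and groups unsolicited replies by victim and reflector service, flagging groups with many distinct reflectors or abnormally large packets. It also computes the article's 60-byte query / 3,000-byte response DNS example as an amplification factor.

```python
"""Spot reflection/amplification traffic in flow records (defender side).

Added example, not code from the original article. The flow records are
constructed to resemble a simplified NetFlow/sFlow export; the tuple layout,
the port-to-service map and the thresholds are assumptions.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the port the *response*
# arrives from (the ports listed in the amplification table above).
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 53: "dns",
                   1900: "ssdp", 19: "chargen", 161: "snmp"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # Ordinary DNS answers from the resolver this host actually queries: small.
    ("198.51.100.53", 53, "203.0.113.10", 41233, "udp", 1, 120),
    ("198.51.100.53", 53, "203.0.113.10", 41234, "udp", 1, 98),
    # Unsolicited NTP responses from several reflectors aimed at one victim.
    ("192.0.2.11", 123, "203.0.113.10", 60001, "udp", 40, 19200),
    ("192.0.2.12", 123, "203.0.113.10", 60002, "udp", 41, 19680),
    ("192.0.2.13", 123, "203.0.113.10", 60003, "udp", 39, 18720),
    # One memcached reflector: few packets, but each one is very large.
    ("192.0.2.20", 11211, "203.0.113.10", 60010, "udp", 12, 16800),
    # Normal outbound HTTPS, ignored by the check.
    ("203.0.113.10", 443, "198.51.100.7", 55000, "tcp", 200, 250000),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / request_bytes


def summarize_reflection(flows, min_sources=3, min_bytes_per_pkt=300):
    """Group inbound UDP flows by (victim, reflector service) and flag groups
    that look like amplification: many distinct reflectors, or an average
    packet size far above what a normal reply from that service carries.

    Returns {(dst_ip, service): {"sources": n, "bytes": total, "avg_pkt": avg}}.
    """
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "pkts": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, pkts, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(dst_ip, REFLECTOR_PORTS[src_port])]
        g["sources"].add(src_ip)
        g["bytes"] += nbytes
        g["pkts"] += pkts

    findings = {}
    for key, g in groups.items():
        avg_pkt = g["bytes"] / g["pkts"] if g["pkts"] else 0.0
        if len(g["sources"]) >= min_sources or avg_pkt >= min_bytes_per_pkt:
            findings[key] = {"sources": len(g["sources"]),
                             "bytes": g["bytes"], "avg_pkt": round(avg_pkt, 1)}
    return findings


if __name__ == "__main__":
    print("DNS example from the article: %.0fx" % amplification_factor(60, 3000))
    for (victim, service), info in summarize_reflection(SAMPLE_FLOWS).items():
        print(f"{victim} <- {service}: {info}")
```

Two caveats when running this against real exports: answers from the resolvers and NTP servers your hosts actually query arrive with the same source ports, so exclude those servers (or compare against the outbound query volume), and the byte-per-packet threshold should come from your own baseline rather than the 300 bytes assumed here.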

Notable DDoS Attacks

Record-Breaking Attacks

Google (2020):
- Size: 2.54 Tbps
- Method: CLDAP reflection
- Duration: 6 months (campaign)
- Mitigated successfully

Amazon AWS (2020):
- Size: 2.3 Tbps
- Method: CLDAP reflection
- Duration: 3 days
- Mitigated successfully

GitHub (2018):
- Size: 1.35 Tbps
- Method: Memcached amplification
- Duration: 20 minutes
- Peak: 126.9 million PPS

Dyn DNS (2016):
- Size: 1.2 Tbps
- Method: Mirai botnet
- Impact: major internet outage
- Affected: Twitter, Netflix, Reddit, etc.

Impact Examples

Dyn Attack Impact:
- DNS provider overwhelmed
- Major websites unreachable
- US East Coast affected
- Lasted several hours
- Mirai botnet responsible

Spamhaus (2013):
- Size: 300 Gbps (a record at the time)
- Method: DNS amplification
- Impact: internet slowdown
- Cloudflare helped mitigate

IP Addresses in DDoS Attacks

Source IP Spoofing

Why spoof IPs:
- Hide the attacker's identity
- Enable amplification
- Bypass IP-based blocking
- Complicate attribution

How it works:
- Attacker modifies packet headers
- Sets a false source IP
- Victim's IP is used as the source in amplification requests
- Responses flood the victim

Detection:
- Impossible source IPs
- Geographic inconsistencies
- TTL anomalies
- Packet timing

Distributed Sources

Attack characteristics:
- Thousands of source IPs
- Global distribution
- Residential IPs
- Mobile IPs
- IoT devices
- Cloud instances

Makes blocking difficult:
- Can't block all sources
- Legitimate IPs mixed in
- Constantly changing
- Overwhelming volume

Target IP Addresses

Single IP target:
- Specific server
- Website
- API endpoint
- Game server

Multiple IP targets:
- Entire subnet
- Multiple servers
- Infrastructure
- Distributed attack

Detecting DDoS Attacks

Traffic Anomalies

Volume spikes:
- Sudden traffic increase
- 10x-1000x normal
- Sustained high volume
- Unusual patterns

Geographic anomalies:
- Traffic from unexpected countries
- Unusual distribution
- Concentrated sources
- Bot-like patterns

Protocol anomalies:
- Unusual protocol mix
- Malformed packets
- Unexpected packet sizes
- Protocol violations

Performance Indicators

Server symptoms:
- Slow response times
- Timeouts
- High CPU/memory usage
- Connection exhaustion
- Service crashes

Network symptoms:
- Bandwidth saturation
- Packet loss
- High latency
- Network congestion
- Router/firewall overload

Monitoring Tools

NetFlow/sFlow:
- Traffic flow analysis
- Source/destination tracking
- Volume monitoring
- Pattern detection

SNMP:
- Interface statistics
- Bandwidth utilization
- Error rates
- Device health

IDS/IPS:
- Snort
- Suricata
- Attack signatures
- Anomaly detection

DDoS-specific:
- Arbor Networks
- Cloudflare Analytics
- Fastly Real-time Stats
- Custom dashboards

Mitigating DDoS Attacks

Network-Level Mitigation

Rate limiting:
- Limit connections per IP
- Limit requests per second
- Threshold-based blocking
- Gradual degradation

IP filtering:
- Blacklist known attackers
- Whitelist legitimate sources
- Geo-blocking
- ASN blocking

Traffic shaping:
- Prioritize legitimate traffic
- QoS policies
- Bandwidth allocation
- Connection limits

Application-Level Mitigation

Web Application Firewall (WAF):
- Filter malicious requests
- Rate limiting
- Bot detection
- Challenge-response (CAPTCHA)

Caching:
- CDN caching
- Reduce origin load
- Serve static content
- Edge caching

Load balancing:
- Distribute traffic
- Multiple servers
- Auto-scaling
- Failover

Infrastructure Protection

Overprovisioning:
- Excess bandwidth
- Extra server capacity
- Redundant infrastructure
- Absorb attack traffic

Network segmentation:
- Isolate critical services
- DMZ configuration
- Internal firewalls
- Limit attack spread

Anycast:
- Distribute traffic globally
- Multiple PoPs
- Closest server responds
- Attack traffic is spread across locations

DDoS Protection Services

Cloud-based scrubbing:

Cloudflare:
- Global network
- Automatic mitigation
- Free tier available
- Enterprise solutions

Akamai:
- Massive capacity
- Scrubbing centers
- Enterprise-focused
- High-volume protection

AWS Shield:
- Standard (free)
- Advanced (paid)
- Integration with AWS
- Automatic protection

Fastly:
- Edge cloud platform
- Real-time mitigation
- Developer-friendly
- Modern architecture

On-premise solutions:
- Arbor Networks
- Radware
- F5 Networks
- Cisco

DDoS Attack Prevention

Network Hardening

Disable unnecessary services:
- Close unused ports
- Remove amplification vectors
- Disable DNS recursion for outside clients
- Secure NTP
- Disable SSDP

Implement BCP 38:
- Ingress filtering
- Prevent IP spoofing
- Verify source addresses
- ISP-level filtering
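Both the detection bullets under "Source IP Spoofing" (impossible source addresses, TTL anomalies) and the BCP 38 ingress-filtering step above come down to the same question: could this packet legitimately have come from that source? The following Python is an added example, not from the article; it classifies source addresses with the standard-library ipaddress module, treats the organization's own prefix (an assumed 203.0.113.0/24) arriving from outside as spoofed by definition, and flags sources whose observed TTLs vary more than a single real host's would. The packet samples, the public addresses used as "normal" sources and the spread threshold are constructed assumptions.

```python
"""Classify packet sources the way a BCP 38-style ingress filter would, and
flag TTL inconsistencies that suggest spoofing.

Added example, not from the article. OUR_PREFIXES is an assumed set of
prefixes the organization announces; the packet samples are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed: the address space this network announces (TEST-NET-3, used as a stand-in).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def classify_source(src, inbound=True):
    """Return a reason string if `src` cannot be a legitimate source for an
    inbound packet, or None if it passes.

    Order matters: Python's ipaddress marks loopback, link-local, the
    documentation ranges and 240.0.0.0/4 as "private" too, so the more
    specific checks run first to give a precise reason.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable"
    if inbound and any(ip in net for net in OUR_PREFIXES):
        return "our own prefix arriving from outside"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast source"
    if ip.is_link_local:
        return "link-local"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private (RFC 1918 / ULA)"
    return None


def filter_sources(sources):
    """Split a list of source addresses into (accepted, {src: reason}) for reporting."""
    accepted, rejected = [], {}
    for src in sources:
        reason = classify_source(src)
        if reason is None:
            accepted.append(src)
        else:
            rejected[src] = reason
    return accepted, rejected


# Constructed (src, ttl) observations. One source shows a consistent TTL, as a
# real host on a fixed path would; the other shows values a single host cannot
# produce within one window, which is a spoofing indicator the article names.
CONSTRUCTED_PACKETS = [
    ("1.1.1.1", 57), ("1.1.1.1", 56), ("1.1.1.1", 57),
    ("9.9.9.9", 12), ("9.9.9.9", 251), ("9.9.9.9", 118),
]


def ttl_inconsistent_sources(packets, max_spread=16):
    """Return sources whose observed TTLs span more than `max_spread` hops."""
    ttls = defaultdict(list)
    for src, ttl in packets:
        ttls[src].append(ttl)
    return sorted(src for src, vals in ttls.items() if max(vals) - min(vals) > max_spread)


if __name__ == "__main__":
    ok, bad = filter_sources(["1.1.1.1", "10.0.0.1", "203.0.113.5", "127.0.0.1", "224.0.0.1"])
    print("accepted:", ok)
    print("rejected:", bad)
    print("TTL-inconsistent:", ttl_inconsistent_sources(CONSTRUCTED_PACKETS))
```

In a real deployment the prefix list comes from your routing configuration and the filter belongs on the border router or in a kernel-level packet filter, not in application code; the TTL check is a heuristic for investigation, since legitimate traffic that changes paths can also shift by a few hops.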

Rate limiting:
- Connection limits
- Request rate limits
- Bandwidth limits
- Per-IP limits
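The per-IP limits named in the network-level mitigation section and again here are usually implemented as a token bucket per source address. The Python below is an added example, not code from the article or from any product it names: it implements that bucket, keeps one per source IP with a drop counter for monitoring, and runs a constructed two-second stream (a normal client at 5 requests/s alongside a flooder at 200 requests/s) through a 10 requests/s limit with a burst of 20. Timestamps are passed in as exact fractions of a second so the run is deterministic; the addresses and rates are assumptions.

```python
"""Per-source rate limiting with a token bucket.

Added example, not code from the article. It models the per-IP decision a
firewall or reverse proxy makes; the request stream is constructed, and
`now` is injected (as exact fractions of a second) rather than read from a
clock so the result is reproducible.
"""
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """Allows `burst` requests at once, then `rate` requests per second."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP, plus a drop counter for monitoring."""

    def __init__(self, rate=10, burst=20):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.dropped = defaultdict(int)

    def check(self, src_ip, now):
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.burst)
        allowed = bucket.allow(now)
        if not allowed:
            self.dropped[src_ip] += 1
        return allowed


def constructed_stream():
    """Two seconds of traffic: a normal client at 5 req/s and a flooder at 200 req/s."""
    events = [(Fraction(i, 5), "198.51.100.7") for i in range(10)]
    events += [(Fraction(i, 200), "192.0.2.99") for i in range(400)]
    return sorted(events)


def simulate(stream, rate=10, burst=20):
    """Run the stream through the limiter; return (allowed per IP, dropped per IP)."""
    limiter = PerSourceLimiter(rate, burst)
    allowed = defaultdict(int)
    for now, src in stream:
        if limiter.check(src, now):
            allowed[src] += 1
    return dict(allowed), dict(limiter.dropped)


if __name__ == "__main__":
    ok, dropped = simulate(constructed_stream())
    print("allowed:", ok)
    print("dropped:", dropped)
```

With these parameters the normal client is never throttled, while the flooder gets its initial burst of 20 and afterwards only the refill rate. Per-IP limits alone do not stop a distributed attack in which each source stays under the threshold, which is why the article pairs them with global connection limits, WAF rules and upstream scrubbing; in production the bucket state lives in the proxy or a kernel-level filter rather than in application code.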

Application Hardening

Input validation:
- Validate all input
- Reject malformed requests
- Limit request size
- Time out long requests

Resource limits:
- Connection timeouts
- Request timeouts
- Memory limits
- CPU limits

Caching:
- Cache aggressively
- Reduce database load
- Static content on a CDN
- API response caching

Monitoring and Alerting

Baseline normal traffic:
- Establish patterns
- Know normal volumes
- Geographic distribution
- Protocol mix

Set up alerts:
- Traffic spikes
- Error rate increases
- Response time degradation
- Resource exhaustion
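A baseline is only useful once something compares live traffic against it, and the "volume spikes" and "geographic anomalies" bullets in the detection section are the two comparisons most teams start with. The Python below is an added example, not from the article: it takes constructed per-minute request counts and per-country traffic shares, derives a baseline mean and standard deviation, and flags minutes whose volume is both a statistical outlier and a large multiple of normal, plus countries whose share of traffic has jumped. Thresholds and sample values are assumptions.

```python
"""Baseline-and-alert checks for request volume and geographic mix.

Added example, not from the article. The per-minute request counts and the
per-country shares are constructed; in practice they come from NetFlow, the
load balancer or web server access logs.
"""
from statistics import mean, pstdev

# Constructed: 30 minutes of ordinary traffic (requests per minute) ...
BASELINE_RPM = [1200, 1180, 1250, 1210, 1195, 1230, 1220, 1190, 1240, 1205,
                1215, 1225, 1185, 1230, 1200, 1210, 1190, 1245, 1220, 1200,
                1235, 1195, 1210, 1225, 1205, 1215, 1200, 1230, 1190, 1210]
# ... followed by six recent minutes in which a flood begins.
RECENT_RPM = [1220, 1210, 1240, 9800, 41000, 120000]

# Constructed share of requests by country, baseline vs. the last window.
BASELINE_GEO = {"US": 0.55, "DE": 0.20, "GB": 0.15, "other": 0.10}
RECENT_GEO = {"US": 0.10, "DE": 0.04, "GB": 0.03, "other": 0.83}


def baseline(counts):
    """Return (mean, population standard deviation) of a baseline window."""
    return mean(counts), pstdev(counts)


def spike_alerts(recent, base_mean, base_std, z_threshold=4.0, ratio_threshold=3.0):
    """Flag samples that exceed the baseline by both a z-score and a plain multiple.

    Both tests are required: a very regular baseline has a tiny standard
    deviation, so the z-score alone fires on harmless noise; the ratio test
    keeps alerts to genuine volume changes.
    """
    alerts = []
    for i, value in enumerate(recent):
        z = (value - base_mean) / base_std if base_std else float("inf")
        ratio = value / base_mean if base_mean else float("inf")
        if z >= z_threshold and ratio >= ratio_threshold:
            alerts.append({"index": i, "rpm": value, "z": round(z, 1), "ratio": round(ratio, 1)})
    return alerts


def geo_shift_alerts(baseline_share, recent_share, max_increase=0.25):
    """Return countries whose share of traffic grew by more than `max_increase`."""
    return sorted(c for c, share in recent_share.items()
                  if share - baseline_share.get(c, 0.0) > max_increase)


if __name__ == "__main__":
    m, s = baseline(BASELINE_RPM)
    print(f"baseline: mean={m:.1f} rpm, stddev={s:.1f}")
    for a in spike_alerts(RECENT_RPM, m, s):
        print("volume alert:", a)
    print("geo alerts:", geo_shift_alerts(BASELINE_GEO, RECENT_GEO))
```

The baseline window should be long enough to cover your normal daily and weekly cycle (the 30 minutes here are only for illustration), and the two thresholds are the knobs to tune against false positives from product launches or marketing campaigns before you wire the alerts into an on-call rotation.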

Incident response plan:
- Detection procedures
- Escalation path
- Mitigation steps
- Communication plan

Response to DDoS Attack

Immediate Actions

1. Confirm the attack:
- Verify that it is a DDoS
- Not a legitimate traffic spike
- Not an infrastructure failure
- Identify the attack type

2. Activate DDoS protection:
- Enable cloud scrubbing
- Activate WAF rules
- Implement rate limiting
- Contact your DDoS provider

3. Communicate:
- Notify stakeholders
- Update the status page
- Inform customers
- Coordinate with your ISP

4. Log everything:
- Capture traffic samples
- Save logs
- Document the timeline
- Preserve evidence

During Attack

Monitor continuously:
- Track attack metrics
- Measure mitigation effectiveness
- Watch for the attack evolving
- Monitor infrastructure health

Adjust mitigation:
- Tune rules
- Add filters
- Scale resources
- Optimize configuration

Maintain communication:
- Regular updates
- Stakeholder briefings
- Customer notifications
- Team coordination

Post-Attack

Analysis:
- Attack vectors used
- Peak volumes
- Duration
- Mitigation effectiveness
- Lessons learned

Improvements:
- Update defenses
- Patch vulnerabilities
- Enhance monitoring
- Improve the response plan

Documentation:
- Incident report
- Timeline
- Actions taken
- Recommendations

Legal and Ethical Considerations

DDoS is Illegal

Laws:
- Computer Fraud and Abuse Act (US)
- Computer Misuse Act (UK)
- Cybercrime laws worldwide
- Severe penalties

Penalties:
- Criminal charges
- Fines
- Imprisonment
- Civil liability

Legitimate Testing

Authorized testing only:
- Written permission
- Controlled environment
- Professional services
- Compliance with laws

DDoS testing services:
- Legitimate providers
- Authorized testing
- Controlled attacks
- Measure resilience

Conclusion

DDoS attacks represent a significant threat to online services, using IP addresses and network protocols to overwhelm targets with traffic. Understanding attack types, detection methods, and mitigation strategies is essential for protecting internet-facing services.


Key takeaways:
- DDoS uses distributed sources to overwhelm targets
- Three main types: volume, protocol, application
- IP spoofing enables amplification attacks
- Botnets provide attack infrastructure
- Detection requires monitoring and baselines
- Mitigation needs multiple layers
- Cloud scrubbing services are highly effective
- Prevention includes hardening and rate limiting
- An incident response plan is essential
- DDoS attacks are illegal
- Professional protection services are recommended

Bottom line: DDoS attacks are a persistent threat that requires proactive preparation, robust defenses, and professional mitigation services. No organization is immune, but proper planning, monitoring, and protection significantly reduce both risk and impact. Invest in DDoS protection before you need it: recovering from an attack you were not prepared for is far more expensive than prevention.
