A distributed denial-of-service (DDoS) attack uses multiple computers to launch a coordinated attack against one or more targets. These computers use malicious programs and remote connections to consume the target server's resources or network bandwidth, which prevents the server from providing services.
How DDoS attacks work
A DDoS attack is a coordinated attack that uses a botnet:
An attacker builds a large botnet by illegally controlling many devices on the Internet.
During an attack, the attacker issues commands from a control server. These commands direct all zombie hosts in the botnet to simultaneously send a massive flood of requests or traffic to a specific target, such as a website or server.
This sudden traffic spike quickly exhausts the target server's system resources or network bandwidth, causing the service to slow down or crash completely. As a result, the server cannot process requests from legitimate users, which achieves the goal of a denial-of-service attack.
Risks of DDoS attacks
Significant financial and brand damage: An attack can cause service interruptions and prevent users from accessing your services. This leads to direct financial losses from lost orders and customer churn, and severely damages your brand's reputation.
Example: An e-commerce platform is targeted by a DDoS attack, causing its website to become inaccessible or temporarily shut down. As a result, legitimate users cannot place orders.
Risk of data breaches: A DDoS attack can act as a tactical cover. While creating network chaos, an attacker might take the opportunity to infiltrate the system and steal sensitive or core data.
Malicious business competition: DDoS attacks are used as an unfair competitive tactic. Attackers paralyze a competitor's services to disrupt their business, capture market share, and damage the industry ecosystem.
Example: A game service is targeted by a DDoS attack, causing the number of players to drop sharply. The attack may cause the game service to go completely offline within a few days.
How to determine if your service is under a DDoS attack
To determine whether an asset is under attack, check the asset status on the Assets page in the Traffic Security console. For more information, see Asset Center.
The following signs also indicate that your service may be under a DDoS attack:
Service quality degradation: Your service lags, responds slowly, or many users are disconnected.
Abnormal server resources: The CPU or memory utilization spikes.
Network traffic surge: The outbound or inbound traffic spikes unexpectedly.
Massive unknown access: Your website or application is flooded with requests from unknown sources.
Difficulty with remote management: You cannot log on to the server, or the server responds very slowly.
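Two of the signs above, a network traffic surge and massive access from unknown sources, can be checked directly against web access logs. The following script is an added example, not code from the original page or an Alibaba Cloud tool. It assumes Common Log Format lines, an assumed baseline of requests per minute for the site, and a set of source addresses seen during normal operation; the log lines, addresses, and thresholds are all constructed for the demonstration.

```python
"""Flag minutes in a web access log that show DDoS warning signs:
a request-rate surge and a flood of requests from never-seen sources.
Added example; every input value below is constructed, not real traffic."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def _line(ip, ts, path):
    """Build one constructed log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one quiet minute from known visitors, then one minute in
# which 60 previously unseen addresses each send three requests.
NORMAL = [
    _line("203.0.113.10", "12/Mar/2024:10:00:05 +0000", "/"),
    _line("203.0.113.11", "12/Mar/2024:10:00:20 +0000", "/products"),
    _line("203.0.113.10", "12/Mar/2024:10:00:41 +0000", "/cart"),
    _line("203.0.113.12", "12/Mar/2024:10:00:55 +0000", "/"),
]
ATTACK = [
    _line(f"198.51.100.{i}", f"12/Mar/2024:10:01:{(i * 7) % 60:02d} +0000", "/search?q=x")
    for i in range(1, 61)
    for _ in range(3)
]
SAMPLE_LOG = "\n".join(NORMAL + ATTACK)
KNOWN_SOURCES = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}  # assumed allow-list


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield {"ip": m["ip"], "minute": ts.replace(second=0), "path": m["path"]}


def detect_flood(text, baseline_rpm, known_sources, surge_factor=5, unknown_ratio=0.8):
    """Return {minute_iso: report} for every minute showing a warning sign.

    'traffic surge'          : requests in the minute > surge_factor * baseline_rpm
    'massive unknown access' : more than unknown_ratio of the minute's requests
                               come from addresses not in known_sources
    The report also lists the busiest sources so a responder can rate-limit
    or block them upstream.
    """
    per_minute = defaultdict(list)
    for rec in parse_log(text):
        per_minute[rec["minute"]].append(rec)

    findings = {}
    for minute in sorted(per_minute):
        recs = per_minute[minute]
        signs = []
        if len(recs) > surge_factor * baseline_rpm:
            signs.append("traffic surge")
        unknown = sum(1 for r in recs if r["ip"] not in known_sources)
        if unknown / len(recs) > unknown_ratio:  # len(recs) >= 1 for every key
            signs.append("massive unknown access")
        if signs:
            findings[minute.isoformat()] = {
                "requests": len(recs),
                "unknown_requests": unknown,
                "signs": signs,
                "top_sources": Counter(r["ip"] for r in recs).most_common(3),
            }
    return findings


if __name__ == "__main__":
    for minute, report in detect_flood(SAMPLE_LOG, 10, KNOWN_SOURCES).items():
        print(minute, report["requests"], "requests:", ", ".join(report["signs"]))
```

The baseline and the known-source set are the tuning knobs: both should come from the site's own history (for example, the median requests per minute over the previous week), and a surge from many distinct new addresses is a stronger indicator than the same request count from one address, which ordinary rate limiting already handles.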
How Alibaba Cloud provides DDoS protection
For more information about how to choose a suitable Anti-DDoS product, see Selection guide.
Anti-DDoS Origin Basic (Free)
Provides 500 Mbps to 5 Gbps of DDoS mitigation capability for Alibaba Cloud products that you use, such as ECS, Server Load Balancer, EIP (including EIPs attached to NAT Gateways), Global Accelerator, and Web Application Firewall. For more information, see the documentation for the specific cloud product.
Anti-DDoS Origin
Anti-DDoS Origin is a transparent protection service for resources deployed on Alibaba Cloud. For more information, see What is Anti-DDoS Origin?.
Anti-DDoS Proxy
Anti-DDoS Proxy uses a proxy model to protect ports and domain names. It can protect hosts that are not on Alibaba Cloud. For more information, see What is Anti-DDoS Proxy?.
Common types of DDoS attacks
| DDoS attack classification | Attack subclass | Description |
| --- | --- | --- |
| Malformed packet | Malformed packet attacks include Frag Flood, Smurf, Stream Flood, Land Flood, and attacks that use malformed IP, TCP, or UDP packets. | A malformed packet attack sends defective IP packets to a target system. When the system attempts to process these packets, it may crash, which results in a denial-of-service attack. |
| Transport layer DDoS attack | Transport layer DDoS attacks include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, and RST Flood attacks. | Take a SYN Flood attack as an example. This attack exploits the TCP three-way handshake. When a server receives a SYN request, it must use a listener queue to hold the half-open connection for a period of time. An attacker sends a continuous stream of SYN requests but does not respond to the SYN+ACK packets from the server. This consumes the server's resources until the listener queue is full. At that point, the server cannot accept requests from legitimate users, which results in a denial-of-service attack. |
| DNS DDoS attack | DNS DDoS attacks include DNS Request Flood, DNS Response Flood, DNS Query Flood from both spoofed and real sources, authoritative server attacks, and local server attacks. | Take a DNS Query Flood attack as an example. This attack uses real query requests, which appear to be normal service behavior. However, if many zombie machines simultaneously send a massive number of domain name queries, the server cannot respond to legitimate queries. This results in a denial of service. |
| Connection-based DDoS attack | Connection-based DDoS attacks include slow-rate attacks such as TCP slow connection attacks, connection exhaustion attacks, LOIC, HOIC, Slowloris, PyLoris, and XOIC. | Take a Slowloris attack as an example. The goal of this attack is to exhaust the concurrent connection limit of a web server. A web server can handle only a limited number of concurrent connections. A Slowloris attack attempts to keep as many connections open for as long as possible. When all available connections are in use, the web server cannot accept new requests from legitimate users. A Slowloris attack exploits a feature of the HTTP protocol. An HTTP request uses |
| Application layer DDoS attack | Application layer attacks include HTTP GET Flood, HTTP POST Flood, and CC attacks. | Application layer attacks often closely simulate user requests, in the same way that search engines and web crawlers do. The behavior of these attacks is difficult to distinguish from normal business traffic, which makes them difficult to identify. Some transactions and pages in a web service consume a large amount of resources. For example, in web applications with paging and table sharding, if the parameters that control the page are too large, frequent page turning consumes a large amount of web service resources. In high-concurrency scenarios with frequent calls, transactions like these are common targets for CC attacks. Because most attacks today are hybrid, frequent operations that simulate user behavior can be considered CC attacks. For example, a ticket-buying bot that repeatedly accesses a website can be considered a CC attack. CC attacks target the backend services of web applications. In addition to causing a denial of service, they directly affect the functionality and performance of the web application, such as the web response time, database services, and disk read/write operations. |
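The SYN Flood row describes half-open connections piling up in the listener queue. On a Linux host that condition is visible in the socket table as a large number of SYN-RECV entries on one port with few completed (ESTAB) connections. The following script is an added example, not code from the original page or an Alibaba Cloud product. It parses output in the column layout of `ss -tan`, and the snapshot, thresholds, and addresses it uses are constructed for the demonstration; the mitigation string names the standard Linux SYN cookies setting.

```python
"""Detect a SYN flood from a socket-table snapshot: many half-open (SYN-RECV)
connections on a listening port that far outnumber established ones.
Added example; the snapshot and all addresses are constructed."""
from collections import Counter, defaultdict


def _ss_line(state, local, peer, recv_q=0, send_q=0):
    """Build one row in the column order of `ss -tan` (constructed data)."""
    return f"{state:<10} {recv_q:<6} {send_q:<6} {local:<22} {peer}"


# Constructed snapshot: a healthy SSH service on :22 and an HTTPS service on
# :443 holding 300 half-open handshakes from ~250 distinct peers.
SNAPSHOT = "\n".join(
    ["State      Recv-Q Send-Q Local Address:Port     Peer Address:Port",
     _ss_line("LISTEN", "0.0.0.0:22", "0.0.0.0:*", send_q=128),
     _ss_line("LISTEN", "0.0.0.0:443", "0.0.0.0:*", send_q=1024),
     _ss_line("ESTAB", "10.0.0.2:22", "203.0.113.10:50101"),
     _ss_line("ESTAB", "10.0.0.2:443", "203.0.113.11:50102"),
     _ss_line("ESTAB", "10.0.0.2:443", "203.0.113.12:50103")]
    + [_ss_line("SYN-RECV", "10.0.0.2:443", f"198.51.100.{i % 250 + 1}:{40000 + i}")
       for i in range(300)]
)


def parse_ss(text):
    """Yield (state, local_port, peer, recv_q, send_q); the header row is skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, recv_q, send_q, local, peer = parts[:5]
        port = int(local.rsplit(":", 1)[1])
        yield state, port, peer, int(recv_q), int(send_q)


def detect_syn_flood(text, half_open_threshold=100, ratio=10):
    """Return {port: report} for listening ports whose half-open connection
    count is at least half_open_threshold and at least ratio times the number
    of established connections (a healthy busy server completes most handshakes)."""
    backlog, half_open, established = {}, Counter(), Counter()
    peers = defaultdict(set)
    for state, port, peer, _recv_q, send_q in parse_ss(text):
        if state == "LISTEN":
            backlog[port] = send_q  # for LISTEN sockets, ss reports the backlog in Send-Q
        elif state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer.rsplit(":", 1)[0])
        elif state == "ESTAB":
            established[port] += 1

    reports = {}
    for port in backlog:
        h, e = half_open[port], established[port]
        if h >= half_open_threshold and h >= ratio * max(e, 1):
            reports[port] = {
                "half_open": h,
                "established": e,
                "distinct_sources": len(peers[port]),
                "listen_backlog": backlog[port],
                "mitigation": "enable SYN cookies (net.ipv4.tcp_syncookies=1) and "
                              "rate-limit or scrub SYN traffic upstream",
            }
    return reports


if __name__ == "__main__":
    for port, report in detect_syn_flood(SNAPSHOT).items():
        print(f"port {port}: {report['half_open']} half-open vs "
              f"{report['established']} established -> {report['mitigation']}")
```

Because the peer addresses in a SYN flood are usually spoofed, the distinct-source count is reported for context rather than used for blocking; the useful response is on the server side (SYN cookies, a larger queue) or in front of it (an Anti-DDoS scrubbing service), which is why the report carries a mitigation hint instead of a list of addresses to deny.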