What Are DDoS Attacks & How to Defend Against Them?
In today’s digital world, where an online presence is fundamental for most companies, the continuous operation of services becomes critically important. However, this foundation is constantly threatened by cyber threats, among which Distributed Denial of Service (DDoS) attacks remain one of the most destructive and insidious.

DDoS Attacks: The Essence of the Threat and Its Growing Relevance

DDoS attacks are deliberate attempts by malicious actors to render web resources, services, or entire network infrastructures of companies and organizations inoperable. Their primary goal is to overwhelm the targeted resources with such an immense flood of requests or data that they become unavailable to legitimate users. Imagine a bustling restaurant designed for 50 patrons. Suddenly, hundreds, or even thousands, of fake “guests” simultaneously occupy all tables, block the entrance, and completely paralyze the staff’s work. As a result, genuine customers wanting to order food cannot even get inside. DDoS works similarly in cyberspace: fake, excessive requests displace legitimate traffic, creating a complete denial of service.

To carry out such attacks, malicious actors typically employ botnets — large networks of thousands or even millions of infected devices (computers, servers, IoT devices) that they control remotely. These “zombie devices,” upon command from the attacker, simultaneously begin generating a massive volume of requests to the target, completely exhausting its resources: channel bandwidth, server processing power, memory, connections, or application logic. As a result, the infrastructure collapses, and real customers lose access to websites, online stores, banking services, government portals, or other critical services.

DDoS Landscape in Ukraine and Central Asian Countries: Current Threats

Regardless of where your business operates — be it Ukraine, Kazakhstan, Georgia, or Azerbaijan — cyberattacks, including DDoS, are becoming increasingly sophisticated and frequent. Recent years have shown an unprecedented increase in the number and power of DDoS attacks, especially in conditions of geopolitical instability. In the Eastern European and Central Asian regions, in particular, there has been an intensification of activity by hacktivist groups and state-sponsored cybercriminals who use DDoS as a powerful tool to disrupt critical infrastructure, destabilize businesses, and even conduct information operations.

For companies of all sizes — from small and medium-sized businesses to large banks, telecommunication providers, online marketplaces, media resources, and government agencies — DDoS attacks carry colossal risks. Losses can be not only financial (direct damages from downtime, recovery costs, penalties) but also reputational. In an environment of high competition and reliance on online services, even temporary unavailability can lead to a mass exodus of clients, loss of partner trust, and long-term damage to the company’s image.

If your organization needs anti-DDoS consultation, development of a DDoS protection strategy, or implementation of comprehensive solutions to ensure business continuity, you can contact NWU. NWU is an official distributor of advanced NETSCOUT (formerly Arbor Networks) solutions in Ukraine, Kazakhstan, Georgia, and Azerbaijan. Our specialists are ready to provide comprehensive support: from selecting optimal protection products to organizing their seamless integration into existing IT infrastructure and providing professional support at all stages.

Types of DDoS Attacks: A Diversity of Attack Vectors

DDoS attacks are not limited to a single scenario. Attackers constantly invent new methods to bypass protection systems, and today there are several main types of attacks, each using its own approaches to overload the target network, server, or service. Understanding these differences is critical for building an effective multi-layered defense.

1. Volume-based Attacks

Volume-based DDoS attacks aim to saturate the victim’s network bandwidth or consume all available communication channel resources. Their goal is to create such a massive flood of traffic that it completely fills the channel, preventing legitimate requests from passing through. This typically involves botnets of thousands or millions of infected devices that generate a colossal volume of data.

  • UDP Flood

    One of the most common types of volume-based DDoS attacks. Attackers flood the target server with random UDP (User Datagram Protocol) packets, often with spoofed sender IP addresses. The server is forced to send back ICMP “Destination Unreachable” messages (port unreachable) for each received packet. This exhausts not only network resources but also server processing power, as it spends them generating responses, which can severely overload the infrastructure and prevent it from serving real requests.

  • DNS Amplification

    This is a specific type of volume attack that exploits vulnerable or misconfigured DNS servers to amplify the attack volume. The attacker sends small DNS queries to numerous open DNS resolvers across the internet, spoofing the sender’s IP address to the victim’s IP address. In response, these DNS servers send much larger replies (tens to hundreds of times larger than the original query) to the victim’s address, creating a gigantic flood of unwanted traffic that quickly exhausts its channel bandwidth.

  • NTP Amplification

    Similar to DNS amplification, NTP (Network Time Protocol) amplification uses publicly available NTP servers to amplify traffic. The attacker sends a small request to an NTP server, spoofing the victim’s IP address, and asks it to send a large amount of data (e.g., a list of the last 600 commands) to the spoofed address. The NTP server responds to the victim’s address, significantly increasing the volume of malicious traffic.

  • SSDP Amplification

    Simple Service Discovery Protocol (SSDP) is used to discover devices on a local network. Attackers can use it similarly to DNS and NTP amplification, by sending small requests to vulnerable devices (often IoT devices or routers with UPnP) which then send large responses to the victim’s IP address, overloading its communication channel.

2. Application-Layer Attacks

These attacks are much more insidious because they target specific web applications that require significant computing resources to process requests. Attacks of this type often masquerade as legitimate user traffic, allowing them to bypass basic cybersecurity systems focused on volume. They exhaust server resources (CPU, memory, database connections) by simulating real user actions.

  • HTTP Flood

    A botnet or attacker sends a huge number of seemingly normal HTTP requests (GET or POST) to a website or web application, simulating requests from ordinary users. Each such request requires the server to process, access a database, execute scripts, and generate a response. The server expends colossal resources processing them, quickly exhausting available connections or computing power. As a result, legitimate traffic cannot be served due to excessive load, and the service becomes unavailable.

  • Slowloris

    This attack is an example of a “slow” application-layer attack. Instead of overwhelming the server with a large volume of traffic, Slowloris keeps multiple HTTP connections to the target web server open for as long as possible. It sends partial HTTP requests and then slowly, one byte at a time, sends headers. The server waits for each request to complete, keeping connections open and consuming its resources. When all available server connections are occupied by such “slow” requests, it stops responding to legitimate requests, leading to a denial of service.

  • RUDY (R-U-Dead-Yet?)

    RUDY is another variation of the Slowloris attack that also aims to exhaust the web server’s connection pool. It works by sending legitimate HTTP POST requests but very slowly sending the request body, using small but numerous data packets. This forces the server to constantly wait for the POST request to complete, keeping connections open and exhausting resources. It is effective against servers that expect data uploads to complete before closing connections.
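The three application-layer patterns above leave different traces in a web server's access log: an HTTP flood is many cheap requests per source in a short window, while Slowloris and RUDY are a few very long-lived requests that move almost no data. The following detector is an added example written for this article, not code from the author or from NETSCOUT. It assumes a constructed log line format (source IP, Unix timestamp, method, path, status, request body bytes, request duration in seconds) that a real server would need to be configured to emit; the sample lines are constructed by hand, and the thresholds are illustrative.

```python
"""Access-log triage for HTTP floods and slow ("low-and-slow") requests.

Added example, not from the article. Log format (constructed, assumed):
    <client ip> <unix ts> <method> <path> <status> <bytes in> <duration s>
"""
from collections import defaultdict, deque

# Constructed sample log: one chatty source, one normal visitor, one RUDY-style
# slow POST, and one Slowloris-style connection that hit the header timeout.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.77 {1700000000 + i * 0.25:.2f} GET /search 200 0 0.12"
     for i in range(12)]
    + [
        "203.0.113.15 1700000001.00 GET / 200 0 0.05",
        "203.0.113.15 1700000009.00 GET /about 200 0 0.04",
        # POST body trickled in one packet at a time: 512 bytes took 45 s.
        "192.0.2.200 1700000002.00 POST /upload 200 512 45.30",
        # Headers never completed; the server gave up after its 30 s timeout.
        "192.0.2.201 1700000003.00 GET / 408 0 30.00",
    ]
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    entries = []
    for line in text.strip().splitlines():
        ip, ts, method, path, status, bytes_in, duration = line.split()
        entries.append({
            "ip": ip, "ts": float(ts), "method": method, "path": path,
            "status": int(status), "bytes_in": int(bytes_in),
            "duration": float(duration),
        })
    return entries


def flood_sources(entries, window_s=5.0, max_requests=10):
    """Sliding-window request count per source IP.

    Returns {ip: peak requests within any window_s seconds} for sources whose
    peak exceeded max_requests. Legitimate users rarely sustain such a rate;
    a bot replaying "normal-looking" GETs does.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for e in sorted(entries, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window_s:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def slow_request_sources(entries, min_duration_s=20.0, max_body_bytes=4096):
    """Flag sources whose requests tie up a connection while sending little.

    A 408 means the server timed out waiting for the request to finish
    (the Slowloris pattern); a completed request that took a long time yet
    carried only a tiny body is the RUDY pattern.
    """
    flagged = {}
    for e in entries:
        if e["status"] == 408:
            flagged[e["ip"]] = "header timeout (incomplete request)"
        elif e["duration"] >= min_duration_s and e["bytes_in"] <= max_body_bytes:
            flagged[e["ip"]] = "long-lived request with tiny body"
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("flood sources:", flood_sources(log))
    print("slow-request sources:", slow_request_sources(log))
```

The window-based count is what a per-source rate limit at the edge keys on; the slow-request check is the one most "volume-focused" tooling misses, because the offending sources generate almost no traffic and their requests look well-formed. In production the thresholds should be derived from your own baseline rather than the illustrative values used here.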

3. Protocol Attacks

These types of attacks exploit vulnerabilities or features of communication protocols (e.g., TCP, ICMP) by initiating unnecessary operations on a server or router and preventing the processing of normal requests. They aim to exhaust connection state tables or other network equipment resources.

  • SYN Flood

    One of the classic types of protocol-level attacks. The attacker sends many SYN packets (the first step in the three-way TCP handshake) to the target server but never completes the “handshake” (does not send an ACK packet in response to SYN-ACK). The server creates entries for each “half-open” connection in its state table, waiting for the handshake to complete. These entries remain open until a timeout expires, quickly leading to the server’s state table overflowing. As a result, the server cannot accept new legitimate connections initiated by users, leading to a denial of service.

  • ICMP Flood

    This attack, also known as “Ping Flood,” overwhelms the target network or server by sending a huge number of ICMP Echo Request packets (ping requests). If the attacked network’s bandwidth is lower than the attacker’s, or if the target system is forced to generate responses to each request, this leads to resource exhaustion and slowdown or complete shutdown of operations. Although modern networks usually have protection against simple ICMP floods, massive attacks can be effective.
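Both the reflection/amplification attacks from the volume-based section (DNS, NTP, SSDP) and the SYN flood described above are visible in flow telemetry (NetFlow/IPFIX) before they are visible in any application log. The detector below is an added example written for this article, not code from the author or from NETSCOUT. It works on a constructed, simplified flow-record format (protocol, source, source port, destination, destination port, TCP flags, packets, bytes) and applies two checks: UDP replies arriving from well-known reflector ports that answer no request the victim ever sent, and bursts of single-packet SYN-only flows that never complete a handshake. The victim address, sample flows and thresholds are all constructed.

```python
"""Flow-record triage for reflection/amplification and SYN floods.

Added example, not from the article. Flow format (constructed, assumed):
    <proto> <src> <sport> <dst> <dport> <tcp flags or -> <packets> <bytes>
"""
from collections import defaultdict

VICTIM = "198.51.100.10"  # constructed victim address (documentation range)

# Well-known UDP services abused as reflectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed sample flows. The first four are replies the victim never asked
# for (spoofed-source amplification); the next pair is a legitimate DNS
# exchange; then ten SYN-only flows to port 443 and one completed connection.
SAMPLE_FLOWS = """\
udp 203.0.113.5 53 198.51.100.10 40123 - 1 3200
udp 203.0.113.6 53 198.51.100.10 40123 - 1 3100
udp 203.0.113.7 123 198.51.100.10 40123 - 1 4400
udp 203.0.113.8 1900 198.51.100.10 40123 - 1 2900
udp 198.51.100.10 40124 203.0.113.9 53 - 1 60
udp 203.0.113.9 53 198.51.100.10 40124 - 1 120
""" + "".join(
    f"tcp 192.0.2.{i} {51000 + i} 198.51.100.10 443 S 1 60\n" for i in range(1, 11)
) + "tcp 192.0.2.50 52000 198.51.100.10 443 SAPF 12 9000\n"


def parse_flows(text):
    """Parse the constructed flow lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        proto, src, sport, dst, dport, flags, pkts, nbytes = line.split()
        flows.append({
            "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "flags": "" if flags == "-" else flags,
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def unsolicited_reflector_bytes(flows, victim):
    """Bytes of UDP replies from reflector ports that match no outbound request.

    With a spoofed source the real request never passes the victim, so the
    victim sees answers to questions it never asked. Returns {service: bytes}.
    """
    requests = {(f["src"], f["sport"], f["dst"], f["dport"])
                for f in flows if f["proto"] == "udp" and f["src"] == victim}
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp" or f["dst"] != victim:
            continue
        service = REFLECTOR_PORTS.get(f["sport"])
        if service is None:
            continue
        # A legitimate reply mirrors an earlier request with endpoints swapped.
        if (f["dst"], f["dport"], f["src"], f["sport"]) in requests:
            continue
        totals[service] += f["bytes"]
    return dict(totals)


def syn_only_flows(flows, victim, threshold):
    """Count single-packet SYN-only flows per destination port.

    Many of these with few completed handshakes is the half-open connection
    pattern of a SYN flood. Returns ports whose count reaches the threshold,
    with the number of completed flows alongside for context.
    """
    syn_only = defaultdict(int)
    completed = defaultdict(int)
    for f in flows:
        if f["proto"] != "tcp" or f["dst"] != victim:
            continue
        if f["flags"] == "S" and f["packets"] == 1:
            syn_only[f["dport"]] += 1
        elif "A" in f["flags"]:
            completed[f["dport"]] += 1
    return {port: {"syn_only": n, "completed": completed[port]}
            for port, n in syn_only.items() if n >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unsolicited reflector bytes:", unsolicited_reflector_bytes(flows, VICTIM))
    print("suspected SYN flood ports:", syn_only_flows(flows, VICTIM, threshold=8))
```

The request/reply matching is the important part of the first check: a DNS or NTP reply by itself is normal, and only the absence of a corresponding outbound query from the victim marks it as reflected traffic. For the second check, a real deployment would compare the SYN-only count against the host's normal baseline over a time window rather than a fixed number.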

4. Multi-Vector DDoS Attacks: A Complex Strike

Increasingly, attackers use not one but several attack vectors simultaneously. Multi-vector DDoS attacks combine elements of volume-based attacks, protocol-layer attacks, and application-layer attacks. For example, a target might be hit with a combination of SYN flood (to exhaust network resources), HTTP flood (to overload the web server), and DNS amplification (to saturate the channel). Such complexity makes them extremely difficult to repel, as protection systems must be able to effectively counter threats at different levels of the protocol stack and quickly adapt to changing attacker tactics.

Large-Scale DDoS Attacks: Case Studies and Modern Trends

Cybersecurity history is rife with examples of devastating DDoS attacks that demonstrate their potential and evolution. These incidents serve as vivid reminders of the need for robust protection.

  • Attack on Amazon Web Services (AWS), 2020

    In February 2020, AWS faced one of the largest recorded DDoS attacks at the time. Peak traffic reached a colossal 2.3 Tbps, resulting from a UDP flood. While the attack did not lead to catastrophic failures thanks to the massive infrastructure of AWS Shield, the costs of maintaining stability and the resources involved in repelling it were quite substantial. This incident showed that even the largest cloud providers are constantly under threat, and their clients depend on their ability to scale protection.

  • Attack on GitHub, 2018

    In February 2018, GitHub, a popular developer platform, suffered a massive DDoS attack with a peak of 1.35 Tbps. The attack used the Memcached amplification method, which attackers actively exploited during that period. The service temporarily became unavailable to millions of users worldwide. Thanks to a swift response and cooperation with the protection provider, functionality was quickly restored, avoiding long-term reputational and financial losses. However, this case demonstrated how quickly and effectively a new attack technique can be used to paralyze large resources.

  • Record HTTP Flood Attack via Cloudflare, 2023

    In early 2023, Cloudflare reported repelling a series of record HTTP flood DDoS attacks, one of which reached an astonishing 71 million requests per second (RPS). These attacks were 54% more powerful than the previous record and were used by hacktivist groups. Cloudflare successfully repelled the attack thanks to its distributed infrastructure and advanced traffic filtering mechanisms. This incident served as a clear example of how the power of DDoS attacks continues to grow exponentially, and also showed the importance of using advanced cloud solutions for protection.

  • Attacks on Critical Infrastructure in 2022-2024 (Global and Regional)

    The period since 2022 has been characterized by a significant increase in the number and intensity of DDoS attacks, often associated with geopolitical conflicts. Continuous, massive attacks have been observed against energy companies, government agencies, the financial sector, and telecommunication providers in many countries, including Ukraine. These attacks reached many hundreds of gigabits and even terabits per second, using a variety of multi-vector approaches. The goal was not only to disrupt availability but also to create chaos, divert attention from more hidden cyberattacks (e.g., malware deployment or data theft), and demoralize the population. This highlights that DDoS today is not just “noise” but part of a more complex cyber warfare strategy.

Modern Trends in the DDoS Landscape: What Awaits Us?

The DDoS landscape is constantly changing, and it is important to stay aware of the latest trends to adequately respond to new threats:

  • Increased Attack Power: The average and maximum power of DDoS attacks continues to increase, requiring protection systems to constantly build up their capabilities for traffic absorption and filtering.
  • Increased Attack Frequency: DDoS is becoming increasingly accessible thanks to “DDoS-as-a-Service” offerings on the black market, leading to an increase in incidents.
  • Multi-vector Attacks: The prevalence of complex attacks using a combination of different methods complicates protection and requires multi-layered solutions.
  • Application-Layer Attacks: These remain the most insidious, as they are difficult to distinguish from legitimate traffic. Attackers actively seek vulnerabilities in application logic.
  • IoT Botnets: Millions of unprotected “Internet of Things” devices (cameras, routers, smart devices) become easy prey for creating huge botnets capable of generating massive attacks.
  • “Low-and-Slow” Attacks: Methods similar to Slowloris, which do not generate a large volume of traffic but effectively exhaust server resources, are becoming increasingly popular because they are harder to detect with traditional methods.
  • Use of AI in Attacks and Defense: Artificial intelligence is beginning to be used by attackers for automation and bypassing defenses, and by defense systems for faster and more accurate anomaly detection.

Consequences of DDoS Attacks: Deep Damage to Business

A successful DDoS attack can inflict multi-layered and long-term damage on an organization, extending far beyond temporary service unavailability. These consequences can be catastrophic for any business that critically depends on an online presence.

  • Financial Losses and Direct Damages

    This is the most obvious consequence. The shutdown of online services, unavailability of payment systems, web platforms, online stores, or critically important corporate systems leads to direct profit losses. Every minute of downtime means lost transactions, unfulfilled orders, and lost sales. In addition to direct damages, the company is forced to incur significant additional costs for emergency infrastructure recovery, enhanced protection, engaging cybersecurity experts, and sometimes paying compensation to affected customers. The cost of such operations can amount to tens and hundreds of thousands of dollars, and for large companies, millions.

  • Reputational Damage and Loss of Trust

    In today’s information space, news of cyberattacks spreads instantly. Customers quickly switch to competitors if a service becomes unstable, unavailable, or unreliable. Reputational losses can be even more devastating than direct financial ones. In sectors such as finance (e.g., banks in Ukraine or Kazakhstan), customer trust in a bank directly depends on the uninterrupted and secure operation of online banking. The inability to ensure service availability undermines trust, reduces loyalty, and can lead to a mass exodus of the customer base, which will be extremely difficult to restore. Public statements about disruptions also negatively affect relationships with partners, investors, and regulators.

  • Data Leaks and Accompanying Cyberattacks

    One of the most dangerous aspects of DDoS attacks is their use as a diversion. While the attention of security services is focused on restoring functionality and repelling traffic floods, attackers can use this “smokescreen” to conduct other, more hidden and dangerous intrusions. Under the guise of a DDoS attack, attempts may be made to steal confidential information (customer data, trade secrets, intellectual property), install malware, gain unauthorized access to systems, or compromise internal networks. This significantly increases the overall risk and complexity of recovery after an incident, as it requires not only mitigating the DDoS but also conducting a full investigation for data leaks and other security breaches, which entails additional legal and regulatory risks.

  • Reduced Productivity and Operational Costs

    Even if an attack did not lead to complete failure, a significant slowdown in service and application performance due to partial overload can seriously impact employee productivity, customer service quality, and overall business efficiency. Staff are forced to spend time troubleshooting problems rather than on core tasks, leading to additional operational costs.

Comprehensive Approaches to DDoS Protection: Multi-Layered Defense

Effective DDoS protection requires not a single solution, but a comprehensive strategy that combines technological tools, proactive measures, and thoughtful architectural planning. Modern approaches aim to detect, absorb, and filter malicious traffic at various levels, minimizing harm to the business.

1. Technological Approaches to Anti-DDoS

  • Traffic Scrubbing

    Traffic Scrubbing is a cornerstone of modern DDoS protection. The principle of operation is that all incoming traffic destined for a protected resource is redirected through specialized scrubbing centers. These high-performance platforms analyze each data packet in real-time. Suspicious or clearly malicious traffic (e.g., that which matches known DDoS attack signatures or exhibits anomalous behavior) is immediately separated and blocked, or sent for further in-depth analysis. Only clean, legitimate traffic is passed to the target servers and applications. This allows services to remain available to real users even during massive attacks.

    Advantages: Services remain available to legitimate users, and systems such as NETSCOUT Arbor Cloud can automatically adapt to new attack scenarios using a global threat database.

  • Specialized DDoS Protection Solutions (On-Premise Appliances)

    For companies that require maximum control and minimal latency, on-premise hardware or software solutions are used, installed directly within the network infrastructure. These systems are designed for rapid detection and neutralization of attacks at various levels (network, transport, application) before malicious traffic can penetrate deep into your internal infrastructure and cause damage. They analyze network traffic, detect anomalies, and apply filters to block malicious packets. Examples of such solutions include NETSCOUT Arbor Edge Defense (AED) and NETSCOUT Arbor Threat Mitigation System (TMS), which will be discussed in more detail below.

    Advantages: Full control over traffic, high reaction speed, possibility of deep integration with internal infrastructure, and customization for specific business requirements. Ideal for protecting critical assets.

2. Proactive Strategies and Architectural Solutions

  • Proactive Threat Intelligence

    Modern DDoS protection cannot be reactive. A proactive approach includes regular security audits, penetration testing (pentests), vulnerability analysis, and continuous updating of protection systems. Organizations that apply this method continuously improve their DDoS resilience. Experts regularly conduct “attack scenarios” or training to track how quickly the system and personnel react to DDoS incidents. Notification systems for unusual traffic spikes or network behavior anomalies are also configured. This allows “weak points” to be identified before an attacker can exploit them. In the event of a real attack, the defense mechanisms are already “trained” for similar scenarios, significantly reducing reaction time and minimizing damage.

  • Backup Communication Channels and Geographically Distributed Servers

    One of the key principles of reliability is the absence of a Single Point of Failure. By reserving key resources such as internet channels, servers, and data centers, during a DDoS attack it becomes possible to quickly redirect traffic to alternative, unaffected nodes. For example, if the main data center in Georgia receives an excessive load, the system automatically switches to a backup data center located, say, in Ukraine. This ensures uninterrupted service operation, distributing the load and minimizing the risk of complete shutdown. The use of CDNs (Content Delivery Networks) also helps distribute traffic and absorb part of the attack before it reaches the main server.

  • Cloud-Based Solutions

    Cloud platforms inherently possess a distributed infrastructure, which significantly increases their resilience to DDoS attacks. When traffic sharply increases due to an attack, cloud providers can scale computing power and bandwidth in real-time, absorbing huge volumes of malicious traffic. Requests arriving at the protected resource are distributed among many geographically dispersed data centers. This allows the attack’s impact to be “scattered,” preventing the overload of a single point, and maintaining service stability. Clients do not need to spend money on constantly updating physical servers, and cloud providers (including NETSCOUT through its cloud services) often offer built-in DDoS countermeasures, allowing payment only for the necessary resources on a “DDoS-as-a-Service” model.

NETSCOUT: Advanced Solutions for DDoS Protection

Choosing NETSCOUT (formerly Arbor Networks) solutions for DDoS protection is an investment in the reliability and resilience of your business. Their products offer a number of critically important advantages:

1. Arbor Edge Defense (AED)

Description: AED is a high-performance, on-premise solution that acts as the “first line of defense” at your network’s edge (perimeter). It is designed to automatically detect and block a wide range of DDoS attacks – volume, protocol, and application-layer attacks – before malicious traffic can penetrate deep into your internal infrastructure and cause damage. AED provides “always-on” protection.

Functionality and Technical Details:

  • Edge Traffic Filtering: AED scans all incoming and outgoing data streams at the highest speeds, instantly detecting and blocking packets that show signs of a DDoS attack or unwanted traffic.
  • Integration with NETSCOUT Threat Intelligence: The system constantly receives up-to-date information on the latest threats, attack signatures, and lists of malicious IP addresses from NETSCOUT’s global threat intelligence network ASERT (ATLAS Security Engineering and Response Team). This significantly reduces the reaction time to new and evolving types of DDoS activity.
  • Multi-Level Attack Analysis: AED is capable of filtering attacks at both low levels of the network stack (protocol and volume) and higher levels (application-layer attacks), using behavioral analysis and signature matching. This provides comprehensive and deep protection.
  • Protection from Outbound Threats: In addition to inbound attacks, AED can also detect and block outbound malicious traffic, which may indicate that your internal systems have been compromised and are now participating in a botnet.

Advantages:

  • Reduced Load on Internal Servers: Most malicious traffic is filtered at the perimeter, before reaching your main servers and applications, preserving their resources for legitimate operations.
  • Flexible Configuration: The system easily adapts to your business specifics and unique network requirements, which is especially important for organizations with branches in diverse regions like Kazakhstan, Georgia, or Azerbaijan, where attack characteristics may vary.
  • Quick Return on Investment (ROI): Preventing downtime and reducing recovery costs quickly pay for the investment in protection.

2. Arbor Threat Mitigation System (TMS)

Description: Arbor TMS is a high-performance, scalable traffic management platform designed to detect and remove unwanted packets from the data stream in real-time. This solution is ideal for large enterprises, data centers, and internet service providers where maximum service availability must be ensured even during the most powerful and complex DDoS attacks.

Functionality and Technical Details:

  • Intelligent Traffic Management and Scrubbing: TMS constantly analyzes network traffic, detects anomalous patterns, and, upon attack detection, automatically redirects malicious requests to remote or local Traffic Scrubbing Centers. After scrubbing, clean traffic is returned to the target resources.
  • Flexible Filtering Settings: The system allows configuring various operational scenarios against specific types of attacks, such as SYN flood, HTTP flood, UDP flood, and others, ensuring precise and effective neutralization.
  • Integration with Arbor Sightline: TMS integrates closely with the Arbor Sightline platform (formerly Peakflow), which provides network monitoring and flow analysis data (NetFlow, IPFIX). This increases the accuracy and speed of threat detection, allowing the identification of attacks that may be invisible to other systems.
  • Automated Response: TMS can automatically apply attack mitigation measures, reducing the need for manual intervention and ensuring the fastest possible recovery.

Advantages:

  • Uninterrupted Service Operation: Legitimate traffic passes to the server without delay, while malicious packets are filtered “on the fly,” ensuring continuous availability.
  • Scalability and High Performance: TMS is suitable for both medium-sized businesses in Azerbaijan and the largest telecommunication companies and international corporations with many offices worldwide, capable of handling terabits of traffic.
  • Deep Analytics and Visibility: Provides detailed information about attacks, their sources, and vectors, which helps in further strengthening protection.

Advantages of NETSCOUT Solutions for Modern Business

  • Response Speed and Automation

    NETSCOUT systems use high-speed traffic analysis mechanisms that allow almost instantaneous detection of anomalies and DDoS attack patterns. Thanks to advanced algorithms and automation, solutions can begin threat mitigation within seconds of detection, minimizing downtime and damage to services. This is critically important when every millisecond counts.

  • Adaptability to New Threats and Global Intelligence

    Arbor Networks solutions from NETSCOUT are constantly learning based on new threats and attack vectors that emerge. They receive regular updates through NETSCOUT’s global intelligence network ASERT, which collects and analyzes information about cyberattacks from around the world. This allows systems to effectively counter even the newest and most sophisticated types of DDoS, ensuring that your protection is always current and ready for the changing threat landscape.

Frequently Asked Questions about DDoS Attacks and Protection

What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is an attempt to overwhelm a server or network with traffic from multiple sources, disrupting or completely halting normal operations.

Why are DDoS attacks dangerous for businesses?

DDoS attacks can take down websites and services, lead to revenue loss, harm brand reputation, and serve as a smokescreen for more targeted breaches or data theft.

What types of DDoS attacks exist?

Common types include application layer (L7), transport layer (L4), network layer (L3), and multi-vector attacks that combine several methods for maximum disruption.

How to distinguish DDoS from a technical issue?

DDoS attacks typically cause unusual spikes in traffic, access errors, and unstable services. Monitoring tools can detect abnormal behavior from multiple IP addresses.

Can DDoS attacks be blocked without professional tools?

Basic attacks may be mitigated with firewall rules or rate limiting, but serious DDoS threats require advanced solutions like Arbor Networks (NETSCOUT) with global infrastructure.
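The rate limiting mentioned in this answer is usually implemented as a per-source token bucket: each source earns tokens at a steady rate, may burst up to the bucket size, and is refused when the bucket is empty. The class below is an added example written for this article, not code from the author or from NETSCOUT; the rates, burst size and temporary block duration are constructed values, and the optional `now` argument exists so the behaviour can be checked deterministically without waiting on a clock.

```python
"""Per-source token-bucket rate limiter with a temporary block for abusers.

Added example, not from the article. Parameters below are illustrative.
"""
import time


class TokenBucketLimiter:
    """Allow `rate` requests per second per source, with bursts up to `burst`.

    A source refused `ban_after` times in a row is blocked for `ban_seconds`,
    so a flooding client stops consuming even the cost of the bucket check.
    """

    def __init__(self, rate, burst, ban_after=20, ban_seconds=60.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.ban_after = ban_after
        self.ban_seconds = ban_seconds
        self.buckets = {}       # src -> (tokens, last refill time)
        self.strikes = {}       # src -> consecutive refusals
        self.banned_until = {}  # src -> time the block expires

    def allow(self, src, now=None):
        """Return True if a request from `src` should be served now."""
        now = time.monotonic() if now is None else now
        if self.banned_until.get(src, 0.0) > now:
            return False
        tokens, last = self.buckets.get(src, (self.burst, now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            self.strikes[src] = 0
            return True
        self.buckets[src] = (tokens, now)
        self.strikes[src] = self.strikes.get(src, 0) + 1
        if self.strikes[src] >= self.ban_after:
            self.banned_until[src] = now + self.ban_seconds
            self.strikes[src] = 0
        return False


def simulate(limiter, requests):
    """Feed (src, timestamp) pairs through the limiter; return the decisions."""
    return [limiter.allow(src, now=ts) for src, ts in requests]


if __name__ == "__main__":
    lim = TokenBucketLimiter(rate=2, burst=5, ban_after=3, ban_seconds=60.0)
    # Constructed traffic: a burst of eight requests at t=0 from one source,
    # then a retry while blocked, then a retry after the block expires.
    burst = [("203.0.113.9", 0.0)] * 8 + [("203.0.113.9", 1.0), ("203.0.113.9", 61.0)]
    print(simulate(lim, burst))
    # A well-behaved source at one request per second is never refused.
    print(simulate(lim, [("198.51.100.5", float(t)) for t in range(10)]))
```

Limiting by source address is the "basic" measure this answer refers to: it stops a handful of abusive clients but not a botnet spreading its requests across thousands of addresses, nor a volumetric flood that fills the link before any packet reaches this code. That is the gap the scrubbing and edge appliances described earlier are meant to close.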

What are the most effective DDoS protection solutions?

These include cloud scrubbing services, on-prem devices like Arbor Edge Defense, hybrid deployment models, and advanced visibility and analytics with Arbor Sightline.

What makes Arbor Networks solutions unique?

Arbor provides global threat intelligence, automated DDoS mitigation, and integrated tools such as Sightline, AIF, and Arbor TMS to secure networks against modern threats.

What to do during an active DDoS attack?

Notify your ISP and IT team, redirect traffic to scrubbing centers, apply BGP mitigation, isolate affected services, and activate automated defense rules until the attack stops.

How to prevent future DDoS attacks?

Regularly update your protection systems, apply behavioral analytics, use global threat feeds, and automate your response with trusted DDoS mitigation platforms.

Who are the most common DDoS targets?

Banks, public sector, telecoms, media, e-commerce platforms — any organization with online services that must remain accessible is a potential target for DDoS attacks.