📞 Helpline No: 9311159707, 7859999944

Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)

Regd. with Registrar of Society of NCT Delhi-Regd. No-287

Protection from Cyber Criminals, Defence of Digital India

अखिल भारतीय साइबर सुरक्षा संगठन (पंजी)

India's first cyber crime investigation NGO

Stay alert online, stay safe from cyber crime
www.abcss.org
Email: info@abcss.org

AMIT MALHOTRA

(Cyber Crime Investigation Specialist)

Founder Akhil Bhartiya Cyber Suraksha Sangathan

18 years of experience in crime prevention, detection and investigation. Certified Ethical Hacker from EC-Council. Certified Cyber Crime Investigator from Asian School of Cyber Laws. Presently working in the area of cyber crime investigation.

💻 DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK — OVERVIEW
A Distributed Denial of Service (DDoS) attack is a cyber attack in which the attacker uses thousands or even millions of compromised computers, IoT devices and servers, collectively called a botnet, to flood a target server, website or network with massive volumes of traffic at the same time. The sheer scale of the traffic overwhelms the target's capacity and makes it unavailable to legitimate users. Unlike a regular DoS attack launched from a single source, a DDoS attack arrives from thousands of distributed locations worldwide, which makes it extremely difficult to detect, block or mitigate. Banks, hospitals, e-commerce platforms, government portals, telecom infrastructure and stock exchanges are prime targets. DDoS attacks are a grave cyber crime under Indian law, punishable with life imprisonment in cases involving national security infrastructure.
3.8 Tbps: Largest DDoS Attack Ever Recorded (2023)
₹11 Cr+: Average Cost Per DDoS Attack on an Enterprise
54,000+: DDoS Attacks Per Day Globally
Life Imprisonment: Maximum Punishment Under IT Act Section 66F (India)
⚙️ HOW A DDoS ATTACK WORKS — STEP BY STEP
1. Attacker Builds Botnet
2. Sends Command to Bots
3. Thousands of Bots Flood Target
4. Server Collapses
5. Service Completely Down
The attacker first infects thousands of computers, smartphones and IoT devices with malware, creating a botnet (a network of zombie devices). The owners of these devices are usually unaware that they are part of a botnet. On the attacker's command, all botnet devices simultaneously send enormous volumes of requests to the target. Because the traffic arrives from thousands of different IP addresses across the world, blocking a single IP address achieves nothing. The target's servers, bandwidth and infrastructure are overwhelmed within seconds, and the service fails for all legitimate users.
🤖 WHAT IS A BOTNET? — HOW DEVICES GET INFECTED
Infected Computers: PCs and laptops infected via phishing emails, malicious downloads or pirated software become silent bots without the owner's knowledge.

Compromised Phones: Smartphones infected through fake apps, malicious APKs or unsecured Wi-Fi are silently recruited into botnets and used in DDoS campaigns.

IoT Devices (CCTV, Routers): Poorly secured smart devices (cameras, routers, smart TVs) with default passwords are easily hijacked and form the largest share of modern botnets.

Cloud & Server Resources: Hackers also compromise poorly secured cloud instances and web servers to use their massive bandwidth in high-volume DDoS amplification attacks.

Mirai Botnet — one of the most notorious botnets ever — infected over 600,000 IoT devices (CCTV cameras, routers, DVRs) in 2016 and launched the then-largest DDoS attack in history (1.2 Tbps), taking down major websites including Twitter, Netflix and Reddit. In India, lakhs of unsecured CCTV cameras and home routers have been found to be part of global botnets. Is your router or camera secure? Change default passwords immediately and update firmware regularly.

⚠️ How DDoS Attacks Are Launched

  • Using botnets of infected devices to flood target simultaneously
  • DNS amplification — small requests create massive response traffic
  • NTP amplification — exploiting time servers to multiply attack volume
  • Memcached amplification — 51,000x traffic amplification factor
  • HTTP/S floods — overwhelming web servers with fake page requests
  • BGP hijacking — redirecting internet traffic routes to cause disruption
  • Purchasing DDoS-as-a-Service on dark web markets for as low as ₹500/hour
  • Using reflection attacks to hide attacker's identity and amplify impact

✅ How to Protect Against DDoS Attacks

  • Subscribe to a dedicated DDoS mitigation service (Cloudflare, Akamai, AWS Shield)
  • Deploy Anycast network diffusion to spread attack traffic across global servers
  • Configure rate limiting and IP reputation filtering at network edge
  • Use a Content Delivery Network (CDN) to absorb and distribute traffic load
  • Enable traffic scrubbing centres to clean malicious traffic before it reaches servers
  • Change all IoT device default passwords — update router and device firmware
  • Set up real-time traffic monitoring with automated alert and response systems
  • Prepare and rehearse a DDoS incident response plan with ISP and hosting provider
🔍 Types of DDoS Attacks

Volumetric Attack (Bandwidth Exhaustion): The most common form. Attackers flood the target with massive volumes of UDP, ICMP or spoofed-packet traffic to completely saturate the network bandwidth. Modern volumetric DDoS attacks can reach terabits per second (Tbps), making them impossible to absorb without specialised mitigation infrastructure.

DNS Amplification DDoS: Attackers send small DNS queries to open DNS resolvers with the source IP spoofed to the victim's address. The DNS servers send their much larger replies to the victim, amplifying attack traffic by 28–54 times. A single botnet can generate hundreds of Gbps of traffic using DNS amplification without using much of its own bandwidth.

NTP Amplification DDoS: Attackers exploit Network Time Protocol (NTP) servers using the monlist command, which responds with a list of recent connections. A small request generates a response up to 556 times larger, directed at the victim. NTP amplification attacks have generated some of the largest recorded DDoS volumes globally.

Memcached Amplification DDoS: By exploiting misconfigured Memcached servers (a caching system), attackers achieve an amplification factor of up to 51,000 times, turning a 1 Mbps attack into 51 Gbps. The 2018 GitHub DDoS attack (1.35 Tbps) used this technique and is one of the largest recorded attacks in internet history.

Protocol / State Exhaustion Attack: These attacks consume the connection state tables of network infrastructure (firewalls, load balancers, routers) rather than bandwidth. SYN floods, ACK floods and fragmented packet attacks are common examples. They can bring down even high-capacity infrastructure by exhausting its connection tracking capacity.

Application Layer DDoS (Layer 7): These sophisticated attacks target specific application functions (login pages, search APIs, checkout processes) with requests that look legitimate but each trigger complex, resource-intensive backend operations such as database queries and file reads. Low in volume but extremely effective, they often bypass traditional DDoS protection.

Multi-Vector DDoS Attack: Advanced attackers combine multiple DDoS techniques simultaneously: volumetric, protocol and application layer attacks launched at the same time. Multi-vector attacks are designed to overwhelm mitigation systems that can only handle one attack type at a time, making them the most difficult to defend against.

Ransom DDoS (RDDoS): Attackers launch a brief demonstration DDoS attack on the target, then send a ransom demand, threatening a sustained, full-scale attack unless a cryptocurrency payment is made within a deadline. Ransom DDoS attacks have surged in recent years, targeting financial institutions, healthcare systems and e-commerce platforms globally, including in India.
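The DNS, NTP and Memcached attacks above share one signature from the victim's side: large UDP replies from a reflector port arriving at a host that never sent the query. As an added example (not code from the ABCSS page), this script flags that pattern in flow records; the IPs, ports and byte counts are constructed for illustration.

```python
"""Spot reflection/amplification traffic in flow records (added example, not ABCSS code).

Each constructed record is (src_ip, src_port, dst_ip, dst_port, bytes, packets),
the shape a NetFlow/IPFIX collector typically exports for UDP flows.
"""
from collections import defaultdict

# UDP services abused as reflectors in the attacks described on the page.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached"}

# Constructed sample flows (documentation and private address ranges only):
# host 10.0.0.7 makes a normal DNS query and gets its reply; host 10.0.0.5
# receives large replies from several reflectors it never queried.
FLOWS = [
    ("10.0.0.7", 50123, "8.8.8.8", 53, 80, 1),                  # legitimate query out
    ("8.8.8.8", 53, "10.0.0.7", 50123, 240, 1),                 # matching reply back
    ("198.51.100.1", 53, "10.0.0.5", 40000, 3800, 1),           # unsolicited DNS reply
    ("198.51.100.2", 53, "10.0.0.5", 40000, 3900, 1),           # unsolicited DNS reply
    ("203.0.113.9", 123, "10.0.0.5", 40000, 48000, 100),        # NTP monlist-sized burst
    ("203.0.113.10", 11211, "10.0.0.5", 40000, 1400000, 1000),  # Memcached flood
]


def find_reflection_victims(flows, min_reflectors=3, min_bytes=10000):
    """Return {victim_ip: {"reflectors": n, "bytes": b, "services": [...]}} for hosts
    receiving replies from reflector ports without having queried that reflector.
    Spoofed-source amplification looks exactly like this from the victim's side."""
    queries_sent = {(src, dst, dport) for src, _, dst, dport, _, _ in flows
                    if dport in REFLECTOR_PORTS}
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    for src, sport, dst, dport, nbytes, _ in flows:
        if sport not in REFLECTOR_PORTS:
            continue                                  # not a reflector service
        if (dst, src, sport) in queries_sent:
            continue                                  # reply to a query this host made
        entry = per_victim[dst]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
        entry["services"].add(REFLECTOR_PORTS[sport])
    return {
        ip: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"],
             "services": sorted(v["services"])}
        for ip, v in per_victim.items()
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for victim, info in find_reflection_victims(FLOWS).items():
        print(f"{victim}: {info['reflectors']} reflectors, {info['bytes']} bytes via {info['services']}")
```

On real collector output, lower the thresholds gradually and compare against a baseline day, since a busy recursive resolver of your own will legitimately receive many DNS replies.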

💥 IMPACT OF A DDoS ATTACK ON ORGANISATIONS
Massive Financial Loss: Downtime costs enterprises lakhs to crores per hour in lost revenue, emergency mitigation costs, SLA penalties and customer compensation claims.

Brand & Reputation Damage: Customers lose faith in organisations unable to maintain service availability, leading to long-term customer attrition and revenue loss.

Critical Infrastructure Failure: DDoS attacks on hospitals, power grids or emergency services can endanger human lives by disrupting critical systems at critical moments.

Security Distraction: DDoS attacks are often used as a smokescreen: while IT teams fight the flood, attackers simultaneously breach the network to steal data or plant malware.

Regulatory Penalties: Regulated sectors (banking, healthcare, telecom) that fail to maintain service continuity under attack may face heavy fines from RBI, TRAI or SEBI.

Extended Recovery Time: Complex multi-vector DDoS attacks can take hours to days to fully mitigate, causing prolonged outages that are extremely costly for businesses and government services.

🛡️ DDoS MITIGATION — TECHNICAL DEFENCE STEPS
1. Deploy a Cloud-Based DDoS Scrubbing Service: Services like Cloudflare, Akamai Prolexic or AWS Shield Advanced route all incoming traffic through scrubbing centres that filter malicious packets before they reach your servers, absorbing even multi-Tbps attacks.

2. Enable Anycast Network Diffusion: Anycast distributes incoming DDoS traffic across a network of globally distributed servers, diluting the attack volume so that no single server is overwhelmed. Major CDN providers use this to absorb massive volumetric attacks.

3. Configure Rate Limiting and IP Blacklisting: Implement rate limiting rules on web servers and routers to automatically restrict the number of requests per IP per second. Maintain and update IP reputation blacklists to block known malicious sources before they reach your network.

4. Use a Web Application Firewall (WAF) for Layer 7 Protection: A WAF inspects HTTP/HTTPS traffic in real time to identify and block malicious application-layer DDoS requests, including HTTP floods and slowloris attacks, without blocking legitimate user traffic.

5. Secure All IoT Devices and Network Equipment: Change default passwords on all routers, CCTV cameras and IoT devices immediately. Keep firmware updated. Segregate IoT devices on a separate network VLAN so that they cannot be recruited into botnets that attack others.

6. Coordinate with Your ISP for Upstream Traffic Filtering: Contact your ISP immediately during an attack to request upstream null routing or black-hole filtering of attack traffic before it enters your network. Most ISPs have emergency DDoS response protocols for business customers.
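The per-IP rate limiting in step 3 can be implemented as a sliding-window counter that drops over-limit requests and temporarily blocks a source after repeated violations. This is an added example, not code from the ABCSS page or from any of the vendors named above; the request timestamps and client IPs are constructed.

```python
"""Per-IP request rate limiting with a temporary block list (added example, not ABCSS code).

Requests are constructed (timestamp_seconds, client_ip) pairs; in production this
logic sits in the reverse proxy or WAF in front of the web servers.
"""
from collections import defaultdict, deque


class RateLimiter:
    def __init__(self, max_requests=10, window=1.0, strikes=3, block_for=60.0):
        self.max_requests = max_requests    # requests allowed per window per IP
        self.window = window                # sliding window length in seconds
        self.strikes = strikes              # over-limit hits before a temporary block
        self.block_for = block_for          # block duration in seconds
        self.history = defaultdict(deque)   # ip -> timestamps of recently served requests
        self.violations = defaultdict(int)  # ip -> over-limit hits since the last block
        self.blocked_until = {}             # ip -> time at which the block expires

    def allow(self, now, ip):
        """Return True if the request should be served, False if it is dropped."""
        if self.blocked_until.get(ip, 0) > now:
            return False                    # still inside a block period
        recent = self.history[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # forget requests outside the window
        if len(recent) < self.max_requests:
            recent.append(now)
            return True
        self.violations[ip] += 1            # over the limit: drop and count a strike
        if self.violations[ip] >= self.strikes:
            self.blocked_until[ip] = now + self.block_for
            self.violations[ip] = 0
        return False


def replay(requests, limiter):
    """Feed (timestamp, ip) pairs through the limiter; return {ip: (served, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        stats[ip][0 if limiter.allow(ts, ip) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed traffic: a normal client at 2 requests/s and a flooder at 20 requests/s.
REQUESTS = [(i * 0.5, "203.0.113.20") for i in range(10)]
REQUESTS += [(i * 0.05, "198.51.100.77") for i in range(100)]

if __name__ == "__main__":
    print(replay(REQUESTS, RateLimiter()))
```

Per-IP limits only help against sources that repeat; a large botnet sending one request per bot needs the upstream scrubbing and Anycast measures above as well.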

🚨 If Your Organisation is Under DDoS Attack — Immediate Action

  • Stay calm — activate your Incident Response Plan immediately and notify the IT security team
  • Contact your ISP at once — request emergency upstream null routing or traffic filtering
  • Enable your DDoS mitigation service or activate emergency firewall and rate-limiting rules
  • Collect and preserve all attack logs — source IPs, traffic volumes, timestamps — as legal evidence
  • Report to CERT-In at incident@cert-in.org.in or call 1800-11-4949 for national-level response
  • File a complaint at cybercrime.gov.in with all technical evidence
  • File FIR at the nearest Cyber Crime Cell — bring server logs, traffic analysis reports, ISP records
  • If a ransom demand is received — do NOT pay — contact law enforcement immediately
  • Inform affected customers, partners and regulators as required by law and contractual obligations
  • After the attack — conduct a full post-incident audit and upgrade defences to prevent recurrence
📰 MAJOR DDoS ATTACK INCIDENTS — INDIA & GLOBAL
2023 — India — Government & Banking Portals
Coordinated DDoS Attacks on Indian Financial Infrastructure

In 2023, CERT-In reported a significant increase in DDoS attacks targeting Indian banking, financial services and government e-governance portals. Multiple state government websites and payment gateways were briefly taken offline. Attack traffic originated from botnet infrastructure spread across 40+ countries, with peak traffic exceeding 100 Gbps in some incidents.

2022 — India — AIIMS Delhi & Healthcare
DDoS Used in Coordinated Attack on Healthcare IT Systems

The cyberattack on AIIMS Delhi in November 2022 included DDoS components alongside ransomware — overwhelming the hospital's IT infrastructure and taking down patient management, appointment systems and lab records for weeks. The attack disrupted healthcare services for thousands of patients and highlighted the vulnerability of critical health infrastructure to complex cyber attacks.

2016 — Global — Mirai Botnet DDoS
1.2 Tbps Attack — Took Down Twitter, Netflix, Reddit

The Mirai botnet — built from 600,000+ infected IoT devices including CCTV cameras and home routers — launched a 1.2 Tbps DDoS attack on Dyn (a major DNS provider) in October 2016, taking down dozens of major websites including Twitter, Netflix, Reddit, Airbnb and PayPal for hours. Thousands of Indian IoT devices were found to be part of the Mirai botnet, unknowingly participating in the attack.

2018 — Global — GitHub DDoS (1.35 Tbps)
Largest DDoS Attack in History at the Time

GitHub was hit by a 1.35 Tbps DDoS attack using Memcached amplification — the largest recorded DDoS attack at that time. The attack lasted only 20 minutes before Akamai's scrubbing service absorbed and mitigated it, but it demonstrated the devastating potential of amplification-based DDoS attacks that could be launched with relatively small botnet resources.

🚨 Under DDoS Attack? Report Immediately!

CERT-In Emergency Helpline: 1800-11-4949
Email: incident@cert-in.org.in  |  Report: cybercrime.gov.in
ABCSS Expert Helpline: 9311159707  |  7859999944

⚖️ APPLICABLE LAWS
Applicable provisions: IT Act Sec 43, IT Act Sec 66, IT Act Sec 66F, IT Act Sec 70, BNS Sec 111, BNS Sec 308, NCIIPC Guidelines, CERT-In Directions 2022
IT Act Section 43: Whoever without permission causes denial of access to any computer resource to any authorised person, or disrupts any computer resource shall be liable to pay compensation up to ₹1 crore. DDoS attacks that take down business or personal websites are directly covered under this civil liability provision.

IT Act Section 66: Dishonest or fraudulent acts under Section 43 — including intentional DDoS attacks — are criminal offences punishable with imprisonment up to 3 years or fine up to ₹5 lakh or both. Primary criminal provision for DDoS attacks on private systems.

IT Act Section 66F — Cyber Terrorism (Most Serious): If a DDoS attack is launched with intent to threaten the unity, integrity, security or sovereignty of India — or to disrupt critical national infrastructure — the offender is guilty of Cyber Terrorism and shall be punished with imprisonment which may extend to life. This applies to attacks on power grids, defence systems, banking networks, telecom and government servers.

IT Act Section 70 — Protected Systems: If the DDoS attack targets a "Protected System" (government and defence infrastructure designated by Central Government) the punishment is imprisonment up to 10 years and fine. Unauthorised access or disruption of protected systems is an aggravated, non-bailable offence.

BNS Section 111 — Organised Crime: DDoS attacks coordinated by criminal groups or syndicates using botnets — including Ransom DDoS extortion operations — are prosecutable as organised crime with imprisonment ranging from 5 years to life and heavy fines.

BNS Section 308 — Extortion (Ransom DDoS): Ransom DDoS attacks — where the attacker demands payment to stop the assault — constitute criminal extortion under BNS Section 308, punishable with imprisonment up to 3–10 years and fine depending on severity.

CERT-In Directions 2022: All service providers, data centres, VPNs and cloud providers must report cyber security incidents including DDoS attacks to CERT-In within 6 hours of detection. Failure to report is a regulatory offence. Organisations must also maintain logs for 180 days and make them available to CERT-In on request.