
DDoS (distributed denial-of-service) Attack

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a website, server, or network by overwhelming it with a flood of internet traffic. The "distributed" nature of these attacks means the traffic comes from multiple sources, making them harder to stop by simply blocking a single source.

The attack works by consuming the target's resources, degrading performance or taking the service down entirely. DDoS attacks are illegal and can cause significant financial losses, reputational damage, and operational disruption for the targeted organization.

How a DDoS attack works

A DDoS attack is carried out using a "botnet," a network of internet-connected devices (like computers, phones, and IoT devices) that have been infected with malware.

  • Infection: Attackers infect thousands, or even millions, of devices with malicious software, often without the owners' knowledge.
  • Coordination: The attackers can then command the botnet to send a massive flood of requests to a single target.
  • Overload: The overwhelming traffic causes the target's bandwidth and resources to be consumed, resulting in slow performance or a complete crash.

1. Targeting and Overwhelming

Attackers identify a target, such as a website, and then generate a massive amount of malicious traffic aimed at exhausting its resources.

2. Botnet Involvement

This traffic usually comes from a botnet, which is a network of compromised devices (like smartphones, PCs, or IoT devices) that have been infected with malware.

3. Disruption of Service

The sheer volume of incoming traffic overwhelms the target's server or network, making it slow or completely unresponsive to legitimate users.

Why DDoS Attacks Are Launched

  • Rivalry: Competitors might launch attacks to take a rival offline.
  • Financial Gain: Attackers sometimes demand payment in cryptocurrency to stop the attack.
  • Political or Ideological Reasons: Groups may use DDoS attacks as a tool for political protest or to target opponents.
  • Distraction: A DDoS attack can also serve as a diversion for another, more subtle cyberattack, allowing the attackers to steal data or gain unauthorized access.

The Impact of DDoS Attacks

Business Disruption

Websites and online services can become inaccessible, leading to lost sales and productivity.

Reputational Damage

A prolonged or frequent DDoS attack can erode customer trust and damage a company's brand.

Financial Costs

Organizations may incur significant costs from responding to the attack, such as hiring security experts and upgrading their network infrastructure.

Legal Consequences of DDoS Attacks

Participating in DDoS attacks constitutes a cybercrime and may lead to severe legal consequences, including the seizure of electronic devices, under the laws of numerous countries worldwide.

Examples of Legal Frameworks

  • United States: The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access and disruption of computer systems, including DDoS attacks.
  • United Kingdom: Under the Computer Misuse Act 1990, launching a DDoS attack is considered illegal and punishable by imprisonment.
  • India: The Information Technology Act, 2000 (Section 66F) treats cyberterrorism and denial-of-service attacks as serious offenses.
  • European Union: The Directive on Attacks against Information Systems mandates member states to penalize intentional disruption of IT systems.

Enforcement agencies such as the FBI, Europol, and national cybercrime units actively investigate and prosecute individuals involved in DDoS activities.

Types of DDoS attacks

DDoS attacks can be categorized by which component of the network they target:

Volumetric attacks

These are the most common and simplest type of DDoS attack. They flood the network with a high volume of traffic to consume all available bandwidth.

  • UDP floods: Overwhelm the target with User Datagram Protocol packets.
  • ICMP floods: Also known as a "ping flood," this attack sends massive amounts of Internet Control Message Protocol (ICMP) echo requests to the target.
  • DNS amplification: An attacker sends small DNS queries to open DNS resolvers with the source IP address spoofed to the victim's, so the resolvers send their much larger responses to the victim, flooding it.

Protocol attacks

These attacks exploit vulnerabilities in network protocols (like TCP or ICMP) to consume server resources and network equipment like firewalls.

  • SYN floods: An attacker exploits the TCP handshake process by sending a large volume of "SYN" (synchronization) packets, but never completing the handshake. This leaves the server with a large number of half-open connections that exhaust its resources.

Application layer attacks

These attacks target specific applications or services at Layer 7 of the OSI model, overwhelming them with seemingly legitimate but resource-intensive requests.

  • HTTP floods: An attacker sends a flood of HTTP GET or POST requests to a web server, mimicking many users repeatedly refreshing a webpage.
  • Slowloris: This attack keeps many HTTP connections open for as long as possible by sending partial requests, eventually exhausting the server's connection pool.

How to prevent and mitigate a DDoS attack

While it's impossible to prevent all DDoS attacks, a multi-layered defense strategy can significantly reduce the risk and impact.

  • Create a DDoS response plan: Have a plan ready detailing the steps, responsibilities, and communication protocols for an attack.
  • Know your traffic: Understand your network's normal traffic patterns to more easily spot unusual spikes or anomalies that signal an attack.
  • Increase network capacity: Over-provisioning bandwidth or using cloud-based services can help absorb larger volumes of traffic.
  • Use DDoS protection services: Specialized third-party services can monitor traffic and filter out malicious requests before they reach your network.
  • Employ web application firewalls (WAFs): A WAF can help protect against application-layer attacks by filtering malicious HTTP/HTTPS requests.
  • Practice good cyber hygiene: Educate employees, keep software updated, and use strong authentication to prevent devices from being added to a botnet.
  • Consider a content delivery network (CDN): A CDN can help distribute traffic loads across many servers, making it harder for an attacker to overwhelm a single one.
  • Use blackhole routing (last resort): As a final option, divert all traffic to a "black hole" where it is dropped. This will take your site offline, but can protect the rest of your network.

Mitigation Strategy in .NET Core

One effective way to mitigate DDoS at the application level is the built-in rate limiting middleware (Microsoft.AspNetCore.RateLimiting) available in ASP.NET Core 7 and later. It limits the number of requests per user or IP within a time window.

Implementation Steps

  1. Create a new ASP.NET Core Web API project.
  2. In Program.cs, configure the global rate limiter.
  3. Apply the middleware to the request pipeline.

Code Example

// Program.cs
using System.Threading.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddRateLimiter(options =>
{
    // The middleware rejects with 503 by default; return 429 so clients (and your
    // monitoring) can tell throttling apart from an outage.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // One fixed-window bucket per client IP. Behind a reverse proxy or CDN, enable the
    // ForwardedHeaders middleware first, otherwise every client shares the proxy's address.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "anonymous",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 20,                 // max requests per window for this IP
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0,                   // excess requests are rejected, not queued
                AutoReplenishment = true
            }));
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthorization();
app.UseRateLimiter(); // Apply rate limiting
app.MapControllers();
app.Run();

Testing Strategy

  • Use tools like Apache JMeter or wrk to simulate traffic.
  • Monitor response codes—requests beyond the limit will receive 429 Too Many Requests.
  • Log and analyze IP addresses to detect patterns.
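The per-IP fixed-window counting that the Program.cs configuration delegates to the framework, replayed over constructed access-log lines so the "log and analyze IP addresses" step can be tried offline. This is an added example, not code from the original page: the log format, the addresses (from documentation ranges) and the minute-aligned windows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERMIT_LIMIT = 20              # same as PermitLimit = 20 in the page's configuration
WINDOW = timedelta(minutes=1)  # same as Window = TimeSpan.FromMinutes(1)
EPOCH = datetime(1970, 1, 1)   # windows are aligned to this origin (an assumption)

# Constructed access-log lines: "<client-ip> <ISO timestamp> <method> <path>".
# 203.0.113.7 sends 25 requests in one minute and 5 in the next; 198.51.100.2 sends 3.
# Both addresses are from documentation ranges; nothing here is captured traffic.
SAMPLE_LOG = (
    [f"203.0.113.7 2024-05-01T10:00:{i:02d} GET /api/items" for i in range(25)]
    + [f"198.51.100.2 2024-05-01T10:00:{i * 10:02d} GET /api/items" for i in range(3)]
    + [f"203.0.113.7 2024-05-01T10:01:{i:02d} GET /api/items" for i in range(5)]
)


def parse_line(line):
    """Split one log line into (ip, timestamp, request)."""
    ip, ts, method, path = line.split(" ", 3)
    return ip, datetime.fromisoformat(ts), f"{method} {path}"


def replay(lines):
    """Apply a per-IP fixed-window limit to the log in timestamp order.
    Returns (decisions, rejected): decisions is [(ip, 200|429), ...], rejected maps ip -> 429 count."""
    counts = defaultdict(int)  # (ip, window index) -> requests seen in that window
    rejected = defaultdict(int)
    decisions = []
    for ip, ts, _request in sorted(map(parse_line, lines), key=lambda r: r[1]):
        key = (ip, (ts - EPOCH) // WINDOW)
        counts[key] += 1
        # QueueLimit = 0 on the page: anything over the permit limit is rejected, not queued
        if counts[key] > PERMIT_LIMIT:
            rejected[ip] += 1
            decisions.append((ip, 429))
        else:
            decisions.append((ip, 200))
    return decisions, dict(rejected)


def suspicious_sources(rejected, threshold=1):
    """IPs throttled at least `threshold` times: candidates for edge/WAF review."""
    return sorted(ip for ip, n in rejected.items() if n >= threshold)


if __name__ == "__main__":
    decisions, rejected = replay(SAMPLE_LOG)
    print(rejected)                      # {'203.0.113.7': 5}
    print(suspicious_sources(rejected))  # ['203.0.113.7']
```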

Pros and Cons

Pros                                    | Cons
----------------------------------------|---------------------------------------------
Simple to implement in .NET Core        | Limited to application-level protection
Customizable per user/IP                | Does not protect against volumetric attacks
Works well with APIs and microservices  | Requires .NET 7+ for built-in support

Additional Recommendations

  • Use Web Application Firewall (WAF) for Layer 7 protection.
  • Integrate with Azure Front Door or Cloudflare for edge-level filtering.
  • Monitor logs and metrics continuously.