How Hackers Make Money from DDoS Attacks

Written by orjaneweb

What is DDoS attack ? What happens during a DDos attack?

DDos attack can leave system down for days.

DDOS attack are one of the common forms of cyber attack with the number of global DDos attacks increasing to 50 million annually according to Verisign

A distributed denial- of-service (DDos) attack is one of the most powerful weapons on the internet. when you hear about a website is being “bought down by hackers”, it generally means it has become a victim of a DDos attack . in short , this means that hackers have attempted to make a website or computer unavailable by flooding or crashing the website with too much traffic.

What arre distributed denial-of-service attacks (DDos)?

Distribured denial-of-service attacks target websites and online services . the aim is to overwhelm them with more traffic than the server or network can accomodate. the goal is to render the website or service inoperable

The traffic can consist of incoming messages requests for connections , or fake packets. in some cases the targeted victims are threatened with a DDos attack or attacked at a low  level. this may be combined withe an extortion threat of a more devastrating attack unless the company pays a cryptocurrency ransome

In 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted banks, web host providers, and others in this way.

Examples of DDoS attacks

Here’s a bit of history and two notable attacks.

In 2000, Michael Calce, a 15-year-old boy who used the online name “Mafiaboy,” launched one of the first recorded DDoS attacks. Calce hacked into the computer networks of a number of universities. He used their servers to operate a DDoS attack that crashed several major websites, including CNN, E-Trade, eBay, and Yahoo. Calce was convicted of his crimes in the Montreal Youth Court. As an adult, he became a “white-hat hacker” identifying vulnerabilities in the computer systems of major companies.

More recently, in 2016, Dyn, a major domain name system provider — or DNS — was hit with a massive DDoS attack that took down major websites and services, including AirBnB, CNN, Netflix, PayPal, Spotify, Visa, Amazon, The New York Times, Reddit, and GitHub.

The gaming industry has also been a target of DDoS attacks, along with software and media companies.

DDoS attacks are sometimes done to divert the attention of the target organization. While the target organization focuses on the DDoS attack, the cybercriminal may pursue a primary motivation such as installing malicious software or stealing data.

DDoS attacks have been used as a weapon of choice of hacktivists, profit-motivated cybercriminals, nation states and even — particularly in the early years of DDoS attacks — computer whizzes seeking to make a grand gesture.

How do DDoS attacks work?

The theory behind a DDoS attack is simple, although attacks can range in their level of sophistication. Here’s the basic idea. A DDoS is a cyberattack on a server, service, website, or network floods it with Internet traffic. If the traffic overwhelms the target, its server, service, website, or network is rendered inoperable.

Network connections on the Internet consist of different layers of the Open Systems Interconnection (OS) model. Different types of DDoS attacks focus on particular layers. A few examples:

  • Layer 3, the Network layer. Attacks are known as Smurf Attacks, ICMP Floods, and IP/ICMP Fragmentation.
  • Layer 4, the Transport layer. Attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
  • Layer 7, the Application layer. Mainly, HTTP-encrypted attacks.


The primary way a DDoS is accomplished is through a network of remotely controlled, hacked computers or bots. These are often referred to as “zombie computers.” They form what is known as a “botnet” or network of bots. These are used to flood targeted websites, servers, and networks with more data than they can accommodate.

The botnets may send more connection requests than a server can handle or send overwhelming amounts of data that exceed the bandwidth capabilities of the targeted victim. Botnets can range from thousands to millions of computers controlled by cybercriminals. Cybercriminals use botnets for a variety of purposes, including sending spam and forms of malware such as ransomware. Your computer may be a part of a botnet, without you knowing it.

Increasingly, the millions of devices that constitute the ever-expanding Internet of Things (IoT) are being hacked and used to become part of the botnets used to deliver DDoS attacks. The security of devices that make up the Internet of Things is generally not as advanced as the security software found in computers and laptops. That can leave the devices vulnerable for cybercriminals to exploit in creating more expansive botnets.

The 2016 Dyn attack was accomplished through Mirai malware, which created a botnet of IoT devices, including cameras, smart televisions, printers and baby monitors. The Mirai botnet of Internet of Things devices may be even more dangerous than it first appeared. That’s because Mirai was the first open-source code botnet. That means the code used to create the botnet is available to cybercriminals who can mutate it and evolve it for use in future DDoS attacks.

Traffic flood

Botnets are used to create an HTTP or HTTPS flood. The botnet of computers is used to send what appear to be legitimate HTTP or HTTPS requests to attack and overwhelm a webserver. HTTP — short for HyperText Transfer Protocol — is the protocol that controls how messages are formatted and transmitted. An HTTP request can be either a GET request or a POST request. Here’s the difference:

  • A GET request is one where information is retrieved from a server.
  • A POST request is one where information is requested to be uploaded and stored. This type of request requires greater use of resources by the targeted web server.

While HTTP floods using POST requests use more resources of the web server, HTTP floods using GET requests are simpler and easier to implement.

DDoS attacks can be purchased on black markets

Assembling the botnets necessary to conduct DDoS attacks can be time-consuming and difficult.

Cybercriminals have developed a business model that works this way: More sophisticated cybercriminals create botnets and sell or lease them to less sophisticated cybercriminals on the dark web — that part of the Internet where criminals can buy and sell goods such as botnets and stolen credit card numbers anonymously.

The dark web is usually accessed through the Tor browser, which provides an anonymous way to search the Internet. Botnets are leased on the dark web for as little as a couple of hundred dollars. Various dark web sites sell a wide range of illegal goods, services, and stolen data.

In some ways, these dark web sites operate like conventional online retailers. They may provide customer guarantees, discounts, and user ratings.

What are the symptoms of a DDoS attack?

DDoS attacks have definitive symptoms. The problem is, the symptoms are so much like other issues you might have with your computer — ranging from a virus to a slow Internet connection — that it can be hard to tell without professional diagnosis. The symptoms of a DDoS include:

  • Slow access to files, either locally or remotely
  • A long-term inability to access a particular website
  • Internet disconnection
  • Problems accessing all websites
  • Excessive amount of spam emails

Most of these symptoms can be hard to identify as being unusual. Even so, if two or more occur over long periods of time, you might be a victim of a DDoS.

Types of DDoS attacks

DDoS attacks generally consist of attacks that fall into one or more categories, with some more sophisticated attacks combining attacks on different vectors. These are the categories:

  • Volume Based Attacks. These send massive amounts of traffic to overwhelm a network’s bandwidth.
  • Protocol Attacks. These are more focused and exploit vulnerabilities in a server’s resources.
  • Application Attacks. are the most sophisticated form of DDoS attacks, focusing on particular web applications.

Here’s a closer look at different types of DDoS attacks.

TCP Connection Attacks

TCP Connection Attacks or SYN Floods exploit a vulnerability in the TCP connection sequence commonly referred to as the three-way handshake connection with the host and the server.

Here’s how. The targeted server receives a request to begin the handshake. In a SYN Flood, the handshake is never completed. That leaves the connected port as occupied and unavailable to process further requests. Meanwhile, the cybercriminal continues to send more and more requests overwhelming all open ports and shutting down the server.

Application Attacks

Application layer attacks — sometimes referred to as Layer 7 attacks — target applications of the victim of the attack in a slower fashion. That way, they may initially appear as legitimate requests from users, until it is too late, and the victim is overwhelmed and unable to respond. These attacks are aimed at the layer where a server generates web pages and responds to http requests.

Often, Application level attacks are combined with other types of DDoS attacks targeting not only applications, but also the network and bandwidth. Application layer attacks are particularly threatening. Why? They’re inexpensive to operate and more difficult for companies to detect than attacks focused on the network layer.

Fragmentation Attacks

Fragmentation Attacks are another common form of a DDoS attack. The cybercriminal exploits vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller packets, transferred across a network, and then reassembled. In Fragmentation attacks, fake data packets unable to be reassembled, overwhelm the server.

In another form of Fragmentation attack called a Teardrop attack, the malware sent prevents the packets from being reassembled. The vulnerability exploited in Teardrop attacks has been patched in the newer versions of Windows, but users of outdated versions would still be vulnerable.

Volumetric Attacks

Volumetric Attacks are the most common form of DDoS attacks. They use a botnet to flood the network or server with traffic that appears legitimate, but overwhelms the network’s or server’s capabilities of processing the traffic.

Types of DDoS Amplification

In a DDoS Amplification attack, cybercriminals overwhelm a Domain Name System (DNS) server with what appear to be legitimate requests for service. Using various techniques, the cybercriminal is able to magnify DNS queries, through a botnet, into a huge amount of traffic aimed at the targeted network. This consumes the victim’s bandwidth.

Chargen Reflection

A variation of a DDoS Amplification attack exploits Chargen, an old protocol developed in 1983. In this attack, small packets containing a spoofed IP of the targeted victim are sent to devices that operate Chargen and are part of the Internet of Things. For instance, many Internet-connected copiers and printers use this protocol. The devices then flood the target with User Datagram Protocol (UDP) packets, and the target is unable to process them.

DNS Reflection

DNS Reflection attacks are a type of DDoS attack that cybercriminals have used many times. The susceptibility to this type of attack is generally due to consumers or businesses having routers or other devices with DNS servers misconfigured to accept queries from anywhere instead of DNS servers properly configured to provide services only within a trusted domain.

The cybercriminals then send spoofed DNS queries that appear to come from the target’s network so when the DNS servers respond, they do so to the targeted address. The attack is magnified by querying large numbers of DNS servers.

Check out the DDoS Digital Attack Map

The Digital Attack Map was developed by Arbor Networks ATLAS global threat intelligence system. It uses data collected from more than 330 ISP customers anonymously sharing network traffic and attack information

Take a look at the Digital Attack Map. It enables you to see on a global map where DDoS attacks are occurring with information updated hourly.

Is your computer vulnerable?

If you run an older version of Windows that is no longer supported by Microsoft, you will be vulnerable to WannaCry, according to Microsoft’s blog. This includes Windows 8 and Windows XP, which the majority of NHS England trusts are using.

But if you are using Windows 10 or any of the other version such as, Windows Vista, Windows 7 and Windows 8.1 systems, you’ll be protected as long as your automatic updates are enabled, which is set ‘on’ as standard.

How to protect your computer from ransomware

Once your system has ransomware, your choices are limited: pay or don’t pay. Those are your options.

If you do choose to pay, you need to make sure that they will release your data, and there really isn’t a guarantee of that. In fact, in reality, by paying the attackers, you’re really only fuelling the ransomware culture.

Once they know you’ll pay, they’ll know others will too.

Your best option for protecting yourself from ransomware is to backup your files, invest in some decrypters and create a best practice guide for such attacks.

About the author


Leave a Comment