Understanding DDoS Attacks: Types, Mitigation, and Notorious Groups

A Distributed Denial-of-Service (DDoS) attack is an attack in which an adversary attempts to make an online service unavailable by overwhelming it with traffic from numerous sources (radware.com). In essence, the target (such as a website or API) is flooded with so much bogus traffic that real user requests cannot get through. DDoS attacks use many machines – often a botnet of malware-infected computers or IoT devices – to generate far more traffic than a single source ever could, making them much more powerful than traditional DoS attacks. This distributed nature also makes defense and attribution difficult, since malicious traffic arrives from thousands of different IP addresses simultaneously.

DDoS threats are on the rise. Recent years have seen a surge in both the frequency and the scale of attacks – for example, Cloudflare reported blocking around 21.3 million DDoS attacks in 2024, a 53% increase compared to 2023 (blog.cloudflare.com). Peak volumes are also reaching record levels (one late-2024 attack peaked at 5.6 Tbps, the largest ever reported; blog.cloudflare.com). These attacks affect organizations of all sizes, from banks and game servers to government websites. Motivations range from cybercriminals extorting money to state-sponsored actors and hacktivists protesting or retaliating. Geopolitical conflicts in recent years have even fueled spikes in DDoS activity as hacktivist groups target opposing governments and infrastructure (securitybrief.co.uk). In short, DDoS remains one of the most prominent threats to Internet availability.

Types of DDoS Attacks

Not all DDoS attacks are alike – attackers can target different layers of the network stack. The main categories include volumetric, protocol, and application-layer attacks:

  • Volumetric Attacks: These attacks focus on exhausting the bandwidth of the target or its network by sending an overwhelming volume of traffic. The goal is to clog the network pipes. For example, an attacker might launch a UDP flood or DNS amplification attack that generates gigabits or even terabits of data per second, saturating the target’s Internet link (radware.com). Volumetric attacks are the most common form of DDoS and rely on pure quantity of traffic to grind services to a halt.

  • Protocol Attacks: Also known as network-layer attacks, these exploit weaknesses in network protocols to consume server or firewall resources (radware.com). A classic example is the SYN flood – the attacker sends a barrage of TCP handshake requests but never completes them, overwhelming the target’s ability to handle new connections. Other protocol attacks include Ping of Death or Smurf (ICMP amplification), which misuse protocol behaviors. By targeting network-layer (Layer 3/4) protocols, these attacks can incapacitate routers, load balancers, or servers by filling up connection tables or causing excessive packet processing (radware.com).

  • Application-Layer Attacks: These attacks (Layer 7 DDoS) aim at the application or service itself – the interface that users interact with. Rather than brute-forcing the network, an application-layer attack sends legitimate-looking requests to the target web server or application, but in massive volumes or in an asymmetric way that overwhelms the back-end. Examples include HTTP GET/POST floods – effectively hitting refresh on a webpage millions of times – or more subtle “slow” attacks (like Slowloris) that tie up resources by keeping connections open (radware.com). Because they resemble normal user traffic (albeit at high volume), application-layer attacks can be harder to detect. They target specific services (web pages, login APIs, DNS lookup services, etc.) to exhaust the application’s capacity.

It’s worth noting that attackers often combine multiple vectors in a single campaign. These multi-vector DDoS attacks might, for instance, blast a target with a UDP flood (volumetric) while simultaneously hitting the web application with HTTP requests (application-layer). Defenders then have to counter attacks on several fronts at once (darkreading.com). Recent botnets have made multi-vector attacks more common, requiring a mix of mitigation techniques (as discussed next).

Mitigation Strategies

Defending against DDoS attacks requires a layered approach and preparation. Key DDoS mitigation strategies include:

  • Rate Limiting: This involves placing limits on the rate of incoming requests or connections to your server. By capping how many requests a client (or an IP address) can make per second, you can prevent any single source from flooding you too quickly. For example, an API endpoint might be configured to accept only a certain number of queries per second from one client – excess requests are dropped or throttled. Rate limiting can thus blunt simple volumetric attacks, especially those coming from a limited set of sources (darkreading.com). While it won’t stop a massive distributed flood by itself, it’s a useful first line of defense to dampen spikes in traffic.

  • Web Application Firewalls (WAFs): A WAF is a firewall specifically for HTTP/HTTPS traffic, sitting in front of a web server and filtering requests. It inspects inbound web requests and blocks those that are malicious or violate rules. During a DDoS, a WAF can automatically recognize and block common attack patterns (e.g. a flood of identical requests or known malicious user-agent strings) before they hit the actual application (radware.com). Many WAFs can also present challenges like CAPTCHAs or JavaScript puzzles to suspect clients – forcing bots to reveal themselves. By using a WAF, organizations add a layer of protection against application-layer attacks, ensuring that the web server only deals with traffic that appears legitimate.

  • Cloud-Based DDoS Protection: Given the scale of modern attacks, many organizations offload DDoS defense to cloud providers. Cloud DDoS protection services (such as those from Cloudflare, Akamai, AWS, etc.) absorb attack traffic on a globally distributed network of edge servers. They use techniques like anycast routing, which spreads incoming traffic across many data centers around the world, so that no single location is overwhelmed (radware.com). Malicious traffic gets filtered out in the cloud (using sophisticated detection algorithms and massive capacity), and only clean traffic is forwarded to the customer’s site. Essentially, the provider’s backbone acts as a giant “shock absorber” for DDoS floods. This cloud-based approach has proven effective against hyper-volumetric attacks that would far exceed a typical organization’s own bandwidth or hardware capabilities.

  • Traffic Scrubbing Centers: Traffic scrubbing is a technique where incoming traffic is re-routed through a cleaning center before reaching the target. All traffic (legitimate and attack traffic) is diverted to a scrubbing center – typically a data center with high-capacity filters and deep packet inspection – that removes malicious packets and then forwards the filtered, legitimate traffic to the destination (radware.com). Scrubbing centers maintain racks of DDoS filtering equipment and can handle enormous volumes. This approach can be always-on or activated on demand when an attack is detected (often via BGP redirection of the IP range to the scrubber). Many DDoS mitigation providers run global scrubbing networks, and large enterprises can also have on-premise scrubber appliances. The goal is to “wash out” the attack traffic and let only clean traffic through, minimizing impact on the target service (radware.com). Often, cloud CDN protection and scrubbing go hand-in-hand – the CDN network deflects and disperses traffic, and scrubbing filters out the bad packets.
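To make the rate-limiting strategy above concrete, here is an added example (not code from the original article) of a per-client token-bucket limiter run over a constructed request trace. The client addresses, the 5 requests/s limit with a burst of 10, and the trace itself are all assumptions chosen for illustration.

```python
"""Per-client token-bucket rate limiter run over a constructed request trace.
Timestamps are in milliseconds and tokens in thousandths so the arithmetic is exact."""
from collections import defaultdict


class TokenBucket:
    """Each client starts with `burst` tokens; tokens refill at `rate_per_s`.
    A request is admitted only while at least one whole token is available."""

    def __init__(self, rate_per_s: int, burst: int, now_ms: int):
        self.rate_per_s = rate_per_s  # tokens per second == millitokens per ms
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        # Refill proportionally to elapsed time, never above the burst cap.
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate_per_s)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def apply_rate_limit(requests, rate_per_s=5, burst=10):
    """requests: iterable of (timestamp_ms, client_ip) pairs.
    Returns {client_ip: {"allowed": n, "dropped": m}}."""
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in sorted(requests):
        if ip not in buckets:
            buckets[ip] = TokenBucket(rate_per_s, burst, ts)
        verdict = "allowed" if buckets[ip].allow(ts) else "dropped"
        stats[ip][verdict] += 1
    return dict(stats)


# Constructed trace (not real traffic): a normal client sends 2 req/s for 10 s,
# a flooding client sends 100 req/s over the same 10 s.
TRACE = [(i * 500, "198.51.100.7") for i in range(20)]
TRACE += [(i * 10, "203.0.113.9") for i in range(1000)]

if __name__ == "__main__":
    for ip, counts in apply_rate_limit(TRACE).items():
        print(ip, counts)
```

The normal client passes untouched, while the flooding client is cut to its burst plus roughly the configured 5 requests/s, which is the "dampen spikes from a single source" effect the text describes.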

No single mitigation is a silver bullet. In practice, organizations employ layered defenses – e.g. basic firewall rules and rate limits at the network edge, a cloud DDoS service for volumetric attacks, and a WAF for application-layer attacks. Preparation is also key: having a DDoS response plan, over-provisioning bandwidth when possible, and enabling emergency procedures with your ISP or cloud provider can dramatically reduce downtime when under attack.

DDoSia – A Hacktivist DDoS Collective

DDoSia (sometimes stylized “DDosia”) is a crowdsourced DDoS tool and project associated with the pro-Russian hacktivist group NoName057(16). Active since around the start of the Russia-Ukraine war in 2022, NoName057(16) uses DDoSia to rally volunteers in launching attacks against websites deemed hostile to Russia. Targets are often government, media, or infrastructure sites of countries supporting Ukraine or otherwise “anti-Russian” in the group’s view. For example, in November 2024 NoName057(16) (along with affiliated groups like “Cyber Army of Russia Reborn”) bombarded several South Korean government websites with DDoS attacks – an operation triggered by South Korean officials voicing support for Ukraine (asec.ahnlab.com). These politically motivated attacks aim to disrupt the targeted services and send a propaganda message. In effect, the hacktivists are using cyber attacks as an extension of real-world conflict, trying to sow chaos and apply pressure via online disruption (asec.ahnlab.com).

How DDoSia works: The campaign is organized via Telegram channels. NoName057(16) maintains a Telegram channel with tens of thousands of subscribers where they actively share target lists and updates on attack progress in real time (asec.ahnlab.com). They also distribute the DDoSia malware client through this channel. Volunteers who want to participate download the DDoSia program and also receive a unique identifier file (client_id.txt) from the group’s Telegram (this file links the volunteer to the project) (asec.ahnlab.com). When a volunteer runs the DDoSia tool on their computer, the following occurs:

  • The DDoSia client connects to the operation’s central command-and-control (C&C) server over the internet. It authenticates itself using the provided client ID and sends basic info about the volunteer’s system (asec.ahnlab.com).

  • The C&C server then provides the volunteer’s DDoS client with a list of target URLs/IPs to attack (this is essentially the current hit list) (asec.ahnlab.com).

  • The DDoS client immediately begins to generate traffic towards those targets – for example, firing off waves of HTTP GET requests, UDP packets, or other attack traffic as instructed.

  • Meanwhile, the client also reports back to the C&C periodically (e.g. via a “/set_attack_count” API) with stats on how many packets/requests it has sent, contributing to an overall picture of the attack’s progress (asec.ahnlab.com).

The organizers use this feedback to measure the attack and possibly reward the participants. Notably, NoName057(16) incentivizes volunteers by offering cryptocurrency rewards for successful attacks, encouraging more people to join in the DDoS campaigns (asec.ahnlab.com). This dynamic – political motivation plus a gamified reward system – has led to a significant number of willing participants in DDoSia operations. On the technical side, DDoSia has been evolving. Earlier versions of the tool (written in Python) could launch network-layer attacks like TCP SYN floods, but newer versions are written in Go and focus on HTTP/HTTPS floods and similar application-layer attacks (asec.ahnlab.com).

The DDoSia client supports multiple attack modes (the C&C can instruct it to do an HTTP flood, HTTP/2 flood, etc.). To make the attack traffic harder to filter, the malware randomizes aspects of the requests – for instance, it will vary the User-Agent strings and other HTTP headers for each volunteer, so that the flood traffic doesn’t all have an identical signature (asec.ahnlab.com). The group also adapts its infrastructure on the fly: the C&C server address is frequently changed, and if a C&C IP gets blocked, they will announce a new one via Telegram to keep the attack going (asec.ahnlab.com). All these measures make DDoSia a resilient crowd-powered DDoS platform. It leverages human volunteers plus custom malware to create a sort of “flash mob” that can take down targeted websites. As long as the community of supporters exists and the organizers can stay one step ahead of defenders (by moving servers and tweaking tactics), DDoSia remains an ongoing threat to its chosen targets.

GorillaBot – A Mirai-Variant DDoS Botnet

In contrast to DDoSia’s volunteer-based model, GorillaBot is an example of a malware-driven botnet used for DDoS. Discovered in late 2024, GorillaBot is a new strain of the infamous Mirai botnet malware (darkreading.com). Mirai’s source code (leaked in 2016) has spawned many variants over the years; GorillaBot is one of the latest and most potent. It infects vulnerable Internet-of-Things devices – such as home routers, security cameras, and other Linux-based gadgets – and enrolls them into a botnet army. The malware is cross-platform, capable of running on ARM, MIPS, x86_64, and x86 architectures, among others (darkreading.com), which means it can take over a wide range of IoT devices. GorillaBot’s creators even left a quirky signature in the code: a message stating “gorilla botnet is on the device ur not a cat go away” (sic). This unique string, a cheeky taunt to anyone inspecting the device, is what led researchers to name the malware family “GorillaBot” (darkreading.com).

What makes GorillaBot particularly notable is the scale and ferocity of its attacks. In September 2024, GorillaBot was observed launching an unprecedented 300,000 DDoS attacks in the span of just a few weeks (darkreading.com). These attacks together impacted about 20,000 organizations worldwide, including nearly 4,000 organizations in the United States alone (darkreading.com). Essentially, once GorillaBot’s botnet reached critical mass, its operators initiated an onslaught of attack commands, directing different clusters of bots to hit various targets around the globe.

GorillaBot’s infrastructure includes multiple command-and-control servers to coordinate its herd of compromised devices. Researchers from NSFocus noted that the malware had five built-in C2 servers and would randomly select one to connect to, ensuring the botnet isn’t reliant on a single point of failure (darkreading.com). Through these C2 servers, the botnet controllers were issuing a steady stream of attack instructions – at the peak, about 20,000 attack commands in a single day were sent out to the bot network (darkreading.com). Each command could specify a target and an attack method, causing swarms of infected devices to immediately start flooding that target. Over the course of the September 2024 campaign, victims were recorded in 113 countries, with organizations in China being the hardest hit, followed by those in the U.S., Canada, and Germany (darkreading.com). The geographic spread indicates how botnets like GorillaBot can strike anywhere on the Internet, leveraging globally dispersed devices. In terms of attack vectors, GorillaBot is highly versatile. It comes loaded with 19 different DDoS attack methods (far more than the original Mirai) (darkreading.com).

Analysis of GorillaBot’s activity showed the following breakdown of vectors:

  • About 41% of its attacks were UDP floods, attempting to overwhelm targets with massive volumes of UDP packets (darkreading.com).

  • Another ~24% of the attacks were TCP ACK floods (darkreading.com), a tactic where the botnet floods a target (often a specific server port) with spoofed TCP ACK packets to disrupt stateful firewalls or servers.

  • GorillaBot can additionally perform TCP SYN floods, various mixed UDP and TCP floods, and likely application-layer attacks as well (given that Mirai variants often have HTTP flood capabilities).

By switching between vectors or using multiple types of floods concurrently, GorillaBot mounts multi-vector DDoS attacks that are harder to defend against (darkreading.com). Each attack vector might require a different mitigation technique – for instance, filtering a UDP flood vs. handling an ACK flood are distinct challenges – so a mixed attack can strain a target’s defenses. This behavior underscores why having layered DDoS protection is crucial; GorillaBot’s onslaughts won’t be stopped by a single firewall or filter alone. Security teams need broad visibility and countermeasures at network and application layers to cope with such botnet-driven attacks.
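Because each vector needs its own countermeasure, the first defensive step is knowing which vectors are hitting a target at once. The following added example (not from the original article or the cited research) splits per-second flow counters by protocol and TCP flags into the UDP, SYN and ACK flood vectors named above and reports targets under more than one at the same time. The flow records, target addresses and per-vector baselines are constructed for illustration.

```python
"""Vector-aware flood detector over constructed per-second flow counters.
Reports which DDoS vectors (UDP, SYN, ACK) exceed a baseline for each target."""
from collections import defaultdict

# Constructed flow records (not real data):
# (second, dst_ip, proto, tcp_flags, dst_port, packets)
FLOWS = [
    (0, "192.0.2.10", "udp", "", 53, 420_000),
    (0, "192.0.2.10", "tcp", "A", 443, 260_000),
    (0, "192.0.2.10", "tcp", "S", 443, 9_000),
    (0, "192.0.2.10", "tcp", "PA", 80, 1_200),
    (1, "192.0.2.10", "udp", "", 53, 410_000),
    (1, "192.0.2.10", "tcp", "A", 443, 250_000),
    (1, "192.0.2.10", "tcp", "S", 443, 8_500),
    (1, "192.0.2.11", "tcp", "PA", 443, 900),
    (1, "192.0.2.11", "tcp", "S", 443, 700),
]

# Assumed per-vector packets-per-second baselines; real deployments derive
# these from a learned profile of normal traffic.
BASELINE_PPS = {"udp_flood": 50_000, "syn_flood": 5_000, "ack_flood": 50_000}


def vector_of(proto, flags):
    """Map a flow's protocol and TCP flags to a coarse DDoS vector label."""
    if proto == "udp":
        return "udp_flood"
    if flags == "S":        # bare SYN, no ACK: half-open handshake attempts
        return "syn_flood"
    if flags == "A":        # bare ACK outside any established connection
        return "ack_flood"
    return "other"          # e.g. PSH/ACK data packets of real sessions


def detect_vectors(flows, baseline=BASELINE_PPS):
    """Returns {dst_ip: sorted vectors whose peak 1-second pps exceeded baseline}."""
    per_sec = defaultdict(int)   # (second, dst, vector) -> packets
    for sec, dst, proto, flags, _port, pkts in flows:
        per_sec[(sec, dst, vector_of(proto, flags))] += pkts
    peak = defaultdict(int)      # (dst, vector) -> busiest second
    for (sec, dst, vec), pkts in per_sec.items():
        peak[(dst, vec)] = max(peak[(dst, vec)], pkts)
    hits = defaultdict(list)
    for (dst, vec), pkts in peak.items():
        if vec in baseline and pkts > baseline[vec]:
            hits[dst].append(vec)
    return {dst: sorted(vecs) for dst, vecs in hits.items()}


def multi_vector_targets(flows):
    """Targets hit by more than one vector at once, the pattern described above."""
    return sorted(dst for dst, vecs in detect_vectors(flows).items() if len(vecs) > 1)
```

In the constructed sample only 192.0.2.10 is flagged, and it is flagged on three vectors simultaneously, which is exactly the situation where a single filter tuned to one flood type would not be enough.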

It’s unclear who exactly operates GorillaBot (unlike DDoSia, which is openly operated by a hacktivist group, GorillaBot is a covert cybercrime tool), but the sheer number of attacks suggests it may be used as a DDoS-for-hire service or by multiple threat actors. Its emergence led to a spike in overall DDoS numbers in late 2024 and is a reminder that attackers continue to develop new botnets capable of pushing the limits of DDoS scale.

Conclusion

DDoS attacks remain a potent and evolving threat to online services. From volunteer-driven campaigns like DDoSia to malware-fueled botnets like GorillaBot, attackers have a variety of means to amplify their destructive power. The common theme is the ability to harness strength in numbers – whether human or machine – to overwhelm targets. At the same time, the defensive toolkit for DDoS is improving, with better detection algorithms, larger mitigation networks, and more widespread use of best practices. As the data shows, however, the overall trend is that DDoS attack frequency and size are increasing (one security report noted a 265% surge in DDoS incidents amid global tensions in early 2024; securitybrief.co.uk). This calls for vigilance and continual investment in DDoS defenses. Organizations should ensure they have basic safeguards (like rate limiting and up-to-date systems) as well as robust DDoS mitigation services in place. By understanding the attack types and the tactics of groups like DDoSia and GorillaBot, defenders can better anticipate and prepare for the next wave of attacks. In the ongoing cat-and-mouse game of cybersecurity, staying informed and ready is key to keeping critical services online in the face of ever-larger DDoS onslaughts.
