AV-09 · DDoS and service exhaustion attacks

DDoS and service exhaustion attacks degrade availability by overwhelming network paths, applications, or supporting infrastructure like DNS and load balancers. The most painful incidents are the ones where mitigation services exist but slow recognition and bad runbooks prolong the outage.

$ action: Establish upstream scrubbing relationships, define rate limits and thresholds in advance, map service dependencies, and drill availability response before an incident forces improvisation.

1. Why Availability Attacks Exist

Disrupting availability is cheaper and faster than breaching systems. Extortion, distraction during another attack, retaliation, political signaling, competitive disruption — the motivations vary but the mechanism is consistent: make the service unreachable or unusable long enough to cause real harm.

The attack layer matters for the response. Bandwidth saturation at the edge requires different mitigation than a SYN flood exhausting connection tables, which is different again from a targeted request flood against an expensive API endpoint. Defenders who apply the wrong mitigation to the wrong layer slow themselves down.

Many organizations have scrubbing relationships and CDN protections, but still experience prolonged outages during attacks because recognition is slow, escalation paths aren't practiced, and runbooks assume conditions that don't match reality under pressure.

2. What Attackers Can Do in DDoS Scenarios

Attackers can flood edge links, exhaust firewall and load balancer connection state tables, saturate application worker pools, or target specific expensive endpoints — like a search function or authentication API — with lower bandwidth that still causes service failure.

Lower-volume attacks are particularly effective when they target asymmetric processing: a request that costs the attacker little but requires significant server-side computation. A well-crafted application-layer attack can take down a service that would survive a much larger volumetric flood.

Watch for concurrent suspicious activity during availability events. DDoS is sometimes a distraction technique while a separate intrusion attempt targets a service that defenders aren't watching closely because they're focused on the traffic flood.

3. How Defenders Mitigate and Respond

Layered mitigation is the only realistic approach. Upstream scrubbing for volumetric attacks, CDN and WAF protections for application-layer requests, rate limiting and autoscaling for burst traffic, and targeted rate limits on expensive endpoints. No single control handles every attack pattern.

Clear escalation thresholds matter more than most teams realize. Define in advance: at what traffic volume do you call the ISP? At what error rate do you enable emergency rate limits? Which services get prioritized if capacity is constrained? Those decisions made under pressure during an outage are reliably worse than the same decisions made calmly beforehand.

After recovery, review what failed first — capacity, filtering logic, runbook timing, or observability — and improve instrumentation and procedures before the next event. DDoS resilience is as much about operational discipline as it is about technical controls.

detection-signals

$Traffic volume to a public service spikes sharply, accompanied by rising 5xx error rates and latency — consistent with connection pool or bandwidth exhaustion.
$Load balancer health checks start failing for backends while network traffic to the edge is still high — suggests backend resource exhaustion rather than pure bandwidth attack.
$Requests cluster heavily on one endpoint or URI — characteristic of application-layer flooding rather than a broad volumetric attack.
$SYN state tables fill on edge firewalls or load balancers while established-connection counts stay low — classic SYN flood pattern.
$DNS resolution failures or increased query latency appears alongside application service degradation — suggests the attack includes DNS as a supporting target.

telemetry-sources

$Firewall/load balancer/CDN/WAF metrics and logs.
$NetFlow/sFlow/Zeek/Suricata for traffic composition and protocol behavior.
$Application metrics (latency, error rates, worker saturation, queue depth).
$DNS and upstream provider dashboards/alerts.
$System metrics (CPU, memory, sockets, connection tables) on edge services.

recommended-tools-and-guides

open Zeek Characterize traffic behavior and connection patterns during service stress. open tcpdump Capture short packet samples to validate protocol behavior and flood composition. open Wireshark / TShark Inspect sampled traffic for application/protocol signatures and anomalies. open hping3 Lab-only tool to understand protocol behavior and how flood-like traffic looks in controlled testing. open /learning/alert-triage-false-positives-detection-tuning Build reliable escalation thresholds and reduce noisy availability alerts.

related-learning-modules

Build fundamentals and workflows that directly support defending against this threat pattern.

open /learning/subnetting-nat-firewall-policy-segmentation Subnetting, NAT, Firewall Policy Logic, and Segmentation Basics open /learning/network-security-monitoring-zeek-suricata Network Security Monitoring with Zeek and Suricata open /learning/incident-response-playbooks-framework-functions Incident Response Playbooks Aligned to Recognized Cybersecurity Framework Functions

related-tool-pages

Use these detailed tool guides to practice safe validation, evidence collection, and triage workflows for this threat.

open /learning/tools/zeek Zeek open /learning/tools/tcpdump tcpdump open /learning/tools/wireshark-tshark Wireshark / TShark open /learning/tools/hping3 hping3 open /learning/tools/suricata Suricata

lab-safe-detection-workflows

These commands are for learning, validation, and defensive triage in your own lab or authorized environment. Adapt to your tooling and log locations.

Traffic composition sampling during an availability event (authorized)

sudo tcpdump -ni any -c 500 'host 203.0.113.20 and (tcp or udp)' -w ddos-sample.pcap
tshark -r ddos-sample.pcap -q -z io,phs
tshark -r ddos-sample.pcap -z conv,tcp -q

$ why: Packet samples help determine whether the issue is SYN-heavy, UDP-heavy, app-layer request concentration, or mixed behavior requiring different mitigation steps.

Service health and incident tracking (ops-oriented)

printf "time,service,latency_ms,error_rate,traffic_signal,mitigation_action,owner\n" > ddos-response-log.csv
ss -s
netstat -ant 2>/dev/null | awk 'NR>2 {print $6}' | sort | uniq -c | sort -nr | head -20 || true

$ why: Availability response requires both traffic analysis and service health tracking to know whether mitigations are improving user impact.

triage-questions

?What is failing first: edge bandwidth, load balancer state tables, application worker pools, DNS, or a downstream dependency?
?Is the attack primarily network-layer volume, protocol-state exhaustion, or application-layer request flooding — and does your current mitigation match the attack type?
?Who owns the escalation to upstream ISP, CDN, or WAF provider, and have you made that call yet?
?Which business services must stay available if you can't protect everything, and what's the containment plan for the rest?
?Is there any concurrent suspicious activity — login attempts, exploit probes — that suggests the DDoS is a distraction for something else?

defender-actions.checklist

$Document DDoS escalation paths with ISP/CDN/WAF providers.
$Define emergency rate-limit and filtering options in runbooks.
$Monitor traffic composition and application health, not just bandwidth.
$Practice availability incident drills and communication workflows.
$Review dependencies (DNS, auth, APIs) for single-point exhaustion risks.

study-workflow

Learn what normal behavior looks like for this area (auth, exposure, config, or internal traffic).
Identify the logs and telemetry that should show the behavior.
Practice one safe validation in a lab or authorized environment.
Write a short playbook for detection, triage, and response.
Review the related tool guides under /learning/tools.

<- previous threat AV-08 · Ransomware and data extortion operations -> next threat AV-10 · Cloud misconfiguration and identity abuse