
What is a DDoS attack?

“Almost every second cyberattack (46%) on European financial firms is a DDoS attack” – Myra Cybersecurity Report H1 2025
 
For more than 20 years, criminals have been using DDoS attacks to deliberately harm companies and institutions. Due to their immensely powerful nature, they are an incalculable and very serious threat. Thanks to Myra DDoS protection, your IT infrastructure is safe.


01

What is “DDoS”?

A DDoS attack is a special type of cybercrime. As its name says, a Distributed Denial of Service (DDoS) attack is a Denial of Service (DoS) attack that is “distributed.” Denial of service means that a requested service is no longer available or is available only to a very limited extent. In most cases, this is caused by an intentional overloading of the IT infrastructure. Attackers use this type of cybercrime to extort money from vulnerable organizations. They may also use it to carry out, cover up, or plan other criminal activities.


02

What Does a DDoS Attack Look Like?

A DDoS attack follows a typical pattern in which attackers usually use botnets to build up and trigger massive data traffic against a target. Cyber criminals usually proceed as follows:

  1. Compromise devices: Attackers infect many computers and devices with malware.

  2. Build a botnet: The compromised devices are linked together and remotely controlled.

  3. Launch the attack: The botnet floods the target server or service with countless requests.

  4. Overload the infrastructure: Servers and internet connections become saturated and can’t process legitimate traffic.

  5. Cause disruption: Websites and applications slow down drastically or go completely offline.


03

What Methods Do Attackers Use?

Cybercriminals use different kinds of DDoS attacks. The methods can be grouped by the layers they target. This is based on the Open Systems Interconnection (OSI) model for network protocols.

 

One of the most common methods is to overload system resources or network bandwidths (layers 3 and 4). In the last few years, there has been a trend among cybercriminals to shift attacks to the user level (layer 7). But the patterns and bandwidths of DDoS attacks change on a daily basis. With the right DDoS security measures, you are protected against all attack patterns.

DDoS Attacks on Layers 3 and 4

TCP SYN floods and UDP-based reflection attacks are among the most frequent attacks on the network and transport layer (layers 3 and 4). Other common attack methods are:

  • ICMP flood

  • UDP fragmentation

  • UDP amplification through DNS

  • NTP

  • rpcbind

  • SSDP

  • ACK flood

  • RST flood

All of these attacks either overload the target with very high bandwidth or enormous packet rates. Legitimate attempts to access the data channel to establish communication are no longer possible.

In a SYN-ACK flood attack (or SYN and ACK floods), for example, a botnet remotely controlled by attackers bombards a server with SYN packets. SYN packets are normally part of the three-way handshake that takes place when a TCP connection is set up between a client and a server. A SYN/ACK attack creates many half-open connections by sending lots of SYN packets but no ACK packets to complete the connection. As a result, no new connections can be established and the website is no longer accessible.
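The half-open connections described above are visible on the server as sockets in the SYN-RECV state. The following is an added example, not part of the original page or of any Myra product: it parses a constructed `ss -tan`-style snapshot and reports half-open sockets per listening port. The queue size of 128 and the 80% alert fraction are assumptions; on Linux the real queue limit is governed by `net.ipv4.tcp_max_syn_backlog`.

```python
from collections import Counter, defaultdict

def build_snapshot(half_open):
    """Constructed `ss -tan`-style snapshot using documentation address ranges."""
    rows = [
        "State     Recv-Q Send-Q Local Address:Port  Peer Address:Port",
        "LISTEN    0      128    0.0.0.0:443         0.0.0.0:*",
        "ESTAB     0      0      192.0.2.10:443      198.51.100.7:51514",
        "ESTAB     0      0      192.0.2.10:443      198.51.100.8:40022",
    ]
    rows += [f"SYN-RECV  0      0      192.0.2.10:443      203.0.113.{i + 1}:{1024 + i}"
             for i in range(half_open)]
    return "\n".join(rows)

def parse_sockets(text):
    """Yield (state, local_port, peer_ip) for every socket row after the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def assess_half_open(text, syn_queue=128, alert_fraction=0.8):
    """Summarise half-open (SYN-RECV) sockets per listening port."""
    half_open, established = Counter(), Counter()
    sources = defaultdict(set)
    for state, port, peer in parse_sockets(text):
        if state == "SYN-RECV":        # SYN received, final ACK never arrived
            half_open[port] += 1
            sources[port].add(peer)
        elif state == "ESTAB":         # handshake completed
            established[port] += 1
    return {
        port: {
            "half_open": count,
            "established": established[port],
            "distinct_sources": len(sources[port]),
            # Assumed rule: alert once half-open sockets fill most of the SYN queue.
            "alert": count >= syn_queue * alert_fraction,
        }
        for port, count in half_open.items()
    }

if __name__ == "__main__":
    print(assess_half_open(build_snapshot(3)))    # normal handshake churn
    print(assess_half_open(build_snapshot(120)))  # queue almost full
```

Many distinct sources with one half-open socket each, next to very few established connections, is the pattern to watch for; a per-source counter alone would miss it.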

Myra Network DDoS Protection defends IT infrastructure from volumetric attacks at the network and transport layers. Detailed traffic analyses are provided by automatic flow monitoring. The failover of affected networks in case of an attack is fully automated.

DDoS Attacks on Layer 7

DDoS attacks on the application layer (layer 7) target existing connections. They are now one of the most common attack types. HTTP GET, POST, and other flood attacks as well as low and slow attacks are particularly popular with cybercriminals. They seek to penetrate the weakest component of an infrastructure, causing an overload of the web application.

An attacker might launch an HTTP GET flood attack. This sends a huge number of requests to a web server, targeting pages that have high load volumes. This causes the server to overload and it is no longer able to process legitimate requests. As a result, the website is no longer accessible to users.

Attacks on the application layer are usually not detected by the sensors used to protect the network and transport layers. Since they consist of standard URL requests, flood attacks are difficult to distinguish from normal traffic. Layer 3 and 4 protection systems, for example, cannot distinguish between an HTTP GET flood attack and a valid download. Accordingly, securing a web application requires IT security on all relevant layers. Specifically, attacks aimed at stealing sensitive data can only be detected and fended off by using Layer 7 protection.
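Because each request in an HTTP GET flood is a valid URL request, detection has to look at aggregate behaviour in the web server log rather than at single packets. The following is an added example, not part of the original page or of any Myra product: it scans constructed Common Log Format lines with a sliding window and flags paths whose combined GET rate is abnormal even though no single client exceeds a per-IP limit. The window length and both limits are assumed values.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip - - [time] "METHOD url PROTO" status bytes
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')

def parse(line):
    """Return (time, client_ip, method, path without query string) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, url = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return when, ip, method, url.split("?", 1)[0]

def find_get_floods(lines, window=timedelta(seconds=10), path_limit=50, ip_limit=20):
    """Flag paths whose GET rate across all clients exceeds path_limit per window.

    Expects log lines in chronological order, as a web server writes them.
    """
    recent = defaultdict(deque)  # path -> (time, ip) entries still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "GET":
            continue
        when, ip, _, path = rec
        q = recent[path]
        q.append((when, ip))
        while when - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        peak = flagged.get(path, {}).get("peak_requests", path_limit)
        if len(q) > peak:
            per_ip = Counter(src for _, src in q)
            flagged[path] = {
                "peak_requests": len(q),
                "distinct_clients": len(per_ip),
                # Clients a simple per-IP rate limit would have caught.
                "clients_over_ip_limit": sum(c > ip_limit for c in per_ip.values()),
            }
    return flagged

def sample_log():
    """Constructed log: 5 normal page views plus 120 GETs from 60 clients in 6 s."""
    base = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=12 * i), f"198.51.100.{i + 1}", "/index.html")
              for i in range(5)]
    events += [(base + timedelta(seconds=20, milliseconds=50 * i),
                f"203.0.113.{i % 60 + 1}", f"/search?q={i}") for i in range(120)]
    events.sort()
    return ['{} - - [{}] "GET {} HTTP/1.1" 200 5120'.format(
        ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), url) for t, ip, url in events]

if __name__ == "__main__":
    for path, info in find_get_floods(sample_log()).items():
        print(path, info)
```

In the constructed log, `/search` is flagged with zero clients over the per-IP limit, which shows why per-client rate limiting alone does not catch a distributed flood.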

Myra DDoS Protection protects web applications on layer 7 fully automatically. Myra offers complete traffic visibility. This allows for smart load balancing and reliable site failover. As a result, response times are fast and dependable.

04

Case Study: DDoS Attack Wave Before Austrian National Elections

In September 2024, DDoS attacks on Austrian organizations rose sharply due to the national elections. On 16 September, the Austrian Computer Emergency Response Team (CERT.at) issued a warning about a major DDoS attack campaign targeting authorities and organizations in the country.

 

Websites of ministries, administrative authorities, energy suppliers, public transport systems, and political parties were hit hard. The attacks caused temporary outages at key institutions. This included the ÖVP and SPÖ party websites, the Ministry of Defense, the Austrian Court of Audit, and the Public Employment Service (AMS), as reported by the media.

 

Thanks to Myra's protection systems, a central state authority was able to fend off a 24-hour attack so that no consequences were recorded. The graphic on the left shows how the attack flows. The attackers try to paralyze the servers in waves and use different attack methods.

05. Who Are the Attackers?

The motives of the attackers are varied. They range from blackmail and destruction to political protest or boredom. The goal is always the same: slow down and paralyze targeted applications and infrastructures with fake requests.


Script Kiddies

The term “script kiddies” refers to cyber attackers with basic skills. They rely on ready-made tools and free scripts to carry out their attacks. Even though they’re called “amateurs,” their actions can lead to serious harm. This is especially true if the targeted applications and infrastructures lack proper protection systems.


Cybercriminals & Hacktivists

The absolute majority of all DDoS attacks are carried out by cybercriminals and hacktivists. Cybercriminals mainly aim for money, like extorting ransom. In contrast, hacktivists want to create damage and gain public attention to push their political agenda. This often leads to uncertainty among people.


State-Sponsored Cyber Actors

In hybrid warfare, cyber actors from authoritarian states use DDoS attacks. They aim to destabilize the infrastructure of enemy countries. For example, attacks on energy suppliers and government networks are rising. This trend follows recent geopolitical tensions. Such attacks are often part of larger cyber warfare strategies.

06

Targets of DDoS Attacks

DDoS attacks are not just a technical challenge; they are often part of a larger strategy by cybercriminals. The targets of these attacks can vary. It's important to know the motives behind them. This understanding helps in taking effective security measures.

Blackmail and financial motivation

A widespread aim of DDoS attacks is to blackmail companies. Attackers often use DDoS attacks as leverage to demand a ransom. They threaten to disrupt a company's services for a certain period of time unless they receive payment. This can be particularly devastating for companies that rely on their online presence.

Damage to reputation and crowding out competition

DDoS attacks can also be used to damage a company's reputation. If a company is offline during an attack, this can deter potential customers and damage credibility. In highly competitive industries, some companies use DDoS attacks. They do this to hurt their rivals or take away market share.

Spreading political or activist messages

Sometimes DDoS attacks are a tool of activism. Groups campaigning for social or political change use DDoS attacks to draw attention to their causes. These so-called “hacktivists” see their actions as forms of protest, even if in many cases they enter legal and ethical gray areas.

Distraction for other attacks

DDoS attacks can also be used as a distraction to carry out other, more subtle attacks. As the IT department works to stop the DDoS attack, attackers might try to break into the network and steal sensitive data. This tactic underscores the need for a holistic approach to security that does not view DDoS protection in isolation.

Exploring vulnerabilities

Another reason for DDoS attacks can be the intention to test a company's defense mechanisms. Cybercriminals can use DDoS attacks as a way to find out how well a company responds to such threats and what vulnerabilities may exist.


07

Which Industries Are Affected?

Any industry and any company can be the victim of a DDoS attack, regardless of its size. The question is when—not whether—an attack will be leveled against your company and how quickly it will be discovered. Cybercriminals and extortionists mainly target:

  • Banks and financial service providers

  • Public administration

  • Institutions in the healthcare sector

  • Insurance companies

  • Critical infrastructure (KRITIS) operators

  • Manufacturing industry

  • E-commerce companies

  • Media

Data centers are also preferred targets of DDoS attackers. Criminals have motives that go beyond just money. They aim to paralyze production plants, disrupt energy supply, and influence reporting.

08. What Are the Consequences of an Attack?

An attack always harms affected companies and institutions, regardless of which method is chosen. Victim organizations still suffer from the consequences even years later. It is therefore extremely important to be adequately protected against DDoS attacks.


Economic Damages

A few minutes offline can quickly cost thousands of euros. Lost profits and wasted marketing budgets are only one example of the financial damages suffered.


Image Damage

The extent of damage to a company’s reputation caused by a successful DDoS attack is incalculable. Recovery costs a great deal of resources and may take years.


Data Theft

During a DDoS attack, systems no longer operate normally. The heavy load or overload causes some systems to suddenly become vulnerable and opens up new vectors of attack.

09

How to prevent DDoS attacks

DDoS mitigation requires the use of special protection technologies. These are available both as an appliance for use on premises and as a SECaaS service. The latter variant is not throttled by the available bandwidth of the company’s own connection and can therefore be used much more flexibly. Anti-DDoS solutions filter incoming traffic. They help tell valid requests from harmful ones. Frequent targets of DDoS attacks keep their security measures on all the time. Other companies, however, use these solutions only when needed to save costs and effort.


Myra uses automatic packet inspection to block malicious traffic in the event of an attack.

DDoS Protection on the application level

Malicious traffic flows are blocked by multi-level filter layers. Valid requests, on the other hand, continue to reach your infrastructure as usual via a redundant HTTP/S reverse proxy.



10

When is DoS/DDoS a criminal offense?

In Germany, DoS and DDoS attacks on internet services count as computer sabotage. This falls under Section 303b of the Criminal Code (StGB) and is punishable by law. It is irrelevant whether the attack has a criminal intent (e.g. for ransom demands) or takes place as part of a politically motivated act of protest. In some countries, downloading or possessing DoS or DDoS software is itself a criminal offense. Such attacks may generally only be within the law when applied to one’s own hardware on one’s own network. Exceptions apply to hired security auditors as part of penetration testing.

11

Evolution of DDoS attacks

DDoS attacks are becoming increasingly intensive, specialized and automated. In the past, DDoS attacks were simply designed to flood data. Today, they are technically sophisticated, automated multi-vector attacks.

Here is an overview of the three most relevant DDoS trends:

1. Technological Development and Escalation

The recent record attacks with load peaks of up to 11.5 TBit/s show how much the level has risen. Modern attacks use various methods to circumvent protection mechanisms and achieve maximum impact. Typical approaches include reflection and amplification techniques (e.g. via open DNS or NTP services) or carpet bombing. This involves overloading many ports at the same time.

2. AI and Automation

Artificial intelligence plays a central role when it comes to attacks. With the help of AI tools, attackers can find vulnerabilities and adapt their attacks to the target's defenses. Botnets often consist of thousands of devices such as IoT, server and router devices. They are the technical basis for gigabit and terabit attacks.

3. DDoS-as-a-Service

Another trend is DDoS-as-a-Service. This enables complex and scalable attacks even for less technically experienced players. Politically motivated attacks, hacktivism and attacks on critical infrastructures and financial service providers are increasing significantly due to DDoS-as-a-Service.

Fundamental Impact and Challenge of DDoS

There are more and more attacks. They are getting bigger and bigger and lasting longer and longer. The most massive attacks already exceed the 10 TBit/s mark. They reach a packet rate in the multi-billion range. The attacks are often orchestrated in waves that last several days or weeks. In addition to websites, the target now also includes APIs, authentication servers and backend infrastructures. This leads to major disruptions and service interruptions.

Attack techniques are getting better and better. It is therefore no longer enough to protect yourself reactively. It's about arming yourself against attacks and constantly improving security. In this way, companies and infrastructures can better deal with the dangers from the Internet.

12

AI Botnets and AI Operators Increase DDoS Risk

Large language models (LLMs) and other AI tools are making cyber threats worse. Attackers are using advanced technologies to hide DDoS attacks. They change their methods to get around existing defenses. Also, they look for weaknesses in applications and infrastructures.

The use of AI-supported attack tools is exacerbating the DDoS threat situation immensely. Cybercriminals are increasingly using AI-optimized amplification attacks (intelligent amplification attacks) to ensure that attacks have maximum impact with minimal use of resources - for example, by dynamically adapting attack vectors in a matter of seconds. In addition, cyber actors benefit from the use of AI-supported solutions through largely automated and more efficient orchestration of attacks, botnets and attack vectors.

Intelligent attack systems are also able to specifically bypass defense mechanisms such as rate limiting and firewalls. They recognize vulnerabilities and flexibly adapt their attack patterns, which enables the development of auto-evasive attack tactics. In addition, particularly complex and difficult-to-detect attacks can be carried out that increasingly undermine traditional protective measures. Last but not least, AI ensures the autonomous and effective management of botnets, significantly increasing their resilience and attack potential.

13

Why the IoT is a DDoS accelerator

The term IoT (Internet of Things) includes many connected devices. These range from home items like IP cameras to industrial systems and smart controls in public infrastructure. Because these devices connect to the internet, they attract cybercriminals. They can be used for DDoS attacks and more. To take control of IoT devices, cybercriminals use malware that spreads on its own through networks. The goal is usually to compromise as many systems as possible in order to use them for botnet attacks. One popular example of this kind of malicious software is the malware Mirai, used by cybercriminals to set up botnets. Mirai is associated with the attack on the internet service provider Dyn in 2016. A network of thousands of IP cameras, printers, smart TVs, and other devices launched a DDoS attack. This crippled Dyn's servers for hours.

14

Insights from the Myra Security Operations Center

Myra, as a specialist protection service provider for organizations in highly regulated industries, provides an accurate picture of traffic developments in areas such as finance and insurance, healthcare, the public sector and critical infrastructure (KRITIS).
 

 In the first half of 2025, Myra’s Security Operations Center (SOC) recorded:

  • An overall decline of 18.5% in malicious requests compared to the previous year.

  • Despite the decline, massive attack waves in February (+6%) and June (+6.6%), exceeding the already high levels of 2024.

  • Increasing attack sophistication and targeting, with financial institutions (40% of all attacks) and technology companies (38%) most frequently affected.

  • The longest documented attack lasting nearly two days (46 hours), highlighting the growing persistence of attackers.

 
The malicious traffic observed included not only DDoS attacks, but also bot attacks and targeted attempts to exploit applications via techniques such as SQL injection (SQLi) and cross-site scripting (XSS).
 
These findings underscore a clear trend: while the quantity of attacks has slightly decreased, the quality, intensity, and duration of attacks continue to rise — requiring resilient, multi-layered defenses.


About the author

Stefan Bordel

Senior Editor


Stefan Bordel has been working as an editor and technical writer at Myra Security since 2020. In this role, he is responsible for creating and maintaining website content, reports, whitepapers, social media content and documentation. This role allows him to bring his extensive experience in IT journalism and technical knowledge to an innovative cyber security company. Stefan previously worked at Ebner Verlag (formerly Neue Mediengesellschaft Ulm) for 7 years and joined the online editorial team at com! professional after working for Telecom Handel. He gained his first journalistic experience during various internships, including at the IT website Chip Online. As a passionate Linux user, he follows the IT scene closely, both privately and professionally.