What is DDos attack and why?

Started by akeelow, Jul 08, 2022, 05:28 AM

Previous topic - Next topic

akeelowTopic starter

Please tell me who is the subject of the matter. There's a website that has been consistently receiving what seems to be a DDos attack for the last couple of months. The attack comes in the form of 300-400 thousand calls from different IP addresses within about 5 minutes, followed by a 70-minute break, and then the process repeats for a day or two before the attacker goes silent again.

The server is affected by the attack, but not for very long as Google does not have enough time to catch 503 errors. However, another side effect has been observed: in analytics, the source of traffic from search engines completely disappears, with all traffic being counted as internal transitions. This raises the following questions:

1. Why does this happen, causing the search engine to confuse the traffic source?

2. What is the purpose behind these attacks?

3. With up to 35 million hits per day, it is highly unlikely that this is just idle chatter. Is someone deliberately spending money to cause this disruption?

Thank you all in advance!


It's possible that a hacked site may initiate a job through a GET request. This could range from counting bitcoins to launching a DDOS attack on another site. Alternatively, a hacker could determine which GET parameter would lead to a result and exploit it to perform a hack.

Instances of strange modules, nulled themes, and nulled CMS being installed on the current user's hosting are not uncommon.

To investigate such attacks, one could analyze script activity during the attack, as well as outgoing connections and mail service activity.


An interesting situation that I have already somehow encountered. If we exclude the "order from competitors", I would consider the option of someone testing a technique for attacking sites like yours.
Also, I would try to somehow measure the load on the CPU or GPU at the time of the attack, maybe someone is mining...


Common targets of website attacks include stealing confidential and secret information, disabling or deleting websites, replacing website content, and placing advertising information. Web server attacks can be divided into two categories: local and global. Local attacks typically steal information or intercept control on a separate web server, while global attacks target multiple sites with the goal of infecting all their visitors.

The most dangerous types of network attacks include phishing, which involves sending fake emails containing links to known resources and redirecting users to fake pages where they enter their personal and confidential information. Spoofing is a type of phishing attack that replaces a known URL page with an attacker's page via DNS. Trojan Horse (Spyware) is software that records all keystrokes and takes screenshots to transmit the data to a remote host. Spyware programs track the actions of hosts where they are embedded, allowing attackers to gain access to confidential information.

Web servers can be hacked using several different methods, such as SQL injection, malicious advertising, redirects of search results, virtual web hosting vulnerabilities and cross-site scripting. Protection from internet attacks requires server-side protection through careful programming, checking incoming http requests and client-side protection through regularly updated antivirus software.

Zhess Flatcher

It looks like you have either not encountered or rarely encountered DDoS attacks before. Your story is a prime example of a DDoS attack. I won't describe what types of attack, but I'll say that traffic is not always obvious even for Google - it goes through proxy channels and can appear both through a direct link and through an advertising campaign. To avoid further server freezes, you need to use a good firewall. Cloud services with filters do this task best of all.


Most likely these are your competitors and in this way they want to harm you. You can google about protection against DDoS attacks on the Internet, useful thing in such cases. In addition, it is desirable to reduce the number of links to external resources, because they create an additional load on the server.


This attack involves a large number of calls from various IP addresses within a short period of time, followed by a break before the process repeats. The server is affected by the attack, although Google doesn't have enough time to catch 503 errors. Additionally, the attack has caused a disappearance of traffic sources in analytics, with all traffic being counted as internal transitions.

Now, let's address your questions:

1. The reason that the search engine may be confused about the traffic source is that the DDoS attack floods the website with a massive number of requests, making it difficult for the search engine to identify the legitimate traffic sources amidst the attack.

2. The purpose behind these attacks can vary. Some potential motives include attempting to disrupt the website's operations, cause financial losses, or hinder the website's reputation. It's not possible to determine the exact intention without further information.

3. Given the high volume of hits per day and the sustained nature of the attack, it is unlikely that this is just random idle chatter. It suggests that someone may be intentionally investing resources and money to orchestrate this disruption.

DDoS attacks, short for Distributed Denial of Service attacks, are designed to overwhelm a website or online service by flooding it with a massive amount of traffic. The goal is to make the target system or network inaccessible to legitimate users. In the case you described, the attack involves hundreds of thousands of calls from different IP addresses within a short time frame, followed by intervals of silence before the attack resumes.

The reason for the 70-minute break between the attack intervals is unclear. It could be that the attacker takes breaks to avoid detection or to regroup resources for the next wave of attacks.

As for the impact on analytics, the DDoS attack is likely causing the search engine to misattribute the source of the traffic. Since the attack floods the website with requests, the search engine may struggle to accurately determine the actual referral sources. Instead, all traffic is counted as internal transitions within the website, leading to the disappearance of traffic sources from search engines in the analytics data.

Determining the purpose behind these attacks can be challenging without more information. Possible motivations include competitor sabotage, activism, extortion attempts, or simply causing disruption for the sake of it. Investigating the motives behind the attack would require a more detailed analysis and potentially involving law enforcement if necessary.

Given the scale of the attack, it is reasonable to assume that someone is deliberately spending resources, such as botnets or networks of compromised computers, to carry out this disruption. The attacker may have access to significant computing power or may have enlisted a network of compromised devices to generate the high volume of traffic.

It is important to note that dealing with DDoS attacks can be complex and requires expertise in network security and mitigation techniques. Seeking assistance from cybersecurity professionals or specialized DDoS mitigation services can help mitigate the impact of such attacks and protect the website from further damage.