Can a ddos attack be traced? (A comprehensive overview)

This blog post will answer the question, Can DDoS attacks be traced. It will also cover what DDoS attacks are and its type. Explaining how such an attack can happen,and discussing the methods used to trace this attack.

Can a DDOS attack be traced?

Yes, DDoS attacks can be traced. Tracing DDoS attacks can be difficult but not impossible. DDoS stands for Distributed Denial of Service and it is a type of attack where the cyber criminals flood the network resources with a colossal amount of malicious traffic, that the network can’t operate normally, eventually paralysed. 

When the network is overwhelmed by such an attack , it is rendered inoperable. 

Tracking down the culprit of a DDoS attack is a particularly vexing problem, and the whole notion of obfuscation and onion routing and finding the source has become extremely significant.  DDoS attacks are carried out using multiple computers, making it very hard to trace it back to its source. 

What are DDos Attacks?

DDoS attack is a malicious attempt to disrupt normal functioning of a server, service or a network. Malicious actors use a combination of multiple connected online devices(botnets) to direct traffic towards the victims network to overwhelm the network’s maximum bandwidth, resulting in breakdown of all normal services. 

DDoS is a simple yet very powerful and an effective method to damage network resources of an organization. It is fueled by less secure devices and bad digital habits of careless people. 

DDos attacks are incredibly difficult to prevent and mitigate, considering its distributed nature and the huge number of devices that are involved in carrying such an attack.

How does a DDoS attack work?

Cybercriminals exploit less secure devices including computers, mobile phones, and other IOT devices by infecting them with malware. Each individual infected device is called bots or zombies. These infected devices form an interconnected network called botnets

The malware installed in these devices allows the hacker to control these botnets remotely. 

Once a huge network of zombies is established the attacker is able to direct traffic to the victims server by utilizing individual devices’ resources. 

When a specific victim has been targeted by the botnet, it sends continuous requests to the target IP address, potentially overwhelming the server or network and disrupting its normal service causing a denial-of-service to its legitimate end users. Since each bot in a botnet is a legitimate internet device, it’s extremely strenuous to differentiate attack traffic and normal traffic. 

Types of DDoS attacks

To understand the different types of DDoS attacks, it is important for us to understand how the network connections work. DDoS attacks are targeted at distinct components of a network connection.

On the internet, a network connection is established using various layers, each of which are integral for a connection to happen. These layers are described by a conceptual framework known as OSI model

 Fig 1. The OSI Model

Application Layer Attack

In application layer attacks, cybercriminals target the top most layer of the OSI model, where applications access the network services. The motive here is to exhaust the victims resources causing a denial of service. 

This attack targets the servers’ layer where web pages are generated and delivered in response to  HTTP requests. When a colossal amount of HTTP requests are made to the server, it gets saturated. This results in an unresponsive server.

This type of attack is difficult to mitigate since it’s hard to differentiate normal traffic from malicious traffic.

Protocol Attack 

This type of an attack is carried out by exploiting the weaknesses in  layer 3 or 4 of the OSI model. The attacker’s goal here is to deplete network resources of the target’s network infrastructure.  The hacker tends to disrupt service by over-consuming the network components  such as firewalls, load balancers or switches/routers. 

Volumetric attack

In a volumetric attack, the cybercriminal attempts to cause congestion between the target and its end users by consuming all the available bandwidth. Large amounts of data is sent to the victim by the botnet by creating massive traffic. This results in bandwidth exhaustion and renders the network inoperable.

How to prevent a DDOS attack

Tracing a DDoS attack

The first step, during a DDoS attack is not to trace the attacker, rather to try and reduce the damage, and the priority should be to mitigate the attack. Redirecting the traffic to a CDN ( Content Delivery Network) reduces the intensity of the network traffic.

Using an intelligent WAF( Web Application Firewall ) that has the capability to take all the traffic in and recognize attack patterns will significantly reduce the power of a DDos attack. 

Tracing back a DDoS attack can be extremely strenuous and would require a tremendous amount of energy and resources. As we discussed above, attackers hide behind a colossal army of bots.

An Ip address traceback can be performed to drill down on suspicious ip addresses and neutralize malicious bots in an hope to reach the source. 

Ip address traceback can be performed in 3 particular ways

Apart from Ip address traceback, analysis of upstream traffic of a specific device  helps in identifying source IP address, destination IP address, source port, destination port, total volume, number of packets, and protocol. This information is critical in identifying the complete botnet.

Performing forensic detection also helps root out much valuable evidence, Forensics uses trace evidence to attempt to reconstruct an attack from beginning to end. Sometimes going as deep as possible into the affected network or server will give forensics valuable information. 

But determining the source of DDoS is not an easy thing to do. Most DDoS-ers are masters at hiding and creating smokescreens to protect their true identity.

Thus it is very significant to be aware of such attacks and take preventative steps.  Having a proactive DDoS mitigation strategy is also an important step in achieving safety from such cyber attacks.


This blog post addressed the question, can DDoS attacks be traced? We understood what a DDoS attack is and how such attacks can be performed. We also talked about the different network layers that can be affected by such attacks. The article also discussed in detail about the types of DDoS attacks. It outlines how to trace a DDoS attack and its methods. 

Please feel free to raise questions or express your opinions about the article in the comments section below. 

Frequently Asked Questions (FAQs): Can a DDoS attack be traced?

Are DDoS attacks traceable?

Yes. DDoS attacks are traceable. It is a very strenuous job to find the source of the DDoS attack or the person who started the attack, but with the right procedures and use of advanced tools, a DDoS attack can be traced back to its source. 

Why is it so difficult to trace DDoS attacks?

It is very difficult to trace DDoS attacks because of its distributed nature. A DDoS attack uses several thousand devices to form a botnet which collectively directs data traffic towards the target. The attacker or the source of this attack hides behind this large army of bots. The devices used in this attack are legitimate internet devices which make it difficult to trace them.

How do you know if you are getting Ddosed?

There are several symptoms that are detected when a network is DDoSed. 

  • An IP address makes many requests over a few seconds.
  • Your server responds with a 503 due to service outages.
  • The TTL (time to live) on a ping request times out.
  • If you use the same connection for internal software, employees notice slowness issues.
  • Log analysis solutions show a huge spike in traffic.

What happens when you get Ddosed?

When you get DDoSed your network resources get depleted and your network renders inoperable. The normal services provided by your network, server, or a service gets disrupted resulting in a denial-of-service to your customers or end users.

How long do DDoS attacks last?

A typical DDoS attack can last from upto 24 hours or until the attacker stops the attack. Sometimes you can be under a DDoS attack whilst running your organization, minimizing losses and as a damage control mechanism. 

Can VPNs stop DDoS attacks?

Yes VPNs can technically stop DDoS attacks. When your IP address is hidden a botnet cannot locate your network, making it much harder for the attacker to find a target. 


A. Chonka, W. Zhou, J. Singh and Y. Xiang, “Detecting and Tracing DDoS Attacks by Intelligent Decision Prototype,” 2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications (PerCom), 2008, pp. 578-583, doi: 10.1109/PERCOM.2008.76.

V. Aghaei-Foroushani and A. N. Zincir-Heywood, “Investigating unique flow marking for tracing back DDoS attacks,” 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), 2015, pp. 762-765, doi: 10.1109/INM.2015.7140370

What Is a DDoS Attack and How to Stay Safe from Malicious Traffic Schemes

Leave a Comment