DDoS attack

What is a DDoS attack?

A distributed denial-of-service (DDoS) attack uses many compromised devices – a botnet – to flood a target and exhaust its capacity to serve real requests. Types include volumetric (raw traffic), protocol (connection-state exhaustion), and application-layer (expensive functions like login pages). Because the traffic arrives from thousands of sources at once, blocking by source address is ineffective.

How DDoS works and where it intersects with identity threats

DDoS is fundamentally an availability attack – it disrupts service rather than stealing data. But it touches the identity threat landscape in two ways worth understanding:

  • As cover: Attackers use a DDoS as a loud distraction, consuming the security team’s attention and degrading monitoring visibility while a quieter credential-based intrusion runs in parallel – a pattern documented in multiple ransomware campaigns.
  • Shared infrastructure: Botnets are multi-purpose. The same malware-infected devices that harvest credentials and session cookies can be tasked to flood your perimeter, so an organization under DDoS may at the same time have its users’ identity data moving through that botnet’s stream.

How do I check if my organization’s exposed identities could be used in attack infrastructure?

Run Check Your Exposure to see exposed credentials and malware-infected devices tied to your domain that could be conscripted into botnet or attack infrastructure. SpyCloud matches your domain against recaptured darknet data to surface these exposures.

Check your exposure for free →

Why an identity signal matters during a DDoS

Don’t let an availability incident tunnel your attention – that’s exactly when credential-based access slips past:

  • Attention is the target. While network defenses and responders absorb the flood, authentication anomalies get missed, and the flood itself inflates failed-login counts enough to bury the few that matter.
  • An identity signal works independently. Exposure monitoring doesn’t rely on network-layer visibility, so it keeps running even when the flood is degrading everything else.
  • It surfaces the quiet intrusion. A newly exposed credential or session for one of your users is a direct lead on the access the flood is hiding, and it can be acted on (password reset, session invalidation) while the flood is still in progress.

The three types of DDoS attack

DDoS attacks are categorized by which resource they exhaust, and the category shapes both how you mitigate and what the attack can mask:

  • Volumetric – raw traffic floods (often amplified via reflection) that saturate bandwidth. The most common and most visible.
  • Protocol – attacks that exhaust connection state, like TCP SYN floods that fill the connection tables of firewalls, load balancers and servers, without needing much bandwidth.
  • Application-layer – low-volume, targeted requests against expensive functions like login or search, crafted to look like legitimate client traffic. The hardest to filter, and because it hits the same login endpoint an attacker would use with stolen credentials, the best cover for a parallel credential-based intrusion.
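To make the point about an independent identity signal concrete, the following is an added example; it is not code from this page or from SpyCloud. It runs two detectors over a constructed login log: a volume detector that flags a window of POST /login requests as a flood when it sees many distinct sources and a high failure ratio, and an identity detector that flags any successful login from an address that user has never logged in from before. The second detector never looks at request volume, so it produces the same finding with or without the flood lines present. The log format, user names, addresses (taken from documentation ranges), the baseline cutoff and all thresholds are assumptions made for the example.

```python
"""Telling a login flood apart from the quiet credential-based login it masks.

Added illustration, not SpyCloud's code. The log format, users, addresses,
cutoff time and thresholds are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

LOG_TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample, one request per line:
#   "<time> <src_ip> <method> <path> <status> <user>"
# Three quiet baseline lines, then an application-layer flood of failed
# POST /login requests from many sources. One successful login for "alice"
# from an address she has never used before sits in the middle of the flood.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 203.0.113.10 POST /login 200 alice
2024-05-01T09:05:00Z 203.0.113.10 POST /login 200 alice
2024-05-01T09:07:00Z 198.51.100.7 POST /login 200 bob
2024-05-01T10:00:01Z 192.0.2.1 POST /login 401 alice
2024-05-01T10:00:01Z 192.0.2.2 POST /login 401 bob
2024-05-01T10:00:02Z 192.0.2.3 POST /login 401 carol
2024-05-01T10:00:02Z 192.0.2.4 POST /login 401 alice
2024-05-01T10:00:03Z 192.0.2.5 POST /login 401 dave
2024-05-01T10:00:03Z 198.51.100.200 POST /login 200 alice
2024-05-01T10:00:04Z 192.0.2.6 POST /login 401 bob
2024-05-01T10:00:04Z 192.0.2.7 POST /login 401 alice
2024-05-01T10:00:05Z 192.0.2.8 POST /login 401 erin
"""


def _to_epoch(ts):
    return datetime.strptime(ts, LOG_TS).replace(tzinfo=timezone.utc).timestamp()


def _to_iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(LOG_TS)


def parse_log(text):
    """Parse the constructed format into dicts carrying an epoch-second 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, user = line.split()
        records.append({"ts": _to_epoch(ts), "ip": ip, "method": method,
                        "path": path, "status": int(status), "user": user})
    return records


def flood_windows(records, window_s=10, min_requests=6, min_sources=5, min_fail_ratio=0.8):
    """Volume view: windows in which POST /login looks like a distributed flood.

    Many distinct sources plus a high failure ratio in a short window is the
    flood signature. Returns the UTC start time of each flagged window.
    """
    buckets = defaultdict(lambda: {"n": 0, "ips": set(), "fail": 0})
    for r in records:
        if r["method"] != "POST" or r["path"] != "/login":
            continue
        w = buckets[int(r["ts"] // window_s) * window_s]
        w["n"] += 1
        w["ips"].add(r["ip"])
        w["fail"] += int(r["status"] != 200)
    return [_to_iso(start) for start, w in sorted(buckets.items())
            if w["n"] >= min_requests and len(w["ips"]) >= min_sources
            and w["fail"] / w["n"] >= min_fail_ratio]


def known_sources(records, cutoff_ts):
    """Identity baseline: addresses each user successfully logged in from before cutoff."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff_ts and r["path"] == "/login" and r["status"] == 200:
            baseline[r["user"]].add(r["ip"])
    return baseline


def new_source_logins(records, baseline):
    """Identity view: successful logins from an address the user has never used.

    Ignores request volume entirely, so the result is the same whether or not
    a flood is in progress. A user with no baseline at all is also flagged.
    """
    return [(_to_iso(r["ts"]), r["user"], r["ip"]) for r in records
            if r["path"] == "/login" and r["status"] == 200
            and r["ip"] not in baseline.get(r["user"], set())]


def analyze(text, baseline_cutoff="2024-05-01T10:00:00Z"):
    """Run both views; the cutoff marks where the constructed baseline ends."""
    records = parse_log(text)
    baseline = known_sources(records, _to_epoch(baseline_cutoff))
    return {"flood_windows": flood_windows(records),
            "new_source_logins": new_source_logins(records, baseline)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("flood windows:     ", result["flood_windows"])
    print("new-source logins: ", result["new_source_logins"])
```

Run as-is, the flood detector flags the 10:00:00 window and the identity detector flags alice's login from 198.51.100.200. Drop the flood lines and the identity finding is unchanged. In a real deployment the baseline would come from historical authentication logs, and the "never-before-seen source" check would be correlated with an exposure feed (for example, alice's credentials or session token appearing in recaptured data), which is the signal this page is describing.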

Compromised devices are someone else’s attack tools.

See which identities tied to your domain are exposed.

Frequently Asked Questions

It floods a target with traffic from many compromised devices at once, overwhelming capacity so real requests fail. Types include volumetric, protocol, and application-layer attacks. Because the traffic comes from a distributed botnet, blocking by source address is ineffective.

Yes – DDoS is increasingly used as cover, creating disruption that consumes responder attention while a separate credential-based intrusion proceeds. In documented ransomware cases, a DDoS degraded visibility while access brokers used stolen credentials to get in. Identity-exposure monitoring keeps working independently of network-level defenses.

No. DDoS mitigation defends availability – it absorbs or filters flood traffic but has no visibility into stolen credentials or hijacked sessions. The credential-based intrusion a DDoS is covering for needs a separate detection layer: monitoring for your exposed credentials and sessions in criminal markets.
