What is a Volumetric Attack?
A volumetric attack is a type of Distributed Denial of Service (DDoS) attack that attempts to consume all available bandwidth of a target’s network or service. The goal is to create congestion by sending a massive volume of traffic, overwhelming the target’s capacity and making it inaccessible to legitimate users.
This method is fundamentally a brute force approach to disruption. Instead of exploiting a subtle software vulnerability, a volumetric attack simply throws an overwhelming amount of data at a target. The aim is to clog the digital ‘pipe’ that connects the target’s network to the wider internet.
When this pipe is full, legitimate traffic has nowhere to go. Customer requests, API calls, and internal communications all get dropped. The result is a complete service outage, even if the servers themselves are running perfectly fine.
The origins of these attacks are tied to the growth of the internet itself. Early versions were simple ‘packet floods’ from a handful of machines. As internet connection speeds increased, so did the potential scale of these attacks, evolving into the massive, distributed threats we see today.
Their significance lies in their relative simplicity and high impact. An attacker with access to a botnet can launch a devastating attack with minimal technical sophistication. This accessibility makes volumetric attacks a common tool for cybercriminals, hacktivists, and other malicious actors.
How a Volumetric Attack Works: The Technical Mechanics
The core principle of a volumetric attack is saturation. Every network connection has a finite capacity, measured in bits per second (bps). An attacker’s goal is to send more bits per second than the target’s network, or its upstream internet provider, can handle.
These attacks are often measured in Gigabits per second (Gbps) or even Terabits per second (Tbps). To put this in perspective, a standard business internet connection might handle 1 Gbps. Modern volumetric attacks can exceed 1 Tbps, a thousand times more traffic than a typical business line can withstand.
To generate this incredible amount of traffic, attackers rarely use a single computer. Instead, they rely on a botnet. A botnet is a network of thousands or even millions of compromised devices, such as PCs, IoT devices, and servers, controlled by a single attacker.
Each device in the botnet, known as a ‘zombie’, is instructed to send traffic to the victim’s IP address simultaneously. The collective output of these devices creates a flood of data that is impossible for most targets to absorb. The attacker stays anonymous, hidden behind this army of hijacked machines.
Attackers use several specific methods, or vectors, to create this flood. Each vector exploits different aspects of how the internet works. Understanding these methods is key to building a proper defense.
The choice of vector often depends on the attacker’s resources and the specific defenses of the target. Some methods are easier to launch but also easier to block, while others require more setup but can be far more effective at bypassing simple security measures.
This constant evolution of attack vectors creates a continuous challenge for network defenders. What works to stop one type of attack may be completely ineffective against another.
UDP Floods
One of the most common types of volumetric attacks is the User Datagram Protocol (UDP) flood. UDP is a connectionless protocol, meaning it doesn’t require a handshake to establish a connection before sending data. It’s designed for speed over reliability, used in services like video streaming or online gaming.
An attacker exploits this by sending a huge number of UDP packets, usually with spoofed source addresses, to random ports on a target server. For each packet the server checks whether an application is listening on that port; when none is, it replies with an ICMP ‘Destination Unreachable’ (port unreachable) message.
Processing this flood of bogus UDP packets and generating the ICMP replies consumes the server’s resources, although most operating systems rate-limit those replies. More importantly, the sheer volume of incoming UDP traffic saturates the network link in front of the server, which is where the denial of service actually occurs. The random destination ports and forged source addresses also leave a simple filter nothing stable to match on.
ICMP Floods
An Internet Control Message Protocol (ICMP) flood, often called a Ping Flood, is another classic vector. ICMP is used for network diagnostics, most famously by the ‘ping’ command, which sends an ‘echo request’ to a target to see if it’s online. The target then replies with an ‘echo reply’.
In an ICMP flood, an attacker uses a botnet to send a massive number of ICMP echo requests to the target. The target server must use its resources to process each request and send a reply. This two-way traffic quickly consumes both incoming and outgoing bandwidth, choking the network link.
Amplification Attacks
Amplification attacks are a more sophisticated and dangerous form of volumetric assault. They allow an attacker to use relatively little of their own bandwidth to generate a much larger volume of traffic directed at the victim. This is achieved by exploiting publicly accessible, poorly configured servers.
The process involves three participants: the attacker, the victim, and the intermediary servers being exploited (called reflectors). The attacker sends a request to these reflectors using a spoofed source IP address, which is the IP address of the intended victim. Spoofing works because UDP requires no handshake, so the reflector never confirms who sent the request, and because many networks still do not validate the source addresses of packets leaving them.
The key is that the reflectors are chosen because their response to the request is significantly larger than the request itself. This size difference is the ‘amplification factor’. When the reflector sends its large response, it doesn’t go to the attacker; it goes to the spoofed IP address, which is the victim’s.
By sending small requests from thousands of botnet machines to thousands of reflectors, the attacker multiplies their traffic volume many times over. This creates a colossal flood of unsolicited data that slams into the victim’s network.
Commonly exploited services for amplification include:
- DNS (Domain Name System): An attacker can send a small DNS query and receive a very large response, achieving amplification factors of 20x to 70x.
- NTP (Network Time Protocol): This protocol, used for synchronizing clocks, can be exploited to generate responses up to 550x the size of the initial request.
- Memcached: An in-memory caching system whose UDP interface was left exposed to the internet on many servers. It has been notoriously abused, with a single small request eliciting responses tens of thousands of times larger; amplification factors exceeding 50,000x have been observed.
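The three-party exchange described above, as an added example that is not code from the original article: a DNS reflector simulated in Python, with the query and response built to the RFC 1035 and RFC 6891 wire format, the attacker’s spoofed request, the reflected response, and the byte count on each side. Every address, the botnet’s prefix and the reflector’s canned TXT answer are assumptions made for the example. The ingress filter at the end models BCP 38 source-address validation, the control at the botnet’s upstream that stops spoofed packets from leaving in the first place.

```python
"""Reflection and amplification, simulated end to end.

Added example, not code from the original article. The three parties from the
text: an attacker who writes the victim's address as the source of its requests,
a reflector (here a DNS resolver) that answers whoever the packet claims to be
from, and the victim that absorbs the replies. Addresses, the botnet prefix and
the reflector's canned answer are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress
import struct


@dataclass
class Packet:
    src: str        # source address the packet *claims*; UDP never verifies it
    dst: str
    src_port: int
    dst_port: int
    payload: bytes


def build_dns_query(name: str, qtype: int = 255, edns_size: Optional[int] = 4096) -> bytes:
    """Minimal DNS query (RFC 1035). qtype 255 is ANY, the classic choice because
    the answer is large. The optional EDNS0 OPT record (RFC 6891) advertises a big
    UDP buffer so the reflector sends the whole answer in one datagram."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                   # QTYPE, QCLASS=IN
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # id, RD flag, counts
    opt = (b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)) if edns_size else b""
    return header + question + opt


def _question_end(msg: bytes) -> int:
    """Offset just past the question section (name labels + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def build_dns_response(query: bytes, max_records: int = 12) -> bytes:
    """What the reflector sends back: the question echoed, then as many 200-byte
    TXT records as fit in the client's advertised UDP size (512 without EDNS0).
    A real server would set the TC bit when truncating; that is omitted here."""
    qid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    qend = _question_end(query)
    question = query[12:qend]
    # The OPT record, if present, sits right after the question: root name (1 byte),
    # type 41 (2 bytes), then the requester's UDP payload size (2 bytes).
    udp_size = struct.unpack("!H", query[qend + 3:qend + 5])[0] if arcount else 512
    # One answer: pointer to the query name, type TXT, class IN, TTL, RDLENGTH=200, data
    rr = struct.pack("!HHHIH", 0xC00C, 16, 1, 300, 200) + b"\xc7" + b"x" * 199
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    answers, n = b"", 0
    while n < max_records and 12 + len(question) + len(answers) + len(rr) + len(opt) <= udp_size:
        answers += rr
        n += 1
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, n, 0, 1)  # QR|RD|RA, 1 question, n answers, 1 OPT
    return header + question + answers + opt


def reflect(reflector_ip: str, pkt: Packet) -> Packet:
    """The reflector answers to the packet's claimed source. It has no way to know
    that the source was forged: there was no handshake."""
    return Packet(src=reflector_ip, dst=pkt.src, src_port=pkt.dst_port,
                  dst_port=pkt.src_port, payload=build_dns_response(pkt.payload))


def source_is_valid(customer_prefix: str, pkt: Packet) -> bool:
    """Source address validation at the botnet's upstream edge (BCP 38 ingress
    filtering): only packets sourced from the customer's own prefix may leave."""
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(customer_prefix)


def simulate(n_queries: int, bcp38: bool = False) -> dict:
    """Send n_queries spoofed queries and account for bytes at attacker and victim."""
    victim, reflector = "198.51.100.10", "203.0.113.53"   # constructed addresses
    bot_prefix = "192.0.2.0/24"                            # the bots' real address space
    query = build_dns_query("example.com")
    sent = received = 0
    for i in range(n_queries):
        spoofed = Packet(src=victim, dst=reflector, src_port=40000 + i % 1000, dst_port=53, payload=query)
        sent += len(spoofed.payload)
        if bcp38 and not source_is_valid(bot_prefix, spoofed):
            continue                     # dropped before it ever reaches the reflector
        reply = reflect(reflector, spoofed)
        if reply.dst == victim:          # always true: the reply goes to the forged source
            received += len(reply.payload)
    return {"attacker_bytes": sent, "victim_bytes": received,
            "amplification": received / sent if sent else 0.0}


if __name__ == "__main__":
    print(simulate(1000))              # ~64.6x: 40 KB sent, ~2.5 MB lands on the victim
    print(simulate(1000, bcp38=True))  # 0 bytes reach the victim
```

Two things are worth noticing in the output. The EDNS0 OPT record is what turns a 29-byte query with a 16x answer into a 40-byte query with a 64.6x answer, which is why amplification scans look for resolvers that honour large advertised buffer sizes. And the only stable property of the reflected traffic as it arrives at the victim is the service’s UDP source port (53 here): the destination ports are whatever the attacker put in the forged requests. That is why a filter at the victim has to match the source port, and why the structural fix lives at the other end, in networks that refuse to forward packets with source addresses they do not own.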
Volumetric Attacks in Action: Three Case Studies
Theoretical knowledge is useful, but seeing how these attacks impact real businesses provides a clearer picture of the threat. The following case studies illustrate how different types of organizations were targeted and how they responded.
Case Study 1: The E-commerce Brand
Scenario: ‘ChicPeak Boutique’, an online fashion retailer, was preparing for its biggest sales day of the year: Black Friday. They had invested heavily in advertising to drive traffic to their site, expecting record-breaking sales.
What Went Wrong: At 9:00 AM, just as the sale began, their website became completely unreachable. The IT team discovered their network was being hit with a 200 Gbps UDP flood. Their internet service provider’s link, which had a 10 Gbps capacity, was completely saturated.
The attack was unsophisticated but effective. The massive volume of random UDP packets overwhelmed their infrastructure. With no DDoS mitigation plan in place, they were defenseless. Every minute of downtime meant thousands of dollars in lost sales and immense customer frustration.
How It Was Fixed: The team initiated an emergency onboarding with a cloud-based DDoS mitigation provider. This involved a BGP route change: the provider took over announcing ChicPeak’s address block so that all traffic for it flowed through the provider’s global network of ‘scrubbing centers’, which absorb and filter out malicious traffic and forward the clean remainder to the origin over a tunnel. Because the smallest prefix the internet will route is a /24, this option exists only for organizations that announce their own address space; smaller sites divert by changing DNS to point at the provider instead, which protects only the hostnames moved and leaves the origin IP exposed if an attacker already knows it.
Within two hours, the provider had filtered the attack traffic, and clean, legitimate customer traffic was once again reaching ChicPeak’s servers. The site was back online, but not before four hours of critical sales time were lost. Following the incident, they contracted for an ‘always-on’ protection service to prevent a recurrence.
Case Study 2: The B2B Lead Generation Company
Scenario: ‘InnovateSoft Solutions’ is a B2B SaaS company that relies on its website for lead generation and as a login portal for existing customers. Their marketing team had just launched a major content campaign to attract new enterprise clients.
What Went Wrong: They were targeted by a DNS amplification attack. The attackers focused on InnovateSoft’s authoritative nameservers, which are responsible for telling the internet where to find their website and services. By flooding these servers, the attackers made it impossible for anyone to resolve ‘innovatesoft.com’.
The result was that their website, customer portal, and even their company email stopped working. The attack was less about bandwidth to their main web servers and more about crippling a critical piece of their infrastructure. The attack persisted for over 48 hours, grinding their entire business to a halt.
How It Was Fixed: The long-term solution was to migrate their DNS hosting to a specialized managed DNS provider. These providers operate highly distributed, resilient networks specifically designed to withstand massive DDoS attacks. The migration spread their DNS records across dozens of global locations, making it much harder for an attacker to take them all down.
As a secondary measure, they worked with their network team to implement stricter rate limiting on their own remaining public-facing servers. This helped reduce the impact of any traffic that might bypass their primary defenses in the future.
Case Study 3: The Online Publisher
Scenario: ‘GadgetGlobe’ is a popular affiliate marketing website that publishes tech reviews. Their revenue comes from affiliate commissions and display advertising, both of which depend entirely on website uptime and traffic.
What Went Wrong: GadgetGlobe received an email demanding a ransom payment in Bitcoin. When they refused to pay, their site was hit by a 500 Gbps Memcached amplification attack. This attack vector is known for its massive amplification factor, and it quickly took their site offline.
The immediate problem was downtime, but a second, more insidious problem emerged. Their hosting provider metered data transfer in both directions, so the massive inbound attack traffic, even though it never reached their application, resulted in an enormous data-transfer bill: they were being charged thousands of dollars per hour for packets they had never requested. (The largest public clouds generally do not bill inbound transfer at all; there the cost exposure is usually the outbound replies your hosts generate and any autoscaling that adds compute in response to the load.)
How It Was Fixed: Their first step was to work with the cloud provider’s support team to apply a network Access Control List (ACL). This rule immediately dropped all incoming UDP traffic with a source port of 11211, the port Memcached listens on. The port has to be matched as the source: the reflected responses come from port 11211 on the abused servers, while their destination ports are whatever random ports the attacker put in the spoofed requests, so a rule on the destination port would have dropped nothing. The ACL stopped the attack from reaching their virtual servers and stopped the billing overages.
Recognizing this was a reactive measure, they then subscribed to their cloud provider’s native DDoS protection service. This service sits ‘in front’ of their resources, automatically detecting and mitigating volumetric attacks before the traffic can incur data transfer costs or impact their applications.
The Financial Impact of a Volumetric Attack
The cost of a volumetric attack extends far beyond the technical inconvenience. The financial repercussions can be severe, impacting revenue, creating unexpected expenses, and causing long-term damage to a brand’s reputation.
Calculating the true cost requires looking at both direct and indirect financial drains. Each contributes to the total impact on the company’s bottom line.
Direct Costs
Direct costs are the tangible expenses that appear on an invoice or a profit-and-loss statement. They are the easiest to quantify but are often just the tip of the iceberg.
The most obvious cost is lost revenue. For any online business, downtime equals zero sales. A simple calculation for an e-commerce site like ChicPeak Boutique could be: `(Average Hourly Revenue) x (Downtime in Hours)`. If they average $50,000 per hour on Black Friday, a 4-hour outage represents a direct $200,000 revenue loss.
Another significant direct cost is bandwidth overage charges, as seen with GadgetGlobe. Some hosting providers and data centers bill for data transfer in both directions. A 500 Gbps attack moves about 62.5 GB every second, roughly 225 TB per hour, so an attack that runs for several hours approaches a petabyte of transfer, leading to surprise bills that can run into tens or even hundreds of thousands of dollars.
Finally, there are the costs of mitigation. Emergency DDoS protection services are priced at a premium. The overtime pay for IT staff, fees for external consultants, and the eventual subscription cost for a long-term protection service all add up.
Indirect and Long-Term Costs
Indirect costs are harder to measure but can be even more damaging. The most significant is brand damage. A website that is unavailable appears unreliable to customers. This erodes trust and can permanently drive customers to competitors.
Customer service costs also spike. Support teams are inundated with calls and messages from frustrated users. This diverts them from helping with genuine product issues and adds to overall operational costs.
There can also be an SEO impact. If a website is down for an extended period, search engine crawlers may be unable to access it. This can lead to a temporary or even long-term drop in search rankings, affecting organic traffic and future revenue long after the attack has ended.
Strategic Nuance: Beyond Basic Defense
Defending against volumetric attacks requires more than just buying a protection service. A truly resilient strategy involves understanding common misconceptions and implementing advanced tactics that many organizations overlook.
Myths vs. Reality
Myth: “We are too small to be a target.”
Reality: Attackers often use automated scanners to find vulnerable targets, regardless of size. Small businesses without dedicated security teams can be seen as easy targets for extortion or be used as part of a larger botnet.
Myth: “Our firewall or Intrusion Prevention System (IPS) will protect us.”
Reality: Firewalls and IPS devices sit behind your internet link. A flood that saturates that link upstream of them is never seen by them at all; by the time packets reach the firewall, the denial of service has already happened. Worse, these devices are stateful, tracking every connection they see, and a connection-oriented flood fills their state tables and exhausts their packet-processing capacity long before the link itself is full. These devices are a critical part of security, but they are not built to withstand a massive flood of traffic.
Myth: “DDoS attacks are just about causing downtime.”
Reality: Sophisticated attackers often use a volumetric attack as a smokescreen. While the IT and security teams are scrambling to fight the DDoS fire, the attacker may be attempting a more subtle intrusion, like a data breach or account takeover. The attack serves as a loud, resource-intensive distraction.
Advanced Defensive Strategies
Proactive Monitoring and Baselining: Instead of waiting for an attack to happen, establish a clear baseline of what your normal traffic patterns look like. Use network flow monitoring tools to understand your typical traffic volumes, sources, and protocols. An anomaly from this baseline can provide an early warning that an attack may be starting, allowing for a faster response.
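A minimal version of that baselining and early-warning logic, added here as an example and not part of the original article: Python that reads NetFlow-style records (constructed inline, with the victim at a documentation address), measures a baseline from the quiet seconds, alerts on any second whose inbound bit rate exceeds a multiple of it, and labels the dominant vector using the traffic shapes described in the UDP flood, ICMP flood and amplification sections above. The 10x detection ratio, the reflector port table and the packet counts are assumptions for the example.

```python
"""Flow-based baselining and vector classification for volumetric attacks.

Added example, not part of the original article. Reads NetFlow-style records
(constructed inline below), compares each second's inbound volume with a
baseline measured in quiet periods, and labels the dominant vector: UDP flood,
ICMP flood, or reflection from a known amplifier port. The detection ratio, the
reflector port table and every address are assumptions made for the example.
"""
from collections import Counter, defaultdict

# UDP services abused as reflectors. The victim sees replies *from* these ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 19: "CHARGEN"}

VICTIM = "198.51.100.10"   # constructed address


def constructed_flows():
    """Records as (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, bytes, packets).
    Proto numbers: 1 ICMP, 6 TCP, 17 UDP. All values are constructed for the example."""
    flows = []
    for ts in range(10):                                   # seconds 0-9: normal HTTPS, 3 MB/s
        for i in range(5):
            flows.append((ts, f"203.0.113.{i + 1}", VICTIM, 6, 50000 + i, 443, 600_000, 500))
    for ts in (10, 11):                                    # Memcached reflection: src port 11211, random dst ports
        for i in range(500):
            flows.append((ts, f"192.0.2.{i % 254 + 1}", VICTIM, 17, 11211, 1024 + (i * 37) % 60000, 200_000, 150))
    for i in range(400):                                   # second 12: plain UDP flood, random ports both ends
        flows.append((12, f"100.64.{i // 250}.{i % 250 + 1}", VICTIM, 17, 1024 + (i * 53) % 60000, (i * 71) % 65536, 150_000, 1000))
    for i in range(300):                                   # second 13: ICMP echo flood
        flows.append((13, f"100.64.9.{i % 250 + 1}", VICTIM, 1, 0, 0, 120_000, 1500))
    return flows


def per_second(flows, victim):
    """Group inbound records for the victim by second."""
    buckets = defaultdict(list)
    for f in flows:
        if f[2] == victim:
            buckets[f[0]].append(f)
    return buckets


def baseline_bps(flows, victim, quiet_until_ts):
    """Mean inbound bits/s over the quiet seconds before quiet_until_ts."""
    buckets = per_second(flows, victim)
    quiet = [sum(f[6] for f in buckets[ts]) * 8 for ts in buckets if ts < quiet_until_ts]
    return sum(quiet) / len(quiet)


def classify(second):
    """Return (vector label, suggested first filter) for one second of records."""
    by_proto = Counter()
    for f in second:
        by_proto[f[3]] += f[6]
    total = sum(by_proto.values())
    if by_proto[1] / total > 0.5:
        return "ICMP flood", "rate-limit inbound icmp echo-request at the edge"
    udp = [f for f in second if f[3] == 17]
    if not udp:
        return "unclassified", None
    udp_bytes = sum(f[6] for f in udp)
    by_sport = Counter()
    for f in udp:
        by_sport[f[4]] += f[6]
    port, port_bytes = by_sport.most_common(1)[0]
    if port in REFLECTOR_PORTS and port_bytes / udp_bytes >= 0.8:
        # Reflected replies carry the service port as *source*; destination ports are arbitrary.
        return f"{REFLECTOR_PORTS[port]} amplification", f"drop inbound udp with source port {port}"
    if len({f[5] for f in udp}) > 100:
        return "UDP flood (random destination ports)", "drop inbound udp except to ports you actually serve"
    return "UDP flood", "rate-limit inbound udp"


def detect(flows, victim, baseline, ratio=10.0):
    """Alert on every second whose inbound bit rate exceeds ratio x baseline."""
    alerts = []
    for ts, second in sorted(per_second(flows, victim).items()):
        bps = sum(f[6] for f in second) * 8
        if bps <= ratio * baseline:
            continue
        vector, fix = classify(second)
        alerts.append({"ts": ts, "bps": bps, "pps": sum(f[7] for f in second),
                       "sources": len({f[1] for f in second}), "vector": vector, "filter": fix})
    return alerts


if __name__ == "__main__":
    flows = constructed_flows()
    base = baseline_bps(flows, VICTIM, quiet_until_ts=10)
    for a in detect(flows, VICTIM, base):
        print(f"t={a['ts']}s {a['bps'] / 1e6:.0f} Mbps {a['pps']} pps from {a['sources']} sources: "
              f"{a['vector']} -> {a['filter']}")
```

Both bits per second and packets per second are kept in the alert because they fail different things: the link fills on bits, while routers and stateful devices fall over on packets. Against real flow exports the same structure applies, with the baseline taken from weeks of data rather than ten quiet seconds and the ratio tuned to your own peaks, and the suggested filter is only a first response to hand to your upstream or Flowspec policy, not a complete mitigation.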
Leverage BGP Flowspec: For organizations with their own network infrastructure whose upstream provider accepts Flowspec (RFC 8955) announcements, BGP Flowspec is a powerful tool. It allows you to express firewall-like match-and-action rules (for example, drop or rate-limit UDP traffic from source port 11211 destined to a given prefix) and propagate them to your upstream provider over BGP. The provider’s routers then drop the malicious traffic before it ever reaches your network edge, preserving your own bandwidth for legitimate use.
Controlled Blackhole Routing: Remote Triggered Black Hole (RTBH) routing is often seen as a last resort, as it directs all traffic for a targeted IP into a null route, effectively taking it offline. However, having the ability to trigger this yourself is far better than having your ISP do it for you to protect their network. The usual mechanism is to announce the attacked /32 (or /128) to your upstream tagged with the well-known BLACKHOLE community, 65535:666 (RFC 7999), which the provider maps to a null route on its own routers. It gives you control over when and how to stop an attack that exceeds your mitigation capacity, sacrificing one address to protect the rest of your network assets.
Frequently Asked Questions
What is the difference between a volumetric attack and an application-layer attack?
A volumetric attack targets the network and transport layers (Layers 3 and 4) of the OSI model. Its goal is to saturate the bandwidth of a network link with a massive volume of traffic, measured in Gbps or Tbps. An application-layer attack (Layer 7) targets the application itself, using seemingly legitimate requests (like HTTP GETs or API calls) to exhaust server resources such as CPU, memory, or database connections.
How is a volumetric attack measured?
The primary metric for a volumetric attack is its volume of traffic, measured in bits per second (bps). Because of their scale, this is usually expressed in Gigabits per second (Gbps) or even Terabits per second (Tbps). Another related metric is packets per second (pps), which measures the rate of incoming packets and can be a bottleneck for routers and firewalls.
Can a Content Delivery Network (CDN) help prevent volumetric attacks?
Yes, a CDN is an effective defense for the traffic it fronts. A CDN works by distributing a website’s content across a large, globally distributed network of servers. When an attack occurs, it is absorbed by the CDN’s massive collective bandwidth, with traffic being spread across many different points of presence. This prevents the attack from reaching and overwhelming the origin server, provided the origin’s own IP address is not discoverable and the origin accepts connections only from the CDN’s address ranges; an attacker who learns the origin address can flood it directly and bypass the CDN entirely. A CDN also protects only the web front end, not other exposed services such as mail, VPN gateways or authoritative DNS.
Are volumetric attacks illegal?
Yes, launching any form of Distributed Denial of Service (DDoS) attack, including volumetric attacks, is a criminal offense in most jurisdictions around the world. Laws such as the Computer Fraud and Abuse Act (CFAA) in the United States make it illegal to intentionally cause damage to a protected computer. Penalties can be severe, including substantial fines and lengthy prison sentences.
How can you tell if you are under a volumetric attack?
The most common symptoms are a sudden and dramatic slowdown of your network or a complete outage of your website or online services. Network monitoring tools will show an unprecedented spike in inbound traffic that far exceeds normal levels: edge-router interface counters pinned at line rate with rising drops, and flow data dominated by a protocol you do not normally serve. A sudden mass of UDP traffic arriving from a single source port such as 53, 123 or 11211 points to a reflection attack; traffic to random destination ports from thousands of sources points to a plain UDP flood. Analyzing this traffic with tools like ClickPatrol can help differentiate between a legitimate traffic surge (e.g., from a marketing campaign) and a malicious attack by examining traffic sources, protocols, and other behavioral signatures.
