
DDoS Attack Strategies Explained

Dr. Jared Smith talks about how a DDoS attack happens.

Distributed denial of service (DDoS) attacks can have huge impacts on companies and even average consumers. Though the actual way these attacks function is fairly technologically advanced, these attacks aren’t always done by smart, sophisticated hackers cracking systems and breaking into networks. In fact, with a rented botnet and a little bit of social engineering, cybercriminals don’t need much technical know-how at all to carry out a DDoS attack. That’s why it’s so crucial to know how and why they can happen.


See DDoS Attacks with Dr. Jared Smith for a complete transcript of the Easy Prey podcast episode.

Jared Smith is a distinguished threat researcher on the threat research group at SecurityScorecard, a company that helps people address and mitigate supply chain risks. They monitor the internet, companies, and their vendors to help secure networks. He is also the founder of Uncat, a B2B accounting technology company, and spent time in government as a national security researcher with a high clearance. Before that, he got a PhD in computer science from the University of Tennessee, where he focused on border gateway protocol (BGP) and how it can be used to mitigate DDoS attacks.

Anyone can Fall for It

Jared was recently the victim of a phishing attack that really shows the sophistication of phishing these days. He’s had his startup, Uncat, for over five years now. Uncat has a Stripe account (Stripe is one of the companies that processes card transactions online). It has a lot of important data, like customer information and payment data.

Jared got an email from Stripe. The branding was spot-on – it looked so good that he didn’t think to check the domain to see if it was spoofed. The email said he needed to do his FinCEN registration. FinCEN, financial ownership of a company, is something Stripe has pushed heavily recently. Jared assumed he forgot to do it and clicked the link. It went to what looked exactly like Stripe’s login page. He entered his username and password and clicked “log in.” The site didn’t respond. He tried to click on another page and it didn’t work. That’s when he looked at the URL and realized he wasn’t on Stripe’s site at all.

Luckily, he uses unique and random passwords for every critical service, so the phishers wouldn’t be able to get into anything else. But he changed his password immediately and contacted Stripe to make sure there was no unusual activity on his account. Jared does phishing simulation tests every month for his job and helps customers protect against phishing. But all it took was a well-written and correct-looking email with a relevant topic, and even he clicked.

I help my own customers protect themselves against phishing … and yet all it took was them having a perfectly written email with a perfectly relevant topic. … [Phishing] is getting very sophisticated.

Jared Smith

Phishing is a Huge Cybersecurity Problem

If you look at the trends on how much people spend on cybersecurity and how many breaches there are, you’d hope for an inverse relationship. Ideally, as people spend more on security, incidents should go down. But both are going way up. And this is almost entirely due to the fact that phishing, various scams, and social engineering are such a huge problem.

Breaches [are] going up year over year … that is almost entirely due to the fact that we have not completely solved the phishing and scamming side of things.

Jared Smith

Jared used to teach pentesting to graduate students at NYU. Being on the hacker side, you don’t have to deal with real people. Some hackers would rather break into a system and never have to talk to someone. So there are reasons we still see those attacks. But if you are willing to actually contact people and trick them out of their credentials, it’s much easier than breaking into a system. And with the accessibility of generative AI these days, criminals can craft effective phishing messages even without a native grasp of English. All of this means that a criminal doesn’t have to be a hacker to cause a data breach or run a DDoS attack. They just have to have the desire to do it and find the right phishing victim.

It’s far easier to phish somebody than it is to find a zero day and break into a network.

Jared Smith

A DDoS Attack Uses BGP

Border gateway protocol, or BGP, is fundamental to how the internet works. Water gets from your well or city water line to your faucets through pipes – BGP is like the plumbing of the internet. If you want to go to a website, your device uses DNS to get the IP address of the website. Then BGP establishes a path from your device to that IP address. Once the path is established, you see the website on your device.

The internet actually has a global map that BGP uses to figure out how to get places. It maps out the most efficient route, and that’s the route it uses. Jared’s PhD research was on how to break up that map so that everything still works how it’s supposed to. He built a system where you could choose your own path to avoid something bad in the most efficient path. This is helpful in some cases, one of which is avoiding DDoS attacks.
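The idea of picking the most efficient route and then choosing a different one to avoid a bad link can be sketched in a toy model. This is an added example, not Dr. Smith's system or real BGP: it assumes route choice is simply the fewest AS hops (real BGP also applies policy), and the topology, AS numbers and function names are constructed for illustration.

```python
from collections import deque

# Constructed AS-level map using documentation-range AS numbers (RFC 5398).
# Each pair is one BGP adjacency; this is sample data, not a real topology.
LINKS = [
    (64500, 64501), (64501, 64502), (64502, 64510),                  # short route
    (64500, 64503), (64503, 64504), (64504, 64505), (64505, 64510),  # longer detour
]

def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def shortest_as_path(graph, src, dst, avoid_links=()):
    """Fewest-hop AS path from src to dst that uses none of avoid_links, or None."""
    avoid = {frozenset(link) for link in avoid_links}
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent and frozenset((node, nxt)) not in avoid:
                parent[nxt] = node
                queue.append(nxt)
    return None

def reroute_around(graph, src, dst, flooded_link):
    """Return (default_path, detour_path, extra_hops) for one congested link."""
    default = shortest_as_path(graph, src, dst)
    detour = shortest_as_path(graph, src, dst, avoid_links=[flooded_link])
    extra = None if detour is None or default is None else len(detour) - len(default)
    return default, detour, extra

if __name__ == "__main__":
    g = build_graph(LINKS)
    print(reroute_around(g, 64500, 64510, (64501, 64502)))
```

When every alternative is also unavailable, `shortest_as_path` returns `None`, which is the partition case: no route is left between the two networks.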


There are a lot of varieties of DDoS attack. One more sophisticated way is link flooding. Attackers identify BGP links with a certain bandwidth and flood that specific link to segment the internet. If traffic can’t get through that link, the internet is effectively cut off. A massive DDoS attack on an ISP could cascade through the internet. If you wanted to bring down the internet in a specific area, you’d just have to identify one or two BGP links upstream and flood them. This could take out internet to half a continent.

How Criminals Run a DDoS Attack

There is a whole business to help criminals run a DDoS attack. People distribute and run infostealers to create botnets. Criminals can then rent out these botnets to do large-scale campaigns or DDoS attacks. This comes back to the phishing aspect, as well. To create a DDoS attack, you need a botnet. To get a botnet, you need infected boxes. And to get those boxes, you can get the credentials from someone, get leaked credentials from the internet, or compromise the box yourself. For two of those three methods, the credentials can come from phishing – either phishing that you do or that someone else did and posted online.

How do you produce a DDoS attack? You need infected boxes. How do you get infected boxes? … I can phish someone and get credentials, or I can find existing phished and posted credentials.

Jared Smith

Lots of threat actors trying to run a DDoS attack know that most large sites have a CDN protecting them. They’re looking to figure out what the IP address is behind the CDN. That’s where social engineering tactics can come in. CDNs are great, but they still only catch about 95% of malicious traffic. It’s no wonder that big services like Facebook and AWS have their own routers and networks. They need the ability to handle that much traffic and mitigate any DDoS attack that might come their way.

Jared has a 1-gigabit connection on his home internet. It used to take a million machines to take down a network. With those kinds of speeds, it now may only take a few dozen compromised machines to take something down. And some DDoS attacks don’t even require fast or overwhelming traffic, just enough to fill up the buffers and make the servers constantly restart.

Internet Infrastructure and DDoS attacks

Can you think of the last time a big DDoS attack was in the news? Before the one on Twitter/X in March 2025, it had been a while. They don’t happen as often because, although the internet may be held together by duct tape and hope, it has worked for so long because it is well-designed, open, and self-healing for the most part. Lots of academics want to redeploy the whole internet with a new protocol. That’s great, and Jared supports it. But ISPs aren’t going to spend the money to move to IPv6 until they have to. They don’t want to invest a lot of money into deploying a new protocol and then have to wait for their peers to deploy it too.

If Jared were to rank how he felt about the state of the internet’s network infrastructure routing on a scale of 0 to 100, he’d give it a solid 85. It’s solid. There are cases where a route change could brick a whole network – we saw it with CrowdStrike, and Cloudflare has done it a few times. Jared is honestly surprised that all those issues have been someone messing up a configuration and not from phishing. You wouldn’t even need a DDoS attack for that, just a Cloudflare admin login.

The internet and the systems that hold it up are highly connected. If you knock the right ones out, we could have a stone age-level disaster. To Jared, this all goes back to people. We can put in great security tools to protect from hackers. But because we still haven’t solved phishing, people are the weak points in any system.

Find Jared Smith on LinkedIn (username jaredthecoder because there are a lot of Jared Smiths). You can also find SecurityScorecard at securityscorecard.com and sign up for free to see your own scorecard.
