Can a DDoS attack yield any information?

A DDoS will certainly give an attacker information about response times, load capability and routing.

It may also give information about how incidents are handled internally and externally, as well as how they are reported to the public.

But this is not what the main uses are.

Generally the two key reasons for DDoS are to:

  • take a service or website offline
  • distract from a wider attack, exploit or intrusion

The first is well known, very popular, and is relatively straightforward to carry out, with the only defence against a large attack being a high volume DDoS mitigation service.

The second is more rarely used, but is being seen as a part of an attacker's toolset. Loading the incident response team can make it harder for them to detect an intrusion, can hide the real reason for the attack, and can hide evidence of an intrusion in amongst large numbers of log entries from the DDoS.


A full answer would depend on the attack and what is being attacked, so I will keep it general.

A DoS can leak information as a side-effect. In earlier times switches were used in networks to prevent machines from listening to the communication between 2 other machines. Due to a design problem you could turn it into a big collision domain again by launching a DoS attack against the switch, and you could listen to any communication again. Explanation of the attack: switches learn which machine is connected to which port. When a machine sends a packet to another machine, the switch looks up in its memory at which port this machine is and forwards the traffic to only this port. A machine on another port wouldn't see the traffic. A problem arises when there are more machines on the network than would fit in the memory of the switch. Common behaviors are:

  • The switch would send all traffic to all ports
  • The switch would stop learning new machines
  • The switch would forget the oldest machines

The first type was especially common. An attacker would have his machine pretend that a huge number of machines were at this port by DoSing it with announcement broadcasts.

Another attack related to DoS is a security downgrade attack. You have a system consisting of 2 sub-systems, A and B. B is used by A to do additional security checks. If B doesn't respond in time, A would skip this check and consider it successful. If the attacker can DoS system B he has an easier game because he only needs to pass the security checks on system A. Some systems are designed this way because availability of system A is important and nobody thought some attacker might DoS system B, or the risk was accepted. I can't give you the details of an actual attack, but some anti-spam blacklists work this way.

It is also known that some advanced groups/organizations launch (D)DoS attacks to distract from their real attack by attracting the focus of the security staff to the target of the DDoS, or to hide the attack traffic among the DDoS traffic.

Another option is that you need that amount of traffic but don't need to (D)DoS it. For example some attacks on SSL require enough packets to recover/manipulate information. Here the DoS would be a side effect of the amount of traffic.
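The fail-open pattern from the security downgrade paragraph above, shown next to a fail-closed variant that defers instead of accepting when the check times out. This is an added example, not code from the answer; the blocklist lookup, its sample entry, the simulated delay and the timeout value are constructed assumptions.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FuturesTimeout

# Constructed stand-in for "system B": a blocklist (DNSBL-style) lookup.
# `delay` simulates B being slow or unreachable, e.g. while it is under DoS.
SAMPLE_BLOCKLIST = {"198.51.100.7"}  # constructed sample entry


def blocklist_lookup(sender_ip: str, delay: float = 0.0) -> bool:
    """Return True if sender_ip is on the (constructed) blocklist."""
    time.sleep(delay)
    return sender_ip in SAMPLE_BLOCKLIST


_pool = ThreadPoolExecutor(max_workers=4)


def _lookup_with_timeout(sender_ip: str, delay: float, timeout: float) -> bool:
    """Ask system B, but give up after `timeout` seconds (raises FuturesTimeout)."""
    return _pool.submit(blocklist_lookup, sender_ip, delay).result(timeout=timeout)


def verdict_fail_open(sender_ip: str, delay: float = 0.0, timeout: float = 0.1) -> str:
    """System A as the answer describes it: an unanswered check counts as passed.
    While B is DoSed, every sender, blocklisted or not, is accepted."""
    try:
        return "reject" if _lookup_with_timeout(sender_ip, delay, timeout) else "accept"
    except FuturesTimeout:
        return "accept"  # the downgrade: timeout is treated like "not blocklisted"


def verdict_fail_closed(sender_ip: str, delay: float = 0.0, timeout: float = 0.1) -> str:
    """Hardened system A: a timeout is an unknown state, not a pass.
    The caller defers (e.g. a temporary failure / retry later) rather than
    granting what B was supposed to vet, so DoSing B buys the attacker nothing."""
    try:
        return "reject" if _lookup_with_timeout(sender_ip, delay, timeout) else "accept"
    except FuturesTimeout:
        return "defer"
```

A rising rate of "defer" verdicts is itself a useful signal that B is degraded, whereas the fail-open version hides the outage behind a normal-looking accept rate.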


Identify shared resources

A Denial of Service attack, distributed or not, can be used to successfully identify machines which share resources. If you want to hack a service, you can launch an attack against it, while monitoring other services. If those also disappear, it is likely that they are hosted on the same machine. These other services may be more prone to hacking, and can be used as a "crowbar" to gain access to the service you want.

Hidden services

This can be devastating when used against hidden services in the Tor network. If you have reasons to believe that a certain individual is hosting a hidden service, you can test this by launching an attack against an open service on the same hardware or in the same data center. If the hidden service goes down, you may have confirmed that your guess is correct, and the identity behind the hidden service has been compromised.

Each time you test this, you will get one sample, which may be a false positive. Doing it enough times at random intervals, you can increase the probability of being right.