All these steps are highly automate

All these steps are highly automated. A cautious intruder will begin by breaking in to just a few sites, then using them to break into some more, and repeating this cycle for several steps. By the time they are ready to mount the attacks, they have taken over thousands of computers and assembled them into a DDoS network. Once the attacker has installed the DDoS software, the attacker runs a single command that sends command packets to all the captured computers, instructing them to launch an attack (from a menu of different varieties of flooding attacks) against a specific victim. When the attacker decides to stop the attack, he or she sends another single command.
The controlled computers being used to mount the attacks send a stream of packets. For most of the attacks, these packets are directed at the victim computer. For one variant (called "smurf," after the first circulated program to perform this attack), the packets are aimed at other networks, where they provoke multiple echoes all aimed at the victim as described earlier.
The packets used in DDoS attacks use forged source addresses or spoofed IP addresses. If a packet arrives at the first router, and the source IP address doesn't match the IP network it's coming from, the router should discard the packet. This style of packet checking is called ingress or egress filtering, depending on the point of view; it is egress from the customer network, or ingress to the heart of the Internet.
The first signs of an attack may be when thousands of compromised systems all over the world begin to flood the victim's network with traffic all at once. The first symptom is likely to be a router crash, or something that looks a lot like one; traffic simply stops flowing between the victim and the Internet.