General types of DDoS attacks

General types of DDoS attacks

(Part 1)

Distributed denial of service (DDoS) is a broad class of cyber attack that disrupts online services and resources by overwhelming them with traffic. This renders the targeted online service unusable for the duration of the DDoS attack. The hallmark of DDoS attacks is the distributed nature of the malicious traffic, which usually originates from a botnet, a network of compromised machines controlled by criminals spread across the globe.

Over the years, cybercriminals have developed a number of technical approaches to take down online targets through DDoS attacks. The individual techniques tend to fall into three general types of DDoS attacks:

Volumetric attacks.

The classic type of DDoS. These attacks employ methods to generate massive volumes of traffic to completely saturate bandwidth, creating a traffic jam that makes it impossible for legitimate traffic to enter or leave the target site.

Protocol attacks

Protocol attacks are designed to consume the processing power of network infrastructure resources, such as servers, firewalls and load balancers, by targeting Layer 3 and Layer 4 protocol communications with malicious connection requests.

Application attacks

Some of the most sophisticated DDoS attacks exploit weaknesses in the application layer, Layer 7, by opening connections and initiating processes and transaction requests that consume finite resources such as disk space and available memory.

It should be noted that, in real-world attack scenarios, criminals like to mix and match these types of attacks to increase the pain. Therefore, a single DDoS campaign can overlay application and protocol attacks in addition to volumetric attacks.

Review of specific DDoS attack styles

UDP and ICMP floods

Some of the most common volumetric attacks are those that flood host resources with User Datagram Protocol (UDP) packets or Internet Control Message Protocol (ICMP) echo requests, or pings, until the service overflows. Attackers tend to drive the overwhelming flow of these floods through reflection attacks, which spoof the victim’s IP address to make the UDP or ICMP request. That way, the attacker saturates both inbound and outbound bandwidth. The malicious packet appears to come from the victim, so the server sends the response to itself.

DNS amplification

DNS amplification attacks are volumetric DDoS attacks that use a technique that is essentially a supercharged reflection attack. Amplification attacks cripple bandwidth by increasing the flow of outbound traffic. They do this by making requests for information from the server that generate large amounts of data and then routing that information directly to the server by spoofing the response address.

Thus, in a DNS amplification attack, the malicious actor sends many relatively small packets to a publicly accessible DNS server from many different sources in a botnet. Each of them are requests for a very detailed response, such as DNS name lookup requests. The DNS server then responds to each of these distributed requests with response packets containing many orders of magnitude more data than the initial request packet, and all of that data is sent directly to the victim’s DNS server.

SYN flooding

This is one of the most common protocol attacks. SYN flooding attacks bypass the three-way binding process required to establish TCP connections between clients and servers. These connections are typically made with the client making an initial synchronization request (SYN) from the server, the server responding with an acknowledgement response (SYN-ACK) and the client completing the link protocol with a final acknowledgement (ACK). SYN floods work by performing a rapid succession of these initial synchronization requests and leaving the server hanging by never responding with a final acknowledgement. Ultimately, the server is asked to keep open a bunch of half-open connections that eventually overwhelm resources, often to the point where the server fails.

Ping of death

This is another type of protocol attack. Ping of death attacks vary from ICMP echo ping flood attacks in that the contents of the packet itself are maliciously designed to cause a malfunction of the server-side system. The data contained in a normal ping flood attack is almost immaterial, simply intended to crush bandwidth with its volume. In a ping of death attack, the criminal seeks to exploit vulnerabilities in the target system with packet content that causes it to freeze or crash. This method can also be extended to other protocols beyond ICMP, including UDP and TCP.

HTTP flooding

HTTP flooding attacks are one of the most common types of application layer DDoS attacks. With this method, the offender makes what appear to be normal interactions with a web server or application. All interactions come from web browsers to look like normal user activity, but are coordinated to use as many server resources as possible. The request the attacker could make includes anything from calling URLs for images or documents with GET requests to having the server process database calls from POST requests.

Share this post