
Types of DDoS Attacks

09.08.2021

The common types of DDoS Attacks

As covered in the earlier DDoS Attacks article, a distributed denial-of-service (DDoS) attack is a malicious attempt to make an online service unavailable to its users, usually by overwhelming the hosting server or its network connection so that it can no longer respond to legitimate requests.

Over the years, attackers have developed a number of technical approaches for taking online targets offline via DDoS. An attacker may use several attack vectors at once, switch vectors in response to countermeasures taken by the target, or cycle through vectors repeatedly.



Application Layer Attacks

The more sophisticated DDoS attacks target weaknesses in the application layer (Layer 7): they open connections and trigger requests and processes that consume limited resources such as CPU time, memory, disk space and database connections. Because the traffic consists of seemingly legitimate, individually harmless requests, it is hard to distinguish from real users. The aim is to exhaust the web server or application until it stops responding, and the size of such an attack is measured in requests per second (RPS).

Protocol Attacks

Protocol attacks are designed to consume the processing capacity of network infrastructure such as servers, firewalls and load balancers by targeting Layer 3 and Layer 4 protocol behaviour with malicious connection requests. Because these devices keep state for every connection they see, this type of attack exhausts real server resources or the resources of intermediate equipment such as firewalls and load balancers, and its size is measured in packets per second (PPS).

Volumetric Attacks

The classic type of DDoS, volumetric attacks generate enough traffic to completely saturate the target's bandwidth, creating a traffic jam that stops legitimate traffic from entering or leaving the targeted site. The purpose of the attack is simply to fill the attacked site's link, and its magnitude is measured in bits per second (bps).

Some of the DDoS Attack Styles

UDP and ICMP floods

Some of the most common volumetric attacks flood the target with User Datagram Protocol (UDP) packets or Internet Control Message Protocol (ICMP) echo requests (pings) until its bandwidth or host resources are exhausted. Attackers often increase the flow through reflection: they send UDP or ICMP requests to third-party hosts with the victim's IP address forged as the source, so the replies are delivered to the victim rather than to the attacker. The victim therefore receives traffic it never asked for, the attacker's real address stays hidden, and because the target also tries to answer this traffic, both inbound and outbound bandwidth are consumed.

DNS amplification

DNS amplification attacks are volumetric DDoS attacks built on what is essentially a supercharged reflection technique. Amplification attacks magnify the traffic flow directed at the victim and saturate its bandwidth: the attacker requests information that makes the reflecting server generate a large amount of response data, and spoofs the victim's address as the source so that this response is delivered straight to the victim.

In a DNS amplification attack, the attacker therefore sends many relatively small query packets, typically from the many sources of a botnet, to open public DNS resolvers. Each query is chosen to produce a very large answer, for example a request for all records (ANY) of a domain with a large zone. The DNS server answers each of these distributed queries with response packets containing far more data than the original query, and because the source address was spoofed, all of that data is sent to the victim's address.
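The reflection pattern described in the two passages above (spoofed requests, oversized answers delivered to a victim that never asked for them) is easiest to see in flow data. The following is an added example, not code from the original article: it builds the kind of small EDNS0 ANY query an attacker would send, so its on-wire size can be compared with the answers, and then scans constructed NetFlow-style records for hosts receiving unsolicited, oversized replies from many reflector addresses. The flow records, the threshold values and the service names in REFLECTOR_PORTS are assumptions chosen for the demo.

```python
import struct
from collections import defaultdict

# Well-known UDP services abused as reflectors; the names are only labels used in alerts (assumed).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}


def build_dns_query(name: str, qtype: int = 255, udp_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """Return the wire bytes of a DNS query carrying an EDNS0 OPT record (RFC 1035 / RFC 6891).

    qtype 255 is ANY and udp_payload advertises that the sender accepts large UDP answers:
    the combination an attacker uses to get the biggest response for the smallest query.
    """
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def find_reflection_victims(flows, min_sources=3, min_bytes_per_packet=400):
    """Flag destinations that receive unsolicited, oversized UDP replies from many reflectors.

    flows: iterable of (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes) summaries.
    A reply flow counts as solicited only if the reverse flow (dst -> src, same ports) was also
    seen, i.e. the alleged victim really did send a request. Everything else from a reflector
    port is traffic the victim never asked for.
    """
    seen = {(s, sp, d, dp) for s, sp, d, dp, proto, _, _ in flows if proto == "udp"}
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, packets, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, dport, src, sport) in seen:
            continue  # normal query/response pair
        g = groups[(dst, sport)]
        g["sources"].add(src)
        g["packets"] += packets
        g["bytes"] += nbytes
    query_size = len(build_dns_query("example.com"))  # reference size for the DNS amplification estimate
    alerts = []
    for (victim, port), g in sorted(groups.items()):
        bpp = g["bytes"] / g["packets"]
        if len(g["sources"]) < min_sources or bpp < min_bytes_per_packet:
            continue
        service = REFLECTOR_PORTS[port]
        alerts.append({
            "victim": victim,
            "service": service,
            "sources": len(g["sources"]),
            "bytes": g["bytes"],
            "bytes_per_packet": bpp,
            # Amplification relative to the ~40-byte ANY query built above; only meaningful for DNS here.
            "est_amplification": round(bpp / query_size, 1) if service == "dns" else None,
        })
    return alerts


# Constructed flow records for the demo (not real traffic). The victim is 203.0.113.10.
FLOWS = [
    # Legitimate query/response pair: the victim resolved a name and got a normal-sized reply.
    ("203.0.113.10", 40001, "198.51.100.53", 53, "udp", 1, 70),
    ("198.51.100.53", 53, "203.0.113.10", 40001, "udp", 1, 180),
    # Reflected DNS amplification: five open resolvers each send 200 answers of ~3 kB the victim never requested.
    ("192.0.2.1", 53, "203.0.113.10", 8080, "udp", 200, 600000),
    ("192.0.2.2", 53, "203.0.113.10", 8080, "udp", 200, 600000),
    ("192.0.2.3", 53, "203.0.113.10", 8080, "udp", 200, 600000),
    ("192.0.2.4", 53, "203.0.113.10", 8080, "udp", 200, 600000),
    ("192.0.2.5", 53, "203.0.113.10", 8080, "udp", 200, 600000),
    # Two stray NTP replies to another host: oversized, but too few sources to call it an attack.
    ("192.0.2.9", 123, "203.0.113.20", 5000, "udp", 50, 24000),
    ("192.0.2.10", 123, "203.0.113.20", 5000, "udp", 50, 24000),
    # Ordinary TCP traffic is ignored entirely.
    ("198.51.100.7", 51000, "203.0.113.10", 443, "tcp", 12, 9000),
]

if __name__ == "__main__":
    print("ANY query size:", len(build_dns_query("example.com")), "bytes")
    for alert in find_reflection_victims(FLOWS):
        print(alert)
```

Two points worth noting from the output: the 40-byte query versus 3,000-byte answers gives an amplification factor of about 75, and the NTP group is dropped only because of the source-count threshold. In a real deployment the thresholds come from the site's own baseline, and the reverse-flow check depends on the exporter seeing both directions of traffic.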

SYN floods

One of the most common protocol attacks, the SYN flood abuses the three-way handshake used to establish a TCP connection between a client and a server. Normally the client sends an initial synchronisation (SYN) request to the server, the server responds with a synchronisation-acknowledgement (SYN-ACK), and the client completes the handshake with a final acknowledgement (ACK). A SYN flood sends these initial SYN requests in rapid succession, often from spoofed source addresses, and never sends the final ACK. The server is forced to keep a growing number of half-open connections in its backlog, each holding memory and a slot until it times out, until the backlog is full and legitimate clients can no longer connect or the server fails outright.
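The following added example (not code from the original article) simulates the mechanism just described and the standard defence against it. A stateful listener stores one entry per SYN and stops accepting connections once its backlog is full; a SYN-cookie listener stores nothing and instead encodes a keyed hash of the connection 4-tuple into the initial sequence number, so only a client that actually received the SYN-ACK can produce a valid final ACK. The secret key, the backlog size and all addresses are assumptions chosen for the demo, and the cookie format is simplified (real kernels also encode the MSS and use rotating per-boot keys).

```python
import hashlib
import hmac

# Assumed demo key; a real TCP stack uses per-boot random secrets that rotate.
COOKIE_SECRET = b"constructed-demo-secret"


def syn_cookie(src_ip, src_port, dst_ip, dst_port, minute, secret=COOKIE_SECRET):
    """Simplified SYN cookie: a 32-bit initial sequence number whose top byte is a coarse
    timestamp and whose low 24 bits are a keyed hash of the connection 4-tuple."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{minute}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((minute & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


class StatefulListener:
    """Classic listener: every SYN allocates a half-open entry that lives until the ACK arrives
    (or until a timeout, which this simulation never reaches)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # 4-tuple -> ISN sent in the SYN-ACK
        self.established = set()
        self.dropped = 0

    def on_syn(self, client, minute):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # backlog full: the SYN is dropped, legitimate or not
            return None
        isn = 0x10000000 + len(self.half_open)  # placeholder ISN, sufficient for the demo
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, ack, minute):
        isn = self.half_open.pop(client, None)
        if isn is not None and ack == isn + 1:
            self.established.add(client)
            return True
        return False


class CookieListener:
    """Stateless listener: nothing is stored on SYN; the ISN itself proves a later ACK is genuine."""

    def __init__(self):
        self.established = set()

    def on_syn(self, client, minute):
        return syn_cookie(*client, minute)  # sent as the SYN-ACK sequence number; client is then forgotten

    def on_ack(self, client, ack, minute):
        # Accept cookies minted in the current or the previous minute so a slow handshake still completes.
        for m in (minute, minute - 1):
            if ack == syn_cookie(*client, m) + 1:
                self.established.add(client)
                return True
        return False  # forged or stale ACK: no state was ever allocated, so nothing to clean up


def simulate(listener, spoofed_syns=1000, minute=7):
    """Flood the listener with SYNs from spoofed sources that never ACK, then try one real handshake.
    Returns True if the legitimate client managed to connect."""
    for i in range(spoofed_syns):
        spoofed = (f"192.0.2.{i % 250 + 1}", 1024 + i, "203.0.113.10", 443)  # constructed addresses
        listener.on_syn(spoofed, minute)
    legit = ("198.51.100.7", 51000, "203.0.113.10", 443)
    isn = listener.on_syn(legit, minute)
    if isn is None:
        return False  # SYN dropped: the half-open backlog was exhausted by the flood
    return listener.on_ack(legit, isn + 1, minute)


if __name__ == "__main__":
    print("stateful listener, backlog 128:", simulate(StatefulListener(backlog=128)))  # False
    print("SYN-cookie listener:           ", simulate(CookieListener()))               # True
```

The stateful listener drops the legitimate SYN because 1,000 spoofed SYNs have filled a 128-entry backlog; the cookie listener accepts it because it holds no per-SYN state to exhaust. The trade-off is that cookies only verify the 4-tuple and a coarse timestamp, which is why production stacks enable them as a fallback once the backlog is under pressure rather than all the time.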

Ping of death 

Another type of protocol attack, the ping of death, differs from a garden-variety ICMP echo (ping) flood in that the packet contents are maliciously crafted to make the target system fail. The data in a normal ping flood is almost irrelevant; it is there only to fill bandwidth with volume. In a ping-of-death attack the attacker instead exploits a flaw in the target's packet handling: the classic form sends an IP packet whose fragments reassemble to more than the 65,535-byte maximum, overflowing the reassembly buffer of vulnerable older network stacks and freezing or crashing the system. The same technique can be applied to other protocols carried over IP, including UDP and TCP.

HTTP floods

HTTP floods are among the most common application layer DDoS attacks. The attacker generates seemingly normal interactions with a web server or application. The requests are made to look like ordinary browser traffic, but they are coordinated to consume as many server resources as possible. They range from GET requests for large images or documents to POST requests that force server-side processing, such as form submissions or searches that trigger database queries.
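Because each request in an HTTP flood looks legitimate on its own, detection has to work on rates rather than on individual requests. The following added example (not code from the original article) parses access log lines and runs a sliding-window count over them. It flags a single client that exceeds a per-IP limit, and separately raises an aggregate alert when the whole window exceeds a global limit even though no single IP stands out, which is what a flood spread across a botnet looks like. The log lines are constructed for the demo, and the window and threshold values are assumptions that would be tuned to a site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx style access log line, e.g.
# 203.0.113.5 - - [09/Aug/2021:10:00:00 +0000] "GET /reports/annual.pdf HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect_http_flood(lines, window_s=10, per_ip_limit=20, global_limit=100):
    """Sliding-window request counting over a time-ordered access log.

    Returns (flagged_ips, global_alert). An IP is flagged when it exceeds per_ip_limit requests
    within window_s seconds. global_alert is set when the aggregate exceeds global_limit in the
    same window, which catches the distributed case where every bot stays under the per-IP limit.
    The thresholds are assumed values and must be tuned to the site's baseline.
    """
    per_ip = defaultdict(deque)
    recent = deque()
    flagged = set()
    global_alert = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when = rec[0], rec[1]
        q = per_ip[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()  # drop this client's requests that fell out of the window
        recent.append(when)
        while (when - recent[0]).total_seconds() > window_s:
            recent.popleft()  # same for the aggregate window
        if len(q) > per_ip_limit:
            flagged.add(ip)
        if len(recent) > global_limit:
            global_alert = True
    return flagged, global_alert


def constructed_log():
    """Constructed access log for the demo (not from a real server), in time order."""
    base = datetime(2021, 8, 9, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    # One aggressive client: 30 GETs for a large document within five seconds.
    for i in range(30):
        lines.append(fmt.format(ip="203.0.113.5", ts=stamp(i // 6), method="GET", path="/reports/annual.pdf"))
    # A normal visitor browsing three pages.
    for i, path in enumerate(["/", "/about", "/contact"]):
        lines.append(fmt.format(ip="192.0.2.7", ts=stamp(6 + i), method="GET", path=path))
    # A distributed flood: 150 distinct bots, one expensive search POST each, spread over ten seconds.
    for i in range(150):
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}", ts=stamp(20 + i // 15), method="POST", path="/search"))
    return lines


if __name__ == "__main__":
    flagged, global_alert = detect_http_flood(constructed_log())
    print("per-IP offenders:", sorted(flagged))  # ['203.0.113.5']
    print("aggregate over limit:", global_alert)  # True
```

The per-IP check alone would miss the 150 bots entirely, since each sends a single request; only the aggregate window exposes them. In practice the aggregate alert is what triggers upstream scrubbing or challenge pages, while per-IP limits handle the lone aggressive client.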

Mitigation Methods for DDoS Attacks

Research reports show that DDoS attacks are fast becoming one of the most common types of cyber threat and have grown rapidly in both number and volume in recent years. The trend is also towards shorter attacks that deliver a higher packet rate per second.

Organisations should take specific cybersecurity measures to protect themselves against these attacks, which are evolving and increasing day by day.

Infrastructure preparation

  • Establish a SOC for continuous security monitoring so that DDoS attacks on the network are detected early.
  • Build infrastructure that can divert DDoS traffic to scrubbing capacity and clean it before it reaches services.
  • Design resilient network components that can absorb attack scenarios generating traffic loads well above normal levels.

Response planning and execution

  • Create a plan and a task force for detecting and mitigating DDoS attacks when they occur.
  • Prepare communication plans for use during an attack, in case IP-based services are affected.

Threat landscape research

  • Track evolving DDoS attack methods to ensure that planning for future attacks remains adequate.


