Distributed denial-of-service (DDoS) attacks occur when attackers use a large number of devices to attempt to overwhelm a resource and deny access to that resource for legitimate use. Most commonly, we see DDoS attacks used against websites, applications, or services exposed to the internet, but DDoS attacks can also be applied against specific computers, gateways, or internal network resources.
To prevent DDoS attacks, we must first understand the distinctions between various DDoS attacks within the three main categories of Volumetric, Protocol, or Application DDoS attacks. However, some attacks fall outside of these three categories and most attackers use a mix of methods to make their attacks more difficult to stop.
What are the Main DDoS Attack Types?
DDoS attacks can usually be generalized into three categories of attack:
- Volumetric (raw attack volume)
- Protocol (misuse of IT Protocols)
- Application (misuse of application features)
Those three classifications contain dozens of DDoS attack types, such as UDP, ICMP, IP, TCP and HTTP flood attacks and their variants. We cover the categories and attack types in depth below.
Volumetric DDoS Attacks
Volumetric DDoS attacks attempt to overwhelm the resource’s capacity. Servers will be overwhelmed with requests, networks will be overwhelmed with traffic, and databases can be overwhelmed with calls.
On the internet, a volumetric DDoS attack seeks to saturate the attacked site's bandwidth, and the attack magnitude is typically measured in bits per second. Volumetric DDoS attacks include many different flood attacks (UDP, CharGEN, ICMP) and misused applications.
UDP Flood attacks
The User Datagram Protocol (UDP) does not establish a two-way session with a server. Instead, UDP simply sends data packets without waiting for a reply.
This characteristic makes UDP ideal for flood attacks that send enough packets to overwhelm a host listening on its ports for genuine UDP traffic. Attackers know that upon receiving a UDP packet on any port, the server must check whether an application is bound to that port and, if none is, typically answers with an ICMP Destination Unreachable message; either path consumes CPU and bandwidth.
Attackers target servers on the internet or within a network through the destination IP address and port carried in the UDP packets. The attack seeks to overwhelm the server with this per-packet processing or to consume the bandwidth of the network.
Specific UDP Flood Attacks can use:
- Domain Name Service (DNS)
- Network Time Protocol (NTP)
- Simple Service Discovery Protocol (SSDP)
- Media data such as audio or video packets
- Voice over IP (VoIP) telephone packets
- Peer-to-peer (P2P) networks like BitTorrent or Kad packets
- Simple Network Management Protocol (SNMP)
- Quote of the day (QOTD)
- Video game specific protocols like Quake and Steam
Variants of the UDP Flood attack include:
- UDP Fragmentation Flood: This variation of the UDP Flood attack sends larger, but fragmented, packets to the victim server. The server will attempt to reassemble the unrelated, forged, and fragmented UDP packets and may become overwhelmed in the process.
- Specific UDP Amplification Attacks: Instead of relying solely on a large number of compromised devices, attackers send small, legitimate-looking UDP requests to many legitimate servers with the victim's IP address spoofed as the source. The responses, which are often many times larger than the requests (the amplification factor), all converge on the victim and overwhelm it. Protocols often used in amplification attacks include NTP, DNS, SNMP, and SSDP.
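The two signals a defender uses to recognise reflected amplification traffic are many distinct sources answering from well-known service ports and a large inbound byte count from ports the victim never queried. The following is an added example written for this article, not code from the original page: it runs that check over a handful of constructed flow records (TEST-NET addresses) and shows how the published amplification factor turns a small spoofed request stream into a large attack. The flow field layout is an assumption and is not tied to any particular NetFlow or IPFIX exporter; the amplification factors are those listed in US-CERT alert TA14-017A.

```python
"""Flag reflected UDP amplification traffic in flow records.

Added example, not code from the original article. The flow tuples below are
constructed for illustration (TEST-NET addresses); the field layout is an
assumption and is not tied to any particular NetFlow/IPFIX exporter.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port their
# replies come from, with approximate bandwidth amplification factors as
# published in US-CERT alert TA14-017A.
REFLECTOR_PORTS = {
    19: ("CharGEN", 358.8),
    53: ("DNS", 28.0),      # up to 54 for ANY queries against large zones
    123: ("NTP", 556.9),    # monlist responses
    161: ("SNMPv2", 6.3),
    1900: ("SSDP", 30.8),
}

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, bytes, packets).
# Five reflectors (three NTP, two SSDP) all answer toward 198.51.100.5, which
# never asked them anything; the last two flows are ordinary traffic.
FLOWS = [
    ("203.0.113.10", 123, "198.51.100.5", 40123, 48_000, 100),
    ("203.0.113.11", 123, "198.51.100.5", 40123, 47_000, 98),
    ("203.0.113.12", 123, "198.51.100.5", 40123, 50_000, 104),
    ("192.0.2.20", 1900, "198.51.100.5", 40123, 30_000, 60),
    ("192.0.2.21", 1900, "198.51.100.5", 40123, 31_000, 62),
    ("192.0.2.7", 53, "198.51.100.9", 51000, 1_200, 8),        # one normal DNS answer
    ("192.0.2.8", 443, "198.51.100.9", 52000, 900_000, 700),   # TCP download, not a reflector port
]


def reflection_report(flows, min_reflectors=3, min_bytes=100_000):
    """Return {victim_ip: summary} for destinations receiving reflector-port
    traffic from at least min_reflectors distinct hosts totalling min_bytes.

    Both signals are needed together: the attacker sprays spoofed requests
    across many reflectors, and their replies are large for ports a client
    would normally only exchange a few small packets with.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    for src, sport, dst, _dport, nbytes, _pkts in flows:
        if sport not in REFLECTOR_PORTS:
            continue
        name, _factor = REFLECTOR_PORTS[sport]
        entry = per_victim[dst]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
        entry["services"].add(name)

    report = {}
    for dst, entry in per_victim.items():
        if len(entry["reflectors"]) >= min_reflectors and entry["bytes"] >= min_bytes:
            report[dst] = {
                "reflectors": len(entry["reflectors"]),
                "bytes": entry["bytes"],
                "services": sorted(entry["services"]),
            }
    return report


def spoofed_request_rate(service_port, target_bps):
    """Spoofed request traffic (bits/s) the attacker must send to the
    reflectors to deliver target_bps at the victim, given the published
    amplification factor for that service."""
    _name, factor = REFLECTOR_PORTS[service_port]
    return target_bps / factor


if __name__ == "__main__":
    print(reflection_report(FLOWS))
    # 10 Gbit/s at the victim via NTP monlist needs only about 18 Mbit/s of spoofed requests
    print(f"{spoofed_request_rate(123, 10e9) / 1e6:.1f} Mbit/s")
```

The thresholds are illustrative; in production they would be tuned per network, and the same grouping is usually done on the exporter or in the SIEM rather than in a script. The request-rate calculation is the reason amplification is attractive to attackers: the reflectors, not the attacker's botnet, supply almost all of the bandwidth.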
CharGEN Flood
Developed in 1983 (RFC 864), the Character Generator (CharGEN) protocol was intended for debugging, measurement, and testing. A requesting host triggers the protocol by opening a TCP connection or sending a UDP datagram to port 19. The receiving device then responds over the same transport with:
- Replies via TCP with a continuous stream of arbitrary characters until the connection is closed
- Replies via UDP with a single datagram containing a random number (0 to 512) of arbitrary characters
The requesting host discards anything it receives from the responding device.
Attackers spoof the IP address of the target server and send a flood of UDP requests to internet-exposed devices that still run CharGEN, such as printers and copiers. These devices then respond and bombard the target with port 19 traffic that is many times larger than the requests that triggered it. If the firewall does not block port 19, the target can be overwhelmed trying to receive and process the random traffic.
ICMP (Ping) Flood
The Internet Control Message Protocol consists of specific error messages and operational information commands sent between network devices such as Time Stamp, Time Exceeded error, Echo Request, and Echo Reply. Echo Request and Echo Reply combine to make the “ping” command.
Attackers use a large number of devices to flood the target with Echo Request (ping) packets, often from spoofed source addresses, without waiting for replies. The protocol obliges the target both to receive each request and to answer it with an Echo Reply, which consumes incoming and outgoing bandwidth as well as CPU time.
ICMP Fragmentation Flood
A variant of the ICMP Flood attack, the ICMP Fragmentation Flood sends fragmented ICMP packets instead of fully formed commands. The victim server attempts to reconstruct valid commands from the spoofed ICMP packets and will exhaust resources attempting to make connections between intentionally unrelated fragments.
Misused application attack
In misused applications attacks, hackers compromise existing high-traffic applications on legitimate servers such as P2P servers. The traffic from one or more compromised machines then will be redirected to the victim server, and the hacker will exit the system and allow it to work autonomously.
Since the compromised application is attempting to make a valid connection with properly formed packets, most defensive tools will allow the connection. The victim server simply will be overwhelmed with the surge in traffic.
Protocol DDoS Attacks
Instead of strictly using sheer volume, protocol DDoS attacks abuse protocols to overwhelm a specific resource, usually a server but sometimes firewalls or load balancers. These attacks will often be measured in packets per second.
IP Null attack
All IPv4 packets carry a header whose protocol field identifies the transport protocol of the payload (TCP, UDP, ICMP, and so on). Attackers can set this field to zero (a null value), and unless the server or firewall is configured to discard such packets, the target consumes resources attempting to determine how to deliver them.
TCP Flood attacks
The Transmission Control Protocol (TCP) regulates how different devices communicate through a network. Various TCP flood attacks abuse the basic TCP protocol to overwhelm resources through spoofing or malformed packets.
To understand the different attacks, it is helpful to understand how TCP works. The Transmission Control Protocol requires three communication sequences to establish a connection:
- SYN: The requesting device (client) sends a packet with the SYN flag set and its own initial sequence number (ISN) to the server or other destination device.
- SYN-ACK: The server responds with a packet carrying both the SYN and ACK flags, its own initial sequence number, and an acknowledgement number equal to the client's ISN plus one. At this point the server must allocate state for the half-open connection.
- ACK: The client returns a packet with the ACK flag set and an acknowledgement number equal to the server's ISN plus one, and the connection is established.
Transmission is ended through a four-part termination sequence consisting of:
- FIN: The requesting device sends a session termination request (FIN) to the server.
- ACK: The server responds with an ACK response to the requesting device, and the requesting device will wait to receive the FIN packet.
- FIN: The server responds with a FIN packet (may be nearly simultaneous) to the requesting device.
- ACK: The requesting device returns a final ACK response to the server, and the session is closed.
When servers receive an unexpected TCP packet, the server will send a RST (reset) packet back to reset the communication.
Flood attacks abusing the TCP protocol attempt to use malformed TCP transmissions to overwhelm system resources.
- SYN Flood: The attacker sends many SYN packets either from spoofed IP addresses or from hosts set up to ignore responses. The victim server responds to each with a SYN-ACK and holds a half-open connection in its listen backlog waiting for an ACK that never comes; once the backlog fills, legitimate connection attempts are dropped.
- SYN-ACK Flood: Attackers send a large number of spoofed SYN-ACK responses to the victim server. The targeted server will tie up resources attempting to match the responses to non-existent SYN requests.
- ACK Flood: Attackers send a large number of spoofed ACK packets to a server, which ties up resources attempting to match each ACK to a non-existent SYN-ACK. Packets with the PSH flag set can be used for the same purpose.
- ACK Fragmentation Flood: A variation of the ACK Flood, this method sends fragmented ACK packets, each fragment fitting within the typical 1,500-byte Ethernet frame, that together claim to reassemble into a packet approaching or exceeding the maximum IP packet length of 65,535 bytes (including the header). When servers, routers, and firewalls attempt to reassemble the fragments, the reassembly buffers exceed the allocated resources and can cause memory exhaustion or crash the device.
- RST/FIN Flood: Attackers use spoofed RST or FIN packets to flood servers and consume resources with attempts to match the packets to non-existent open TCP sessions.
- Multiple ACK Spoofed Session Flood: In this variation attackers send multiple ACK packets followed by RST or FIN packets to more thoroughly mimic actual TCP traffic and fool defenses. Of course, the packets are spoofed, and the server will consume its resources trying to match the fake packets with non-existent open TCP sessions.
- Multiple SYN-ACK Spoofed Session Flood: This variation uses multiple SYN and ACK packets also followed by RST or FIN packets. As with the Multiple ACK Spoofed Session Flood, the spoofed packets attempt to mimic legitimate TCP traffic and waste server resources with attempts to match fake packets to legitimate traffic.
- Synonymous IP Attack: To execute this method, attackers spoof SYN packets that use the victim server’s IP address for both the source and destination IP address of the packet. The nonsense packet then consumes resources as the server attempts to either respond to itself (AKA: local area network denial, or LAND, attack) or resolve the contradiction of receiving a packet from itself related to open communication with itself for TCP sessions that it cannot match.
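The handshake and the flood variants above are easiest to see as state a listener must keep. The following is an added example written for this article, not code from the original page: a small tracker that keeps the server-side view of the three-way handshake (checking the sequence and acknowledgement numbers the way a real stack does), then runs it over constructed packet tuples containing one genuine connection, 200 spoofed SYNs that never complete, and a few stray ACK and RST packets. Packet tuples, addresses (TEST-NET ranges) and the backlog threshold are assumptions for the demo.

```python
"""Model the handshake state a TCP listener keeps, and flag SYN/ACK floods.

Added example, not code from the original article. Packets are constructed
tuples (src_ip, src_port, dst_ip, dst_port, flags, seq, ack); a real deployment
would feed these from a packet capture. Addresses are TEST-NET ranges.
"""
from collections import defaultdict


class HandshakeTracker:
    """Minimal server-side view of the three-way handshake."""

    def __init__(self):
        # (client, cport, server, sport) -> (client_isn, server_isn or None)
        self.half_open = {}
        self.established = set()
        # flags -> packets that matched no known connection (flood indicator)
        self.unmatched = defaultdict(int)

    def observe(self, src, sport, dst, dport, flags, seq, ack):
        fwd = (src, sport, dst, dport)   # packet direction client -> server
        rev = (dst, dport, src, sport)   # same connection seen from the server side
        if flags == "S":
            # The listener must allocate backlog state here and answer SYN-ACK.
            self.half_open[fwd] = (seq, None)
        elif flags == "SA":
            state = self.half_open.get(rev)
            if state is None or ack != state[0] + 1:
                self.unmatched["SA"] += 1     # SYN-ACK with no SYN behind it
                return
            self.half_open[rev] = (state[0], seq)
        elif flags == "A":
            state = self.half_open.get(fwd)
            if state is None or state[1] is None or ack != state[1] + 1:
                self.unmatched["A"] += 1      # ACK flood: a lookup that finds nothing
                return
            del self.half_open[fwd]           # handshake complete, backlog slot freed
            self.established.add(fwd)
        elif flags in ("R", "F", "FA", "RA"):
            known = any(k in self.half_open or k in self.established for k in (fwd, rev))
            if not known:
                self.unmatched[flags] += 1    # RST/FIN flood against non-existent sessions
                return
            for k in (fwd, rev):
                self.half_open.pop(k, None)
                self.established.discard(k)


def analyze(packets):
    tracker = HandshakeTracker()
    for pkt in packets:
        tracker.observe(*pkt)
    half_open = defaultdict(int)
    for (_client, _cport, server, _sport) in tracker.half_open:
        half_open[server] += 1
    return {
        "established": len(tracker.established),
        "half_open": dict(half_open),
        "unmatched": dict(tracker.unmatched),
    }


def syn_flood_suspects(report, backlog_limit=128):
    """Servers holding more half-open connections than a modest listen backlog."""
    return {s: n for s, n in report["half_open"].items() if n > backlog_limit}


def sample_packets():
    """Constructed traffic: one real handshake, 200 spoofed SYNs, stray ACKs and RSTs."""
    server = "198.51.100.5"
    pkts = [
        ("192.0.2.10", 50000, server, 443, "S", 1000, 0),
        (server, 443, "192.0.2.10", 50000, "SA", 5000, 1001),
        ("192.0.2.10", 50000, server, 443, "A", 1001, 5001),
    ]
    for i in range(200):
        src = f"203.0.113.{i % 250 + 1}"
        pkts.append((src, 40000 + i, server, 443, "S", 7000 + i, 0))
        # The victim dutifully answers every spoofed SYN; the final ACK never arrives.
        pkts.append((server, 443, src, 40000 + i, "SA", 9000 + i, 7001 + i))
    for i in range(5):
        pkts.append(("203.0.113.250", 60000 + i, server, 443, "A", 1, 1))
    for i in range(3):
        pkts.append(("203.0.113.251", 61000 + i, server, 443, "R", 1, 0))
    return pkts


if __name__ == "__main__":
    report = analyze(sample_packets())
    print(report)
    print("SYN flood suspects:", syn_flood_suspects(report))
```

Two points worth noting. First, the tracker itself is per-flow state of exactly the kind a stateful firewall or load balancer keeps, so a detector built this way has the same exhaustion problem as the server it protects and needs a hard cap on table size. Second, the standard host-side mitigation is SYN cookies (on Linux, `net.ipv4.tcp_syncookies=1`), which let the listener answer SYNs without storing a half-open entry at all; the backlog size is `net.ipv4.tcp_max_syn_backlog`.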
Session Attack
Attackers do not have to use spoofed IP addresses or spoofed packets to conduct a DDoS attack. A session attack uses a large number of bots, each with a genuine routable IP address, to initiate legitimate TCP sessions with the target server. Because the handshakes complete from real addresses, the traffic passes SYN-flood detection, but the bots then delay their ACKs and send little or no data, so the server must keep many idle sessions open and exhausts the resources reserved for them.
Slowloris Attack
Similar to the session attack, the Slowloris attack consumes server resources with nearly empty communication. The attacker sends partial HTTP requests (a request line and headers that never end with the blank line that terminates the header block) to a web server and keeps trickling header lines to hold open as many connections as possible for as long as possible. These attacks use very little bandwidth and can be difficult to detect with volume-based defenses.
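What makes Slowloris work is a server that only applies an idle timeout between reads, which the attacker stays just under; the fix is a deadline on the whole request head. The following is an added example written for this article, not code from the original page or from any web server: it compares a naive reader with one that bounds total time and total bytes for the request head. To run offline, the "client" is an iterator of (delay_seconds, bytes) chunks driving a simulated clock instead of a real socket; the chunk sequences, timeouts and size cap are constructed assumptions.

```python
"""Read an HTTP request head under a cumulative deadline, not just an idle timeout.

Added example, not code from the original article. The "client" is an iterator
of (delay_seconds, bytes) chunks driving a simulated clock, so the demo runs
offline; the chunk sequences below are constructed.
"""


def legit_chunks():
    """A normal browser: the whole request head arrives in one read."""
    yield (0.01, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n")


def slowloris_chunks(n_headers):
    """Slowloris: a valid start, then one bogus header line every 9 s, and never
    the blank line that ends the head."""
    yield (0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    for i in range(n_headers):
        yield (9.0, f"X-a: {i}\r\n".encode())


def naive_read_head(chunks, idle_timeout=15.0):
    """Per-read idle timeout only. Slowloris stays under it indefinitely, so the
    worker is tied up for as long as the attacker keeps trickling bytes."""
    clock, buf = 0.0, b""
    for delay, data in chunks:
        if delay > idle_timeout:
            return ("idle_timeout", None, clock + delay)
        clock += delay
        buf += data
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return ("complete", buf[: end + 4], clock)
    return ("closed", None, clock)   # peer closed without finishing the head


def read_head_with_deadline(chunks, head_timeout=10.0, max_head=8192):
    """Bound both the total time and the total bytes spent on a request head."""
    clock, buf = 0.0, b""
    for delay, data in chunks:
        clock += delay
        if clock > head_timeout:
            return ("too_slow", None, clock)
        buf += data
        if len(buf) > max_head:
            return ("too_large", None, clock)
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return ("complete", buf[: end + 4], clock)
    return ("closed", None, clock)


if __name__ == "__main__":
    print(naive_read_head(slowloris_chunks(100)))          # worker busy for 900 simulated seconds
    print(read_head_with_deadline(slowloris_chunks(100)))  # rejected at 18 s
    print(read_head_with_deadline(legit_chunks())[0])      # complete
```

Real servers expose exactly these knobs: Apache's mod_reqtimeout (`RequestReadTimeout`) and Nginx's `client_header_timeout` put a ceiling on the time a client may take to deliver the request head, and `LimitRequestFieldSize` / `large_client_header_buffers` cap its size. A per-connection cap is still not enough on its own; the connection count per source address also has to be limited, because the attacker simply opens more connections.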
Ping of Death
The Ping of Death attack abuses the maximum IP packet length of 65,535 bytes (including the header) in a fashion similar to the ACK Fragmentation Flood. Since the maximum frame size for sending data across an Ethernet network typically will be set at 1,500 bytes, the attackers will send multiple IP fragments that comply with the Ethernet limitation, but that will assemble into a packet that exceeds the maximum IP packet length. As the recipient computer reassembles the IP fragments, it can overflow memory buffers assigned to the packet or crash the computer.
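The reassembly abuses described in this section (UDP and ICMP fragmentation floods, the ACK Fragmentation Flood, and Ping of Death) are defeated by two checks in the reassembler: reject any fragment whose offset plus length would push the datagram past the IPv4 maximum, and bound how many partially reassembled datagrams are held at once. The following is an added example written for this article, not code from the original page or from any operating system's network stack: a small IPv4 fragment reassembler with both checks, run over constructed fragments (TEST-NET addresses). Fragment offsets are in 8-byte units as in the IPv4 header; for simplicity the reassembler counts payload bytes only, so the limit is 65,535 minus the 20-byte header.

```python
"""IPv4 fragment reassembly with the two checks that defeat Ping of Death and
fragmentation floods.

Added example, not code from the original article. Fragments are constructed
tuples; offsets are in 8-byte units as in the IPv4 header. Only payload bytes
are tracked, so the limit is the 65,535-byte datagram maximum minus a 20-byte
header.
"""
from collections import OrderedDict

MAX_IP_PAYLOAD = 65535 - 20


class FragmentReassembler:
    def __init__(self, max_payload=MAX_IP_PAYLOAD, max_pending=64):
        self.max_payload = max_payload
        self.max_pending = max_pending
        # (src, dst, id, proto) -> {"frags": {byte_offset: payload}, "total": int or None}
        self.pending = OrderedDict()

    def add(self, src, dst, ident, proto, frag_offset, more_fragments, payload):
        """Return ("dropped", reason), ("pending", None) or ("complete", data)."""
        start = frag_offset * 8
        end = start + len(payload)
        if end > self.max_payload:
            # Ping of Death: offset 8191 (65,528 bytes) plus any payload over 7 bytes
            return ("dropped", f"fragment would end at byte {end} > {self.max_payload}")
        key = (src, dst, ident, proto)
        buf = self.pending.get(key)
        if buf is None:
            if len(self.pending) >= self.max_pending:
                # Fragmentation flood: refuse new datagrams rather than grow without bound
                return ("dropped", "too many datagrams awaiting reassembly")
            buf = self.pending[key] = {"frags": {}, "total": None}
        buf["frags"][start] = payload
        if not more_fragments:
            buf["total"] = end        # the last fragment reveals the full length
        data = self._assemble(buf)
        if data is None:
            return ("pending", None)
        del self.pending[key]
        return ("complete", data)

    @staticmethod
    def _assemble(buf):
        if buf["total"] is None:
            return None
        out, pos = bytearray(), 0
        for offset in sorted(buf["frags"]):
            if offset != pos:         # gap: still waiting for a middle fragment
                return None
            out += buf["frags"][offset]
            pos += len(buf["frags"][offset])
        return bytes(out) if pos == buf["total"] else None


if __name__ == "__main__":
    r = FragmentReassembler()
    # Legitimate 2,000-byte ICMP payload split to fit 1,500-byte Ethernet frames
    print(r.add("192.0.2.1", "198.51.100.5", 1, 1, 0, True, b"A" * 1480)[0])
    print(r.add("192.0.2.1", "198.51.100.5", 1, 1, 185, False, b"B" * 520)[0])
    # Ping of Death: last fragment at offset 8191 * 8 with 20 bytes of payload
    print(r.add("203.0.113.9", "198.51.100.5", 7, 1, 8191, False, b"C" * 20))
```

A production reassembler also ages out incomplete datagrams after a timer and handles overlapping fragments (which this version silently overwrites by offset), but the length bound and the pending-buffer cap are the two controls that matter for the attacks above.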
Smurf Attack
The Smurf attack (named after the original tool) abuses the IP and ICMP protocols by sending a large number of ICMP Echo Requests, with the source address spoofed to the target's IP address, to the broadcast address of a network. Every device on that network answers the request, and the combined replies may overwhelm the target. Since 1999 (RFC 2644), routers do not forward directed-broadcast packets by default, so this attack is far less effective than it once was.
Fraggle Attack
Fraggle attacks are a variation of the Smurf attack that spoof UDP packets (typically to the echo or CharGEN ports) instead of ICMP packets, again aimed at the broadcast address of a network. Every device on the network that answers the UDP requests sends its reply to the target, which may be overwhelmed. The same default of not forwarding directed broadcasts reduces the effectiveness of this attack.
Low Orbit Ion Cannon (LOIC)
The Low Orbit Ion Cannon open-source software was designed as a network stress-testing tool that sends a large number of packets (UDP, TCP, HTTP) to a target device. Unfortunately, attackers deploy LOIC on botnets and use it to execute DDoS attacks.
High Orbit Ion Cannon (HOIC)
The High Orbit Ion Cannon application replaced the Low Orbit Ion Cannon with a publicly available application that can submit a large number of GET and HTTP POST requests to up to 256 different domains at the same time. HOIC can be more powerful and disruptive than LOIC when used by malicious attackers.
Application DDoS Attacks
Application DDoS attacks target vulnerabilities in applications to cause the application itself to fail. Unlike other attacks that focus on disrupting infrastructure, this attack focuses on the Layer 7 software. However, it can also result in overloaded CPUs or exhausted memory, which affect the server and other applications. The magnitude of an application DDoS attack is measured in requests per second.
For example, computationally heavy processes, such as adding an item to a shopping cart or proceeding to checkout, can be abused with many concurrent requests to overwhelm the program’s limits or the host computer’s resources. Other attacks target specific vulnerabilities in software or use SQL injections to disrupt databases.
Application DDoS attacks with specific names include:
HTTP Flood attacks
HTTP Flood attacks abuse ordinary HTTP requests to overwhelm websites, the servers that host them, and the bandwidth used to reach them. Each bot can send many requests in sequence, so the large number of machines in the botnet multiplies the traffic for the target website.
- GET Attacks: Attackers use a botnet to send a large number of concurrent GET requests for large files such as large PDF files or videos.
- POST Attacks: A large number of bots send a large number of concurrent POST requests containing large files for storage on the target server.
- Low-and-Slow POST Attacks: Often performed using the R-U-Dead-Yet? (R.U.D.Y.) tool, attackers send HTTP Post requests that indicate they will send large amounts of data but then send tiny bits of data very slowly. The attack avoids DDoS defenses looking for large volume attacks and ties up resources on the server.
- Single Session or Single Request Attack: Many anti-DDoS defenses now block sources that send large numbers of incoming packets, so attackers instead use HTTP/1.1 persistent connections and pipelining to pack many requests into a single session, or even a single packet, so that a small number of packets produces a large number of requests.
- Fragmented HTTP Flood: Instead of sending large numbers of valid requests, botnets establish valid HTTP connections and can split the HTTP packets into tiny fragments sent as slowly as the server will allow. This form of low-and-slow attack uses a packet rate that appears to be safe for many DDoS defenses, but the software or server keeps the session active and consumes resources with reserved bandwidth. The Slowloris tool enables this type of attack.
- Recursive GET Flood: Attackers attempt to overwhelm servers by requesting long lists of pages or images. The attack appears to be normal browsing behavior, but the botnet simply is chewing up resources that now cannot be used for legitimate traffic.
- Random Recursive GET Flood: A variant of the Recursive GET Flood, this attack randomizes the requested pages to avoid detection.
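Because application floods are measured in requests per second, the first-line detection is a per-client rate over a sliding window, with the count of distinct URLs separating a recursive GET flood (which walks many pages) from a GET flood hammering one large file. The following is an added example written for this article, not code from the original page: an access-log parser and rate counter run over constructed log lines in Apache/Nginx combined format, with one human browsing, one bot pulling a PDF 60 times in a second and one bot walking 40 distinct pages in a second. Addresses, paths and thresholds are assumptions for the demo.

```python
"""Spot HTTP-flood sources in an access log by requests per second per client.

Added example, not code from the original article. The log lines are
constructed in Apache/Nginx combined format; thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return (ip, unix_time, method, path, bytes) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return m["ip"], ts, m["method"], m["path"], size


def flood_sources(lines, window=1.0, max_requests=20):
    """Return {ip: {"peak": n, "bytes": b, "paths": p}} for clients that issued
    more than max_requests within any sliding window of `window` seconds.

    `paths` (distinct URLs requested) separates a recursive GET flood, which
    walks many pages, from a GET flood hammering one large file.
    """
    recent = defaultdict(deque)
    stats = defaultdict(lambda: {"peak": 0, "bytes": 0, "paths": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, path, size = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        s = stats[ip]
        s["peak"] = max(s["peak"], len(q))
        s["bytes"] += size
        s["paths"].add(path)
    return {
        ip: {"peak": s["peak"], "bytes": s["bytes"], "paths": len(s["paths"])}
        for ip, s in stats.items() if s["peak"] > max_requests
    }


def sample_log():
    """Constructed: one human browsing, one bot pulling a PDF 60 times in a second,
    one bot walking 40 distinct pages in a second."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 {size}'
    lines = [fmt.format(ip="192.0.2.10", sec=30 + 2 * i, path=f"/page{i}", size=5_000)
             for i in range(5)]
    lines += [fmt.format(ip="203.0.113.77", sec=36, path="/big.pdf", size=8_000_000)
              for _ in range(60)]
    lines += [fmt.format(ip="203.0.113.78", sec=36, path=f"/a/{i * 7919 % 1000}", size=3_000)
              for i in range(40)]
    return lines


if __name__ == "__main__":
    for ip, info in flood_sources(sample_log()).items():
        print(ip, info)
```

Per-IP rate limiting of this kind is what a WAF or reverse proxy applies in front of the application; its weakness is that a large botnet can stay under the per-client threshold while still exceeding the server's aggregate capacity, and low-and-slow attacks such as R.U.D.Y. never trip it at all, which is why the connection-time and request-head deadlines described for Slowloris are needed alongside it.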
Regular Expression Denial of Service (ReDoS)
A regular expression denial-of-service (ReDoS) attack targets applications that validate or search input with regular expressions containing nested or overlapping quantifiers. The attacker submits input crafted to trigger catastrophic backtracking in the regex engine, so that a single request can take exponential time to process, wasting CPU or even crashing the system.
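The textbook case of the backtracking described above is a nested quantifier such as `(a+)+` followed by an anchor, fed a string that almost matches. The following is an added example written for this article, not code from the original page: it puts the vulnerable pattern beside an equivalent one with a single quantifier, measures both on the same crafted inputs, and shows why the number of attempts grows exponentially. Patterns, inputs and sizes are constructed for the demonstration.

```python
"""Catastrophic backtracking: a vulnerable validation regex beside its linear fix.

Added example, not code from the original article. The patterns and inputs are
constructed; the vulnerable one is the textbook nested-quantifier case.
"""
import re
import time

# Nested quantifier: a run of n 'a's that ends in a non-match can be split
# between the inner and outer '+' in 2**(n-1) ways, and on failure the
# backtracking engine tries every one of them before giving up.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language (one or more 'a'), one quantifier, linear time.
SAFE = re.compile(r"^a+$")


def evil_input(n):
    """Almost matches: n 'a's then a character that forces the final failure."""
    return "a" * n + "!"


def backtracking_paths(n):
    """Number of ways n 'a's can be split into non-empty groups (the
    compositions of n), which is the order of attempts the nested quantifier
    makes on evil_input(n) before failing: 2**(n-1)."""
    return 2 ** (n - 1)


def timed_match(pattern, text):
    """Return (matched, seconds) so the cost of the pattern is visible."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    print("n  paths      vulnerable   safe")
    for n in (10, 14, 18, 20):
        _, t_vuln = timed_match(VULNERABLE, evil_input(n))
        _, t_safe = timed_match(SAFE, evil_input(n))
        print(f"{n:<2} {backtracking_paths(n):<10} {t_vuln * 1000:8.1f} ms {t_safe * 1000:8.3f} ms")
```

Each extra character roughly doubles the time of the vulnerable pattern while the safe one stays flat, which is exactly the asymmetry an attacker exploits: a request of a few dozen bytes costs the server seconds of CPU. Beyond rewriting the pattern, Python 3.11 and later support possessive quantifiers (`a++`) and atomic groups (`(?>...)`) that forbid the backtracking, and engines such as RE2 (used by Go's `regexp`) guarantee linear time by design at the cost of backreferences.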
Other DDoS Attack Types
Although volume, protocol, and application attacks represent the most common forms of DDoS attacks, some attacks fall outside of clean categorization.
Advanced Persistent DoS (APDoS)
APDoS is an attack type used by attackers who want to cause serious damage. It combines several styles of attack, such as HTTP flooding and SYN flooding, routinely targets multiple attack vectors at once, and can send millions of requests per second. APDoS attacks can last for weeks, largely because the attacker switches tactics at any moment and creates diversions to elude security defenses.
Attackers can deploy many concurrent attacks to cause DDoS. For example, an attacker might use a volumetric attack to distract defenders while simultaneously executing a low bandwidth HTTP Flood attack from a different botnet.
Zero-Day DDoS Attacks
Attackers may discover undisclosed vulnerabilities for applications, protocols, or hardware and execute a DDoS attack. When exploiting a new vulnerability, the attack is a zero-day attack.
Bottom Line: Stopping and Preventing DDoS Attacks
We understand types of DDoS attacks so that we can stop them. A wide variety of resources can be vulnerable to an even wider variety of DDoS attacks. Security and operations teams need to work together to balance the accessibility and performance of the resource against its security and risks.
Redundancy will be critical for defense and recovery from DDoS attacks, but dedicated attackers have been known to attack multiple web servers simultaneously, so load balancers and redundancy alone will be insufficient. Record-setting DDoS attacks make headlines and illustrate the enormous potential volume of web-based DDoS attacks:
- Google blocked a Layer 7 DDoS attack that peaked at 46 million requests per second.
- Akamai blocked a traffic surge of 809 million packets per second.
- Imperva blocked an attack with 25.3 billion total requests over four hours.
The defense against these attacks requires an overlapping and supporting combination of device hardening, redundancy, anti-DDoS tools, and anti-DDoS services – and perhaps the support of a DDoS prevention and response service.