16 Types of DDoS Attacks and How They Work

DDoS network attack

16 Types of DDoS Attacks and How They Work

With most businesses going digital, distributed denial-of-service (DDoS) attacks have become common. Hackers mainly use the attacks against websites, applications, and other internet-based services. They can also use DDoS attacks against internal network resources, specific computers, and gateways. In both cases, a hacker tries to overwhelm the servers, thus crippling their operation. There are many types of DDoS attacks, and we spread them across three major categories. The categories are Protocol, Application, and Volumetric DDoS attacks. Other DDoS attacks are outside these categories, but this article will focus on the 16 types available within the three categories. Let’s dive in. 

What Is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a type of cybercrime where the malicious party tries to disrupt the normal functioning of a targeted application, server, or network by flooding the target and its infrastructure with internet traffic. 

DDoS attacks are usually tailored for online services and systems, which, when overwhelmed, cannot function well and eventually crash. You can picture a DDoS attack as a hundred people trying to get through a single exit, ultimately blocking the exit and limiting movement out of the building. With that in mind, here are the different types of DDoS attacks and how they work.

Volumetric DDoS Attacks

A hacker floods the network server until it is completely overwhelmed and crashes in Volumetric DDoS attacks.

Volumetric DDoS attacks typically flood and eventually overwhelm the capacity of the targeted resource. The attack uses requests to overwhelm servers, traffic for networks, and calls for databases. A volumetric DDoS attack saturates the target website’s bandwidth for the internet. There are several types of volumetric DDoS attacks, and we shall examine them below:

UDP Flood Attacks 

UDP flood attacks send several data packets to overwhelm the host listening to these packets. The packets reach the server, which tries to assign applications corresponding to these packets. These application assignments trigger processes within the server that eventually overpower it. Most attackers target internet and network-based servers using IP addresses and ports usually embedded within the UDP packets.

UDP flood attacks come in two variants: UDP fragmentation flood and specific UDP amplification attacks. A UDP fragmentation flood sends large fragmented packets to the targeted server, which tries to assemble these UDP packet fragments, a process that overwhelms the server. On the other hand, specific UDP amplification attacks send legitimate UDP requests to many legitimate servers. It includes the targeted server in the process and spoofs its IP address. As a result, the victim server receives all the responses from the legitimate servers, which eventually crashes it. NTP, SSDP, and SNMP are the commonly used protocols in amplification attacks.

ICMP (Ping) Flood

Under this DDoS attack, the malicious party uses several devices to send spoofed ping packets to the server without waiting for responses. Since the Internet Control Message Protocol (ICMP) requires the server to respond to requests upon receipt, flooding the server with these ping packets consumes outgoing and incoming bandwidth and ultimately overwhelms the server. 

ICMP Fragmentation Flood

An ICMP fragmentation flood works in the same manner as ICMP flood attacks. However, it sends fragmented ping packets as opposed to fully formed packets. As a result, the targeted server tries to reconstruct these spoofed ICMP fragmented packets, causing increased traffic. The traffic overwhelms the server resources, causing it to fail. 

Misused Application Attack

In a misused application attack, the malicious party takes advantage of a compromised legitimate application on a legitimate server. This application must have high traffic, which the hacker redirects to the targeted server before exiting the system. This DDoS attack occurs autonomously, with legitimate packets from the compromised application to the server. As a result, most defensive mechanisms miss this attack, and eventually, the victim server gets overwhelmed by the increased traffic. 

CharGen Flood

The CharGen protocol was initially intended for measuring, testing, and debugging. A server sends a Transmission Control Protocol (TCP) or a UDP protocol using port 19. The receiving party then responds using either protocol for sending the request. 

Malicious parties use the CharGen protocol by spoofing the victim server’s IP address before sending multiple requests to internet devices that support CharGen. The devices respond and overwhelm the server with port 19 traffic. At this point, the server may only survive if the firewall blocks port 19. If not, the system will crash. 

Application DDoS Attacks

Application DDoS attacks look for vulnerabilities in applications and make them fail. They focus on Layer 7 software, resulting in exhausted memory and overloaded CPUs, thus affecting the server and other applications. Let us look at the different types of application DDoS attacks:

HTTP Flood Attacks 

HTTP flood attacks use HTTP commands to overwhelm websites and their hosting servers. The attack uses bots to send multiple requests, increasing the data traffic the victim’s website receives. Some of the requests the botnets send include GET requests and POST requests.


The malicious party requests highly complex search patterns when using regular expression denial-of-service (ReDoS). Since the patterns are algorithmically complex, they waste server resources, causing a system crash.  

Protocol DDoS Attacks

fiber optic
Hackers use various packet based loopholes to trick and overwhelm network resources through either size or sheer quantity of packets in a Protocol DDoS attack.

Protocol DDoS attacks abuse protocols by overwhelming servers or firewalls. The method does not use sheer volume, and we measure the attacks in packets per second. Let’s look at some of them:

IP Null Attack

Internet Protocol 4 version has headers that specify the transport protocol being used. All packets that conform to the Internet protocol 4 use this. Attackers can exploit this by setting the headers to a null value. The server will not have specific instructions to discard incoming packets and consume all resources to determine the delivery method for those packets.

TCP Flood Attacks

The communication between different devices through a network is regulated by the Transmission Control Protocol (TCP). TCP flood attacks abuse protocols through spoofing, which overwhelms the system’s resources.

TCP has three communication sequences that end through a four-part sequence. When the server receives an unexpected TCP, it sends a reset (RST) packet as a countermeasure. Flood attacks aim at abusing TCP protocols by using malformed TCP transmissions, which overwhelm resources.

Types of TCP Flood Attacks
  • SYN Flood: A masked IP address sends many SYN request packets. The target server holds open the communication bandwidth by responding with SYN-ACK packets.
  • SYN-ACK Flood: Large numbers of spoofed SYN-ACK responses are sent to the target server. The server then ties up resources to match the non-existent SYN requests.
  • ACK Flood: They carry this attack out by sending many spoofed ACK responses to a target server. This ties up resources as the server attempts to match the ACK responses with SYN-ACK packets. There’s the alternative of using a TCP push function for this attack.
  • ACK Fragmentation Flood: Fragmented packets are used to abuse the maximum IP packet length. The target server will make unsuccessful attempts to reconstruct the fragmented packets. The reconstructions exceed the allocated resources, causing memory overflow errors.
  • FIN Flood: Attackers flood servers and deplete resources by attempting to match forged RST or FIN packets to fake open TCP sessions.
  • Multiple ACK Spoofed Session Flood: Attackers repeatedly send ACK packets, followed by FIN or RST packets, to resemble real TCP traffic more closely and trick security measures.  The server uses resources to match the fake packets with open TCP sessions.
  • Multiple SYN-ACK Spoofed Session Flood: Multiple SYN and ACK packets are used together with FIN and RST packets. This method replicates real TCP traffic by matching fake packets with real packets, which consume server resources.
  • Synonymous IP Attack: Attackers use this tactic by spoofing SYN packets with the IP address of the target server as the packet’s source and destination. The nonsense packet depletes resources as the server tries to respond to itself (also referred to as a local area network denial attack or LAND attack) or deals with receiving a packet from itself.


Slowloris attacks aim at depleting server resources by filling them with empty communication. The attacker must keep the sessions open and running for as long as possible. They send web servers partial HTTP requests to keep the sessions running. Identifying this attack is not easy, as it uses very little bandwidth. 

Session Attack

In this method, attackers don’t need to mask their IP addresses or use hidden packets to start a DDoS attack. Several bots are used to reach the optimum range of the source IP or exceed it to initiate allowed connections with the target server. The DDoS attack avoids detection because it uses legitimate TCP sessions from real IP addresses. However, it delays ACK packets to consume bandwidth and depletes resources by keeping idle sessions open.

Ping of Death

The maximum IP packet length is 65,535 bytes. Ping of death attack abuses this length just like the ACK fragmentation flood. The frame size for sending data across a network is 1,500 bytes. These attackers send numerous IP fragments that fall within the Ethernet restriction but will combine into a packet that exceeds the maximum IP packet length. The computer might crash during the process or overflow the memory buffers assigned to the packet.

Fraggle Attack 

The Fraggle attack is a variant of the Smurf attack that spoofs UDP packets rather than ICMP packets to flood the target machine with traffic and target the broadcast address of a network router. All network devices responding to UDP requests could cause the receiving device to overload. The effectiveness of this attack is reduced because most modern routers don’t automatically forward packets sent to the broadcast address.

Smurf Attack

The Smurf malware program sends several ICMP ping requests to a router’s broadcast address while spoofing the IP address of the target device using the IP and ICMP protocols. As each device on the network replies to the ping request, the receiving device might become overloaded. This method is less effective because most routers don’t automatically forward packets sent to the broadcast address.

High Orbit Ion Cannon (HOIC)

The High Orbit Ion Cannon program replaced the Low Orbit Ion Cannon because it can send many GET and HTTP POST requests to up to 256 different websites simultaneously. HOIC may be more efficient and disruptive than LOIC when applied by aggressive attackers.

Low Orbit Ion Cannon (LOIC)

The LOIC open-source software, developed as a network stress testing tool, sends many packets (UPD, TCP, and HTTP) to a target device. Attackers use this technique to launch DDoS attacks from botnets.

Reasons Behind DDoS Attacks

404 Error page (website)
When the user can’t access a website, they will go elsewhere and any entity linked to the page will slowly lose their reputation for being reliably available.

DDoS attacks have become the most common cyber threat. What’s the motivating factor, and why is the number of attacks increasing? Let’s look at some of the reasons behind these attacks:

Business Rivalries

Running a business can be difficult, especially when facing stiff competition. DDoS attacks can be used to deal with competitors’ websites and derail their operations.


DDoS attacks are used to make a quick buck from targets. Perpetrators penetrate your servers and demand money in return. Economic benefits act as the motivating factor.

Cyber Warfare

The government can authorize DDoS attacks for different reasons. It can deal with specific threats and malicious sites or cripple an enemy nation’s infrastructure.

Different Ideologies

People have different opinions and ideologies on some issues. DDoS attacks can target sites whose information is misleading or not compatible with the attackers.

How to Prevent DDoS Attacks

types of information security threats
Various cybersecurity measures can be implemented to reduce either the risk of a DDoS attack or the consequences following aDDoS attack.

Now that you know all the types of DDoS attacks, how exactly can you prevent them from happening? Here are some of the methods you can use:

Server Redundancy 

You can use server redundancy to ensure your system remains online even after a DDoS attack. Redundancy entails having multiple wave servers, thus ensuring you are safe in case one suffers a DDoS attack. However, redundancy only sometimes works, since some hackers target multiple web servers simultaneously. 

DDoS Defense Systems (DDS)

You can use anti-DDoS tools and services such as Impervia and Akamai to protect your system. A DDS detects legitimate-looking content that may harm your system and blocks them. A DDS can protect your system against volumetric and protocol attacks. 

Rate Limiting

You can limit the number of requests a server can process within a given time frame, thus reducing the chances of your server being overwhelmed with requests. 

Real-Time Packet Analysis

You can analyze packets using rules as they enter the system. Any packets that are found housing potentially malicious content are then blocked. 

Wrapping Up

Since the onset of the COVID-19 pandemic, most businesses have operated online, thus paving the way for DDoS attacks from parties with malicious intent. Hackers are advancing daily and developing more advanced and undetectable DDoS attack methods. To ensure your system or website runs smoothly, you can protect yourself using the aforementioned preventive methods.

Frequently Asked Questions

What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target with a flood of internet traffic from multiple sources. This can be achieved by using a botnet, which is a group of computers or other devices that have been compromised and controlled by the attacker. The goal of a DDoS attack is to render the targeted resource unavailable to its users, resulting in loss of revenue, damage to reputation, or other negative consequences.

How can I protect against DDoS attacks?

You can protect against DDoS attacks by implementing a few key strategies. These include using a reputable DDoS protection service, keeping your software and systems up to date, setting up firewalls and intrusion detection/prevention systems, and having a plan in place for responding to an attack. Additionally, you can implement traffic monitoring and analysis tools to help detect and mitigate potential DDoS attacks. It’s important to also educate yourself and your team on DDoS attacks so that you can recognize and respond to them appropriately.

Can an Antivirus prevent DDoS attack?

Antivirus cannot prevent a DDoS attack, as DDoS attacks are carried out by overwhelming the target’s network with traffic from multiple sources. Antivirus software is designed to protect against viruses and other types of malware that can infect a device or network, but it cannot prevent a DDoS attack. To protect against DDoS attacks, it is necessary to use specialized tools and techniques such as firewalls, load balancers, and DDoS mitigation services.

How do Firewalls stop DDoS attacks?

Firewalls can help prevent DDoS attacks by monitoring and filtering network traffic. When a firewall detects an excessive number of requests from a particular IP address or a particular type of traffic, it can block that traffic from reaching its intended destination. Firewalls can also be configured to allow only authorized traffic to pass through, which helps prevent unauthorized access and limits the attack surface for potential DDoS attackers. Additionally, firewalls can be equipped with features such as rate limiting and packet inspection to help detect and mitigate DDoS attacks in real time. However, firewalls alone may not be enough to completely prevent DDoS attacks, and other security measures, such as intrusion detection and prevention systems, load balancers, and content delivery networks may also be necessary.

How can I tell if my system is under a DDoS attack?

Some common signs of a DDoS attack include:

  • A significant increase in traffic to your website or server
  • A slow or unresponsive website or server
  • Network latency or packet loss
  • Unusually high CPU or memory usage on servers

Remember, if you suspect that you’re under a DDoS attack, it’s crucial to act quickly and contact your IT security team or a trusted security provider for assistance.

To top