With most businesses going digital, distributed denial-of-service (DDoS) attacks have become common. Attackers mainly aim them at websites, applications, and other internet-based services, but they can also use DDoS attacks against internal network resources, specific computers, and gateways. In both cases, the attacker tries to overwhelm the servers and thereby cripple their operation. There are many types of DDoS attacks, and we group them into three major categories: protocol, application, and volumetric DDoS attacks. Some DDoS attacks fall outside these categories, but this article focuses on the 16 types within them. Let’s dive in.
What Is a DDoS Attack?
A distributed denial-of-service (DDoS) attack is a type of cybercrime where the malicious party tries to disrupt the normal functioning of a targeted application, server, or network by flooding the target and its infrastructure with internet traffic.
DDoS attacks are usually tailored for online services and systems, which, when overwhelmed, cannot function well and eventually crash. You can picture a DDoS attack as a hundred people trying to get through a single exit, ultimately blocking the exit and limiting movement out of the building. With that in mind, here are the different types of DDoS attacks and how they work.
Volumetric DDoS Attacks
Volumetric DDoS attacks flood the targeted resource until its capacity is exhausted: requests overwhelm servers, traffic saturates networks, and queries swamp databases. A volumetric DDoS attack saturates the target website’s internet bandwidth. There are several types of volumetric DDoS attacks, and we examine them below:
UDP Flood Attacks
UDP flood attacks send large numbers of UDP packets to overwhelm the host listening for them. For each packet that arrives, the server tries to find the application that should receive it on the destination port. That lookup and the processing it triggers consume resources on every packet and eventually overpower the server. Most attackers target internet and network-based servers using the IP addresses and ports embedded in the UDP packets.
UDP flood attacks come in two variants: the UDP fragmentation flood and specific UDP amplification attacks. A UDP fragmentation flood sends large fragmented packets to the targeted server, which tries to reassemble the UDP fragments, a process that overwhelms it. Specific UDP amplification attacks, on the other hand, send legitimate UDP requests to many legitimate servers while spoofing the source address as the targeted server’s IP address. As a result, the victim server receives all the responses from those legitimate servers, which eventually crashes it. NTP, SSDP, and SNMP are the protocols most commonly used in amplification attacks.
ICMP (Ping) Flood
Under this DDoS attack, the malicious party uses several devices to send spoofed ping (ICMP echo request) packets to the server without waiting for responses. Since the Internet Control Message Protocol (ICMP) requires the server to respond to each request upon receipt, flooding the server with these ping packets consumes both incoming and outgoing bandwidth and ultimately overwhelms the server.
ICMP Fragmentation Flood
An ICMP fragmentation flood works in the same manner as an ICMP flood. However, it sends fragmented ping packets rather than fully formed ones. The targeted server tries to reassemble these spoofed ICMP fragments, and the extra work and traffic exhaust its resources, causing it to fail.
Misused Application Attack
In a misused application attack, the malicious party takes advantage of a compromised legitimate application on a legitimate server. The application must carry high traffic, which the attacker redirects to the targeted server before exiting the system. The attack then runs on its own, with legitimate-looking packets flowing from the compromised application to the victim server. As a result, most defensive mechanisms miss it, and the victim server is eventually overwhelmed by the increased traffic.
CharGen Attack
The CharGen (Character Generator) protocol was originally intended for measuring, testing, and debugging. A client sends a request to a server over either Transmission Control Protocol (TCP) or UDP on port 19, and the server replies over the same protocol the request used.
Malicious parties abuse the CharGen protocol by spoofing the victim server’s IP address as the source before sending multiple requests to internet devices that support CharGen. The devices respond to the victim and overwhelm it with port 19 traffic. At this point, the server may only survive if the firewall blocks port 19. If not, the system will crash.
Application DDoS Attacks
Application DDoS attacks look for vulnerabilities in applications and make them fail. They focus on Layer 7 software, resulting in exhausted memory and overloaded CPUs, thus affecting the server and other applications. Let us look at the different types of application DDoS attacks:
HTTP Flood Attacks
HTTP flood attacks use HTTP requests to overwhelm websites and their hosting servers. The attack uses bots to send large numbers of requests, increasing the traffic the victim’s website receives. The requests the botnets send include GET requests and POST requests.
Regular Expression Denial-of-Service (ReDoS)
In a regular expression denial-of-service (ReDoS) attack, the malicious party submits highly complex search patterns or inputs. Since matching the patterns is algorithmically complex, they waste server resources and can crash the system.
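A pre-deployment check for the ReDoS risk described above, added here as an example and not part of the original article: it parses a pattern with Python's own regex parser and reports the deepest nesting of unbounded quantifiers, the classic shape (such as `(a+)+`) that makes matching exponential. The function names are my own; the parser module names are the interpreter's.

```python
import re

# The regex parser moved to a private module in Python 3.11; the older public
# name still works on earlier interpreters.
try:
    from re import _parser as sre_parse
except ImportError:
    import sre_parse


def _subpatterns(arg):
    """Yield every SubPattern nested anywhere inside a parsed node's argument."""
    if isinstance(arg, sre_parse.SubPattern):
        yield arg
    elif isinstance(arg, (tuple, list)):
        for item in arg:
            yield from _subpatterns(item)


def quantifier_nesting(node, depth=0):
    """Deepest nesting of repeats that may match more than once; (a+)+ gives 2."""
    worst = depth
    for op, arg in node:
        here = depth
        if op in (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT):
            _lo, hi, _body = arg
            if hi > 1:  # x? and x{0,1} cannot cause exponential backtracking alone
                here = depth + 1
        worst = max(worst, here)
        for child in _subpatterns(arg):
            worst = max(worst, quantifier_nesting(child, here))
    return worst


def redos_risk(pattern):
    """Return (nesting_depth, is_risky) for a pattern before it is accepted."""
    depth = quantifier_nesting(sre_parse.parse(pattern))
    return depth, depth >= 2


if __name__ == "__main__":
    for candidate in (r"(a+)+$", r"^(\d+\s?)*$", r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$"):
        print(candidate, redos_risk(candidate))
```

This heuristic catches nested quantifiers only; patterns whose alternatives overlap, such as `(a|aa)+`, are a separate ReDoS class it does not flag.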
Protocol DDoS Attacks
Protocol DDoS attacks abuse protocol behaviour to overwhelm servers or firewalls. They do not rely on sheer volume, so we measure them in packets per second rather than bits per second. Let’s look at some of them:
IP Null Attack
An IPv4 header contains a protocol field that specifies the transport protocol carried in the packet; every packet conforming to IPv4 uses it. Attackers can abuse this by setting the field to a null value. A server without a rule to discard such packets consumes resources trying to determine how to deliver them.
TCP Flood Attacks
The Transmission Control Protocol (TCP) regulates communication between devices across a network. TCP flood attacks abuse the protocol through spoofing, which overwhelms the system’s resources.
A TCP connection opens with a three-way handshake and closes with a four-part sequence. When the server receives an unexpected TCP segment, it sends a reset (RST) packet as a countermeasure. Flood attacks abuse TCP by using malformed TCP transmissions that overwhelm resources.
Types of TCP Flood Attacks
- SYN Flood: Many SYN request packets are sent from spoofed IP addresses. The target server responds with SYN-ACK packets and holds each half-open connection, tying up its communication resources.
- SYN-ACK Flood: Large numbers of spoofed SYN-ACK responses are sent to the target server. The server then ties up resources to match the non-existent SYN requests.
- ACK Flood: Attackers carry out this attack by sending many spoofed ACK responses to a target server. This ties up resources as the server attempts to match the ACK responses with SYN-ACK packets. The TCP push (PSH) flag can be used as an alternative for this attack.
- ACK Fragmentation Flood: Fragmented packets are used to abuse the maximum IP packet length. The target server makes unsuccessful attempts to reconstruct the fragmented packets; the reconstructions exceed the allocated resources, causing memory overflow errors.
- FIN Flood: Attackers flood servers and deplete resources by attempting to match forged RST or FIN packets to fake open TCP sessions.
- Multiple ACK Spoofed Session Flood: Attackers repeatedly send ACK packets, followed by FIN or RST packets, to resemble real TCP traffic more closely and trick security measures. The server uses resources to match the fake packets with open TCP sessions.
- Multiple SYN-ACK Spoofed Session Flood: Multiple SYN and ACK packets are used together with FIN and RST packets. This mimics real TCP traffic, and the server consumes resources trying to match the fake packets against real sessions.
- Synonymous IP Attack: Attackers use this tactic by spoofing SYN packets with the IP address of the target server as the packet’s source and destination. The nonsense packet depletes resources as the server tries to respond to itself (also referred to as a local area network denial attack or LAND attack) or deals with receiving a packet from itself.
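Detection logic for three of the floods listed above (SYN flood, SYN-ACK flood, and the synonymous IP or LAND pattern), added here as an example and not taken from the article: it walks a stream of (source, destination, flags) records and reports, per host, how many handshakes were started, completed, or left half-open. The packet records below are constructed for the example, and the thresholds and function names are assumptions.

```python
from collections import defaultdict

# Constructed packet records (src, dst, TCP flags); S = SYN, SA = SYN-ACK, A = ACK.
SAMPLE_PACKETS = [
    ("203.0.113.5", "198.51.100.10", "S"),     # a normal client opens a connection
    ("198.51.100.10", "203.0.113.5", "SA"),
    ("203.0.113.5", "198.51.100.10", "A"),     # ... and completes the handshake
    ("198.51.100.10", "198.51.100.10", "S"),   # src == dst: LAND-style packet
    ("192.0.2.77", "198.51.100.10", "SA"),     # SYN-ACK nobody asked for
] + [(f"192.0.2.{i}", "198.51.100.10", "S") for i in range(1, 41)]  # 40 SYNs, no ACKs


def analyse_handshakes(packets, half_open_threshold=20):
    """Per-host handshake accounting; flags a SYN flood when many handshakes
    stay half-open and fewer than a fifth of the SYNs ever complete."""
    syns = defaultdict(int)
    completed = defaultdict(int)
    pending = defaultdict(set)  # server -> clients whose SYN has no final ACK yet
    unsolicited_synack = defaultdict(int)
    land = defaultdict(int)
    for src, dst, flags in packets:
        if flags == "S":
            syns[dst] += 1
            pending[dst].add(src)
            if src == dst:
                land[dst] += 1
        elif flags == "SA":
            # a SYN-ACK is only legitimate if dst previously sent a SYN to src
            if dst not in pending[src]:
                unsolicited_synack[dst] += 1
        elif flags == "A":
            if src in pending[dst]:
                pending[dst].discard(src)
                completed[dst] += 1
    report = {}
    for host in set(syns) | set(unsolicited_synack):
        half_open = len(pending[host])
        report[host] = {
            "syn": syns[host],
            "completed": completed[host],
            "half_open": half_open,
            "unsolicited_synack": unsolicited_synack[host],
            "land": land[host],
            "syn_flood": half_open >= half_open_threshold
            and completed[host] * 5 < syns[host],
        }
    return report
```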
Slowloris
Slowloris attacks aim to deplete server resources by filling them with empty communication. The attacker keeps sessions open and running for as long as possible by sending web servers partial HTTP requests. Identifying this attack is not easy, as it uses very little bandwidth.
In this method, attackers don’t need to mask their IP addresses or use hidden packets to start a DDoS attack. Several bots are used to open as many connections with the target server as each source IP is allowed, or more. The DDoS attack avoids detection because it uses legitimate TCP sessions from real IP addresses. However, it delays ACK packets to consume bandwidth and depletes resources by keeping idle sessions open.
Ping of Death
The maximum IP packet length is 65,535 bytes. The ping of death attack abuses this length, just like the ACK fragmentation flood. The frame size for sending data across an Ethernet network is 1,500 bytes. Attackers send numerous IP fragments that each fit within the Ethernet limit but combine into a packet that exceeds the maximum IP packet length. The computer might crash during reassembly or overflow the memory buffers assigned to the packet.
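A reassembly sanity check for the ping of death and the ACK fragmentation flood described above, added as an example rather than taken from the article: given the offset, length, and more-fragments flag of each fragment, it reports whether the set is complete and whether reassembling it would exceed the 65,535-byte IP maximum. The two fragment sets are constructed, and the 20-byte minimal header is an assumption.

```python
IP_HEADER_LEN = 20                         # assumption: minimal IPv4 header, no options
MAX_IP_PACKET = 65_535                     # largest total length an IPv4 packet may have
MAX_PAYLOAD = MAX_IP_PACKET - IP_HEADER_LEN

# Constructed examples: (fragment offset in 8-byte units, payload length, more-fragments flag).
# A 2,000-byte ping split to fit 1,500-byte Ethernet frames (1,480 bytes of payload each).
NORMAL_PING = [(0, 1480, True), (185, 520, False)]
# Forty-four full fragments plus a tail whose end lands beyond the IP maximum.
PING_OF_DEATH = [(i * 185, 1480, True) for i in range(44)] + [(44 * 185, 1000, False)]


def inspect_fragments(fragments):
    """Return completeness, oversize status, and reassembled total length for one datagram."""
    spans = []
    oversized = False
    for offset_units, length, more in fragments:
        start = offset_units * 8
        end = start + length
        if end > MAX_PAYLOAD:              # this fragment alone already breaks the limit
            oversized = True
        spans.append((start, end, more))
    spans.sort()
    contiguous = all(spans[i][1] == spans[i + 1][0] for i in range(len(spans) - 1))
    has_last = bool(spans) and not spans[-1][2]
    total = spans[-1][1] + IP_HEADER_LEN if has_last else None
    return {
        "complete": contiguous and has_last and spans[0][0] == 0,
        "oversized": oversized,            # drop before allocating a reassembly buffer
        "total_length": total,
    }
```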
Fraggle Attack
The Fraggle attack is a variant of the Smurf attack that spoofs UDP packets rather than ICMP packets, flooding the target machine with traffic by sending to the broadcast address of a network router. Every network device that responds to the UDP requests adds to the load on the target, which can overwhelm it. The effectiveness of this attack is reduced because most modern routers don’t automatically forward packets sent to the broadcast address.
Smurf Attack
The Smurf malware program sends many ICMP ping requests to a router’s broadcast address while spoofing the target device’s IP address as the source, using the IP and ICMP protocols. As each device on the network replies to the ping request, the target device might become overloaded. This method is less effective today because most routers don’t automatically forward packets sent to the broadcast address.
High Orbit Ion Cannon (HOIC)
The High Orbit Ion Cannon program replaced the Low Orbit Ion Cannon because it can send many GET and HTTP POST requests to up to 256 different websites simultaneously. HOIC may be more efficient and disruptive than LOIC when applied by aggressive attackers.
Low Orbit Ion Cannon (LOIC)
The LOIC open-source software, developed as a network stress testing tool, sends many packets (UDP, TCP, and HTTP) to a target device. Attackers use this technique to launch DDoS attacks from botnets.
Reasons Behind DDoS Attacks
DDoS attacks have become the most common cyber threat. What’s the motivating factor, and why is the number of attacks increasing? Let’s look at some of the reasons behind these attacks:
Running a business can be difficult, especially when facing stiff competition. DDoS attacks can be used to deal with competitors’ websites and derail their operations.
DDoS attacks are used to make a quick buck from targets. Perpetrators penetrate your servers and demand money in return. Economic benefits act as the motivating factor.
The government can authorize DDoS attacks for different reasons. It can deal with specific threats and malicious sites or cripple an enemy nation’s infrastructure.
People have different opinions and ideologies on some issues. DDoS attacks can target sites whose information is misleading or incompatible with the attackers’ views.
How to Prevent DDoS Attacks
Now that you know all the types of DDoS attacks, how exactly can you prevent them from happening? Here are some of the methods you can use:
Server Redundancy
You can use server redundancy to ensure your system remains online even after a DDoS attack. Redundancy entails having multiple web servers, so you stay up if one of them suffers a DDoS attack. However, redundancy does not always work, since some attackers target multiple web servers simultaneously.
DDoS Defense Systems (DDS)
You can use anti-DDoS tools and services such as Imperva and Akamai to protect your system. A DDS detects legitimate-looking traffic that may harm your system and blocks it. A DDS can protect your system against volumetric and protocol attacks.
Rate Limiting
You can limit the number of requests a server will process within a given time frame, reducing the chance of your server being overwhelmed with requests.
Real-Time Packet Analysis
You can analyze packets using rules as they enter the system. Any packets that are found housing potentially malicious content are then blocked.
Since the onset of the COVID-19 pandemic, most businesses have operated online, thus paving the way for DDoS attacks from parties with malicious intent. Hackers are advancing daily and developing more advanced and undetectable DDoS attack methods. To ensure your system or website runs smoothly, you can protect yourself using the aforementioned preventive methods.