Types of DDoS attacks and ways to protect against them

What are DDoS attack variants

The most general classification of DDoS attacks is according to which part of the server infrastructure your website relies on is targeted. These types are: volumetric, the name suggests that they use pure volume of traffic to overload your system; protocol, the name suggests that they abuse IT protocols; and application attacks, where attackers take advantage of vulnerabilities in your applications. Let’s have a look at each type as well as the subtypes of each type.

Volumetric attacks

Volumetric DDoS attacks aim at overwhelming your server with traffic through any channel possible. These attacks devour the maximum amount of bandwidth and resources available, causing a dramatic decrease in performance up to downtime.

UDP Floods

UPD flood attacks are the attack type that abuses the way User Datagram Protocol works. What’s special about this protocol, is that it doesn’t require a handshake, like in the case of TCP (transmission control protocol). The server receiving a UPD packet is supposed to check for a corresponding application which in case of genuine UPD traffic is to be followed by numerous automatic processes within the server. UPD floods are just massive torrents of UPD packets that have nothing to do with the applications on the server and make the server process them, thus consuming its resources.

To execute UPD floods, attackers use the IP address of the server and any open port number.

A subtype of UDP flood is UDP fragmentation flood, where larger and fragmented packets are sent, forcing the server to futilely try to assemble them.

Specific UDP amplification attacks send a UDP request to multiple servers, making them respond on the victim’s IP and thus eating up its bandwidth and network resources.

CharGEN Flood

CharGEN (Character Generator) Flood is a type of UDP flood attack that exploits the Character Generator Protocol (CharGEN), which runs on UDP port 19. The original goal of the CharGEN service was to generate characters, mostly ASCII characters, for responding to various clients’ requests for testing, debugging, and measurement purposes.

The attackers use the victim’s IP to send requests to numerous devices connected to the internet. The devices then respond to the requests to the target server, thus overloading it.

ICMP (Ping) Flood

ICMP (Internet Control Message Protocol) is a protocol used for diagnostic and control purposes within IP networks. It is used for network devices to exchange specific error messages and information commands.

The attackers first generate and send a large volume of ICMP echo request packets to the victim’s network which leads to the overwhelming of the network.

Since the ICMP protocol is stateless, there is no need for a connection to be established between the sender and receiver, so a significant volume of ICMP packets can be generated without the need for significant resources.

ICMP Fragmentation Flood

ICMP fragmentation is a subtype of ICMP flood attack where fragmented ICMP packets are used, which also forces the target server to try to “make sense” of them.

Protocol-based attacks

Protocol DDoS attacks target specific network or transport layer protocols rather than using mere volume, thus targeting a very specific resource. 

IP Null Protocol Exploitation

In an IP Null attack, the attackers exploit a vulnerability in a target system's Internet Protocol (IP) stack, sending IP packets with the IP protocol field set to 0, which is mostly an invalid or unused protocol number. This way the server ends up trying to figure out what to do with all these packets and gets overwhelmed.

TCP Protocol Floods

The Transmission Control Protocol regulates the communication of different devices through a network. There are a few variations of TCP protocol floods:

• SYN Flood: In a SYN flood attack, the attacker uses TCP SYN (synchronization) packets, sending them to the victim’s server and pretending to initiate a connection. The attacker doesn’t send the final ACK packet, thus preventing the handshake process from completing, so the pending packets accumulate eventually overwhelming the server.
• ACK Flood: Conversely to the previous approach, in ACK flood attackers send an excessive number of spoofed ACK (acknowledgment) packets, which the server tries to match the SYN-ACK packets that don’t exist.
• SYN-ACK Flood: One step back, the attacker exploits SYN-ACK packets, forcing the server to try to match them with non-existent SYN packets.
• ACK Fragmentation Flood: A subtype of ACK flood – the attacker sends fragmented ACK packets overwhelming the memory of the server that tries to reconstruct them.
• RST/FIN Flood: In a similar manner, the attackers use RST or FIN packages, forcing the server to struggle to match them with TCP sessions helplessly.
• Multiple ACK Spoofed Session Flood: In the case of this type of attack, the attacker combines ACK packets with RST or FIN packets to mimic genuine traffic and circumvent the defense mechanisms. The same principle is applied in Multiple SYN-ACK Spoofed Session Flood where the attacker uses both ACK and SYN packets.
• Synonymous IP Attack: A subtype of SYN attack where the attacker assigns the same IP for the source and destination of the SYN packet creating confusion, so the server either tries to respond to itself or figure out, what’s wrong.

Session Attacks

Session DDoS attacks are attacks that overwhelm the server’s or an application’s capacity to handle sessions. The attackers bombard a specific web application with malicious HTTP request each request designed to create a new session or consume server resources associated with session management, which eventually exhausts the system’s capacity to handle and process session-related tasks.

Stealthy Connection Depletion or Slowloris

Slowloris attacks are the type of DDoS attacks that target web servers by exploiting weaknesses in the way web servers handle incoming connections. The attackers establish as many connections with the target server as possible, whereby HTTP GET requests are often used. After establishing connections, the attackers avoid sending a complete HTTP request in a single burst. Instead, they send packets divided into small fragments and at a minimum speed rate, so the target cannot drop the connections due to their inactivity, while they continue occupying it and consuming available resources 

Smurf Attack

Smurf Attack is a type of DDoS attack that exploits the Internet Control Message Protocol (ICMP).  It is a reflection amplification attack. The attacker sends spoofed ICMP echo request packets to multiple computers on a network with the IP address spoofed being that of the victim's network.

Fraggle attack​

Fraggle attacks are a different type of Smurf attack, where UPD traffic is used instead of ICMP traffic.

Ping of Death Attack

Another protocol-based attack that aims at overwhelming the available memory, the Ping of Death attack, exploits the maximum length of an IP packet of 65,535 bytes. Although the typical maximum size of a piece of data sent across an Ethernet network is around 1500 bytes, the attackers will send fragmented packets that together exceed the size of 65,535 bytes and overwhelm the memory.

Low Orbit Ion Cannon (LOIC)

Low Orbit Ion Cannon is open-source software that was originally developed to test the load resistance of a device by sending lots of packets. The attackers regrettably learned to exploit it for performing a DDoS attack by deploying it on botnets.

High Orbit Ion Cannon (HOIC)

A more advanced variant of LOIC, the High Orbit Ion Cannon, is a tool that was specifically designed for performing DDoS attacks, with more features and capabilities, allowing for similar to LOIC but more disruptive and dangerous DDoS attacks.

Application-layer Onslaughts: Targeting Services

Application layer DDoS attacks exploit vulnerabilities in the software, primarily leading to denial of the application, but also potentially affecting other applications and the whole device overwhelming bandwidth, CPU, and memory.

HTTP Floods: Web Service Overload

HTTP Flood attacks are application-level attacks that abuse HTTP commands. Common types include:

GET Attacks: Attackers create a huge volume of parallel GET requests to retrieve resources from the server. They are particularly dangerous for web servers.

POST Flood: POST attacks consist of numerous HTTP POST requests that are originally intended for submitting data. These attacks can even be more harmful, since submitting data may be often more resource-intensive.

Low-and-Slow POST Attacks are a subtype of POST flood attacks, where a request to send a large amount of data is followed by data sent in tiny pieces and at an extremely slow rate. On the one hand, this blocks the resources of the server and on the other way, circumvents DDoS protection mechanisms that expect large pieces of data.

Single Session or Single Request Attack: Another way of circumventing common DDoS protection mechanisms that are tailored to detecting large numbers of packets, this type of attack packs multiple different requests into one HTTP packet.

Fragmented HTTP Flood: The same fragmentation principle is applied to HTTP flood attacks. Packets are fragmented and sent at an extremely slow rate to block the server resources.

Recursive GET Flood: A type of GET flood, where the same resource is repeatedly requested until the server is overwhelmed.

Random Recursive GET Flood: A subtype of the previous type, now the pages are requested recursively in a randomized manner to avoid detection by protection mechanisms.

ReDoS: Resource Depletion Menace

Regular expressions (regex) are patterns used to match character combinations in strings, widely used in programming languages web applications, and network security systems for tasks such as input validation, parsing, and pattern matching.

The Regular Expression Denial of Service (ReDoS) attacks use vulnerable regex patterns that exhibit exponential or super-linear time complexity when processing certain inputs. The attacker sends specially crafted input strings to the target system, designed to trigger the vulnerable regular expression pattern and cause the regular expression engine to enter into a state of excessive backtracking or recursion.

Exploring Additional DDoS Tactics

Besides the three main types, namely volume, protocol, and application attacks, there are some less common attack types that don’t fit into the general classification.

Advanced Persistent DoS (APDoS)

Advanced Persistent DoS (APDoS) is an approach to DDoS attacks rather than a specific type of it. APDoS suggests an attack that is performed repeatedly and continuously over an extended period of time, combining and alternating various approaches that have been described above. They are usually organized by large organizations of hackers to seriously disrupt the infrastructure of a certain organization.

Multi-Vector DDoS Attacks

Multi-vector attacks suggest simultaneous deployment of different DDoS attack types. They are sometimes performed with one attack synergizing with another one, and are aimed at causing more damage or to have an overall higher chances for success in case one of the attacks is blocked by protection.

Zero-Day DDoS Attacks

Zero-Day DDoS attack term refers to a DDoS attack that exploits a not yet-known vulnerability in software, protocols, or systems, that didn’t even have a chance to be patched.

Conclusion

As you can see, types of DDoS attacks are extremely diverse and capable of hitting your server at different levels so qualified DDoS protection is the only way to not worry about this type of cyber threat.