We have already talked about what DDoS attacks are. They are a modern plague terrorizing the Internet. Over the years they have become stronger and more frequent (check the largest DDoS attacks in history), and the variety of DDoS attacks has grown too. There are now many different DDoS attack types, and we will show you the most common ones.
There are 3 main DDoS attack types:
Volume-based attacks
Volume-based attacks, a.k.a. volumetric attacks, work by sending huge waves of traffic to overwhelm the targeted servers. They are measured in data volume per second, e.g. bits per second. For example, GitHub was crippled by 1.35 Tbps of traffic.
Here, the objective is to generate enough traffic to saturate and shut down the target. To accomplish this, attackers use different and even mixed techniques. Malicious creativity tries everything, from spoofed IP addresses to large and scary botnets.
Examples: IP/ICMP fragmentation, UDP flood, ICMP flood.
Protocol attacks
This DDoS attack type takes advantage of flaws in protocols (SSDP, UDP, TCP/IP, etc.). Attackers “confuse” the servers or make them do extra work. Eventually, the servers crash if the attack is strong enough.
Protocols are useful and necessary sets of rules developed to make communication over the Internet possible, efficient, and safe. The problem is that they still have weaknesses that attackers exploit for their own purposes.
Examples: SYN flood, TCP flood, IP fragmentation, SSDP amplification, Smurf Attack, Ping of Death.
Application layer attacks
This DDoS attack type tries to crash web servers (Windows, OpenBSD, or Apache). Here the emphasis is not on the volume of data but on the number of requests: too many requests that seem legitimate. By mimicking the usual behavior of users, attackers execute the attack to shut the victim down.
Attackers use a variety of techniques. These attacks don’t rely on high traffic volumes, which makes them more difficult to detect; the traffic spikes they produce can look “normal” at first sight.
Examples: HTTP Flood, Slowloris, BGP hijacking.
If you want to know more about DDoS attacks, you can read “DDoS FAQ. Everything you need to know about DDoS attacks”.
Examples of popular DDoS attacks
Now that we know what the DDoS attack types are, let’s check out the most common variations of them:
Teardrop attack
A Teardrop attack is executed by sending altered data packets to a network, server, or computer. The victim receives these packets, but since they are corrupted, it cannot make sense of them. This happens because attackers take advantage of a TCP/IP vulnerability: a bug in the TCP/IP fragmentation or reassembly code.
This creates a conflict in the victim, which struggles to rebuild the packets in the proper sequence. The fragments overlap, and the constant failure of this process overwhelms the victim.
This situation is already bad for the attacked network, server, or computer, but it gets worse every moment due to the heavy traffic loads (learn how to test your site for strong traffic here) that attackers send to achieve their objective. This combination finally causes the victim to crash.
Ping of Death
Ping of Death, as the name suggests, uses the ping tool (check what the ping command is). The server receives packets that are larger than the limit the IP protocol allows. This “confuses” the server; as a result, it can crash, freeze or reboot.
The maximum size of an IPv4 packet, including its IP header, is 65,535 bytes. In the 1990s, a bug in the TCP/IP stacks of different operating systems meant that larger packets sent to a machine caused instability, rebooting, or crashing. The explanation was simple: the receiver (the victim machine) got data packets larger than the mentioned size, and while trying to reassemble them a buffer overflow occurred.
It was thought this threat had been overcome, but later, in the 2000s, it evolved and hit IPv6. Protection exists now, but still, don’t underestimate it!
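The two fragmentation bugs described above (Teardrop and Ping of Death) are caught by the same check in a reassembly engine. The following is an added example, not code from the original article: a validator that rejects fragments overlapping an already-accepted fragment and fragments whose end would push the reassembled datagram past the 65,535-byte IPv4 maximum. The `Fragment` class and the sample fragment sets are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

MAX_IPV4_DATAGRAM = 65535  # the 16-bit total-length field cannot describe more
IP_HEADER_LEN = 20         # minimal IPv4 header; fragment offsets count payload bytes

@dataclass
class Fragment:
    offset_units: int     # fragment offset field, in 8-byte units
    payload_len: int      # bytes of payload carried by this fragment
    more_fragments: bool  # MF flag; False marks the last fragment

def check_fragments(frags: List[Fragment]) -> Tuple[bool, str]:
    """Validate a fragment set before buffering it. Returns (ok, reason)."""
    covered: List[Tuple[int, int]] = []  # payload byte ranges already accepted
    for f in frags:
        start = f.offset_units * 8
        end = start + f.payload_len
        # Ping of Death: the reassembled datagram would exceed the IPv4 maximum
        if end + IP_HEADER_LEN > MAX_IPV4_DATAGRAM:
            return False, f"oversize: fragment ends at payload byte {end}"
        # Teardrop: this fragment overlaps one that was already accepted
        for s, e in covered:
            if start < e and s < end:
                return False, f"overlap: [{start},{end}) with [{s},{e})"
        covered.append((start, end))
    return True, "ok"

# Constructed sample fragment sets (not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 40, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(3, 20, False)]           # second lands inside the first
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8189, 24, False)]  # ends at payload byte 65536

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name}: {check_fragments(frags)}")
```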
Smurf Attack
Another ping attack. It uses ICMP echo requests and malware called Smurf. Many connected devices all around the world receive a ping request, and their replies are redirected to the targeted server. This creates a strong wave of traffic that can cripple the victim.
The Smurf malware changes the source IP address of the data packet, so the packet gets a spoofed IP address, the one of the victim. The packet then travels to an IP broadcast address, which sends the request to every single device within the broadcast network. The request gets multiplied by the number of devices in this network, and all of them answer the victim’s address with an Internet Control Message Protocol (ICMP) echo reply packet. This massive flood of echoes overwhelms the victim, producing the denial of service.
ICMP (Ping) Flood
This attack is very similar to the Smurf Attack. It uses the same technique of sending countless ping requests while disregarding the answers.
The Internet Control Message Protocol (ICMP) is a connectionless protocol used for IP operations and the diagnosis of issues. Usually, an ICMP echo request and its echo reply are used to ping a device on a specific network to check both the connectivity of the device and the sender-device connection. This process, sending the ICMP request and answering it, takes resources such as bandwidth. So, once ICMP requests get enormously multiplied with malicious intent, the flood of echoes shuts down the victim.
SYN Flood
The purpose of the SYN Flood attack is to overwhelm the server. It takes advantage of the TCP connection sequence called the three-way handshake. The process is simple: the server gets a SYN (synchronize) message. Then the server answers with a SYN-ACK (acknowledgement of the message). In the last step, the server needs to receive an ACK from the client, but this never happens and the server keeps waiting. This handshake is started many times over until regular clients can’t connect due to the overload.
To make the situation worse for the victim, attackers often add valid-looking information to the requests. This increases the time needed to process them, and therefore the congestion and the CPU usage.
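A toy model of the server side of the handshake described above, added here as an example (not code from the original article): with a plain backlog, every unanswered SYN occupies a half-open entry until the backlog is full and an honest client is refused; with SYN cookies the server stores nothing until the client’s ACK arrives, so the flood alone cannot exhaust it. The `Listener` class and all addresses are constructed for the model, and the cookie is simplified (the real scheme also encodes a timestamp and MSS).

```python
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple

Peer = Tuple[str, int]  # (source address, source port)

class Listener:
    """Toy TCP listener; real SYN cookies also encode a timestamp and the MSS."""
    def __init__(self, backlog: int, syn_cookies: bool):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open: Dict[Peer, int] = {}  # peer -> sequence number we sent in SYN-ACK
        self.established: Set[Peer] = set()
        self.secret = secrets.token_bytes(16)  # per-listener cookie key

    def _cookie(self, peer: Peer) -> int:
        # Derive the SYN-ACK sequence number from the peer identity and a secret,
        # so the final ACK can be validated without having stored the SYN.
        digest = hashlib.sha256(self.secret + repr(peer).encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, peer: Peer) -> Optional[int]:
        """Steps 1-2: receive SYN, return the SYN-ACK sequence number (None = refused)."""
        if self.syn_cookies:
            return self._cookie(peer)  # no per-connection state kept yet
        if len(self.half_open) >= self.backlog:
            return None  # backlog full of half-open entries: the new SYN is dropped
        seq = secrets.randbelow(2 ** 32)
        self.half_open[peer] = seq
        return seq

    def on_ack(self, peer: Peer, ack_seq: int) -> bool:
        """Step 3: the client acknowledges the sequence number we sent."""
        if self.syn_cookies:
            ok = ack_seq == self._cookie(peer)
        else:
            ok = self.half_open.pop(peer, None) == ack_seq
        if ok:
            self.established.add(peer)
        return ok

def legit_client_can_connect(backlog: int, syn_cookies: bool, flood_size: int) -> bool:
    """Model flood_size SYNs whose ACK never arrives, then one honest client (constructed addresses)."""
    srv = Listener(backlog, syn_cookies)
    for i in range(flood_size):
        srv.on_syn((f"198.51.100.{i % 250}", 40000 + i))  # half-open entries that never complete
    client: Peer = ("203.0.113.7", 51515)
    seq = srv.on_syn(client)
    return seq is not None and srv.on_ack(client, seq)
```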
UDP Flood
UDP – User Datagram Protocol – is a network protocol used by DNS (learn what DNS is here). UDP is connectionless, and its functionality doesn’t include anything like a handshake mechanism. A UDP flood is an attack in which a host receives heavy traffic on random ports. It tries to check for an application listening on each port, but it won’t find one.
Besides saturating the Internet pipe, on its way a UDP flood impacts key security elements like firewalls. These have to open a state entry for every UDP packet, and they can be overwhelmed very fast by the flood of connections.
The Fraggle attack is one variation of the UDP Flood attacks.
HTTP Flood
An HTTP Flood looks like legitimate GET or POST requests, but they are sent by the attacker. It forces the server to respond to all of the requests and uses a lot of resources.
HTTP is the basis of browser requests on the Internet. It’s a legitimate tool used heavily every day for different purposes, which makes it very hard for security devices to identify malicious HTTP traffic. Systems can produce a lot of false positives if they don’t use a proper combination of parameters for effective detection.
Besides, attackers can multiply the power of an HTTP flood by using a botnet.
Slowloris
This attack is David vs Goliath: a single computer can take down a complete web server. Slowloris opens multiple connections to the victim’s web server and keeps them open for as long as it can, by sending incomplete HTTP requests. Its final goal is to open the maximum possible number of connections until the server can’t accept any from regular users. It is very dangerous for Apache 1.x and 2.x web servers, among others.
Slowloris was created by “RSnake”, a grey hat hacker (check the different types of hackers here). It was born as a tool to produce a denial of service (DoS) through very slow HTTP requests. It was named after the slow loris, a primate known for its slowness.
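The server-side footprint of the behaviour described above is a connection that has held a worker for a long time without ever finishing its request header. The following added example (not code from the original article) scans a connection table for such connections and names the sources holding too many of them at once; the `Conn` class, the timeout values and the connection table are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List

@dataclass
class Conn:
    src_ip: str
    opened_at: float  # seconds on a monotonic clock
    received: bytes   # request bytes received so far on this socket

def header_complete(data: bytes) -> bool:
    """An HTTP/1.x request header ends with an empty line (CRLF CRLF)."""
    return b"\r\n\r\n" in data

def stale_connections(conns: List[Conn], now: float, header_timeout: float) -> List[Conn]:
    """Connections that have held a worker longer than header_timeout without ever
    finishing their request header: the footprint of a Slowloris-style client."""
    return [c for c in conns
            if not header_complete(c.received) and now - c.opened_at > header_timeout]

def sources_to_throttle(conns: List[Conn], now: float, header_timeout: float,
                        max_stale_per_ip: int = 3) -> List[str]:
    """Source addresses holding too many stale, header-incomplete connections at once."""
    per_ip = Counter(c.src_ip for c in stale_connections(conns, now, header_timeout))
    return sorted(ip for ip, n in per_ip.items() if n >= max_stale_per_ip)

# Constructed connection table (not captured traffic): one normal browser request
# with a finished header, and six sockets from one host whose headers never end.
NOW = 100.0
CONNS = [Conn("203.0.113.7", 98.5, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")]
CONNS += [Conn("198.51.100.23", 40.0 + i, b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: b\r\n")
          for i in range(6)]

if __name__ == "__main__":
    stale = stale_connections(CONNS, NOW, header_timeout=20.0)
    print(f"{len(stale)} stale connections; throttle {sources_to_throttle(CONNS, NOW, 20.0)}")
```

In production, Apache’s mod_reqtimeout enforces this kind of header read timeout, which is the standard countermeasure to slow-header clients.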
Zero-day DDoS Attacks
This term is used for attacks that exploit new security vulnerabilities that developers are not yet aware of. The vulnerabilities can be there from the beginning, or they can arise after an update or a patch.
Amplification Attack
This attack uses the UDP protocol and the fact that UDP is a connectionless communication model. In this model, one side can send a large amount of data to the other side without restrictions; there is no confirmation of receipt. The cyber-criminals send small UDP requests with the spoofed IP address of the victim to public servers. The servers return the data amplified and hit the victim with huge traffic.
SNMP Reflection Attack
It uses the Simple Network Management Protocol (SNMP), a network protocol used to configure and collect data from devices within a network (routers, servers, switches, hubs, printers, etc.). The attackers send SNMP queries with a spoofed source IP address (the one of the victim). The more devices connected to the network, the stronger the attack. The target struggles to handle all of the responses, as a result of which it can get stuck and go down.
An SNMP reflection attack can hurt. The volumes of hundreds of gigabits per second it can produce are not to be neglected, and they can hit servers on different networks.
Fork Bomb
The goal of the attack is to consume all of the victim’s resources to shut it down. The attack works by repeatedly spawning self-replicating processes. They repeat without stopping, draining the memory and stressing the CPU. This blocks other programs from working normally and prevents other necessary processes from running. If you or your administrator tries to use the keyboard, you will find that the input is ignored. The system is locked.
One example is an infinite-loop app that starts itself over and over again. This takes up system memory and loads the CPU until the whole system crashes. The conventional fork bomb targets Linux devices, but a more advanced version can target Windows devices too.
Most systems will be accessible again once the attacked machine is restarted. A hard reboot can be enough to regain control, but there is a big chance of suffering data loss.
Advanced Persistent DoS (APDoS)
As the name suggests, this one is advanced. It involves HTTP Flood, SQLi, and XSS attacks. We are talking about millions of requests at a time. The attack often has multiple targets, to evade the defensive anti-DoS actions of the main target, and a predefined goal. It attacks multiple layers, 3 to 7. The attack can be very large, and the attackers can change tactics on the go. It is highly dangerous and very challenging to stop.
Usually, attackers executing an APDoS attack have big computing capacity to guarantee enough power to keep the attack persistent. A victim can face weeks of constant attack.
NXDOMAIN Attack
This is another attack that aims to disrupt the correct functioning and availability of a DNS server. Attackers send floods of DNS queries to their target, pushing it to resolve non-existent domain names. The DNS server consumes its resources in this pointless effort: since the requested DNS records are not valid or do not exist, there is no way for it to find the requested domain.
Soon, the cache of the target is saturated with NXDOMAIN responses. The DNS server gets very slow, and it becomes harder every minute for it to respond to legitimate queries. Eventually, it goes down.
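On the resolver side, the attack described above shows up as clients whose queries almost all end in NXDOMAIN. The following added example (not code from the original article) parses a constructed query log in a simplified layout of its own (not the exact log format of any particular resolver), tallies NXDOMAIN responses per client, and names the clients worth rate-limiting; the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed query log in a simplified "<time> <client> <qname> <rcode>" layout
# (not the exact log format of any particular resolver). 198.51.100.9 asks for
# random labels that do not exist; 203.0.113.5 is a normal client with one typo.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 www.example.com NOERROR
10:00:01 198.51.100.9 q7f3a.example.com NXDOMAIN
10:00:02 198.51.100.9 zk19x.example.com NXDOMAIN
10:00:02 203.0.113.5 mail.example.com NOERROR
10:00:02 198.51.100.9 p0w2e.example.com NXDOMAIN
10:00:03 198.51.100.9 m4n8t.example.com NXDOMAIN
10:00:03 203.0.113.5 typo.exmaple.com NXDOMAIN
10:00:04 198.51.100.9 y6b1c.example.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def nxdomain_stats(log: str) -> Dict[str, Tuple[int, int]]:
    """Per client address: (total queries, NXDOMAIN responses)."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        _time, client, _qname, rcode = m.groups()
        stats[client][0] += 1
        if rcode == "NXDOMAIN":
            stats[client][1] += 1
    return {c: (total, nx) for c, (total, nx) in stats.items()}

def suspicious_clients(log: str, min_queries: int = 5, min_ratio: float = 0.8) -> List[str]:
    """Clients whose NXDOMAIN share is high enough to look like a non-existent-name
    flood; both thresholds keep an ordinary client with a typo from being flagged."""
    flagged = [client for client, (total, nx) in nxdomain_stats(log).items()
               if total >= min_queries and nx / total >= min_ratio]
    return sorted(flagged)

if __name__ == "__main__":
    print(nxdomain_stats(SAMPLE_LOG))
    print("throttle:", suspicious_clients(SAMPLE_LOG))
```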
Now, for sure, you are wondering what we can do to protect ourselves from this huge number of DDoS attack types. Don’t despair, there is an easy way to protect yourself – Neterra DDoS Protection. This protection can withstand huge attacks, even above 2 Tbps, and it secures Layers 3 to 7. Don’t hesitate! Getting modern and effective DDoS protection is an investment that your business deserves!
To understand better what exactly DDoS protection involves, you can read:
What is a DDoS attack and what is DDoS Protection?