Every business owner should be able to understand the concept of Distributed Denial of Service (DDoS) attacks to prepare the best security solution. Knowing DDoS attack types and their significant features is a great way to achieve such knowledge and prevent attacks. This blog post will help you understand what DDoS attacks are. how they work, and what the most common attacks are.
What Are DDoS Attacks?
Distributed Denial of Service (DDoS) attack attempts to take down the targeted website or slow it down by flooding the network, server, or application with fake traffic. DDoS attacks are malicious attempts to make online services unavailable to users, often temporarily interrupting or suspending their hosting server.
A DDoS attack can be launched from numerous compromised devices distributed globally. DDoS attacks interrupt a server by either bombarding it with requests that look valid but aren’t or flooding a site with data. The primary purpose of DDoS attacks is to make the target completely useless. Hackers launch a series of data packets faster to that target system until it begins to lag or reach its downtime ultimately.
Read also: What is a DDoS attack and how to protect against it?
How Does a DDoS Attack Work?
In a successful DDoS attack, hackers will spread malicious software to vulnerable systems mainly through infected emails or attachments. Botnets are extended networks of compromised computers like the internet of things (IoT), devices, servers, workstations, routers, etc. controlled by the central attack server. Hackers will command the botnets to flood a specific site with so much traffic to take it offline and deplete the application resources. DDoS attacks overwhelm a web server, network, and application resources by sending spikes of fake traffic.
A successful DDoS attack prevents users from accessing a site or slows it down and increases the bounce rate, which results in financial losses and performance issues. DDoS attacks can also start from thousands of networks that are not compromised but instead, are misconfigured or tricked into participating in a botnet.
DDoS attacks can’t steal website visitors’ information. They only overload the website’s resources. DDoS attacks can happen based on many motivations for blackmailing, extortions, hacktivism, business competition, ransom campaigns, political statues, or absolute boredom.
Different Types of DDoS Attacks
Even though DDoS attacks are less complicated than other cyberattacks, they are getting stronger and more innovative each day. Knowing different types of DDoS attacks can give businesses a clear understanding of them. Different types of DDoS attacks fall into the following categories based on the traffic quantity and the targeted vulnerabilities.
1. Volume-Based Attacks
Volume-based attacks are the common types of DDoS attacks. A volume-based DDoS attack includes numerous requests sent to the target system. The system thinks these requests are valid (spoofed packets) or invalid (malformed packets). The purpose of this attack is to overwhelm the network capacity and cause CPU or IOPS usage issues.
Because the bot floods ports with data, the system continually must check the malicious data requests and not accept legitimate traffic. Volume-based attacks saturate the bandwidth of the target measured in bits per second. These attacks are related to the volume of inbound traffic.
The attackers use UDP amplification or other means of creating massive traffic to send large amounts of data to the target system. They send requests for data to a third-party server, then spoof the server’s IP address as the return address. The third-party server sends a massive amount of data to the server in response. As a result, the target system will suffer an attack with amplified data from a third-party server. It can include thousands of systems. UDP floods and ICMP floods comprise the two primary forms of volumetric attacks.
2. Protocol Attacks
A protocol-based DDoS attack is a malicious attempt to damage connection tables in a network responsible for verifying connections. These attacks send slow and malformed pings and partial packets to cause memory buffers in the target system and overload it to crash potentially. Protocol-based attacks can target firewalls.
The Internet environment is based on protocols. Protocol-based DDoS attacks exploit a weakness in Layer 3 and Layer 4 and consume the target server’s resources or intermediate communication equipment (firewalls, load balancers, etc.) to disrupt the service entirely.
It is a measured packet per second (Pps). Protocol-based attacks exploit network stack by sending many packets or bandwidth that the server cannot handle. Most protocol attacks are designed for servers, or load balancers, which exploit the methods systems use for connecting. The packets will make the servers wait for a non-existent response during a regular handshake protocol. Some of the most known types of protocol-based attacks are SYN floods and Ping of Death.
3. Application Layer Attacks
The application layer DDoS attacks, known as the Layer 7 attacks, are related to the OSI network’s topmost layer, closest to the user’s interaction with the system. In application-layer attacks, hackers use weakness in the webserver software or application software and lead the webserver to crash. The application layer attacks are focused directly on web traffic, including potential features like HTTP, HTTPS, DNS, or SMTP.
Since the application layer attacks, use a small number of machines (even one), they are hard to catch. This means the server can be tricked into thinking the attack is not a higher volume of legitimate traffic. The application layer attacks will target applications. The application layer attacks’ goal is to shut down an application, online service, or website. This is measured in requests per second. These attacks can go unnoticed, and that makes them extremely disruptive. One of the significant application layer DDoS attacks is HTTP flood.
4. UDP Flood
The User Datagram Protocol (UDP) DDoS attack randomly floods various ports, making a host server report back with an Internet Control Message Protocol or ICMP packet. This will cause the host to check for the application listening at that port repeatedly, and since no application is found, it will respond with ICMP Destination Unreachable packet. UDP floods are using packets, which are also known as Layer 3 and Layer 4 attacks. UDP floods force the server to respond while utilizing the web server resources.
Finally, it will sap host resources and lead to complete inaccessibility. UDP floods are connectionless protocols, and they do not validate source IP addresses. And for that, most of the time, UDP floods are associated with Distributed Reflective Denial of Service (DRDoS) attacks.
5. ICMP (Ping) Flood
Internet Control Message Protocol (ICMP) flood attack, or Ping flood, attempts to overwhelm a target system with ICMP echo-requests (pings). The ping packets will be sent from a massive set of source IPs as fast as possible without waiting for any replies. As a result, the system resources will be exhausted and unable to process requests leading to a significant influence on total performance.
ICMP attacks can consume both outgoing and incoming bandwidth, and they can be targeted at specific servers, or they can be random. When the request packets flood the target, the network will be forced to respond with an equal number of reply packets. This causes the target server to become unavailable to legitimate traffic.
6. DNS Amplification
A Domain Name Server (DNS) Amplification attack is an attempt that uses accessible open DNS servers to flood and overwhelm a target system with DNS response traffic. The attackers will send a DNS name lookup request to an open DNS server with a spoofed source address to be the target’s address. Then the DNS record response is sent to the target. Since the response size is larger than the request, attackers can increase the amount of traffic directed at the target.
Finally, by leveraging a botnet to create a massive number of spoofed DNS queries, a heavy amount of traffic will be sent to the target. A misconfigured DNS server can be used as a participant in a DDoS attack.
7. SYN Flood
A Synchronize (SYN) flood DDoS attack exploits a weakness in the TCP (Transmission Control Protocol) three-way handshake connection between the client, the host, and the server. To initiate the TCP connection, a SYN request will be sent to the host, answered with an SYN-ACK response and then confirmed with an ACK response from the requester.
In case of a SYN flood attack, the requester sends multiple SYN requests and then won’t respond to the host’s SYN-ACK response or send the SYN requests from a spoofed IP address. In both cases, the host will wait for the acknowledgment of the requests for the final step of the handshake, which will never occur, bind resources until no new connection can be made, and finally result in DDoS.
The purpose of the SYN flood is to overwhelm the server’s memory connection and shut down the entire service. The TCP connections in the SYN flood will be sent faster than the target server can process to cause network saturation.
8. Ping of Death
A Ping of Death (POD) attack is an attempt in which the attackers send multiple malformed/malicious pings to a server and manipulate the IP protocols. The maximum packet length of an IP packet is 65,536 bytes. In the Ping of Death DDoS attack followed by malicious manipulation of fragment content (multiple IP packets), the server will receive an IP packet larger than 65,535 bytes when reassembled. It will overflow memory buffers and cause a denial of service for legitimate packets. The server will reboot or crash at the end.
9. HTTP Flood
HTTP flood DDoS attack is an attempt to exploit seemingly legitimate HTTP GET or POST requests to attack a web server or application. These sophisticated Layer 7 attacks use less bandwidth, but they can force servers to use maximum resources. In HTTP flood attacks, malformed packets and spoofing/reflection techniques are not used.
These attacks can be very harmful by forcing the server/application to allocate the highest amount of resources possible for every single request. HTTP floods are significantly crafted happening in-depth, and this makes them harder to detect or block.
The Strongest DDoS Attacks of All Times
Google Attack in 2017
In October 2020, Google Threat Analysis Group posted a blog about cyber threats and their changing tactics explaining that the Google Reliability Engineering team measured a significant and record-breaking UDP amplification attack launched from three Chinese ISP’s sources in 2017, which is the largest bandwidth attack ever.
The attack on thousands of Google’s IP addresses lasted for six months and peaked at 2.5 Tbsp. The attackers used several networks to spoof 167 Mpps to 180000 exposed CLDAP, DNS, and SMTP servers, which sent large responses to Google.
The AWS DDoS Attack in 2020
Amazon Web Service, the cloud computing company, was attacked by a massive DDoS attack in February 2020. The attack target was an unidentified AWS customer using a technique known as Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. It uses third-party CLDAP servers’ vulnerabilities and amplifies the sent data to the target IP address by 70 times. This attack lasted for three days and peaked at 2.3 terabytes per second.
The Mirai Krebs DDoS Attacks in 2016
In September 2016, Brian Krebs, the cybersecurity expert, was targeted at a DDoS attack over 620 Gbps, and at the time, it was the largest attack ever. The attack source was the Mirai botnet consisting of more than 600000 compromised Internet of Things services. It was then discovered in August.
DDoS Attack in India
DDoS attacks in India broke the records of total DDoS packets, which were more than 10 billion as per a global security firm study in August 2020. Shockingly more than 26 percent of all the DDoS attacks in the world originated from India.
DDoS attacks in India seem to be a significant interest for attackers due to Indians’ high number of bot-infected machines, the low adoption rate of networking technology to filter the spoofed packets, lack of adequate security methods, low cybersecurity awareness, and lackadaisical attitudes toward obtaining the best security practices. There is more to this story and if you want to know Why is India Most Vulnerable to Cyberattacks, check out our article about DDoS attacks in India.
Final Thoughts
Being familiar with different types of DDoS attacks can lead to early threat detection, one of the most efficient ways to prevent such attacks. Distributed Denial of Service attacks can occur in several forms discussed the common types of DDoS attacks above. The slowdown in performance, increased numbers of spam emails can be significant signs of an intrusion. If you are not capable of identifying these network-layer and application-layer attacks or you are not efficiently equipped, in that case, the best thing is to go for an advanced DDoS protection solution.
A DDoS mitigation service, like ArvanCloud Security solution, can mitigate/block numerous possible attacks. ArvanCloud Security Implementations use anycast and GSLB structure to mitigate all sorts of attacks, including UDP, TCP, and ICMP in Layer 3, Layer 4, and, more importantly, Layer 7 attacks.
Both security technology and DDoS attacks are changing continuously. Use DDoS protection that offers your business continuity and availability of legitimate traffic. Check out ArvanCloud Security and contact experts to find out more and put an end to any DDoS attacks that might happen to your business.