Types of DDoS attacks explained

This blog was written by a third party author and does not reflect the opinions of AT&T

The general types of DDoS attacks

Distributed denial of service (DDoS) is a broad class of cyberattack that disrupts online services and resources by overwhelming them with traffic. This renders the targeted online service unusable for the duration of the DDoS attack. The hallmark of DDoS attacks is the distributed nature of the malicious traffic, which typically originates from a botnet—a criminally-controlled network of compromised machines spread around the globe.

Over the years, cybercriminals have developed a number of technical approaches for taking out online targets through DDoS. The individual techniques tend to fall into three general types of DDoS attacks:

1. Volumetric attacks

   The classic type of DDoS, these attacks employ methods to generate massive volumes of traffic to completely saturate bandwidth, creating a traffic jam that makes it impossible for legitimate traffic to flow into or out of the targeted site.

2. Protocol attacks

   Protocol attacks are designed to eat up the processing capacity of network infrastructure resources like servers, firewalls, and load balancers by targeting Layer 3 and Layer 4 protocol communications with malicious connection requests.

3. Application attacks

   Some of the more sophisticated DDoS attacks, these exploit weaknesses in the application layer—Layer 7—by opening connections and initiating process and transaction requests that consume finite resources like disk space and available memory.

Keep in mind that in real-world attack scenarios, the criminals like to mix and match these types of attacks to increase the pain. Thus, a single DDoS campaign may layer in protocol and application attacks on top of volumetric attacks.

Reviewing specific DDoS attack styles

UDP and ICMP floods

Some of the most common volumetric attacks are those that flood host resources with either User Datagram Protocol (UDP) packets or Internet Control Message Protocol (ICMP) echo requests, or pings, until the service is overwhelmed. Attackers tend to boost the crushing flow of these floods through reflection attacks, which spoof the victim's IP address to make the UDP or ICMP request. That way the attacker saturates bandwidth both coming and going. The malicious packet appears to come from the victim, and so the server sends the response back to itself.

DNS amplification

DNS amplification attacks are volumetric DDoS attacks that use a technique that's essentially a supercharged reflection attack. Amplification attacks cripple bandwidth by magnifying the outbound flow of traffic. They do this by making information requests from the server that output large amounts of data and then routing that information directly back to the server by spoofing the reply-to address.

Thus, in a DNS amplification attack, the bad actor sends many relatively small packets to a publicly accessible DNS server from many different sources in a botnet. Every one of them are requests for a very verbose response, such as DNS name look-up requests. The DNS server then replies to each of these distributed requests with response packets containing many orders of magnitude more data than the initial request packet—with all of that data being sent right back to the victim's DNS server.

SYN flood

One of the most common protocol attacks, SYN flood attacks circumvent the three-way handshake process required to establish TCP connections between clients and servers. These connections are normally made with the client making an initial synchronize (SYN) request of the server, the server replying with an acknowledging (SYN-ACK) response, and the client completing the handshake with a final acknowledgment (ACK).  SYN floods work by making a rapid succession of those initial synchronization requests and leaving the server hanging by never replying with a final acknowledgement. Ultimately the server is called on to keep open a bunch of half-open connections that eventually overwhelm resources, often to the point where the server crashes.

Ping of death

Another type of protocol attack, ping of death attacks vary from the garden variety ICMP echo ping flood attacks in that the content of the packet itself is maliciously designed to cause server-side system malfunction. The data contained in a normal ping flood attack is almost immaterial—it is simply meant to crush bandwidth with its volume. In a ping of death attack, the criminal seeks to exploit vulnerabilities in the targeted system with packet content that causes it to freeze or crash. This method can also be extended into other protocols beyond ICMP, including UDP and TCP.

HTTP flood

HTTP flood attacks are one of the most prevalent types of application-layer DDoS attacks. With this method, the criminal makes what appear to be normal interactions with a web server or application. All of the interactions come from web browsers to look like regular user activity, but they're coordinated to use up as many resources from the server as possible. The request the attacker could make includes anything from a calling up URLs for images or documents with GET requests to making the server process calls to a database from POST requests.

Why DDoS attacks are common

While the logistical aim of each type of DDoS attack is simple—to degrade or completely shut down targeted online resources—the strategic motivations behind DDoS can be quite complex. DDoS attacks are common because they can be used by a broad range of malicious actors to accomplish a variety of end goals. Some common schemes supported by DDoS attacks include:

• Hacktivism: Ideological attackers who have scores to settle with organizations may use DDoS to disrupt profitable online revenue streams and make brands look bad.
• Nation-state activity: Adversarial governments use DDoS as a way to wage cyberwarfare by harassing economic interests in targeted countries.
• Corporate sabotage: Unethical companies hire cybercriminals to take down the competition, particularly during seasonal busy times when the stakes are highest.
• Extortion: In the same vein as ransomware, enterprising criminals use DDoS as a way to extort money from companies vulnerable to disruption.
• Cybercriminal smokescreen: Cybercriminals love to use DDoS attacks as a distraction mechanism to help them carry out stealthy attacks somewhere else on a victim's systems. By overwhelming security and network ops personnel with a DDoS attack, they can commit fraud or data theft elsewhere without anyone noticing.

How DDoS protection should fit into your cybersecurity strategy

It's incumbent upon cybersecurity leaders to maintain availability of systems, which means that DDoS protections should be a key layer in any mature cybersecurity strategy. Security teams can accomplish this through proactive development of defenses, preparing effective DDoS response plans, and keeping on top of threat trends to tweak these preparations as DDoS attack methods change.

Infrastructure preparation

• Build monitoring capabilities to detect early signs of DDoS attacks
• Establish infrastructure that can divert and scrub DDoS traffic
• Engineer resilient network components that can accommodate attack scenarios that create traffic loads above normal levels

Response planning and execution

• Create a plan and task force for remediating DDoS attacks when they occur
• Establish communication plans during an attack in case IP-based services are impacted

Threat landscape research

• Stay up on DDoS attack methods to ensure planning is adequate for future attacks.

FAQ

Why should DDoS attacks worry cybersecurity professionals?

DDoS attacks can wreak havoc on the availability of profitable online resources and can also serve as a diversionary tactic to carry out other illicit activities elsewhere on the network.

What role do botnets play in DDoS?

Botnets are criminally controlled networks of compromised machines. Sometimes referred to as bots or as zombies, these compromised machines can be laptops, desktops, servers, or even IoT devices. Attackers coordinate these machines to create distributed sources of attack traffic to overwhelm an organization infrastructure.

Why are DDoS attacks so hard to stop with traditional forms of cybersecurity filtering?

The distributed nature of DDoS makes it hard to block the flood of malicious traffic by turning off any one specific spigot.