A DDoS attack, or Distributed Denial-of-Service attack, is a type of cybercrime in which threat actors try to make a website or application unavailable to its users. Different types of DDoS attacks exist, but all of them overwhelm a server with illegitimate traffic so that an online service shuts down temporarily or permanently.
How does a DDoS attack work? It relies on malware-infected devices called bots; a cluster of bots under one controller is referred to as a botnet. Threat actors use them to disrupt a system without the device owners' knowledge or consent.
There are multiple types of DDoS attacks that target different components of a network connection. They are typically grouped into three categories: application layer, protocol, and volumetric attacks.
But before learning about them, it’s useful to understand how a network connection is made.
How is a Network Connection Made?
A network connection is made up of multiple layers, each with a distinct purpose. The Open Systems Interconnection (OSI) model describes the functions that allow online devices, products, and services to interoperate.
According to the OSI model, these functions work together to establish a network connection and are organized into seven layers:
Layer 7 - Application Layer
A human-computer interaction layer through which end users access network services.
Layer 6 - Presentation Layer
This layer keeps data in a usable format and defines how two devices should encode, encrypt, and compress it.
Layer 5 - Session Layer
Creates a communication channel after authentication and keeps sessions open during data transfer. Once the data has been transferred, it closes them.
Layer 4 - Transport Layer
Receives the data passed down by the session layer and breaks it into 'segments'. On the receiving end it reassembles the segments, and it regulates the flow of data between the endpoints.
Layer 3 - Network Layer
Breaks segments into network packets, then routes them along the right path and reassembles them at the destination. This layer delivers the frames handed up from Layer 2 to the intended destination using IP addresses.
Layer 2 - Data Link Layer
Responsible for starting and ending a connection between two physically connected nodes on a network.
Layer 1 - Physical Layer
Layer 1 defines the connectors and electrical cabling used to transfer raw data.
Application Layer Attacks
Common types of DDoS attacks include application layer attacks, which are designed to hit the application itself. They exploit weaknesses in specific services (such as SIP voice services, web servers, and BGP) so that applications fail to deliver the expected content to their users.
Compared to volumetric and protocol attacks, application layer attacks require fewer resources to disrupt particular functions or features of a website. They mimic legitimate user behavior, which makes them hard to identify.
This is dangerous because the latest tools used in DDoS attacks can draw on botnets of millions of devices and harm systems at scales never seen before. The magnitude of such attacks is usually measured in requests per second. Here are two popular sub-categories of application layer attacks:
Attacks Targeting DNS Servers
The DNS, or Domain Name System, turns domain names into the IP addresses your browser uses to reach a site. Because DNS servers hold domain name information, attackers target them in DDoS or DoS attempts.
Hackers use spoofing and amplification, in which a small query is reflected as a much larger response in bytes. They attack DNS servers with bots that generate fake DNS requests for an amplification record.
The targeted server then issues its own request to a compromised server to fetch that amplification record. The whole process involves spoofing and takes place at Layers 3 or 4 of the OSI model.
DNS flood attacks overwhelm DNS servers by sending legitimate-looking DNS requests from many spoofed IP addresses (bots) at a high packet rate. Amplified DNS floods are more powerful, targeting recursive DNS servers with large volumes of DNS requests.
HTTP/S Encrypted Flood
HTTP floods and HTTPS (encrypted) floods occur at Layer 7 of the OSI model. As the name implies, these common types of DDoS attacks flood servers with HTTP requests, aimed at one or many URLs, that originate from a botnet.
HTTP floods aim to deplete a web server's resources with continuous requests. They can consist of requests for scripts and images (GET), form and file submissions (POST), or a mix of GET and POST requests. More sophisticated attacks may also use DELETE, PUT, and other request methods.
A denial of service occurs once the server reaches its maximum number of simultaneous connections and can no longer respond to legitimate user requests.
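As an added example (not code from the original article), the following Python sketch shows the per-source request-rate check that a reverse proxy or WAF applies to spot an HTTP flood before the server's connection limit is reached; the log format, the addresses and the requests-per-second limit are constructed for illustration.

```python
# Added example, not part of the original article. Sliding-window request
# counter per client IP: the per-source check a reverse proxy or WAF uses to
# spot an HTTP flood. Log format and limit are assumptions for illustration.
import re
from collections import defaultdict, deque

# Constructed log lines: "<client_ip> <epoch_seconds> <method> <path>".
# 203.0.113.7 fires 15 requests in 0.7 s (a flood); 198.51.100.9 browses normally.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 {1000 + i * 0.05:.2f} GET /index.html" for i in range(15)]
    + [
        "198.51.100.9 1000.00 GET /login",
        "198.51.100.9 1000.60 POST /login",
        "198.51.100.9 1001.50 GET /home",
    ]
)

LINE_RE = re.compile(r"^(\S+) (\d+(?:\.\d+)?) (GET|POST|PUT|DELETE) (\S+)$")


def parse_log(text):
    """Return a list of (ip, timestamp, method, path); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), float(m.group(2)), m.group(3), m.group(4)))
    return events


def find_flooders(events, window=1.0, limit=10):
    """Map each offending IP to the peak number of requests it made within any
    `window` seconds; only IPs whose peak exceeds `limit` are returned.

    A deque per IP keeps the timestamps inside the current window and evicts
    older ones from the left, so memory grows with the rate, not the log size.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ip, ts, _method, _path in sorted(events, key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}


if __name__ == "__main__":
    for ip, n in find_flooders(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: peak {n} requests/s, exceeds limit")
```

A real deployment keys the same counter on more than the source address (for example the path or the session), because a botnet spreads the load across many IPs that each stay under a naive per-IP limit.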
While difficult to discover, knowing how to identify a DDoS attack like this can help mitigate the repercussions.
Protocol Attacks
Protocol attacks aim to exhaust the resources of servers and of intermediate communication equipment, the devices that sit between a client and the server. They work by burdening those resources with bogus protocol requests so that nothing is left for legitimate ones.
Here are four common DDoS attack types under this category:
Ping of Death
Here, threat actors abuse the IP protocol by sending ping packets to the victim server that are larger than the maximum size allowed. The Ping of Death (PoD) is an outdated type of DDoS attack, but it's still used against applications and hardware.
It either crashes a server or reboots it, taking down an entire data center. While PoD attacks are less prevalent today, a related DDoS attack type known as an ICMP flood is much more common. You can read about it under volumetric attacks.
SYN Flood
TCP, the Transmission Control Protocol, is the connection-oriented transport protocol that links a client and a server at Layer 4. Malicious actors exploit the way TCP sets up connections by sending SYN packets to the targeted server from spoofed source IPs.
SYN is short for synchronize: a SYN packet is the first packet a client sends when it tries to establish a TCP connection to a server. SYN floods are also known as TCP floods or SYN-TCP floods and use up connection resources on backend servers.
The spoofed packets keep arriving until the server's connection table is exhausted, which takes the online service down. With the TCP backlog saturated, the server can't accept any new connections.
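The half-open pattern described above is what a sensor looks for. As an added example (not code from the original article), this Python snippet tracks handshakes in a constructed packet trace and flags a destination once its stale half-open count exceeds the backlog it can hold; the addresses, timings, backlog size and timeout are assumptions for illustration.

```python
# Added example, not part of the original article. Tracks TCP handshakes in a
# packet trace and reports destinations whose half-open (SYN received, final
# ACK never seen) count exceeds the backlog they can hold, the signature of a
# SYN flood from spoofed sources. Trace, addresses and backlog are constructed.
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport flags")
SERVER = "203.0.113.10"


def _handshake(ts, client, port, complete):
    """Build one client->server handshake; spoofed clients never send the ACK."""
    pkts = [Packet(ts, client, port, SERVER, 443, "S"),
            Packet(ts + 0.01, SERVER, 443, client, port, "SA")]
    if complete:
        pkts.append(Packet(ts + 0.02, client, port, SERVER, 443, "A"))
    return pkts


# Constructed trace: 3 real clients complete the handshake, 8 spoofed sources
# (192.0.2.x) send a SYN, are sent a SYN-ACK and never answer.
TRACE = []
for i, client in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
    TRACE += _handshake(0.5 * i, client, 40000 + i, complete=True)
for i in range(8):
    TRACE += _handshake(2.0 + 0.1 * i, f"192.0.2.{i + 1}", 50000 + i, complete=False)


def half_open_connections(trace, now, timeout=3.0):
    """Return {(src, sport, dst, dport): syn_time} for handshakes still waiting
    for the client's ACK after `timeout` seconds. Only client-side packets are
    inspected: the server's SYN-ACK says nothing about whether the source is real."""
    pending = {}
    for p in sorted(trace, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "A":
            pending.pop(key, None)
    return {k: t for k, t in pending.items() if now - t > timeout}


def syn_flood_suspected(trace, now, backlog=5, timeout=3.0):
    """Map (dst, dport) to its stale half-open count when it exceeds `backlog`."""
    per_dst = Counter((k[2], k[3]) for k in half_open_connections(trace, now, timeout))
    return {d: n for d, n in per_dst.items() if n > backlog}


if __name__ == "__main__":
    print(syn_flood_suspected(TRACE, now=10.0))  # {('203.0.113.10', 443): 8}
```

On a live sensor the "A" match must be restricted to the ACK that completes the handshake, since every later data packet also carries the ACK flag.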
Tsunami SYN Flood
A Tsunami SYN flood attack is a more aggressive type of DDoS attack. While a regular SYN flood typically contains low amounts of data, this variation is characterized by packets with around 1,000 bytes each.
Connection Exhaustion Attacks
In a connection exhaustion attack, hackers target infrastructure components such as next-generation firewalls, web application servers, and edge load balancers to overwhelm their connection state tables with bogus entries. This DDoS attack type lets threat actors monitor and adjust their attacks for high-intensity impact.
They're usually launched from individual, fully functional clients whose addresses can't simply be spoofed, and they're nearly impossible to avert or mitigate in stateless edge router infrastructures.
Also known as state-exhaustion attacks, these types of DDoS attacks use less bandwidth (up to 20 gigabits per second), so they’re often considered less dangerous.
That said, attackers have adapted standard connection exhaustion, TCP, and flood attacks to target Secure Sockets Layer (SSL) services too. Network communication protocols often use SSL for encryption, to enhance security and address privacy concerns.
SSL state-exhaustion DDoS attacks usually target the SSL handshake protocol in one of two ways:
- By exploiting the SSL handshake protocol itself with continuous encryption renegotiation requests that exhaust resources, making services unavailable to legitimate users.
- By sending invalid data packets to SSL servers that waste time and resources processing such data as legitimate, causing connection problems for real users.
Most firewalls can’t mitigate these DDoS attack types as they’re unable to differentiate between authentic and fake SSL handshake data packets.
Volumetric Attacks
Volumetric attacks deplete a targeted website's bandwidth using amplification methods. This DDoS attack type is measured in bps (bits per second). Attack traffic is usually in the hundreds of Gbps, though some recent incidents have exceeded 1 Tbps.
What motivates DDoS attacks of this type is the stealth aspect.
They’re difficult to trace, appearing as authentic traffic generated by multiple IP addresses but originating from an attacker’s bot network.
Volume-based DDoS attacks serve to halt legitimate traffic and shut down entire websites. Here are some of the most notorious types:
DNS Amplification
DNS amplification exploits public DNS servers to overwhelm a targeted network with traffic. Bad actors send DNS name lookup requests to a public DNS server while spoofing the source IP address as the target's IP address.
As a result, the DNS response is sent to the target instead. The spoofed requests are of the 'ANY' type, so every record for the name is packed into a single reply. The responses are therefore large, and the victim web resource receives amplified traffic that clogs the network and renders it inaccessible.
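From the resolver operator's side, the tell-tale sign is one "client" address (in reality the spoofed victim) repeatedly asking ANY and receiving answers many times larger than its queries. As an added example (not code from the original article), this Python snippet computes that per-client amplification factor over a constructed resolver log; the log format, addresses, byte counts and thresholds are assumptions for illustration.

```python
# Added example, not part of the original article. Per-client amplification
# report for a recursive resolver's query log: in an amplification attack the
# "client" address is the spoofed victim, so one address repeatedly asking ANY
# and receiving large answers is the signature to alert on (and to rate-limit).
# Log format, addresses, byte counts and thresholds are constructed.
from collections import defaultdict

# Constructed log: "<client_ip> <qname> <qtype> <request_bytes> <response_bytes>"
SAMPLE_LOG = """\
198.51.100.20 example.com A 60 76
203.0.113.5 example.org ANY 64 3100
198.51.100.20 example.net A 60 92
203.0.113.5 example.org ANY 64 3100
192.0.2.9 example.org ANY 64 3000
203.0.113.5 example.org ANY 64 2900
198.51.100.20 example.edu A 60 88
203.0.113.5 example.org ANY 64 3100
192.0.2.9 example.org ANY 64 3000
"""


def parse_log(text):
    """Return a list of (client_ip, qname, qtype, req_bytes, resp_bytes)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            rows.append((parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])))
    return rows


def amplification_report(rows, min_factor=10.0, min_queries=3):
    """For each client with at least `min_queries` queries, compute the byte
    amplification factor (response bytes / request bytes) and the share of ANY
    queries; return only clients whose factor reaches `min_factor`."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "req": 0, "resp": 0})
    for ip, _qname, qtype, req, resp in rows:
        s = stats[ip]
        s["queries"] += 1
        s["any"] += int(qtype == "ANY")
        s["req"] += req
        s["resp"] += resp
    report = {}
    for ip, s in stats.items():
        factor = s["resp"] / s["req"]
        if s["queries"] >= min_queries and factor >= min_factor:
            report[ip] = {"factor": round(factor, 1), "any_share": s["any"] / s["queries"]}
    return report


if __name__ == "__main__":
    for ip, info in amplification_report(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['factor']}x amplification, {info['any_share']:.0%} ANY queries")
```

The `min_queries` floor keeps a single large but legitimate answer from raising an alert; the same per-address counters are what response rate limiting on a resolver keys on.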
UDP Flood
In a UDP flood, hackers target random ports on the host with large numbers of small User Datagram Protocol (UDP) packets. UDP is a communication protocol that provides low-latency, loss-tolerant communication between internet applications.
A UDP flood depletes the resources of vital network elements, overwhelming the target system and causing a denial of service. It can be carried out from a spoofed IP address so that return packets never reach the attacking host, which also helps cybercriminals conceal their identity.
ICMP or Ping Flood
ICMP, the Internet Control Message Protocol, is used to report problems that arise when transferring data online. Attackers overwhelm a network with numerous spoofed ICMP echo requests. Echo requests (pings) and echo-reply messages are normally used to check a network's connectivity. Most of these requests receive replies, which consume network resources, and once flooded with such packets, online services become unavailable to users.
RST-FIN Flood
In an RST-FIN flood, attackers use spoofed TCP RST or FIN packets to saturate bandwidth, occupy resources, and interrupt network activity.
While SYN packets are sent to establish new TCP connections, FIN packets are sent to close TCP connections. Meanwhile, RST packets are typically used to forcefully reset connections by aborting them when there’s an issue.
During this type of DDoS attack, threat actors send high volumes of spoofed RST and FIN packets to use up the victim network’s resources. This, in turn, causes disruptions, ultimately leading to system failures.
Although RST-FIN floods aren’t as prevalent today, cyber criminals still use them in conjunction with other attack types.
Smurf Attack
A smurf attack occurs at the third layer of the OSI model and is similar to an ICMP flood. Its name stems from the original attack tool, which was named after the cartoon show The Smurfs because something small could hit a much larger enemy.
Smurf attacks overload a network with malicious ICMP echo requests (pings) and exploit weaknesses in IP. A false or spoofed IP address is attached to each data packet used to send these requests.
The most common DDoS attack types fall under application layer attacks, protocol attacks, and volumetric attacks. They occur at different layers of the OSI model.
While application layer attacks exploit specific vulnerabilities and forge legitimate user actions, protocol attacks eat up server communication resources with invalid requests. Volumetric attacks focus on flooding victim networks with seemingly authentic traffic.
Cyber actors today often combine several DDoS attack types with other cyberattacks. While it helps to know which industries DDoS attackers target, no industry or organization is safe from such threats.
It’s not easy to detect a DDoS attack until the harm is done, so it’s better to strengthen your security protocols and inform your employees about its indicators.