In recent years, DDoS attacks have grown increasingly complex and varied. They have moved from simple attempts to flood a target with ICMP echo requests based on the ping command to more complicated multi-vector attacks. Let's look at the different types of DDoS attack.
Application layer DDoS attacks
These attacks target specific software applications. Also called "layer 7 attacks," they consume server and network resources, making them more disruptive while using less bandwidth overall. The attacker sends requests that look like they come from legitimate users but are designed to exploit weaknesses within an application, leaving it unable to service end-users' requests.
ACK flood DDoS attack
An ACK flood is a DDoS attack in which the attacker sends a large number of ACK packets to a victim's system. An ACK is a Transmission Control Protocol (TCP) message confirming receipt of data. ACK flood attacks exploit the fact that ACK packets can be spoofed: the attacker forges the source IP address of the ACK packets. The victim's system sends packets back towards the forged source, consuming bandwidth and resources until it can no longer serve legitimate user requests.
BGP hijacking
As the primary protocol for routing traffic across the Internet, the Border Gateway Protocol (BGP) is a critical component of global network infrastructure. However, BGP is also susceptible to hijacking attacks, in which an attacker impersonates a legitimate network and announces its prefix to redirect traffic. When other networks accept this spoofed routing information, traffic is sent to the attacker instead of its intended destination. This application-layer DDoS attack can have devastating consequences, as it prevents users from accessing essential services or leaks sensitive data.
CharGEN amplification attack
CharGEN (Character Generator) is an old protocol that can be exploited to conduct DDoS amplification attacks. During a CharGEN amplification attack, small packets carrying the spoofed IP address of the victim's server are sent to Internet-connected devices with the CharGEN service enabled. In response, these Internet-facing devices send UDP packets to the victim's server, which gradually exhausts its resources because it cannot interpret them.
DNS flood DDoS attack
DNS Flood DDoS attacks are usually launched using a botnet that sends many DNS requests to the target DNS server to overload it and cause it to fail. This attack targets Domain Name System (DNS) servers, disrupting DNS resolution for a particular domain. DNS servers are responsible for resolving DNS queries, so a DNS Flood DDoS attack can cause significant disruption for Internet users.
DNS amplification attack
DNS servers are responsible for converting human-readable domain names into IP addresses. However, they can be tricked into sending large amounts of data in response to a small DNS query. Attackers exploit this by sending a DNS request with a spoofed source address that points to the victim's IP address. The DNS server then sends its response to the victim, amplifying the size of the original DNS query by up to 50 times. The result is a powerful distributed denial of service (DDoS) attack, as the victim's DNS servers are overwhelmed with DNS responses.
Fraggle DDoS attack
A Fraggle attack is a DDoS attack in which an attacker sends large amounts of UDP traffic to a router's broadcast address. The target server tries to respond, but an overwhelming number of packets keeps arriving. The increased load makes the server less responsive over time. A Fraggle attack is similar to a Smurf attack, but instead of using Internet Control Message Protocol (ICMP) traffic, it uses UDP traffic.
HTTP flood DDoS attack
HTTP Flood is a volumetric DDoS attack targeting servers and applications that use the Hypertext Transfer Protocol (HTTP), the protocol browsers and web servers use to communicate. HTTP Flood attacks work by sending many HTTP GET or POST requests to a target server or application. The target is overwhelmed with these spurious requests and cannot respond to legitimate ones.
ICMP flood DDoS attack
Like UDP, the Internet Control Message Protocol (ICMP) is connectionless and has no end-to-end handshake, which makes an ICMP Flood attack harder to detect. The attacker sends a large number of fake ICMP packets from many different source IP addresses. When the server is inundated with spoofed ICMP packets, its resources are depleted as it attempts to process them. This overload either restarts the server or significantly degrades its performance.
IP fragmentation attack
IP fragmentation refers to dividing IP datagrams into smaller packets so they can be sent over a network while respecting the size constraints imposed by that network. The fragments are reassembled into the original datagram at the destination. In an IP fragmentation attack, the attacker sends fake IP fragments that cannot be put back together again (reassembled). As a result, the fragments are kept in temporary storage, where they consume memory and, in some instances, exhaust the available memory on the target system.
IP null attack
In IP Null DDoS attacks, the attacker sends many IP packets with the protocol field of the IPv4 header set to zero. The victim's computer cannot determine which transport protocol (TCP/UDP) is being used, causing it to waste computing resources until it becomes incapable of processing legitimate traffic.
Land DDoS attack
A Local Area Network Denial (LAND) attack is a distributed denial of service (DDoS) attack that targets a network using TCP SYN packets in which the source and destination IP address and port are the same. Because of this, the target processes the packets in an endless loop, eventually crashing or becoming unresponsive.
Low and slow attack
A low and slow attack is a DDoS attack that uses very slow HTTP or TCP traffic to stop a web service. Data is sent slowly, but just fast enough that the server does not time out the connection. This type of DDoS attack goes after server and application resources and is difficult to tell apart from regular traffic.
Memcached DDoS attack
This is an attack in which the attacker sends fake requests to a Memcached server, which floods the victim with Internet traffic. Most of the time, the victim's resources cannot handle all of this traffic. New requests cannot be handled, and legitimate users cannot access the resource.
Misused application attack
Instead of using fake IP addresses, this DDoS attack takes advantage of real client computers running resource-intensive programs, such as P2P tools. The traffic from these clients is redirected to the target server so the attackers can bring it down with excessive processing load. Because the traffic comes from actual devices that the attackers have already hijacked, this DDoS attack is difficult to detect and mitigate.
Multi-vector DDoS attack
Multi-vector DDoS attacks are more difficult to defend against than traditional ones because they come from multiple sources and target different parts of the victim's network. These attacks use numerous vectors or attack methods to target a single victim. The most common type of multi-vector DDoS attack is a combination of SYN floods, UDP floods, and ICMP floods.
NTP amplification attack
NTP Amplification attacks are distributed denial of service (DDoS) attacks that abuse the Network Time Protocol (NTP). NTP is the protocol used to synchronise clocks across computer networks. Attackers can exploit NTP servers to amplify the amount of UDP traffic directed at a victim's system, making it and its surrounding infrastructure inaccessible to regular traffic.
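The CharGEN, DNS, Memcached and NTP entries above share one defensive signature: reflected replies arrive at the victim's edge from well-known UDP service ports without any matching outbound request. The following detector is an added example written for this article, not code from the original page or from any vendor; the packet records and the documentation-range addresses are constructed, and the port-to-service map is an assumption about which services a given edge would watch.

```python
# Added example (not from the original article): flag unsolicited UDP replies
# from amplifier service ports, as seen at a network edge, and report the
# victim, the abused service, how many reflectors took part and the bytes sent.
from collections import defaultdict

# Assumed watch-list of UDP service ports abused as amplifiers (CharGEN, DNS, NTP, Memcached).
REFLECTOR_PORTS = {19: "CharGEN", 53: "DNS", 123: "NTP", 11211: "Memcached"}

# Constructed sample packets: (direction, src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.10 is the local host; 198.51.100.x are reflectors; all addresses are documentation ranges.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", 40001, "198.51.100.1", 53, 60),     # legitimate DNS query
    ("in",  "198.51.100.1", 53, "203.0.113.10", 40001, 120),    # its expected reply
    ("in",  "198.51.100.2", 53, "203.0.113.10", 80, 3400),      # replies we never asked for
    ("in",  "198.51.100.3", 53, "203.0.113.10", 80, 3400),
    ("in",  "198.51.100.4", 53, "203.0.113.10", 80, 3400),
    ("in",  "198.51.100.5", 123, "203.0.113.10", 80, 4400),     # large NTP replies, unsolicited
    ("in",  "198.51.100.6", 123, "203.0.113.10", 80, 4400),
    ("in",  "192.0.2.9", 443, "203.0.113.10", 51000, 1400),     # not a watched port, ignored
]

def detect_reflection(packets, min_reflectors=3, min_bytes=8000):
    """Return {victim_ip: {service: (reflector_count, total_bytes)}} for local
    hosts receiving unsolicited replies from at least min_reflectors distinct
    reflectors, or at least min_bytes in total, per abused service."""
    solicited = set()   # (local_ip, remote_ip, remote_port) for queries we really sent
    stats = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for direction, src, sport, dst, dport, size in packets:
        if direction == "out" and dport in REFLECTOR_PORTS:
            solicited.add((src, dst, dport))
            continue
        if direction != "in" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in solicited:
            continue        # a reply to a query the local host actually made
        entry = stats[dst][REFLECTOR_PORTS[sport]]
        entry[0].add(src)
        entry[1] += size
    alerts = {}
    for victim, services in stats.items():
        hits = {svc: (len(refl), total) for svc, (refl, total) in services.items()
                if len(refl) >= min_reflectors or total >= min_bytes}
        if hits:
            alerts[victim] = hits
    return alerts
```

A real deployment would also expire entries in `solicited` after the service's normal reply window, so one genuine query cannot whitelist a reflector indefinitely.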
Ping of Death
Hackers use Ping of Death to flood a computer system with "echo request" packets larger than the maximum size allowed, causing the target machine to freeze and resulting in a denial of service. Even though the Ping of Death attack is not as common as it used to be, businesses still need to be aware of it and take steps to protect themselves from it.
Protocol attacks
Protocol attacks exploit weaknesses in network protocols such as TCP, UDP, and DCCP. These attacks consume the computing power of network resources by targeting layer 3 and layer 4 communication protocols with malicious connection requests.
Ransom DDoS attack
Ransom DDoS (RDDoS) attacks have an extortion component: payment is sought by threatening the target with a DDoS attack. The extortionists may launch a DDoS attack and then send a ransom note demanding money to stop it, or they may threaten a DDoS attack in the ransom note before launching it. Ransom DDoS attacks are relatively easy to execute, given the low technical skill required to carry them out, yet they pose a substantial risk to enterprises.
R U Dead Yet?
'R U Dead Yet?' or RUDY is a DoS attack tool that uses low-and-slow techniques to tie up a web server. The attack relies on a small number of long-running form-field submissions rather than a large number of quick requests.
Single request HTTP flood
Attacks like Single Packet HTTP Flood were developed to get around defence systems that block large numbers of incoming packets. These attacks exploit the feature of HTTP that allows multiple client requests within the same HTTP session. By sending a few packets at a slow rate, a server's resources can be used up gradually without anyone noticing.
Slowloris DDoS attack
Slowloris is a type of DDoS attack that works by flooding a server with a large number of incomplete HTTP requests. The target server must keep track of all the open connections, which uses up its resources and prevents other people from using it. Slowloris attacks are notoriously hard to defend against because they only need a few computers.
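The low and slow, RUDY, single request HTTP flood and Slowloris entries all leave the same trace on the server: connections that stay open well past the normal header-completion time without ever finishing a request. The snapshot-based check below is an added example for this article, not code from the original page or from any product; the connection-table layout, the snapshot data and the thresholds are constructed assumptions.

```python
# Added example (not from the original article): spot Slowloris-style low-and-slow
# connections from a constructed snapshot of a web server's connection table.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    src_ip: str
    opened_at: float        # seconds (epoch) when the TCP connection was accepted
    bytes_received: int     # request bytes received so far
    headers_complete: bool  # True once the blank line ending the headers arrived

# Constructed snapshot taken at NOW: two sources hold many header-less connections
# open and trickle bytes in; 198.51.100.7 is a normal client that finished its request.
NOW = 1_700_000_300.0
SNAPSHOT = [
    *[Conn("192.0.2.10", NOW - 240 - i, 90, False) for i in range(6)],
    *[Conn("192.0.2.11", NOW - 180 - i, 40, False) for i in range(5)],
    Conn("198.51.100.7", NOW - 2, 510, True),
    Conn("198.51.100.8", NOW - 45, 0, False),   # a single slow connection, below min_conns
]

def find_slow_sources(conns, now, max_header_wait=30.0, min_conns=3, max_slots=64):
    """Return (offenders, slot_fraction): offenders maps each source IP holding at
    least min_conns connections past max_header_wait seconds without complete
    headers to that count; slot_fraction is the share of the server's
    connection slots (max_slots) tied up by all such stale connections."""
    stale = [c for c in conns
             if not c.headers_complete and now - c.opened_at > max_header_wait]
    per_source = defaultdict(int)
    for c in stale:
        per_source[c.src_ip] += 1
    offenders = {ip: n for ip, n in per_source.items() if n >= min_conns}
    slot_fraction = len(stale) / max_slots
    return offenders, slot_fraction
```

The slot fraction matters as much as the per-source count: a distributed low-and-slow attack can keep every source below `min_conns` while still exhausting the listener's connection slots.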
Smurf DDoS attack
A Smurf attack, or "Smurfing", is a DDoS attack in which an attacker attempts to flood a target system with ICMP traffic. The name "Smurf" comes from the Smurf malware used in this type of attack, which can generate large amounts of ICMP traffic. Smurfing is a relatively simple DDoS attack, but it can disrupt services and bring down websites.
SYN flood DDoS attack
SYN Flood attacks send SYN packets to a target system in an attempt to overload it. The SYN (synchronise) packet is used to initiate a TCP connection. When the attacker sends a large number of SYN packets, the target system becomes overloaded and cannot process legitimate requests.
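What a SYN flood actually fills is the listener's backlog of half-open connections: SYNs that were answered with SYN-ACK but whose final ACK never arrived. The replay below is an added example for this article, not code from the original page or any tool; the packet log is constructed, and the backlog size and alert threshold are assumed values a defender would tune to their own listener.

```python
# Added example (not from the original article): replay a constructed TCP handshake
# log at a server and measure how much of the listen backlog is held half-open.
from collections import Counter

# Constructed log: (src_ip, src_port, flag) where "S" is the client's SYN and
# "A" is the client's final ACK. Spoofed sources never send the ACK, so their
# entries stay half-open. Addresses are documentation ranges.
SAMPLE_TCP = (
    [("198.51.100.7", 50000, "S"), ("198.51.100.7", 50000, "A")]   # normal handshake
    + [(f"203.0.113.{i}", 40000, "S") for i in range(1, 41)]      # 40 SYNs, no ACKs
    + [("198.51.100.8", 50001, "S"), ("198.51.100.8", 50001, "A")] # another normal one
)

def half_open_report(packets, backlog_size=128, alert_fraction=0.25):
    """Replay the log and return a dict with the number of half-open entries,
    how many distinct sources hold them, the fraction of backlog_size they
    occupy, and whether that fraction reaches alert_fraction."""
    pending = set()                 # (src_ip, src_port) awaiting the final ACK
    for src, sport, flag in packets:
        key = (src, sport)
        if flag == "S":
            pending.add(key)        # server would answer SYN-ACK and queue the entry
        elif flag == "A":
            pending.discard(key)    # handshake completed, entry leaves the backlog
    sources = Counter(src for src, _ in pending)
    fraction = len(pending) / backlog_size
    return {
        "half_open": len(pending),
        "distinct_sources": len(sources),
        "backlog_fraction": fraction,
        "alert": fraction >= alert_fraction,
    }
```

A high half-open count spread across many distinct sources, each holding a single entry, is the pattern spoofed-source SYN floods leave, which is why backlog pressure rather than per-source rate is the useful alarm here.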
UDP flood DDoS attack
A UDP Flood is a DDoS attack in which the attacker sends UDP packets to a target's IP address. The target server then attempts to process these UDP packets until it is overwhelmed. UDP floods are difficult to defend against because the UDP protocol does not require the sender to have a valid IP address. As a result, UDP floods can be difficult to trace back to the attacker.
VoIP flood DDoS attack
A VoIP Flood DDoS attack exploits VoIP systems to flood the network with spurious requests, resulting in a denial of service for legitimate users. VoIP Flood attacks are usually initiated by malware that has infected the VoIP system or by attackers who have gained access to it. Once the attacker controls the VoIP system, they can use it to generate a large number of call requests, overwhelm the network, and prevent legitimate users from making or receiving calls.
Volumetric DDoS attacks
These are the most common DDoS attacks, relying on overwhelming the victim with traffic. The attacker sends large amounts of data to the target, using up bandwidth and causing the site to crash. Examples of volumetric attacks include UDP floods and ICMP floods.
Zero-day DDoS attack
Zero-day DDoS attacks can be devastating. A zero-day is an unpatched security vulnerability that attackers can exploit by launching a DDoS attack against a target before it can be patched. This attack can be tough to defend against because the target has no time to anticipate or prepare for it. Zero-day DDoS attacks often result in downtime for the target, financial loss, and a damaged reputation.
DDoS attacks continue to be a significant risk for businesses across the world, and the threat is compounded by the large variety of DDoS attack vectors. When a public-facing website or app goes down as a result of a DDoS attack, it upsets customers, costs money, and hurts the brand. Businesses should learn to recognise the warning signs proactively, have a suitable response plan, and constantly work to strengthen their network architecture to protect themselves against distributed denial of service attacks. Companies may also look to a DDoS protection service that defends against multiple types of DDoS attack. By choosing a DDoS solution that offers protection against these attacks, organisations can be confident that their systems will be safe from even the most sophisticated threats.
Tata Communications provides advanced DDoS protection to businesses around the world. Regardless of the DDoS attack's volume, complexity, or duration, our DDoS protection service offers real-time detection and mitigation. Get in touch with us about how our decade-long experience providing DDoS protection services, massive capacity, and multi-layered protection can help keep your organisation safe from DDoS attacks. Click here to get in touch with us.