What is a DDoS Attack?
Priyanka Shyam
CCDE (Written) | CWNA | Cisco SCOR | CISCO SD-WAN | Technical Writer | Influencer | Multitasker | Considerate | Empathic | Excellent Communicator | Helpful
DDoS attacks are a major concern for online businesses. According to a report released by Akamai, there has been a 179.66% increase in the total number of DDoS attacks!
This figure suggests that, in the last two years, an alarming number of businesses have been targeted by criminals, activists, and hackers for nefarious reasons. A DDoS attack can not only deny service to the business's users but also result in expensive bills. Some DDoS attacks can even be financially devastating for a business!
What Is a DDoS Attack?
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.
Put another way:
A DDoS attack is a subcategory of a denial-of-service (DoS) attack. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This is typically done by sending an excess of requests to the target machine so that it becomes overloaded and stops functioning adequately. While a DoS attack originates from a single source, a DDoS attack originates from many sources. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination. In either case, the attack is akin to a car or group of cars that have stopped in the middle of a busy road, preventing normal traffic from successfully driving through.
How DDoS Attacks Work
To launch a DDoS attack, an attacker must first gain control of a series of devices that are connected to the Internet; without them, there cannot be a DDoS attack. To control these machines, the malicious actor infects them with malware that allows him or her to access the devices remotely. For a DDoS attack to be successful, hundreds, if not thousands, of devices must be controllable by the malicious actor. Infected machines under the control of the malicious actor are individually referred to as bots (sometimes also known as zombies), while a group of these machines is called a botnet. Once the machines are infected, the attacker can command the botnet to simultaneously send requests to a target machine, systematically causing it to overload. When the IP address of a victim is targeted by the botnet, each bot responds by sending requests to the target, potentially causing the targeted server or network to exceed its capacity, resulting in a denial of service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
What are common types of DDoS attacks?
Different DDoS attack vectors target different components of a network connection. To understand how different DDoS attacks work, it is necessary to know how a network connection is made. A network connection on the Internet is composed of many different components or "layers". Like building a house from the ground up, each layer in the model has a different purpose. The OSI model, shown in the figure below, is a conceptual framework used to describe network connectivity in 7 distinct layers.
While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories. An attacker may make use of one or multiple attack vectors, or cycle through attack vectors, potentially in response to countermeasures taken by the target.
Application Layer Attacks
The Goal of the Attack:
Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side, but can be expensive for the target server to respond to, as the server often must load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend against, as the traffic can be difficult to flag as malicious.
Application Layer Attack Example:
HTTP Flood
This attack is similar to pressing refresh in a web browser over and over on many different computers at once – large numbers of HTTP requests flood the server, resulting in denial-of-service.
This type of attack ranges from simple to complex. Simpler implementations may access one URL with the same range of attacking IP addresses, referrers and user agents. Complex versions may use a large number of attacking IP addresses, and target random URLs using random referrers and user agents.
Protocol Attacks
The Goal of the Attack:
Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available state table capacity of web application servers or intermediate resources like firewalls and load balancers. Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.
Protocol Attack Example:
SYN Flood
A SYN flood is analogous to a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation until they can't carry any more packages, become overwhelmed, and requests start going unanswered.
This attack exploits the TCP handshake by sending a target a large number of TCP “Initial Connection Request” SYN packets with spoofed source IP addresses. The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target’s resources in the process.
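To make the state exhaustion concrete, here is an added model (example code, not from the original article) of a listener's half-open connection table: spoofed SYNs fill the backlog so a genuine client cannot connect, while the SYN cookie defence keeps no per-SYN state at all, encoding the handshake into the server's initial sequence number with a keyed hash. It also illustrates the SYN Flood entry further down. The backlog size, key and addresses are assumed values.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass
class Packet:
    """Just the TCP handshake fields this model needs (constructed, not a real parser)."""
    src: str
    sport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class Listener:
    """Model of a TCP listener's half-open (SYN_RECV) table.

    backlog: how many half-open entries are kept before new SYNs are dropped.
    syn_cookies: if True, no entry is stored; the handshake state is instead
    encoded in the server's initial sequence number (ISN) as a keyed hash, so a
    spoofed SYN whose final ACK never arrives costs the server no memory.
    """

    def __init__(self, backlog, syn_cookies=False, secret=b"demo-secret"):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret  # assumed: a per-boot random key on a real host
        self.half_open = {}   # (src, sport) -> server ISN
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, sport, client_seq):
        # 32-bit keyed hash of the client's identity and its sequence number.
        msg = f"{src}:{sport}:{client_seq}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, pkt):
        """Handle a SYN; return the SYN-ACK we would send, or None if dropped."""
        if self.syn_cookies:
            isn = self._cookie(pkt.src, pkt.sport, pkt.seq)
        else:
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1      # table full: legitimate SYNs suffer too
                return None
            isn = random.getrandbits(32)
            self.half_open[(pkt.src, pkt.sport)] = isn
        return Packet("server", 80, "SYN-ACK", seq=isn, ack=pkt.seq + 1)

    def on_ack(self, pkt):
        """Handle the handshake's final ACK; return True if a connection is established."""
        key = (pkt.src, pkt.sport)
        if self.syn_cookies:
            # The client's seq in the final ACK is its ISN + 1; recompute the cookie.
            expected = self._cookie(pkt.src, pkt.sport, pkt.seq - 1)
            if pkt.ack - 1 != expected:
                return False                # forged or stale ACK: nothing to free
        else:
            if key not in self.half_open or pkt.ack != self.half_open[key] + 1:
                return False
            del self.half_open[key]
        self.established.add(key)
        return True


def simulate(backlog, syn_cookies, attack_syns):
    """Send attack_syns spoofed SYNs, then one genuine handshake; report what happened."""
    srv = Listener(backlog, syn_cookies)
    # Spoofed SYNs (constructed): every source is forged, so the SYN-ACK goes to
    # a host that never sent a SYN and the final ACK never comes back.
    for i in range(attack_syns):
        srv.on_syn(Packet(f"203.0.113.{i % 254 + 1}", 1024 + i, "SYN", seq=1000 + i))
    # A genuine client now tries to connect.
    client = Packet("198.51.100.7", 40000, "SYN", seq=5000)
    synack = srv.on_syn(client)
    connected = False
    if synack is not None:
        ack = Packet(client.src, client.sport, "ACK", seq=client.seq + 1, ack=synack.seq + 1)
        connected = srv.on_ack(ack)
    return {"legit_connected": connected, "half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("no SYN cookies:", simulate(backlog=128, syn_cookies=False, attack_syns=500))
    print("SYN cookies:   ", simulate(backlog=128, syn_cookies=True, attack_syns=500))
```

With a backlog of 128 and 500 spoofed SYNs the plain listener drops the genuine connection; with cookies it is accepted and the table stays empty.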
Volumetric Attacks
The Goal of the Attack:
This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.
Amplification Example:
DNS Amplification
A DNS amplification is like if someone were to call a restaurant and say “I’ll have one of everything, please call me back and tell me my whole order,” where the callback phone number they give is the target’s number. With very little effort, a long response is generated.
By making a request to an open DNS server with a spoofed IP address (the real IP address of the target), the target IP address then receives a response from the server. The attacker structures the request such that the DNS server responds to the target with a large amount of data. As a result, the target receives an amplification of the attacker’s initial query.
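Two defensive checks for the reflection described above, as an added example that is not part of the original article: on the victim side, flag inbound DNS responses that match no query the network actually sent (the signature of reflected traffic), and on the resolver side, refuse recursion for clients outside the operator's own prefixes so the server cannot be used as a reflector. The prefixes and the flow records are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

OUR_NETWORK = ipaddress.ip_network("198.51.100.0/24")  # assumed: the prefix we defend

# Constructed UDP flow records, not from a real capture:
# (timestamp, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # a normal lookup: our host asks a resolver and gets a modest answer back
    (100.0, "198.51.100.10", 51234, "192.0.2.53", 53, 64),
    (100.1, "192.0.2.53", 53, "198.51.100.10", 51234, 180),
    # reflected traffic: large answers from resolvers nobody here ever queried
    (100.2, "203.0.113.5", 53, "198.51.100.10", 53, 3200),
    (100.2, "203.0.113.6", 53, "198.51.100.10", 53, 3100),
    (100.3, "203.0.113.5", 53, "198.51.100.10", 53, 3200),
    (100.3, "203.0.113.7", 53, "198.51.100.10", 53, 2900),
    (100.4, "203.0.113.6", 53, "198.51.100.10", 53, 3100),
]


def find_unsolicited_dns(flows, window=2.0):
    """Return bytes of solicited responses and per-reflector totals of unsolicited ones.

    A response is 'solicited' only if the same internal host sent a query from
    the same port to that server within `window` seconds before it. Reflected
    amplification traffic fails this test: the queries were sent by the
    attacker with our address forged as the source, not by us.
    """
    queries = {}                      # (host, port, server) -> time of last query
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0})
    solicited_bytes = 0
    for ts, src, sport, dst, dport, size in sorted(flows):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in OUR_NETWORK and dport == 53:
            queries[(src, sport, dst)] = ts        # outbound query we really sent
        elif dst_ip in OUR_NETWORK and sport == 53:
            sent = queries.get((dst, dport, src))
            if sent is not None and 0 <= ts - sent <= window:
                solicited_bytes += size
            else:
                unsolicited[src]["packets"] += 1
                unsolicited[src]["bytes"] += size
    return {"solicited_bytes": solicited_bytes, "reflectors": dict(unsolicited)}


ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: the resolver's own users


def resolver_should_recurse(client_ip):
    """Closed-resolver policy: answer recursive queries only for our own clients.

    An open resolver answers anyone, so a query carrying the victim's forged
    address gets its large answer delivered to the victim. Limiting recursion
    to ALLOWED_CLIENTS removes the server from the pool of usable reflectors
    (response rate limiting is the usual complement for queries that do come
    from inside the allowed range).
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


if __name__ == "__main__":
    print(find_unsolicited_dns(FLOWS))
    print(resolver_should_recurse("192.0.2.77"), resolver_should_recurse("198.51.100.10"))
```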
What is the process for mitigating a DDoS attack?
The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic. For example, if a product release has a company's website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known bad actors, efforts to alleviate an attack are probably necessary. The difficulty lies in telling apart the real customers and the attack traffic.
In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed single-source attacks to complex and adaptive multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways, potentially distracting mitigation efforts on any one trajectory. An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification (targeting layers 3/4) coupled with an HTTP flood (targeting layer 7), is an example of a multi-vector DDoS.
Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter different trajectories. Generally speaking, the more complex the attack, the more likely the traffic will be difficult to separate from normal traffic - the goal of the attacker is to blend in as much as possible, making mitigation as inefficient as possible. Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit.
Black Hole Routing
In networking, black holes refer to places in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient. One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route or blackhole and dropped from the network. If an Internet property is experiencing a DDoS attack, the property's Internet service provider (ISP) may send all the site's traffic into a blackhole as a defense.
Rate Limiting
Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively. Nevertheless, rate limiting is a useful component in an effective DDoS mitigation strategy.
Web Application Firewall
A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.
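The rate limiting and WAF rules just described, applied to the HTTP flood from the Application Layer Attack Example above, as an added example (not code from the original article): a per-IP sliding-window limit stops a single greedy source, and a signature rule over (path, user agent, referer) catches a distributed flood whose bots each stay under the per-IP budget but all repeat the same request. The log lines are constructed and the thresholds are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format with referer and user agent (the fields an HTTP flood
# tends to repeat). Constructed sample lines are built in make_sample_log().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


class FloodDetector:
    """Two layers: a per-IP sliding-window rate limit, and a WAF-style rule that
    blocks a request signature (path, user agent, referer) once many distinct IPs
    hit it within the window, which catches bots that each stay under the
    per-IP limit. Thresholds are assumed values for the demo."""

    def __init__(self, window=10.0, per_ip_limit=20, sig_limit=100, sig_min_ips=20):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.sig_limit = sig_limit
        self.sig_min_ips = sig_min_ips
        self.by_ip = defaultdict(deque)    # ip -> deque of (ts, ip)
        self.by_sig = defaultdict(deque)   # signature -> deque of (ts, ip)
        self.blocked_sigs = set()

    def _push(self, dq, ts, ip):
        dq.append((ts, ip))
        while dq and dq[0][0] < ts - self.window:   # drop entries outside the window
            dq.popleft()
        return len(dq)

    def classify(self, rec):
        ts, ip = rec["ts"], rec["ip"]
        if self._push(self.by_ip[ip], ts, ip) > self.per_ip_limit:
            return "rate_limited"          # a single source over its budget
        sig = (rec["path"], rec["ua"], rec["referer"])
        if sig in self.blocked_sigs:
            return "waf_signature"
        sq = self.by_sig[sig]
        if self._push(sq, ts, ip) > self.sig_limit and len({i for _, i in sq}) >= self.sig_min_ips:
            self.blocked_sigs.add(sig)     # distributed flood on one signature
            return "waf_signature"
        return "allow"


def run(lines):
    """Classify every log line in timestamp order; return counts per verdict."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    recs.sort(key=lambda r: r["ts"])
    det, counts = FloodDetector(), defaultdict(int)
    counts["unparsed"] = len(lines) - len(recs)
    for rec in recs:
        counts[det.classify(rec)] += 1
    return dict(counts)


def make_sample_log():
    """Constructed traffic: 3 ordinary visitors, one greedy scraper, and a 60-bot flood."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{m} {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
    lines = [fmt.format(ip=f"192.0.2.{i}", sec=36 + i, m="GET", path=f"/page{i}",
                        ref="https://example.com/", ua=browser) for i in range(1, 4)]
    # one IP, 25 requests in 5 seconds: caught by the per-IP limit alone
    lines += [fmt.format(ip="192.0.2.50", sec=36 + n // 5, m="GET", path="/search",
                         ref="-", ua="curl/8.0") for n in range(25)]
    # 60 bots x 3 requests: every bot is under the per-IP limit, but they all
    # POST the same path with the same tool user agent and no referer
    lines += [fmt.format(ip=f"203.0.113.{i + 1}", sec=36 + (i * 3 + k) % 8, m="POST",
                         path="/login", ref="-", ua="python-requests/2.25.1")
              for i in range(60) for k in range(3)]
    return lines


if __name__ == "__main__":
    print(run(make_sample_log()))
```

The first 100 flood requests are indistinguishable from normal load and pass; once the signature trips, the remaining 80 are blocked without touching the three ordinary visitors.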
Anycast Network Diffusion
This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network. Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability.
The reliability of an Anycast Network to mitigate a DDoS attack is dependent on the size of the attack and the size and efficiency of the network.
I am also adding 35 different types of DDoS attacks, which anyone can refer to if they want to go into more detail.
Application Level Attacks
DDoS attacks can target a specific application or a badly coded website to exploit its weakness and take down the entire server as a result. WordPress and Joomla (like WordPress, Joomla is an open-source content management system that allows you to generate web content and powerful applications) are two examples of applications that can be targeted to exhaust a server's resources, such as RAM and CPU. Databases can also be targeted with SQL injections designed to exploit such loopholes.
The exhausted server is then unavailable to process legitimate requests due to exhausted resources. Websites and applications with security loopholes are also susceptible to hackers looking to steal information.
Zero Day (0day) DDoS
This is a standard term used to describe an attack that exploits new vulnerabilities. These zero-day DDoS vulnerabilities do not yet have patches or effective defensive mechanisms.
Ping Flood
An evolved version of the ICMP flood, this DDoS attack is also application specific. When a server receives a lot of spoofed ping packets from a very large set of source IPs, it is being targeted by a ping flood attack. Such an attack's goal is to flood the target with ping packets until it goes offline.
It is designed to consume all available bandwidth and resources in the network until it is completely drained out and shuts down. This type of DDoS attack is also not easy to detect as it can easily resemble legitimate traffic.
IP Null Attack
Packets contain IPv4 headers which carry information about which transport protocol is being used. When attackers set the value of this field to zero, these packets can bypass security measures designed to scan TCP, IP, and ICMP. When the target server tries to process these packets, it will eventually exhaust its resources and reboot.
CharGEN Flood
CharGEN is a very old protocol which can be exploited to execute amplified attacks. A CharGEN amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet-enabled devices running CharGEN. These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target.
Most internet-enabled printers, copiers etc., have this protocol enabled by default and can be used to execute a CharGEN attack. This can be used to flood a target with UDP packets on port 19. When the target tries to make sense of these requests, it will fail to do so. The server will eventually exhaust its resources and go offline or reboot.
SNMP Flood
Like a CharGEN attack, SNMP can also be used for amplification attacks. SNMP is mainly used on network devices. An SNMP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet-enabled devices running SNMP.
These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. However, the amplification effect in SNMP can be greater when compared with CharGEN and DNS attacks. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.
NTP Flood
The NTP protocol is another publicly accessible network protocol. The NTP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to internet enabled devices running NTP.
These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.
SSDP Flood
SSDP enabled network devices that are also accessible to UPnP from the internet are an easy source for generating SSDP amplification floods. The SSDP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to devices.
These spoofed requests to such devices are used to send UDP floods as responses from these devices to the target. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.
Other Amplified DDoS Attacks
All amplified attacks use the same strategy described above for CharGEN, NTP, etc. Other UDP protocols that US-CERT has identified as possible tools for carrying out amplification flood attacks are:
- SNMPv2
- NetBIOS
- QOTD
- BitTorrent
- Kad
- Quake Network Protocol
- Steam Protocol
Fragmented HTTP Flood
In this example of a sophisticated attack on a known loophole, bots with a valid IP are used to establish a valid HTTP connection with a web server. Then, HTTP packets are split by the bot into tiny fragments and sent to the target as slowly as the server allows before it times out. This method allows the attackers to keep a connection active for a long time without alerting any defense mechanisms.
An attacker can use one bot to initiate several undetected, extended and resource-consuming sessions. Popular web servers like Apache do not have effective timeout mechanisms. This is a DDoS security loophole that can be exploited with a few bots to stop web services.
HTTP Flood
The real IP of the bots is used to avoid suspicion. The number of bots used to execute the attack is the same as the source IP range for this attack. Since the IP addresses of the bots are not spoofed, there is no reason for defense mechanisms to flag these valid HTTP requests.
One bot can be used to send a large number of GET, POST or other HTTP requests to execute an attack. Several bots can be combined in an HTTP DDoS attack to completely cripple the target server.
Single Session HTTP Flood
An attacker can exploit a loophole in HTTP 1.1 to send several requests from a single HTTP session. This allows attackers to send a large number of requests from a handful of sessions. In other words, attackers can bypass the limitations imposed by DDoS defense mechanisms on the number of sessions allowed.
Single Session HTTP Flood also targets a server’s resources to trigger a complete system shutdown or poor performance.
Single Request HTTP Flood
When defense mechanisms evolved to block many incoming packets, attacks like Single Packet HTTP Flood were designed with workarounds to dodge these defenses. This evolution of an HTTP flood exploits another loophole in the HTTP technology. Several HTTP requests can be made by a single HTTP session by masking these requests within one HTTP packet.
This technique allows an attack to stay invisible while exhausting a server’s resources by keeping packet rates within the allowed limits.
Recursive HTTP GET Flood
For an attack to be highly successful, it must remain undetected for as long as possible. The best method to go undetected is to appear as a legitimate request by staying within all the limitations while another attack is being executed. Recursive GET achieves this on its own by collecting a list of pages or images and appearing to be going through these pages or images.
This attack can be combined with an HTTP flood attack for maximum impact.
Random Recursive GET Flood
This attack is a purpose-built variation of the Recursive GET attack. It is designed for forums, blogs and other websites that have pages in a sequence. Like Recursive GET, it also appears to be going through pages. Since page names are in a sequence, to keep up the appearance of a legitimate user, it uses random numbers from a valid page range to send a new GET request each time.
Random Recursive GET also aims to deflate its target’s performance with a large number of GET requests and deny access to real users.
Multi-Vector Attacks
We talked about attackers combining Recursive GET attacks with HTTP flood attacks to amplify the effects of an attack. That’s just one example of an attacker using two types of DDoS attacks at the same time to target a server. Attacks can also combine several methods to keep the engineers dealing with the DDoS attack confused.
These attacks are the toughest to deal with and are capable of taking down some of the best-protected servers and networks.
SYN Flood
This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process, a client initiates a new session by generating a SYN packet. The host assigns and checks these sessions until they are closed by the client. To carry out a SYN Flood attack, an attacker sends a lot of SYN packets to the target server from spoofed IP addresses.
This attack goes on until it exhausts the server's connection table memory, which stores and processes these incoming SYN packets. The result is a server unavailable to process legitimate requests due to exhausted resources for as long as the attack lasts.
SYN-ACK Flood
The second step of the three-way TCP communication process is exploited by this DDoS attack. In this step, a SYN-ACK packet is generated by the listening host to acknowledge an incoming SYN packet. A large number of spoofed SYN-ACK packets is sent to a target server in a SYN-ACK flood attack. The attack tries to exhaust a server's resources (its RAM, CPU, etc.) as the server tries to process this flood of requests.
The result is a server unavailable to process legitimate requests due to exhausted resources for as long as the attack lasts.
ACK & PUSH ACK Flood
During an active TCP-SYN session, ACK or PUSH ACK packets carry information to and from the host and client machines for as long as the session lasts. During an ACK & PUSH ACK flood attack, a large amount of spoofed ACK packets is sent to the target server to overwhelm it.
Since these packets are not linked with any session on the server's connection list, the server spends more resources on processing these requests. The result is a server unavailable to process legitimate requests due to exhausted resources for as long as the attack lasts.
ACK Fragmentation Flood
Fragmented ACK packets are used in this bandwidth-consuming version of the ACK & PUSH ACK flood attack. To execute this attack, fragmented packets of 1500 bytes are sent to the target server. It is easier for these packets to reach their target undetected, as they are not normally reassembled by routers at the IP level.
This allows an attacker to send few packets with irrelevant data through routing devices to consume large amounts of bandwidth. This attack affects all servers within the target network by trying to consume all available bandwidth in the network.
RST/FIN Flood
After a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by servers to close the TCP-SYN session between a host and a client machine. In an RST or FIN Flood attack, a target server receives a large number of spoofed RST or FIN packets that do not belong to any session on the target server.
The attack tries to exhaust a server’s resources – its RAM, CPU, etc. as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources.
Synonymous IP Attack
To take a server down, a large number of TCP-SYN packets carrying the target server’s Source IP and Destination IP are sent to the target server. Even though the packets are carrying the target server’s source and destination IP information, this data is not important.
The goal of the Synonymous IP attack is to exhaust a server’s resources – RAM, CPU, etc. as it tries to compute this anomaly. The exhausted server is then unavailable to process legitimate requests due to exhausted resources.
Spoofed Session Flood
Some of the above DDoS attacks are unable to fool most modern defense mechanisms, but DDoS attacks are also evolving to bypass these defenses. Fake Session attacks try to bypass security under the guise of a valid TCP session by carrying a SYN, multiple ACKs and one or more RST or FIN packets.
This attack can bypass defense mechanisms that are only monitoring incoming traffic on the network. These DDoS attacks can also exhaust the target’s resources and result in a complete system shutdown or unacceptable system performance.
Multiple SYN-ACK Spoofed Session Flood
This version of a fake session attack contains multiple SYN and multiple ACK packets along with one or more RST or FIN packets. A Multiple SYN-ACK Fake Session is another example of an evolved DDoS attack. They are changed up to bypass defense mechanisms which rely on very specific rules to prevent such attacks.
Like the Fake Session attack, this attack can also exhaust a target’s resources and result in a complete system shutdown or unacceptable system performance.
Multiple ACK Spoofed Session Flood
SYN is completely skipped in this version of Fake Session. Multiple ACK packets are used to begin and carry an attack. These ACK packets are followed by one or more RST or FIN packets to complete the disguise of a TCP session.
These attacks tend to be more successful at staying under the radar as they generate low TCP-SYN traffic compared to the original SYN-Flood attacks. Like its source, the Multiple ACK Fake Session attack can also exhaust a target’s resources and result in a complete system shutdown or unacceptable system performance.
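The stateful inspection that the last few entries keep circling (ACK & PUSH ACK floods, RST/FIN floods and the three spoofed-session variants), as an added example that is not part of the original article: a filter that tracks each handshake in both directions drops any inbound ACK, RST or FIN that has no handshake on record, and, because it saw the server's SYN-ACK, rejects a spoofed session's ACKs whose acknowledgement number cannot match an ISN the attacker never received. The server address and the packet trace are constructed.

```python
from dataclasses import dataclass

SERVER = "198.51.100.10"   # assumed: the host the filter sits in front of


@dataclass(frozen=True)
class Pkt:
    """Constructed TCP header summary; flags is a frozenset such as {"SYN", "ACK"}."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0


class StatefulFilter:
    """Tracks each client's handshake with SERVER in both directions and drops any
    inbound ACK/PSH/RST/FIN that does not belong to a handshake it has seen.
    Watching the outbound SYN-ACK is the key: a spoofed client never receives
    it, so its follow-up ACKs cannot carry the right acknowledgement number."""

    def __init__(self):
        self.conns = {}   # (client_ip, client_port) -> {"state", "client_isn", "server_isn"}

    def inspect(self, p):
        inbound = p.dst == SERVER
        key = (p.src, p.sport) if inbound else (p.dst, p.dport)
        c = self.conns.get(key)
        if not inbound:
            # Server -> client: remember the ISN the server chose for this client.
            if c and {"SYN", "ACK"} <= p.flags and p.ack == c["client_isn"] + 1:
                c["server_isn"] = p.seq
            return "pass"                       # outbound traffic is not filtered here
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.conns[key] = {"state": "SYN_RECV", "client_isn": p.seq, "server_isn": None}
            return "pass"                       # a real filter also expires SYN_RECV entries
        if c is None:
            return "drop"                       # ACK/RST/FIN flood: no handshake on record
        if c["state"] == "SYN_RECV":
            if ("ACK" in p.flags and c["server_isn"] is not None
                    and p.ack == c["server_isn"] + 1 and p.seq == c["client_isn"] + 1):
                c["state"] = "ESTABLISHED"
                return "pass"
            return "drop"                       # fake session: ACK for a SYN-ACK never received
        if p.flags & {"RST", "FIN"}:
            c["state"] = "CLOSING"              # a real filter times these out
        return "pass"


def F(*names):
    return frozenset(names)


def run_sample():
    """Constructed trace: one genuine session, an ACK flood, an RST/FIN flood and a
    spoofed-session attempt. Returns the verdict counts and the verdict list."""
    client = ("192.0.2.10", 40000)
    bot = ("203.0.113.99", 5555)
    pkts = [
        Pkt(*client, SERVER, 80, F("SYN"), seq=100),
        Pkt(SERVER, 80, *client, F("SYN", "ACK"), seq=7000, ack=101),
        Pkt(*client, SERVER, 80, F("ACK"), seq=101, ack=7001),
        Pkt(*client, SERVER, 80, F("PSH", "ACK"), seq=101, ack=7001),
        Pkt(SERVER, 80, *client, F("ACK"), seq=7001, ack=121),
        Pkt(*client, SERVER, 80, F("FIN", "ACK"), seq=121, ack=7001),
    ]
    # ACK flood and RST/FIN flood from forged sources that never did a handshake
    pkts += [Pkt(f"203.0.113.{i}", 6000 + i, SERVER, 80, F("ACK"), seq=1, ack=1) for i in range(1, 5)]
    pkts += [Pkt(f"203.0.113.{i}", 6100 + i, SERVER, 80, F(fl), seq=1, ack=1)
             for i, fl in ((5, "RST"), (6, "FIN"))]
    # Spoofed session: SYN, then ACKs and an RST with guessed numbers (the SYN-ACK
    # went to the forged address, so the sender never learned seq 9000)
    pkts += [
        Pkt(*bot, SERVER, 80, F("SYN"), seq=500),
        Pkt(SERVER, 80, *bot, F("SYN", "ACK"), seq=9000, ack=501),
        Pkt(*bot, SERVER, 80, F("ACK"), seq=501, ack=1),
        Pkt(*bot, SERVER, 80, F("ACK"), seq=501, ack=2),
        Pkt(*bot, SERVER, 80, F("RST"), seq=501, ack=1),
    ]
    fw = StatefulFilter()
    verdicts = [fw.inspect(p) for p in pkts]
    return {"pass": verdicts.count("pass"), "drop": verdicts.count("drop"), "verdicts": verdicts}


if __name__ == "__main__":
    print(run_sample())
```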
Session Attack
To bypass defenses, instead of using spoofed IPs, this attack uses the real IP addresses of the bots being used to carry out an attack. The number of bots used to execute the attack is the same as the source IP range for this attack. This attack is executed by creating a TCP-SYN session between a bot and the target server.
This session is then stretched out until it times out by delaying the ACK packets. Session attacks try to exhaust a server’s resources through these empty sessions. That, in turn, results in a complete system shutdown or unacceptable system performance.
Misused Application Attack
The attackers first hack client machines that host high traffic apps like P2P services. The traffic from these client machines is then redirected to the target server. The target server exhausts its resources as it tries to accept and negotiate the excessive traffic. Defensive mechanisms aren’t triggered in this case as the hacked client machines are actually trying to make a valid connection to the target server.
After successfully redirecting the traffic to the target, as the attack is going on, the attacker drops off the network and becomes untraceable. Misused Application Attack targets a server’s resources and tries to take it down or destroy its performance.
UDP Flood
As the name suggests, in this type of DDoS attack a server is flooded with UDP packets. Unlike TCP, there isn't an end-to-end process of communication between client and host. This makes it harder for defensive mechanisms to identify a UDP flood attack. A large number of spoofed UDP packets are sent to a target server from a massive set of source IPs to take it down.
UDP flood attacks can target random servers or a specific server within a network by including the target server’s port and IP address in the attacking packets. The goal of such an attack is to consume the bandwidth in a network until all available bandwidth has been exhausted.
UDP Fragmentation Flood
It is another one of those cleverly masked DDoS attacks that are not easily detected. The activity generated by this attack resembles valid traffic and all of it is kept within limits. This version of the UDP flood sends larger, fragmented packets, so it consumes more bandwidth while sending fewer packets.
When a target server tries to reassemble these unrelated and forged UDP fragments, it fails to do so. Eventually, all available resources are exhausted and the server may reboot.
DNS Flood
One of the most well-known DDoS attacks, this version of the UDP flood attack is application specific, targeting DNS servers in this case. It is also one of the toughest DDoS attacks to detect and prevent. To execute it, an attacker sends a large amount of spoofed DNS request packets that look no different from real requests from a very large set of source IPs.
This makes it impossible for the target server to differentiate between legitimate DNS requests and DNS requests that appear to be legitimate. In trying to serve all the requests, the server exhausts its resources. The attack consumes all available bandwidth in the network until it is completely drained out.
VoIP Flood
This version of the application-specific UDP flood targets VoIP servers. An attacker sends a large number of spoofed VoIP request packets from a very large set of source IPs. When a VoIP server is flooded with spoofed requests, it exhausts all available resources while trying to serve the valid and invalid requests.
This reboots the server or takes a toll on the server's performance and exhausts the available bandwidth. VoIP floods can use fixed or random source IPs. A fixed source IP attack is not easy to detect, as it masks itself and looks no different from legitimate traffic.
Media Data Flood
Like the VoIP flood, a server can also be attacked with media data such as audio and video. A large number of spoofed media data packets are sent by an attacker from a very large set of source IPs. When a server is flooded with spoofed media data requests, it exhausts all available resources and network bandwidth to process these requests.
This attack is similar to VoIP floods in every way other than using spoofed media data packets to attack the server. It can also be hard to detect these attacks when they are using a fixed source IP, as this gives them a legitimate appearance. The attack is designed to consume all available server resources and bandwidth in the network until it is completely drained out.
Direct UDP Flood
The target server is attacked with a large number of non-spoofed UDP packets. To mask the attack, the attacker does not spoof the bots' actual IP addresses. The number of bots used to execute the attack is the same as the source IP range for this attack. The attack is designed to consume all available bandwidth and resources in the network until it is completely drained out and shuts down. This type of DDoS attack is also not easy to detect as it resembles legitimate traffic.
ICMP Flood
Like UDP, the ICMP stack also does not have an end-to-end process for data exchange. This makes it harder to detect an ICMP flood attack. An attacker sends a large number of spoofed ICMP packets from a very large set of source IPs. When a server is flooded with massive amounts of spoofed ICMP packets, its resources are exhausted in trying to process these requests. This overload reboots the server or has a massive impact on its performance.
ICMP flood attacks can target random servers or a specific server within a network by including the target server’s port and IP address in the packets. The goal of such an attack is to consume bandwidth in the network until it has exhausted the available bandwidth.
ICMP Fragmentation Flood
This version of the ICMP flood sends larger, fragmented packets, so it consumes more bandwidth while sending fewer packets. When the target server tries to reassemble these forged, unrelated ICMP fragments, it fails to do so. The server eventually exhausts its resources and reboots.
Comments
Cyber Security Sales Specialist | Co-Founder at Tickles (5 years ago): Cheat sheet for DoS..??
Premium Support Engineer - Focused Services (5 years ago): Informative
Software QA Engineer @ Cisco (5 years ago): Good article with clear cut information
I make Data & AI simpler (5 years ago): Good work Priyanka! Nice and very informative article...?
Regional Head - Gujarat & Rest of Maharashtra (5 years ago): Nice Informative Article