DDoS attacks are a major concern for online businesses. According to the Q3 2015 Security Report by Akamai, there’s a 179.66% increase in the total number of DDoS attacks!
This figure suggests that, in the last two years, an alarming number of businesses have been targeted by criminals, activists, and hackers for nefarious reasons. It can not only deny service to the business’ users but also result in expensive bills. Some DDoS attacks can even be financially devastating for a business!
From trying to flood a target with ping command based ICMP echo request to multi-vector attacks, DDoS attacks have grown bigger and sophisticated over the years. In this post, we will take a look at the different types of DDoS attacks. Here’s a list of the different DDoS attack types.
- Application Level Attacks
- Zero Day (0day) DDoS
- Ping Flood
- IP Null Attack
- CharGEN Flood
- SNMP Flood
- NTP Flood
- SSDP Flood
- Other Amplified DDoS Attacks
- Fragmented HTTP Flood
- HTTP Flood
- Single Session HTTP Flood
- Single Request HTTP Flood
- Recursive HTTP GET Flood
- Random Recursive GET Flood
- Multi-Vector Attacks
- SYN Flood
- SYN-ACK Flood
- ACK & PUSH ACK Flood
- ACK Fragmentation Flood
- RST/FIN Flood
- Synonymous IP Attack
- Spoofed Session Flood
- Multiple SYN-ACK Spoofed Session Flood
- Multiple ACK Spoofed Session Flood
- Session Attack
- Misused Application Attack
- UDP Flood
- UDP Fragmentation Flood
- DNS Flood
- VoIP Flood
- Media Data Flood
- Direct UDP Flood
- ICMP Flood
- ICMP Fragmentation Flood
Application Level Attacks
DDoS attacks can target a specific application or a badly coded website to exploit its weakness and take down the entire server as a result. WordPress (we now offer the best WordPress hosting on the web) and Joomla are two examples of applications that can be targeted to exhaust a server’s resources – RAM, CPU, etc. Databases can also be targeted with SQL injections designed to exploit these loopholes.
The exhausted server is then unavailable to process legitimate requests due to exhausted resources. Websites and applications with security loopholes are also susceptible to hackers looking to steal information.
Zero Day (0day) DDoS
This is a standard term (like John Doe) used to describe an attack that is exploiting new vulnerabilities. These ZERO Day DDoS vulnerabilities do not have patches or effective defensive mechanisms.
An evolved version of ICMP flood, this DDoS attack is also application specific. When a server receives a lot of spoofed Ping packets from a very large set of source IP it is being targeted by a Ping Flood attack. Such an attack’s goal is to flood the target with ping packets until it goes offline.
It is designed to consume all available bandwidth and resources in the network until it is completely drained out and shuts down. This type of DDoS attack is also not easy to detect as it can easily resemble legitimate traffic.
IP Null Attack
Packets contain IPv4 headers which carry information about which Transport Protocol is being used. When attackers set the value of this field to zero, these packets can bypass security measures designed to scan TCP, IP, and ICMP. When the target server tries to put process these packets, it will eventually exhaust its resources and reboot.
It is a very old protocol which can be exploited to execute amplified attacks. A CharGEN amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet enabled devices running CharGEN. These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target.
Most internet-enabled printers, copiers etc., have this protocol enabled by default and can be used to execute a CharGEN attack. This can be used to flood a target with UDP packets on port 19. When the target tries to make sense of these requests, it will fail to do so. The server will eventually exhaust its resources and go offline or reboot.
Like a CharGEN attack, SNMP can also be used for amplification attacks. SNMP is mainly used on network devices. SNMP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to the internet enabled devices running SNMP.
These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. However, amplification effect in SNMP can be greater when compared with CHARGEN and DNS attacks. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.
The NTP protocol is another publicly accessible network protocol. The NTP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to internet enabled devices running NTP.
These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.
SSDP enabled network devices that are also accessible to UPnP from the internet are an easy source for generating SSDP amplification floods. The SSDP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to devices.
These spoofed requests to such devices are used to send UDP floods as responses from these devices to the target. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.
Other Amplified DDoS Attacks
All amplified attacks use the same strategy described above for CHARGEN, NTP, etc. Other UDP protocols that have been identified as possible tools for carring out amplification flood attacks U.S. CERT are:
- Quake Network Protocol
- Steam Protocol
Fragmented HTTP Flood
In this example of a sophisticated attack on a known loophole, BOTs with a valid IP are used to establish a valid HTTP connection with a web server. Then, HTTP packets are split by the bot into tiny fragments and sent to the target as slowly as it allows before it times out. This method allows the attackers to keep a connection active for a long time without alerting any defense mechanisms.
An attacker can use one BOT to initiate several undetected, extended and resource consuming sessions. Popular web servers like Apache do not have effective timeout mechanisms. This is a DDoS security loophole that can be exploited with a few BOTs to stop web services.
The real IP of the BOTs is used to avoid suspicion. The number of BOTs used to execute the attack is same as the source IP range for this attack. Since the IP addresses of the BOTs are not spoofed, there is no reason for defense mechanisms to flag these valid HTTP requests.
One BOT can be used to send a large number of GET, POST or other HTTP requests to execute an attack. Several bots can be combined in an HTTP DDoS attack to completely cripple the target server.
Single Session HTTP Flood
An attacker can exploit a loophole in HTTP 1.1 to send several requests from a single HTTP session. This allows attackers to send a large number of requests from a handful of sessions. In other words, attackers can bypass the limitations imposed by DDoS defense mechanisms on the number of sessions allowed.
Single Session HTTP Flood also targets a server’s resources to trigger a complete system shutdown or poor performance.
Single Request HTTP Flood
When defense mechanisms evolved to block many incoming packets, attacks like Single Packet HTTP Flood were designed with workarounds to dodge these defenses. This evolution of an HTTP flood exploits another loophole in the HTTP technology. Several HTTP requests can be made by a single HTTP session by masking these requests within one HTTP packet.
This technique allows an attack to stay invisible while exhausting a server’s resources by keeping packet rates within the allowed limits.
Recursive HTTP GET Flood
For an attack to be highly successful, it must remain undetected for as long as possible. The best method to go undetected is to appear as a legitimate request by staying within all the limitations while another attack is being executed. Recursive GET achieves this on its own by collecting a list of pages or images and appearing to be going through these pages or images.
This attack can be combined with an HTTP flood attack for maximum impact.
Random Recursive GET Flood
This attack is a purpose built variation of Recursive GET attack. It is designed for forums, blogs and other websites that have pages in a sequence. Like Recursive GET it also appears to be going through pages. Since page names are in a sequence, to keep up appearance as a legitimate user, it uses random numbers from a valid page range to send a new GET request each time.
Random Recursive GET also aims to deflate its target’s performance with a large number of GET requests and deny access to real users.
We talked about attackers combining Recursive GET attacks with HTTP flood attacks to amplify the effects of an attack. That’s just one example of an attacker using two types of DDoS attacks at the same time to target a server. Attacks can also combine several methods to keep the engineers dealing with the DDoS attack confused.
These attacks are the toughest to deal with and are capable of taking down some of the best-protected servers and networks.
This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process, a client initiates a new session by generating a SYN packet. The host assigns and checks these sessions until they are closed by the client. To carry out a SYN Flood attack, an attacker sends a lot of SYN packets to the target server from spoofed IP addresses.
This attack goes on until it exhausts a server’s connection table memory –stores and processes these incoming SYN packets. The result is a server unavailable to process legitimate requests due to exhausted resources until the attack lasts.
The second step of the three-way TCP communication process is exploited by this DDoS attack. In this step, a SYN-ACK packet is generated by the listening host to acknowledge an incoming SYN packet. A large amount of spoofed SYN-ACK packets is sent to a target server in a SYN-ACK Flood attack. The attack tries to exhaust a server’s resources – its RAM, CPU, etc. as the server tries to process this flood of requests.
The result is a server unavailable to process legitimate requests due to exhausted resources until the attack lasts.
ACK & PUSH ACK Flood
During an active TCP-SYN session, ACK or PUSH ACK packets carry information to and from the host and client machines till the session lasts. During an ACK & PUSH ACK flood attack, a large amount of spoofed ACK packets is sent to the target server to deflate it.
Since these packets are not linked with any session on the server’s connection list, the server spends more resources on processing these requests. The result is a server unavailable to process legitimate requests due to exhausted resources until the attack lasts.
ACK Fragmentation Flood
Fragmented ACK packets are used in this bandwidth consuming version of the ACK & PUSH ACK Flood attack. To execute this attack, fragmented packets of 1500 bytes are sent to the target server. It is easier for these packets to reach their target undetected as they are not normally reassembled by routers at the IP level.
This allows an attacker to send few packets with irrelevant data through routing devices to consume large amounts of bandwidth. This attack affects all servers within the target network by trying to consume all available bandwidth in the network.
After a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by servers to close the TCP-SYN session between a host and a client machine. In an RST or FIN Flood attack, a target server receives a large number of spoofed RST or FIN packets that do not belong to any session on the target server.
The attack tries to exhaust a server’s resources – its RAM, CPU, etc. as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources.
Synonymous IP Attack
To take a server down, a large number of TCP-SYN packets carrying the target server’s Source IP and Destination IP are sent to the target server. Even though the packets are carrying the target server’s source and destination IP information, this data is not important.
The goal of the Synonymous IP attack is to exhaust a server’s resources – RAM, CPU, etc. as it tries to compute this anomaly. The exhausted server is then unavailable to process legitimate requests due to exhausted resources.
Spoofed Session Flood
Some of the above DDoS attacks are unable to fool most modern defense mechanisms but DDoS attacks are also evolving to bypass these defenses. Fake Session attacks try to bypass security under the disguise of a valid TCP session by carrying a SYN, multiple ACK and one or more RST or FIN packets.
This attack can bypass defense mechanisms that are only monitoring incoming traffic on the network. These DDoS attacks can also exhaust the target’s resources and result in a complete system shutdown or unacceptable system performance.
Multiple SYN-ACK Spoofed Session Flood
This version of a fake session attack contains multiple SYN and multiple ACK packets along with one or more RST or FIN packets. A Multiple SYN-ACK Fake Session is another example of an evolved DDoS attack. They are changed up to bypass defense mechanisms which rely on very specific rules to prevent such attacks.
Like the Fake Session attack, this attack can also exhaust a target’s resources and result in a complete system shutdown or unacceptable system performance.
Multiple ACK Spoofed Session Flood
SYN is completely skipped in this version of Fake Session. Multiple ACK packets are used to begin and carry an attack. These ACK packets are followed by one or more RST or FIN packets to complete the disguise of a TCP session.
These attacks tend to be more successful at staying under the radar as they generate low TCP-SYN traffic compared to the original SYN-Flood attacks. Like its source, the Multiple ACK Fake Session attack can also exhaust a target’s resources and result in a complete system shutdown or unacceptable system performance.
To bypass defenses, instead of using spoofed IPs, this attack uses the real IP address of the BOTs being used to carry out an attack. The number of BOTs used to execute the attack is same as the source IP range for this attack. This attack is executed by creating a TCP-SYN session between a BOT and the target server.
This session is then stretched out until it times out by delaying the ACK packets. Session attacks try to exhaust a server’s resources through these empty sessions. That, in turn, results in a complete system shutdown or unacceptable system performance.
Misused Application Attack
The attackers first hack client machines that host high traffic apps like P2P services. The traffic from these client machines is then redirected to the target server. The target server exhausts its resources as it tries to accept and negotiate the excessive traffic. Defensive mechanisms aren’t triggered in this case as the hacked client machines are actually trying to make a valid connection to the target server.
After successfully redirecting the traffic to the target, as the attack is going on, the attacker drops off the network and becomes untraceable. Misused Application Attack targets a server’s resources and tries to take it down or destroy its performance.
As the name suggests, in this type of DDoS attack a server is flooded with UDP packets. Unlike TCP, there isn’t an end to end process of communication between client and host. This makes it harder for defensive mechanisms to identify a UDP Flood attack. A large number of spoofed UDP packets are sent to a target server from a massive set of source IP to take it down.
UDP flood attacks can target random servers or a specific server within a network by including the target server’s port and IP address in the attacking packets. The goal of such an attack is to consume the bandwidth in a network until all available bandwidth has been exhausted.
UDP Fragmentation Flood
It is another one of those cleverly masked DDoS attacks that are not easily detected. The activity generated by this attack resembles valid traffic and all of it is kept within limits. This version of the UDP Flood attack sends larger yet fragmented packets to exhaust more bandwidth by sending fewer fragmented UDP packets.
When a target server tries to put these unrelated and forged fragmented UDP packets together, it will fail to do so. Eventually, all available resources are exhausted and the server may reboot.
One of the most well-known DDoS attacks, this version of UDP flood attack is application specific – DNS servers in this case. It is also one of the toughest DDoS attacks to detect and prevent. To execute, an attacker sends a large amount of spoofed DNS request packets that look no different from real requests from a very large set of source IP.
This makes it impossible for the target server to differentiate between legitimate DNS requests and DNS requests that appear to be legitimate. In trying to serve all the requests, the server exhausts its resources. The attack consumes all available bandwidth in the network until it is completely drained out.
This version of application specific UDP flood targets VoIP servers. An attacker sends a large number of spoofed VoIP request packets from a very large set of source IP. When a VoIP server is flooded with spoofed requests, it exhausts all available resources while trying to serve the valid and invalid requests.
This reboots the server or takes a toll on the server’s performance and exhausts the available bandwidth. VoIP floods can contain fixed or random source IP. Fixed source IP address attack is not easy to detect as it masks itself and looks no different from legitimate traffic.
Media Data Flood
Like VoIP flood, a server can also be attacked with media data such as audio and video. A large number of spoofed media data packets are sent by an attacker from a very large set of source IP. When a server is flooded with spoofed media data requests, it exhausts all available resources and network bandwidth to process these requests.
This attack is similar to VoIP floods in every way other than using spoofed media data packets to attacks the server. It can also be hard to detect these attacks when they are using fixed source IP as this gives them a legitimate appearance. The attack is designed to consume all available server resources and bandwidth in the network until it is completely drained out.
Direct UDP Flood
The target server is attacked with a large number of Non-Spoofed UDP packets. To mask the attack, the attacker does not spoof the BOTs actual IP address. The number of BOTs used to execute the attack is same as the source IP range for this attack. The attack is designed to consume all available bandwidth and resources in the network until it is completely drained out and shuts down. This type of DDoS attack is also not easy to detect as it resembles legitimate traffic.
Like UDP, the ICMP stack also does not have an end to end process for data exchange. This makes it harder to detect an ICMP Flood attack. An attacker sends a large number of spoofed ICMP packets from a very large set of source IP. When a server is flooded with massive amounts of spoofed ICMP packets, its resources are exhausted in trying to process these requests. This overload reboots the server or has a massive impact on its performance.
ICMP flood attacks can target random servers or a specific server within a network by including the target server’s port and IP address in the packets. The goal of such an attack is to consume bandwidth in the network until it has exhausted the available bandwidth.
ICMP Fragmentation Flood
This version of ICMP Flood attack sends larger packets to exhaust more bandwidth by sending fewer fragmented ICMP packets. When the target server tries to put these forged fragmented ICMP packets with no correlation together, it will fail to do so. The server eventually exhausts its resources and reboots.