While DDoS attacks have existed for over two decades, the increasing digitalisation of enterprises and the proliferation of the myriad connected devices that make up the IoT have considerably expanded the attack surface available to attackers. A recent report indicated a 200% increase in DDoS attacks in the first part of 2023 compared with 2022, with telecommunications companies proving a prime target.
The basic aim of DDoS attacks is to disrupt the normal functioning of the target system, network or online service, rendering it unavailable to its intended users. These attacks involve multiple compromised devices, often spanning geographies, which collectively generate a flood of internet traffic that overwhelms the target. These devices are typically part of a botnet, a network of infected computers controlled by the attacker. IoT devices that lack robust security are more susceptible to compromise and inclusion in botnets. Since DDoS attacks not only affect the target but also the intermediary networks and systems through which the attack traffic flows, this can lead to collateral damage for all entities involved.
DDoS attacks can cause disruption of services that result in lost revenue, damage to brand reputation and customer dissatisfaction. The financial impact can be severe in terms of costs incurred by companies for mitigation, infrastructure upgrades and possible legal liabilities, and – sometimes – the need to pay a ransom for discontinuation of the attack.
Organisations must implement robust security measures, including DDoS mitigation strategies, to defend against these attacks and ensure the availability and reliability of their online services. But modern DDoS attacks, like other cyberattacks, are becoming increasingly sophisticated and are easily scaled to enormous proportions, making them difficult to detect and mitigate. Even as mitigations are found, attackers devise new ways to evade them, posing a significant challenge for cybersecurity professionals. In this blog we take a look at the various types of DDoS attack, their implications and how organisations can protect against them.
For a crime to occur (and make no mistake, DDoS attacks are crimes) three elements must be present: means, opportunity and motive.
Application layer DDoS attacks
These attacks target the application itself rather than the network link. Also called "layer 7 attacks", they consume server-side resources (CPU, memory, worker threads, database connections) rather than bandwidth, which makes them disruptive at a comparatively low traffic rate. The attacker sends requests that look like they come from legitimate users but are chosen to be expensive for the application to answer, or that exploit a weakness in it, until it can no longer service real end-users' requests.
ACK floods
An ACK flood is a DDoS attack in which the attacker sends a large number of TCP ACK packets to the victim. An ACK is the Transmission Control Protocol (TCP) segment that confirms receipt of data, so a host that receives one must look it up against its table of established connections. In a flood the ACKs belong to no existing connection, and the victim wastes CPU and state-table lookups on each one before discarding it or answering with a RST. The source addresses are spoofed, so those replies go to random third parties and the real attacker stays hidden. Firewalls and load balancers that track connection state suffer in the same way. Note that the victim does not send ACKs back to the attacker; the damage comes from processing the inbound packets, which eventually leaves the system unable to serve legitimate requests.
BGP hijacking
As the primary protocol for routing traffic across the Internet, the Border Gateway Protocol (BGP) is a critical component of global network infrastructure. However, BGP is susceptible to hijacking, in which an attacker announces a prefix belonging to another network (or a more specific sub-prefix of it) so that other networks route traffic for that prefix to the attacker instead of its legitimate destination. Unlike the other entries in this list, this is a routing-layer (control-plane) attack rather than an application-layer one, and it involves no traffic flood at all. It nevertheless produces a denial of service, since users cannot reach the hijacked services, and the diverted traffic may be inspected or altered. Route origin validation (RPKI) and prefix filtering by upstream providers are the usual defences.
CharGEN flood
CharGEN (Character Generator, RFC 864) is an obsolete test protocol that, when enabled on UDP port 19, answers any datagram with a datagram full of arbitrary characters. In a CharGEN amplification attack, the attacker sends small UDP packets whose source address is spoofed to the victim's to Internet-connected devices (commonly printers and other embedded equipment) that still have the service enabled. Each device answers the victim with a much larger packet, so the attacker's bandwidth is multiplied and the victim's link is saturated with UDP traffic it never asked for.
DHCP Discover reflection/Amplification
Reflection/amplification attacks have been observed against DVRs, surveillance cameras and other embedded devices that answer a device-discovery request named DHCPDiscover, carried over the User Datagram Protocol (UDP) with a JavaScript Object Notation (JSON) payload (this is a vendor discovery mechanism, not the DHCP protocol used for address assignment). Misconfigured devices respond to every such packet, from any source, with a reply roughly 25 times the size of the request. A small number of spoofed DHCPDiscover packets sent to a large number of devices therefore makes those devices flood the victim, consuming link bandwidth and reducing the targeted system's capacity to handle legitimate traffic.
DNS flood
A DNS flood is usually launched from a botnet that sends a very large number of DNS queries to the target's authoritative DNS servers until they can no longer answer. Because the Domain Name System (DNS) resolves names to addresses, taking down the servers for a domain makes every service under that domain unreachable, even though the web servers themselves are untouched. Queries for random, non-existent subdomains (sometimes called NXDOMAIN or water-torture floods) are a common variant, because each one bypasses caches and has to be answered by the authoritative server.
DNS amplification
DNS servers convert human-readable domain names into IP addresses, and a small query can legitimately produce a much larger answer. Attackers exploit this by sending queries with the source address spoofed to the victim's IP to open resolvers, typically asking for record types or zones that yield large responses. Each resolver sends its answer to the victim, amplifying the attacker's traffic by a factor of up to 50 or more. The result is a DDoS attack in which the victim's links are saturated with DNS responses it never requested; the victim need not run a DNS server at all.
Fraggle attack
A Fraggle attack sends UDP packets, with the source address spoofed to the victim's, to a network's broadcast address, usually aimed at the echo (port 7) or CharGEN (port 19) services. Every host on that network that answers replies to the victim, so one packet from the attacker becomes many at the target, and the victim becomes less responsive as the replies keep arriving. Fraggle is the UDP counterpart of the Smurf attack, which uses Internet Control Message Protocol (ICMP) traffic; modern routers drop directed broadcasts by default, which is why both are rare today.
HTTP flood
An HTTP flood is an application-layer (not volumetric) DDoS attack against servers and applications that speak Hypertext Transfer Protocol (HTTP), the protocol used between browsers and web servers. It works by sending a large number of HTTP GET or POST requests, often from a botnet and often to pages that are expensive to generate, such as searches or logins. The requests are well-formed, so they pass network-level filters; the target is overwhelmed processing them and stops responding to legitimate requests.
ICMP flood
The Internet Control Message Protocol (ICMP), like UDP, is connectionless: there is no handshake, so a host must accept and process every ICMP packet addressed to it, which also makes a flood harder to distinguish from legitimate traffic. In an ICMP flood (ping flood) the attacker sends a large number of echo requests, usually from spoofed source addresses, faster than the target can answer them. Receiving the packets and generating echo replies consumes CPU and bandwidth, degrading performance or stalling the host entirely. Rate-limiting ICMP at the network edge limits the damage.
ICMP fragmentation
IP fragmentation divides a datagram into smaller pieces so that it can cross a network whose maximum transmission unit is smaller than the datagram; the receiver stores the pieces and reassembles the original. In a fragmentation attack (often carried in ICMP or UDP packets), the attacker sends fragments that can never be reassembled, for instance with pieces missing or with overlapping offsets. The receiver has to hold the incomplete fragments in a reassembly buffer until a timeout expires, so a steady stream of them ties up memory and can exhaust the target's buffers. Hosts and firewalls mitigate this by limiting the number and age of pending reassemblies and by rejecting overlapping fragments.
IP null
In an IP null attack, the attacker sends a large number of IPv4 packets whose protocol field is set to zero, so they name no transport protocol (TCP, UDP, ICMP). The victim cannot hand the packet to any transport handler yet still spends resources receiving and inspecting each one; at high rates this leaves it unable to process legitimate traffic. Such packets are trivially filtered at the edge, since protocol 0 has no legitimate use in IPv4.
Land DDoS attack
A Local Area Network Denial (LAND) attack sends TCP SYN packets in which the source and destination IP address and port are identical, both set to the target. A vulnerable stack replies to itself, and in the original implementations that ran the connection into a loop that locked up or crashed the machine. Current operating systems drop such packets, but filters should still discard any packet whose source address equals its destination. Strictly speaking it is a DoS rather than a DDoS technique, since it needs only a handful of crafted packets.
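The IP null and LAND checks above are cheap to implement at ingress because they need nothing but the packet itself. The following is an added example written for this page, not code from the original post: it decodes a raw IPv4 header (and the TCP ports and flags behind it) with the standard library and returns a verdict. The sample packets at the bottom are constructed inline from RFC 5737 documentation addresses.

```python
"""Ingress sanity checks for the IP null and LAND patterns described above.

Added example, not code from the original page. Packets are decoded
from raw bytes with the standard library; the sample packets at the
bottom are constructed inline with documentation addresses.
"""
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_SYN = 0x02


def parse_ipv4(raw: bytes) -> dict:
    """Decode the IPv4 header and, for TCP/UDP, the ports (and TCP flags)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("malformed IPv4 header")
    pkt = {
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": None,
        "dport": None,
        "flags": 0,
    }
    payload = raw[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_TCP and len(payload) >= 14:
        pkt["flags"] = payload[13]          # the TCP flags byte sits at offset 13
    return pkt


def classify(raw: bytes) -> str:
    """Return 'ok' for a plausible packet, or 'drop: <reason>' for one a filter should discard."""
    try:
        pkt = parse_ipv4(raw)
    except ValueError as exc:
        return f"drop: {exc}"
    if pkt["proto"] == 0:
        # IP null: protocol 0 means no transport handler can claim the packet
        return "drop: IP null (protocol field is 0)"
    if pkt["src"] == pkt["dst"]:
        if (pkt["proto"] == IPPROTO_TCP and pkt["sport"] == pkt["dport"]
                and pkt["flags"] & TCP_SYN):
            return "drop: LAND (SYN with identical source/destination address and port)"
        return "drop: source address equals destination address"
    return "ok"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header: ports, seq/ack 0, data offset 5, the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed sample packets (RFC 5737 documentation addresses).
SAMPLES = {
    "normal_syn": build_ipv4(IPPROTO_TCP, "198.51.100.7", "203.0.113.10",
                             build_tcp(40000, 443, TCP_SYN)),
    "ip_null": build_ipv4(0, "198.51.100.7", "203.0.113.10"),
    "land": build_ipv4(IPPROTO_TCP, "203.0.113.10", "203.0.113.10",
                       build_tcp(443, 443, TCP_SYN)),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:>10}: {classify(raw)}")
```

The same shape of check (parse, then reject on a single impossible field) is what a packet filter or IDS rule does; the point is that both patterns are rejected before any connection state is touched.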
Low and slow attack
A low and slow attack uses a small stream of very slow HTTP or TCP traffic to tie up a web service. Data is sent slowly, but just fast enough that the server does not time the connection out. Because it consumes connection slots and application threads rather than bandwidth, and each connection looks like a slow but legitimate client, it is hard to distinguish from normal traffic by volume alone.
Memcached attack
A Memcached attack is a reflection/amplification attack, not an attack on the target's own cache. Memcached servers that are reachable from the Internet over UDP (port 11211) answer requests without any authentication, and a request of a few bytes can return a stored value of many kilobytes. The attacker first stores large values on such servers and then requests them with the source address spoofed to the victim's, so the servers flood the victim with responses tens of thousands of times larger than the requests. Most of the time the victim's resources cannot absorb this traffic; new requests cannot be served and legitimate users are locked out. Memcached should never be exposed to the Internet, and its UDP listener should be disabled where it is not needed.
Misused application attack
Instead of using fake IP addresses, this DDoS attack takes advantage of real client computers running programs that use many resources, like P2P tools. The traffic from these clients is redirected to the target server so the attackers can bring it down by overloading it with excessive processing load. Because the traffic comes from actual devices that the attackers have already hijacked, this DDoS attack is difficult to detect and mitigate.
Multi-vector DDoS attack
Multi-vector DDoS attacks are more difficult to defend against than traditional ones because they come from multiple sources and target different parts of the victim's network. These attacks use numerous vectors or attack methods to target a single victim. The most common type of multi-vector DDoS attack is a combination of SYN floods, UDP floods, and ICMP floods.
NTP amplification
NTP amplification attacks abuse the Network Time Protocol (NTP), which is used to synchronise clocks across computer networks. Older NTP servers support a monitoring command (monlist) that returns the addresses of the last several hundred clients that talked to the server, a response far larger than the request. By sending monlist queries with the source address spoofed to the victim's to many such servers, attackers multiply the UDP traffic directed at the victim's system, making it and its surrounding infrastructure inaccessible to regular traffic. Disabling monlist or upgrading ntpd removes the amplifier.
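The CharGEN, DHCPDiscover, DNS amplification, Fraggle, Memcached and NTP entries above all share one traffic signature at the victim: many distinct reflectors, all sending from the same well-known UDP source port, with packets close to the MTU. The following is an added example for this page, not code from the original post, that looks for exactly that in NetFlow-style records. The flow records are constructed inline, the reflector-port table is an assumption (the DHCPDiscover port is not listed because the page does not give it), and the thresholds are illustrative and should be tuned against a real baseline.

```python
"""Flag reflection/amplification traffic in flow records, covering the
CharGEN, DHCPDiscover, DNS amplification, Fraggle, Memcached and NTP
attacks described above.

Added example, not code from the original page. Flow records are
constructed inline in a NetFlow-like shape; the reflector-port table
and thresholds are assumptions to be tuned against real baselines.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP source ports that legitimately answer small requests with large replies.
REFLECTOR_PORTS = {7: "echo (Fraggle)", 19: "CharGEN", 53: "DNS", 123: "NTP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def detect_reflection(flows: List[Flow], min_sources: int = 3,
                      min_bytes_per_packet: int = 400) -> List[Dict]:
    """Group inbound UDP flows by (victim, reflector service) and alert when
    many distinct reflectors are sending large packets to the same victim.

    A busy resolver answering the victim's own queries has one source and
    small packets; an amplification attack has many sources and packets
    near the MTU. Both conditions must hold to raise an alert.
    """
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        b = buckets[(f.dst_ip, f.src_port)]
        b["sources"].add(f.src_ip)
        b["packets"] += f.packets
        b["bytes"] += f.bytes
    alerts = []
    for (victim, port), b in buckets.items():
        if b["packets"] == 0:
            continue
        bpp = b["bytes"] / b["packets"]
        if len(b["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "port": port,
                "reflectors": len(b["sources"]),
                "bytes_per_packet": round(bpp),
                "total_bytes": b["bytes"],
            })
    alerts.sort(key=lambda a: a["total_bytes"], reverse=True)
    return alerts


# Constructed flows (RFC 5737 addresses): victim 203.0.113.10 receives ordinary
# DNS answers plus a Memcached and an NTP reflection flood.
FLOWS = [
    Flow("198.51.100.53", 53, "203.0.113.10", 41234, "udp", 12, 1080),    # ~90 B answers
    Flow("198.51.100.54", 53, "203.0.113.10", 41235, "udp", 3, 240),
    Flow("198.51.100.55", 53, "203.0.113.10", 41236, "udp", 5, 450),
    Flow("192.0.2.11", 11211, "203.0.113.10", 80, "udp", 900, 1260000),   # 1400 B each
    Flow("192.0.2.12", 11211, "203.0.113.10", 80, "udp", 850, 1190000),
    Flow("192.0.2.13", 11211, "203.0.113.10", 80, "udp", 910, 1274000),
    Flow("192.0.2.14", 11211, "203.0.113.10", 80, "udp", 800, 1120000),
    Flow("192.0.2.21", 123, "203.0.113.10", 80, "udp", 400, 192800),      # 482 B each
    Flow("192.0.2.22", 123, "203.0.113.10", 80, "udp", 420, 202440),
    Flow("192.0.2.23", 123, "203.0.113.10", 80, "udp", 380, 183160),
    Flow("198.51.100.9", 5000, "203.0.113.10", 5000, "udp", 50, 5000),    # unrelated UDP
]

if __name__ == "__main__":
    for alert in detect_reflection(FLOWS):
        print(alert)
```

Run as-is it reports the Memcached bucket first (four reflectors, 1400-byte packets) and the NTP bucket second, while the three resolvers sending 90-byte answers never trip the size threshold. The same records also tell the responder which reflector services to rate-limit or null-route upstream while the attack lasts.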
Ping of Death
Ping of Death does not need a flood: the attacker sends a single ICMP echo request (ping) that, once its IP fragments are reassembled, is larger than the 65,535-byte maximum size of an IP datagram. Older systems reserved a buffer of exactly that size, so the oversized datagram overflowed it and froze or crashed the machine. Modern operating systems check the reassembled length and discard the packet, so the attack is far less common than it once was, but businesses should still confirm that edge devices and unusual embedded systems are not vulnerable.
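Both the fragmentation attack and Ping of Death described above are defeated in the same place, the reassembly code, by two checks: refuse any fragment that would push the datagram past 65,535 bytes, and evict half-assembled datagrams that have waited too long. The following is an added example for this page, not code from the original post and not a real stack's implementation; offsets are given in bytes (the on-wire 13-bit field times 8), and the timeout and buffer cap are assumed values.

```python
"""IP fragment reassembly with the checks that defeat the fragmentation
and Ping of Death attacks described above.

Added example, not code from the original page. Offsets are given in
bytes (the on-wire 13-bit field multiplied by 8). The timeout and
buffer-size limits are assumed values, not taken from any real stack.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MAX_DATAGRAM = 65535          # largest datagram the 16-bit IP total-length field can describe
REASSEMBLY_TIMEOUT = 30.0     # seconds a partial datagram may wait for its pieces (assumed)
MAX_PENDING = 1000            # cap on simultaneously half-assembled datagrams (assumed)


@dataclass
class Fragment:
    ident: int       # IP identification field shared by all pieces of one datagram
    offset: int      # byte offset of this piece within the original datagram
    more: bool       # MF flag: True unless this is the last piece
    data: bytes


@dataclass
class _Pending:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> data
    total_len: Optional[int] = None                          # known once the last piece arrives


class Reassembler:
    def __init__(self, now: Callable[[], float] = time.monotonic):
        self.now = now
        self.pending: Dict[int, _Pending] = {}

    def feed(self, frag: Fragment) -> Tuple[str, bytes]:
        """Accept one fragment. Returns ('complete', payload), ('partial', b'') or ('dropped', b'')."""
        self.expire()
        end = frag.offset + len(frag.data)
        if end > MAX_DATAGRAM:
            # Ping of Death: the reassembled datagram would exceed 65535 bytes,
            # which historically overflowed fixed-size reassembly buffers.
            self.pending.pop(frag.ident, None)
            return "dropped", b""
        p = self.pending.get(frag.ident)
        if p is None:
            if len(self.pending) >= MAX_PENDING:
                return "dropped", b""     # refuse to buffer yet another unfinished datagram
            p = self.pending[frag.ident] = _Pending(first_seen=self.now())
        if not frag.more:
            p.total_len = end
        p.pieces[frag.offset] = frag.data
        if p.total_len is None:
            return "partial", b""
        # Require a gap-free, overlap-free run of pieces from 0 to total_len.
        buf = bytearray(p.total_len)
        expected = 0
        for off in sorted(p.pieces):
            if off != expected:
                return "partial", b""     # hole or overlap: keep waiting, or time out
            buf[off:off + len(p.pieces[off])] = p.pieces[off]
            expected = off + len(p.pieces[off])
        if expected != p.total_len:
            return "partial", b""
        del self.pending[frag.ident]
        return "complete", bytes(buf)

    def expire(self) -> int:
        """Evict partial datagrams older than REASSEMBLY_TIMEOUT; returns how many were dropped."""
        cutoff = self.now() - REASSEMBLY_TIMEOUT
        stale = [i for i, p in self.pending.items() if p.first_seen < cutoff]
        for i in stale:
            del self.pending[i]
        return len(stale)

    def pending_count(self) -> int:
        return len(self.pending)
```

The clock is injectable so the eviction path can be exercised without waiting 30 seconds; a stack that lacks either the size check or the timeout is exactly what the two attacks above exploit.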
Protocol attacks
Protocol attacks exploit weaknesses in the way network protocols such as TCP, UDP and DCCP are implemented. They target layer 3 and 4 communication with malformed or half-finished connection requests, exhausting the state tables and processing capacity of servers, firewalls and load balancers rather than raw bandwidth.
Ransom attack
Ransom DDoS (RDDoS) attacks have an extortion component: payment is demanded under the threat of a DDoS attack. The extortionists may launch an attack and then send a ransom note demanding money to stop it, or they may threaten an attack in the note, sometimes with a short demonstration, before launching it. Ransom DDoS is relatively easy to execute, given the low technical skill required, yet it poses a substantial risk to enterprises, and paying offers no guarantee that the attack stops or does not recur.
R U Dead Yet?
'R U Dead Yet?' or RUDY is a DoS tool that implements a low-and-slow attack against web forms. It opens a POST to a form, declares a very large Content-Length, and then sends the body one byte at a time at long intervals, so each connection stays open for as long as the server is willing to wait. A small number of such long-form submissions, rather than a large number of quick requests, is enough to exhaust the server's connection pool.
Single request HTTP flood
Single request (single packet) HTTP flood attacks were developed to work around defences that rate-limit incoming packets. They exploit the fact that HTTP allows several requests to be sent over one connection (keep-alive and pipelining), so the attacker packs many requests into a single packet or session. Each packet looks harmless to a packet-rate filter, but the server has to process every embedded request, and its resources are used up while the packet count stays low.
Slowloris DDoS attack
Slowloris opens a large number of connections to a web server and sends an incomplete HTTP request on each, then keeps trickling in header lines just often enough that the server never times the connection out. The server has to keep all of these half-finished requests open, which exhausts its pool of worker connections and prevents other clients from being served. Slowloris is notoriously hard to defend against because it needs only one or a few machines and very little bandwidth; the countermeasures are a short header-read timeout and per-IP connection limits.
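The HTTP flood, low and slow, RUDY, single request flood and Slowloris entries above leave two different footprints in a web server's access log: a burst of requests from one source, or a handful of requests that each took far longer than the application needs. The following is an added example for this page, not code from the original post, that runs both detectors in one pass over log lines. The format is an assumed nginx-style combined log with the request time in seconds as a trailing field, the log lines are constructed inline, and the thresholds are illustrative.

```python
"""Request-rate and slow-request detection over web-server access logs,
for the HTTP flood, low-and-slow, RUDY, single-request flood and
Slowloris patterns described above.

Added example, not code from the original page. The log format is an
assumed nginx-style combined log with the request time (seconds) as a
trailing field; the log lines are constructed inline. Thresholds are
illustrative and should be tuned to real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rtime>[\d.]+)$'
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything the regex rejects."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp(),
        "method": d["method"],
        "path": d["path"],
        "status": int(d["status"]),
        "bytes": int(d["bytes"]),
        "rtime": float(d["rtime"]),
    }


def analyse(lines, window=10.0, max_requests=50, slow_seconds=20.0, min_slow=5):
    """Two detectors in one pass over time-ordered lines.

    flood: peak number of requests from one IP inside any `window` seconds,
           reported when it exceeds `max_requests` (this counts requests, not
           packets, so pipelined single-request floods are still counted).
    slow:  requests per IP whose service time reached `slow_seconds`,
           reported when there are at least `min_slow` (low-and-slow, RUDY,
           Slowloris-style connections that the server eventually logs).
    """
    recent = defaultdict(deque)
    flood = {}
    slow = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            flood[rec["ip"]] = max(flood.get(rec["ip"], 0), len(q))
        if rec["rtime"] >= slow_seconds:
            slow[rec["ip"]] += 1
    return {"flood": flood, "slow": {ip: n for ip, n in slow.items() if n >= min_slow}}


# ---- constructed sample log (RFC 5737 addresses) ----------------------------
_BASE = 1_700_000_000  # arbitrary epoch second


def _line(ip, t, method, path, status, nbytes, rtime):
    ts = datetime.fromtimestamp(_BASE + t, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {nbytes} {rtime:.3f}'


_events = []
for i in range(20):      # background traffic: three clients, about one request every 3 s
    _events.append((i * 3.0, ("203.0.113.5", "203.0.113.6", "203.0.113.7")[i % 3],
                    "GET", "/", 200, 5120, 0.05))
for i in range(120):     # HTTP flood: 120 GETs from one source inside 6 s
    _events.append((10 + i * 0.05, "192.0.2.50", "GET", f"/search?q={i}", 200, 40960, 0.4))
for i in range(8):       # RUDY-style slow POST bodies: each request takes 45 s to complete
    _events.append((5 + i, "198.51.100.77", "POST", "/login", 200, 512, 45.0))
_events.sort()
LOG_LINES = [_line(ip, t, m, p, s, b, r) for t, ip, m, p, s, b, r in _events]

if __name__ == "__main__":
    print(analyse(LOG_LINES))
```

On the constructed log the flood detector reports the one source that made 120 requests inside the window and the slow detector reports the one source with eight 45-second POSTs, while the three background clients trip neither. In production the request-time field is what makes the slow detector possible; a log format without it cannot distinguish a Slowloris connection from an idle one.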
Smurf DDoS attack
A Smurf attack floods a target with ICMP traffic by sending ICMP echo requests, with the source address spoofed to the victim's, to the broadcast address of a network. Every host on that network replies to the victim, so each packet from the attacker is amplified by the number of hosts that answer. The name comes from the original exploit program, smurf.c, rather than from any malware on the victim. Smurfing is simple, and in the late 1990s it brought down large sites, but routers now drop directed broadcasts by default, which has made it rare.
SYN flood
A SYN flood sends a stream of TCP SYN packets, the first message of the three-way handshake that opens a connection, to the target, usually with spoofed source addresses. For each SYN the server allocates a half-open connection and sends a SYN-ACK, but the final ACK never arrives, so the backlog of half-open connections fills up and new legitimate connections are refused. SYN cookies, which encode the connection parameters into the SYN-ACK's sequence number instead of storing state, are the standard defence.
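SYN cookies are worth seeing in code because the whole defence is that the server stores nothing until the handshake completes. The following is an added example for this page, not code from the original post and not the exact bit layout Linux uses: the SYN-ACK's initial sequence number carries a time tick, an index into a small MSS table and a truncated HMAC over the connection 4-tuple, and the final ACK (whose acknowledgement number is cookie + 1) is verified by recomputing the HMAC. The MSS table, the tick length and the two-tick lifetime are assumed values; addresses are passed as 4-byte strings.

```python
"""Stateless SYN cookies: the standard defence against the SYN flood
described above, written out so the arithmetic is visible.

Added example, not code from the original page and not the exact
layout Linux uses. The MSS table and the two-tick lifetime are assumed
values; addresses are passed as 4-byte strings.
"""
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the 3-bit field (assumed table)
COOKIE_LIFETIME_TICKS = 2             # accept the current and the two previous 64 s ticks (assumed)


class SynCookieServer:
    """Answers SYNs without allocating a half-open connection.

    Cookie layout (the 32-bit initial sequence number sent in the SYN-ACK):
        bits 31..27  time tick (seconds // 64) mod 32
        bits 26..24  index into MSS_TABLE
        bits 23..0   truncated HMAC over (saddr, daddr, sport, dport, tick)
    """

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self.secret = secret
        self.now = now

    def _tick(self) -> int:
        return int(self.now()) // 64

    def _mac(self, saddr: bytes, daddr: bytes, sport: int, dport: int, tick: int) -> int:
        msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, tick)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make_cookie(self, saddr, daddr, sport, dport, client_mss: int) -> int:
        """Called on SYN: returns the ISN for the SYN-ACK. No state is stored."""
        tick = self._tick()
        mss_idx = 0
        for i, mss in enumerate(MSS_TABLE):      # largest table entry not above the client's MSS
            if mss <= client_mss:
                mss_idx = i
        return ((tick & 0x1F) << 27) | (mss_idx << 24) | self._mac(saddr, daddr, sport, dport, tick)

    def check_ack(self, saddr, daddr, sport, dport, ack_number: int) -> Optional[int]:
        """Called on the handshake's final ACK: the cookie is ack-1. Returns the MSS to use, or None."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        tick5 = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
        current = self._tick()
        for age in range(COOKIE_LIFETIME_TICKS + 1):
            tick = current - age
            if (tick & 0x1F) != tick5:
                continue                          # cannot be a cookie from this tick
            expected = self._mac(saddr, daddr, sport, dport, tick).to_bytes(3, "big")
            if hmac.compare_digest(mac, expected):
                return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
        return None                               # forged, replayed from another 4-tuple, or expired
```

The trade-off is visible in the layout: only a few MSS values survive the round trip and any TCP options the client sent with its SYN are lost, which is why real stacks switch cookies on only once the backlog is under pressure rather than using them for every connection.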
UDP flood
A UDP flood is a DDoS attack in which the attacker sends large numbers of UDP packets to random or fixed ports on the target's IP address. For each packet the target checks for an application listening on that port and, finding none, replies with an ICMP Destination Unreachable message, which consumes CPU and outbound bandwidth until the host can no longer keep up. UDP has no handshake, so source addresses can be spoofed freely, and the packets are difficult to trace back to the attacker.
VoIP flood
A VoIP flood overwhelms VoIP infrastructure with spurious signalling requests, typically SIP INVITE or REGISTER messages, resulting in a denial of service for legitimate users. The attack is launched from a botnet or from VoIP systems that malware or an intruder has already compromised, and because SIP usually runs over UDP the requests can be spoofed. Once the attacker can generate call requests at scale, the PBX or SIP proxy saturates and legitimate users can no longer make or receive calls.
Volumetric attacks
These are the most common DDoS attacks, and they rely simply on overwhelming the victim with traffic. The attacker sends large amounts of data to the target, saturating its bandwidth so that legitimate packets are dropped upstream before they reach the site. Examples include UDP floods, ICMP floods and the amplification attacks described above. Volumetric attacks are measured in bits per second and are mitigated by absorbing the traffic in a scrubbing network with more capacity than the attacker can muster.
Zero-day attack
Zero-day DDoS attacks can be devastating. A zero-day is a vulnerability for which no patch yet exists, and a zero-day DDoS attack exploits such a flaw, for example a newly discovered amplification vector or a packet that crashes a particular device, before the target can fix it. These attacks are hard to defend against because the target has nothing specific to prepare for, and they often result in downtime, financial loss and reputational damage.
The motivations for perpetrating distributed denial-of-service (DDoS) attacks range from a student playing a prank just because they can, all the way to financial gain, hacktivism, corporate sabotage, cyber warfare and political agendas. Threatening an attack is used to extort money from businesses, while attacks have also been used as a diversionary tactic to occupy security teams while the attacker carries out more sophisticated activity in the background, such as data exfiltration or malware infection.
| Denial of Service (DoS) | Difference | Distributed Denial of Service (DDoS) |
| --- | --- | --- |
| Transmits smaller amounts of traffic | Volume of traffic | Can transmit far larger amounts of traffic |
| Often carried out from a single machine using a script or tool | Manner of execution | Uses a command-and-control server to coordinate many malware-infected hosts (bots), forming a botnet |
| Tracing the true origin is relatively easy | Tracing of source | Tracing the true origin is significantly more difficult |
| Simple to identify and block the single connection | Ease of detection | Originates from many locations, hiding its true origins |
| Typically ramps up more slowly | Speed of attack | Can be deployed and scaled much more quickly |
Given that any entity with an internet-facing service can become the target of a DDoS attack, severely impacting business continuity, potentially resulting in massive financial losses, and affecting a company’s reputation and client base, strengthening cyber defenses against them is of utmost importance. Organisations can adopt a series of measures to protect against and reduce the impact of DDoS attacks.
These include investing in employee security awareness training, which is of even greater importance given today’s hybrid work scenario. A strong cybersecurity strategy with regular vulnerability assessments to check for potential weaknesses that attackers can exploit, ensuring device security to prevent unauthorised access, and continuous monitoring of networks are all of utmost importance. Network and resource segmentation and robust configuration of firewalls and routers are also crucial.
And last, but not least, organisations should put comprehensive business continuity, disaster recovery and incident response plans in place, and invest in threat intelligence to stay prepared. Using the services of a reputable cyber security service provider goes a long way towards ensuring your business stays protected against DDoS attacks.