A DDoS attack is launched from numerous compromised devices, often distributed globally, in what is referred to as a botnet. It is distinct from a plain denial of service (DoS) attack, which uses a single Internet-connected device (one network connection) to flood a target with malicious traffic. This nuance is the main reason for the existence of these two, somewhat different, definitions.
Broadly speaking, DoS and DDoS attacks can be divided into three types:
Common DDoS attack types
Some of the most commonly used DDoS attack types include:
- UDP Flood : A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP) packets. The goal of the attack is to flood random ports on a remote host. This causes the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP ‘Destination Unreachable’ packet. This process saps host resources, which can ultimately lead to inaccessibility.
- ICMP (Ping) Flood: An ICMP flood, which operates on a similar basis to a UDP flood attack, bombards the target resource with ICMP Echo Request (ping) packets. Typically, packets are sent as quickly as possible without any waiting for responses. Since the victim’s servers frequently attempt to respond with ICMP Echo Reply packets, this form of attack can consume both incoming and outgoing bandwidth, causing a considerable overall system slowdown.
- SYN Flood: A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.
- Ping of Death: A ping of death (“POD”) attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum frame size – for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.
- Slowloris: Slowloris is a highly targeted attack that lets one web server take down another without affecting other services or ports on the target network. It does this by opening as many connections to the target web server as possible and holding them open: each connection transmits only a portion of an HTTP request, never completes it, and keeps sending further HTTP headers so the connection stays alive. The targeted server keeps every one of these incomplete connections open, so once the maximum concurrent connection pool is exhausted, new connections from legitimate clients are denied.
- NTP Amplification: In NTP amplification attacks, the perpetrator exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm a targeted server with UDP traffic. The attack is defined as an amplification assault because the query-to-response ratio in such scenarios is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using a tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.
- HTTP Flood: In an HTTP flood DDoS attack, the attacker uses what appear to be normal HTTP GET or POST requests to assault a web server or application. Because HTTP floods don’t use spoofed or reflection techniques, corrupted packets, or other attack methods, they need less bandwidth than other attacks to take down the targeted website or server. The attack is most effective when the server or application is forced to commit the maximum amount of resources to each request.
- Zero-day DDoS Attacks: The “Zero-day” definition encompasses all unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading zero-day vulnerabilities has become a popular activity.
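As an added example (not from the original article), the following Python flow-record heuristics show how a defender can surface three of the attack types above, SYN flood, UDP flood and NTP amplification, in NetFlow-style data; the flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, proto, sport, dport, bytes, tcp_flags); tcp_flags
# is the cumulative flag set seen on the flow ("S" = bare SYN, handshake never completed).
SAMPLE_FLOWS = [
    # SYN flood: 500 bare SYNs from spoofed sources, plus one legitimate completed session
    *[("10.0.%d.%d" % (i // 250, i % 250), "203.0.113.10", "tcp", 40000 + i, 80, 60, "S")
      for i in range(500)],
    ("198.51.100.7", "203.0.113.10", "tcp", 51000, 80, 1200, "SPA"),
    # UDP flood: one source spraying 300 random ports on a second victim
    *[("192.0.2.9", "203.0.113.20", "udp", 5555, p, 512, "") for p in range(20000, 20300)],
    # NTP amplification: large replies from port 123 on 59 reflectors; the victim sent no queries
    *[("192.0.2.%d" % i, "203.0.113.30", "udp", 123, 44444, 4680, "") for i in range(1, 60)],
    # Normal NTP: a host queries a time server and receives a small reply
    ("203.0.113.40", "192.0.2.200", "udp", 33000, 123, 76, ""),
    ("192.0.2.200", "203.0.113.40", "udp", 123, 33000, 76, ""),
]
NTP_REPLY_BYTES = 76  # a normal NTP packet: 48-byte payload plus UDP/IP headers

def detect(flows, min_syns=100, syn_ratio=0.9, port_sweep=100, amp_factor=10):
    """Return sorted (signal, target) alerts derived from the flow records."""
    syn_only = defaultdict(int)     # dst -> TCP flows that never got past SYN
    completed = defaultdict(int)    # dst -> TCP flows that carried an ACK
    dports = defaultdict(set)       # (src, dst) -> distinct UDP destination ports hit
    ntp_in = defaultdict(int)       # dst -> bytes received from UDP source port 123
    ntp_queries = defaultdict(int)  # src -> queries the host itself sent to UDP port 123
    for src, dst, proto, sport, dport, nbytes, flags in flows:
        if proto == "tcp":
            if flags == "S":
                syn_only[dst] += 1
            elif "A" in flags:
                completed[dst] += 1
        elif proto == "udp":
            dports[(src, dst)].add(dport)
            if sport == 123:
                ntp_in[dst] += nbytes
            if dport == 123:
                ntp_queries[src] += 1
    alerts = []
    for dst, n in syn_only.items():  # SYN flood: half-open handshakes dominate
        if n >= min_syns and n / (n + completed[dst]) >= syn_ratio:
            alerts.append(("syn_flood", dst))
    for (src, dst), ports in dports.items():  # UDP flood: one source sweeping many ports
        if len(ports) >= port_sweep:
            alerts.append(("udp_flood", f"{src}->{dst}"))
    for dst, nbytes in ntp_in.items():  # amplification: far more NTP reply bytes than the
        expected = max(ntp_queries[dst], 1) * NTP_REPLY_BYTES  # host's own queries justify
        if nbytes / expected >= amp_factor:
            alerts.append(("ntp_amplification", dst))
    return sorted(alerts)
```

The thresholds are starting points; in production they are tuned per site and evaluated over a time window rather than a single batch.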
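Slowloris works at the application layer, so flow counters alone miss it; this added Python example (not from the original article) shows one way to spot it in a web server's connection table. The snapshot and its field layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed snapshot of a web server's open client connections (assumption: the server
# exposes these fields, e.g. via its status endpoint): (client_ip, open_secs, request_complete)
SNAPSHOT = [
    # one client holding 150 connections open for minutes, each with an unfinished request
    *[("192.0.2.66", 180 + i, False) for i in range(150)],
    # normal browsers: many clients, short-lived connections with complete requests
    *[("198.51.100.%d" % (i % 20 + 1), 2, True) for i in range(40)],
    # a single slow but harmless client on a poor link
    ("198.51.100.5", 45, False),
]

def slowloris_report(conns, pool_size=256, stall_secs=30, per_client=20):
    """Return (suspects -> stalled count, connection indexes to close, pool utilisation).

    A connection is 'stalled' when its request is still incomplete after stall_secs; a client
    owning per_client or more stalled connections is treated as a Slowloris source, and only
    its stalled connections are selected for closing so slow legitimate users are left alone.
    """
    stalled = defaultdict(list)
    for idx, (ip, age, complete) in enumerate(conns):
        if not complete and age >= stall_secs:
            stalled[ip].append(idx)
    suspects = {ip: len(idxs) for ip, idxs in stalled.items() if len(idxs) >= per_client}
    to_close = [idx for ip in suspects for idx in stalled[ip]]
    return suspects, to_close, len(conns) / pool_size
```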
Motivation behind DDoS attacks
According to recent industry data, DDoS attacks have grown significantly in the previous year in terms of both volume and frequency, and are currently the most common kind of cyber threat. Shorter attacks with higher packet-per-second attack volumes are the current trend.
Attackers are primarily motivated by:
- Ideology – So called “hacktivists” use DDoS attacks as a means of targeting websites they disagree with ideologically.
- Business feuds – Businesses can use DDoS attacks to strategically take down competitor websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
- Boredom – Cyber vandals, a.k.a. “script-kiddies”, use prewritten scripts to launch DDoS attacks. The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline rush.
- Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks as a means of extorting money from their targets.
- Cyber warfare – Government-authorized DDoS attacks can be used to cripple both opposition websites and an enemy country’s infrastructure.
LOIC (Low Orbit Ion Cannon): an “entry-level” DoS attack tool used for cyber vandalism