Types of DDoS attacks
DDoS attacks are becoming more frequent every year. In this article, we’ll explore various DDoS attack types, some of which you may never encounter, but it’s essential to be aware of their existence. Let’s dive in!
Zero Day DDoS
This term describes new DDoS attacks that exploit previously unknown vulnerabilities. These vulnerabilities are typically addressed through patches.
UDP types
DNS Flood
The DNS Flood is a common and notorious UDP flood attack targeting DNS servers. Its popularity stems from being difficult to detect and prevent. Hackers send a massive number of spoofed DNS requests that are hard to distinguish from legitimate ones, multiplied across thousands of IPs, overwhelming the server.
The server struggles to differentiate between legitimate and malicious requests, leading to resource exhaustion and eventual crashing.
UDP Flood
This attack targets a server with UDP packets, exhausting bandwidth. Unlike DNS floods, which target hardware, UDP floods saturate the network connection. Attackers favor UDP because, unlike TCP, it requires no server/client verification. A large volume of spoofed or masked UDP packets is sent to the server continuously; the spoofing prevents ICMP return packets from reaching the attacker and anonymizes the source.
Direct UDP Flood
A Direct UDP Flood differs from a regular UDP flood as it is not spoofed. This gives attackers an advantage as the traffic from the botnet may appear legitimate, complicating detection. Similar to the UDP flood, the primary goal is to exhaust server resources.
UDP Fragmentation Flood
This is a fragmented variant of the UDP flood. Like the Direct UDP flood, it mimics legitimate traffic within defined limits, making it difficult to detect. Attackers send large but fragmented packets, overwhelming bandwidth. The server struggles to assemble the packets, leading to performance degradation.
VoIP Flood
This attack floods VoIP servers with UDP packets. Spoofed requests from a vast pool of IPs severely overload the server. Distinguishing legitimate VoIP traffic from malicious traffic is difficult, so server performance degrades significantly, potentially to the point of server reboots.
ICMP Flood and its types
ICMP Flood
ICMP floods use the same methods as UDP floods, as ICMP lacks end-to-end data exchange processes, making it a possible alternative to UDP Floods. Attackers send a large number of ICMP packets from numerous bots with different IPs. The system becomes unable to process these requests, leading to a server reboot or crippled performance.
ICMP Fragmentation Flood
Another variation of the ICMP flood is its fragmented form. Similar to UDP, attackers split ICMP packets into small pieces and overload the server by sending unrelated parts of different packets without any connection to each other. While a server can typically handle fragmented packets in moderation, exceeding this threshold can cause it to fail.
Ping Flood
Ping Flood is essentially ICMP flood version 2.0: the same kind of spoofed requests is sent to the target application. The attacker sends a flood of “ping” requests, which normally measure latency, and the server must respond to each one. A server with enough resources can handle a normal load, but with thousands of hosts pinging it, the server may crash. Traffic from ping floods could be considered legitimate, making detection much harder.
Protocol level
NTP Flood
NTP, or Network Time Protocol, synchronizes clocks between computers, and attackers can target servers running it. Attackers send spoofed requests to the server; as it tries to process them, so much data flows through the system that the server eventually crashes.
CharGEN Flood
This protocol was developed in 1984 as the Character Generator Protocol and served as a source of byte streams for debugging TCP code. Modern systems block it by default, but legacy systems still running it can be hit with a UDP flood on port 19.
SNMP Flood
SNMP, or Simple Network Management Protocol, is a protocol for managing, collecting, and changing information about devices on IP networks. Floods using this protocol can be amplified by devices running it, meaning attackers can do more harm with fewer resources. Devices running the protocol are sent a UDP flood, and their responses are then directed at the receiving end.
SSDP Flood
SSDP, or Simple Service Discovery Protocol, is used for advertising and discovering network services and presence information without DHCP or DNS. In 2014, devices running SSDP became targets for DDoS attacks when packets carrying a spoofed IP address were sent to the devices, resulting in server crashes.
HTTP level
HTTP Flood
In an HTTP Flood, attackers flood the server with GET and POST requests. HTTP Floods do not require IP spoofing, so the requirements for initiating an attack are lower.
Fragmented HTTP Flood
This flood is always done with bots that have valid IPs, which are obtained using Trojan viruses. Attackers stretch each request to the edge of the server's timeout, the point at which its connection would be cut.
Single Request HTTP Flood
Eventually, programmers and DDoS protection systems understood how to mitigate attacks built from many incoming packets, so hackers found a workaround. This resulted in another loophole, which we explain shortly.
How do you create several GET/POST requests within one HTTP session? Attackers have found a way to combine them in one packet, which masks the attacker as a legitimate user and makes them very hard to trace.
Single Session HTTP Flood
This method is an old one in HTTP 1.1. The attack can bypass the limitations imposed by DDoS defense mechanisms when a number of sessions are allowed.
Recursive HTTP GET Flood
The hacker requests a few web pages and receives information about them. After that, he analyzes each object on the page and sends recursive requests for each object on the website. This is very hard to trace because those requests look legitimate.
Random Recursive GET Flood
Similar to the HTTP GET Flood, it sweeps through pages and then starts sending random requests. To look like a legitimate user, the attacker chooses random pages and then random items from each page to send a new GET request each time. Eventually, this results in poor server performance, up to a server reboot or crash.
ACK & SYN
ACK & PUSH Flood
The ACK flag tells either the server or the client that data has been received successfully, for example when a client asks a server to confirm that a form submission has been made successfully.
Attackers may send various data to the server with the ACK flag set, telling the server that they have received information.
The PUSH flag asks the server, via the packets, to process specific information.
These types of requests consume more resources than the previous attacks; they are therefore given a higher priority, which allows them to bypass the server.
ACK Fragmentation Flood
This variation of the ACK flood uses maximum-sized packets of around 1,500 bytes. The goal is to exhaust the target’s network bandwidth by overloading the network.
SYN Flood
SYN is the name for a connection request via TCP. Since the initiator of the TCP three-way handshake is always the client, it first sends a packet with the SYN flag to the server.
In a TCP SYN Flood attack, attackers send a large number of SYN packets with spoofed IP addresses to the server. This forces the server to respond to each false request with a SYN-ACK packet, allocating some resources and leaving ports “half-open” while it waits for responses (packets with the ACK flag set) from hosts that do not actually exist and will therefore never send confirmations.
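The half-open backlog described above is visible from the server side. As an added example (not code from the original article), the snippet below reads a TCP connection table in the format of `ss -tan` output, constructed here for illustration, and flags the SYN-flood pattern: many SYN-RECV entries from many sources outnumbering established connections. The thresholds are assumptions to tune per server.

```python
# Added example: heuristic SYN-flood indicator over a connection table.
# The sample below is constructed to mimic `ss -tan` output on a web server.
from collections import Counter

SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:44021
SYN-RECV   0      0      10.0.0.5:443         198.51.100.44:6001
SYN-RECV   0      0      10.0.0.5:443         192.0.2.18:37722
SYN-RECV   0      0      10.0.0.5:443         203.0.113.200:1025
SYN-RECV   0      0      10.0.0.5:443         192.0.2.77:2048
ESTAB      0      0      10.0.0.5:443         192.0.2.10:50110
ESTAB      0      0      10.0.0.5:22          192.0.2.11:50222
"""


def parse_connections(text):
    """Return (state, peer_ip) pairs, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        peer_ip = peer.rsplit(":", 1)[0]  # strip the port (IPv4 only here)
        rows.append((state, peer_ip))
    return rows


def syn_flood_indicators(rows, min_half_open=5, max_ratio=2.0):
    """Summarize half-open (SYN-RECV) versus established connections.

    Flags when the half-open count reaches min_half_open and outnumbers
    established connections by more than max_ratio (assumed thresholds).
    """
    states = Counter(state for state, _ in rows)
    half_open = states.get("SYN-RECV", 0)
    established = states.get("ESTAB", 0)
    distinct_sources = len({ip for state, ip in rows if state == "SYN-RECV"})
    ratio = half_open / max(established, 1)
    return {
        "half_open": half_open,
        "established": established,
        "distinct_syn_sources": distinct_sources,
        "suspicious": half_open >= min_half_open and ratio > max_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(parse_connections(SAMPLE_SS_OUTPUT)))
```

On Linux the kernel-side mitigation for this pattern is SYN cookies (`net.ipv4.tcp_syncookies=1`), which lets the server answer SYNs without keeping per-connection state for unconfirmed handshakes.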
SYN-ACK Flood
We mentioned the three-way handshake process; this type of attack targets the host with SYN-ACK packets. As with the other handshake-related floods, the server becomes overloaded and unable to handle the traffic it needs to, because it is busy processing everything coming in.
RST/FIN Flood
We have talked about SYN-type floods and how they work. When a TCP session closes, RST or FIN packets are exchanged. In an RST or FIN Flood, the server starts receiving spoofed and fake packets that are not connected to any session the server currently has. As with the SYN-ACK flood, the server cannot tell where they come from, spends a lot of time processing them and eventually fails to do so.
IP Level
Fake Session Attack
This type of attack does not use spoofed IPs, but rather uses the real IP addresses of the bots performing the attack.
IP Null Attack
According to the RFC, each IPv4 header should contain information about the transport protocol being used. The null attack takes its name from the “zero” attackers put in this field. This means that these packets may bypass routers or firewalls because they are undefined or uncategorized. Today this value is reserved for the IPv6 Hop-by-Hop Option, but that does not mean every server can actually process this type of packet. Multiply it by thousands and the server goes down.
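Both the IP Null packets described here and the fragmented UDP/ICMP floods described earlier are recognizable from the fixed IPv4 header alone. As an added example (not code from the original article), the parser below decodes that header from raw bytes and counts packets by class so a defender can see protocol-0 and fragment traffic separately; the packet bytes are constructed with a small helper rather than captured.

```python
# Added example: classify raw IPv4 packets by protocol number and fragment
# flags. Packets are constructed in-line; nothing is read from the network.
import struct
from collections import Counter

IPV4_HEADER = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4_header(protocol, more_fragments=False, frag_offset=0,
                      src="192.0.2.1", dst="10.0.0.5"):
    """Build a minimal IPv4 header (constructed test input only)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack(IPV4_HEADER, 0x45, 0, 20, 0x1234, flags_frag,
                       64, protocol, 0, src_b, dst_b)


def classify_packet(raw):
    """Label one packet from its IPv4 header fields."""
    if len(raw) < 20:
        return "truncated"
    version_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        IPV4_HEADER, raw[:20])
    if version_ihl >> 4 != 4:
        return "not-ipv4"
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    frag_offset = flags_frag & 0x1FFF             # 13-bit offset
    if proto == 0:
        return "ip-null"   # protocol 0: no transport handler to dispatch to
    name = PROTOCOL_NAMES.get(proto, "proto-%d" % proto)
    if more_fragments or frag_offset:
        return "fragment-" + name
    return name


def summarize(packets):
    """Count packets per class; a flood shows as one class dominating."""
    return Counter(classify_packet(p) for p in packets)


SAMPLE_PACKETS = [
    build_ipv4_header(17),
    build_ipv4_header(17, more_fragments=True),
    build_ipv4_header(17, frag_offset=185),
    build_ipv4_header(1, more_fragments=True),
    build_ipv4_header(0),
    build_ipv4_header(0, src="198.51.100.9"),
    build_ipv4_header(6),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```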
Application Level Attacks
Application Level Attacks target certain vulnerabilities. One of the most popular targets is servers running CMSs such as WordPress, Drupal, or Joomla. Of course, those projects always close security holes, but hackers find new vulnerabilities from time to time. The other option is to target the victim’s databases with SQL injections. Eventually, the server cannot handle the fake requests and goes down. Make sure that you are running the latest version of your CMS and that your database is administered by professionals.
Application Misuse attack
The method of crashing the server is still to overload it. The main problem is that the traffic is indeed legitimate, because the servers are genuinely trying to establish the connections.
Conclusion
We’ve tried to cover the majority of the DDoS attacks you might encounter; there are certainly a few we may have missed, but we think you’ve got a general understanding of what kinds of DDoS attacks there are. If you wish to protect your server from such attacks, feel free to ask our team via LiveChat about the servers with DDoS protection. Thank you for your time!