DDoS Attacks
A Distributed Denial of Service (DDoS) attack is a low-level volumetric attack designed to overwhelm a server with the sheer number of requests made to it, rendering it unavailable to its users.
There are many different types of DDoS attacks, from the most common ones that can be performed by single-system attackers, to the more sophisticated ones that are carried out with the use of botnets.
Most DDoS attacks can be divided into three categories:
- Volume-based DDoS Attacks
- Protocol-based DDoS Attacks
- Application Layer Attacks
Volume-based DDoS attack types
Volume-based DDoS attacks target the bandwidth of the server. They are typically made up of a large number of small requests, which can overload a server and cause it to crash or become unstable.
UDP floods
A UDP flood is a type of DDoS attack in which the attacker sends many UDP packets to the target. This has two effects:
- While the server is dealing with these requests, it cannot send any other traffic.
- The server cannot detect where the requests are coming from, so it cannot filter them out.
UDP flooding is a common type of DDoS attack because UDP packets do not require a connection to be opened before data is sent, and an attacker needs relatively few resources to send many UDP packets.
ICMP floods
An ICMP flood is a type of DDoS attack that exploits the Internet Control Message Protocol (ICMP) by sending an overwhelming number of ICMP requests to the victim's computer.
An ICMP flood can cause significant performance degradation, making it difficult or impossible for a user to use their system. The ICMP messages typically report error conditions such as “host unreachable” or “network down”.
ICMP flooding often starts off slowly and builds up over time. The first packets may not even register on your network's bandwidth usage meter because each packet is so small; after a while, however, these packets take up more capacity than normal traffic would, and the bandwidth available to legitimate users suffers as a result.
Ping floods
A ping flood is a DDoS attack that sends large numbers of pings to an IP address, consuming the target’s bandwidth and resources. Ping flood attacks can be carried out with any type of Internet-enabled computer or device. They are often used as a distraction tactic in conjunction with other types of cyberattacks.
Protocol-based DDoS attack types
Ping of death
Ping of death is a denial-of-service attack that exploits the fragmentation reassembly algorithm in TCP/IP. When an attacker sends a malformed packet to the victim, the victim's system crashes and reboots because it is unable to process the corrupt packet.
SYN flood
A SYN flood is a type of denial-of-service attack that can disable a computer by overwhelming the system with fake messages.
The attacker sends thousands of SYN requests, often to an unguarded API endpoint or external service, which then responds by opening many connections with other servers in order to handle all the information.
Because this attack does not use an exploit and instead relies on brute force, it can be difficult for firewalls to block.
SYN flooding can also be used as a form of censorship where the attacker blocks out specific websites from being accessed by bombarding those sites with meaningless or nonsensical data.
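The defender-side signature of a SYN flood is a backlog of handshakes that never complete. The following Python is an added example, not code from the original article: it replays a constructed set of client-side TCP packets, tracks which (source IP, source port) pairs are still half-open, and reports sources holding too many of them. The thresholds and sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed thresholds for this example; real values depend on the server's backlog size.
HALF_OPEN_PER_SRC_LIMIT = 3
BACKLOG_CAPACITY = 4


def constructed_client_packets():
    """Constructed sample of client-side TCP packets seen by the server: (src_ip, src_port, flag)."""
    pkts = [
        ("10.0.0.5", 40001, "SYN"), ("10.0.0.5", 40001, "ACK"),   # normal: handshake completes
        ("10.0.0.6", 40002, "SYN"), ("10.0.0.6", 40002, "ACK"),
    ]
    # Flood source: five SYNs from different ports; the final ACK never arrives.
    pkts += [("198.51.100.7", 50000 + i, "SYN") for i in range(5)]
    return pkts


def track_half_open(packets):
    """Replay packets and return the set of (src_ip, src_port) pairs still half-open.

    A SYN opens an entry; the client's ACK (third handshake step) or a RST closes it.
    The server's own SYN-ACK is not part of the input, so it needs no handling here.
    """
    half_open = set()
    for src, sport, flag in packets:
        key = (src, sport)
        if flag == "SYN":
            half_open.add(key)
        elif flag in ("ACK", "RST"):
            half_open.discard(key)
    return half_open


def suspicious_sources(half_open, limit=HALF_OPEN_PER_SRC_LIMIT):
    """Sources holding at least `limit` half-open connections, mapped to their counts."""
    counts = defaultdict(int)
    for src, _ in half_open:
        counts[src] += 1
    return {src: n for src, n in counts.items() if n >= limit}


def backlog_exhausted(half_open, capacity=BACKLOG_CAPACITY):
    """True once half-open entries fill the backlog, i.e. new legitimate SYNs would be dropped."""
    return len(half_open) >= capacity


if __name__ == "__main__":
    pending = track_half_open(constructed_client_packets())
    print(suspicious_sources(pending), backlog_exhausted(pending))
```

In production the same bookkeeping would be fed from the server's connection table or a packet capture, and an entry would also expire after the handshake timeout.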
Application layer attacks
Application layer DDoS attacks are relatively new in the world of cybersecurity. This type of attack leverages vulnerabilities in software applications to flood networks with requests and overwhelm them so that they can no longer respond to legitimate traffic.
The most common types of application layer DDoS attacks (Layer 7) are:
- HTTP floods
- DNS amplification
- NTP amplification
- Memcached reflection
These application layer DDoS attacks often target web servers or databases because of their high-bandwidth capability and the relative ease of exploiting them.
To mitigate these risks, patch vulnerable systems as soon as possible to minimize the exposure window while waiting for a more complete fix from vendors, who may not always be able to provide one.
Frequently asked questions
How to prevent DDoS attacks?
There are many ways to prevent a DDoS attack. Some of the most common methods include:
- Use of anti-DDoS protection services.
- Blocking or restricting malicious IP addresses.
- Deployment of strong firewalls in front of servers and networks.
- Filtering out traffic using IP blocks or blacklists, which may be set up by ISPs in coordination with web hosting providers.
Which DDoS attack type is the most dangerous?
In general, the most dangerous DDoS attack type is an Application-Layer Attack. These types of attacks can be difficult to mitigate and are often carefully targeted at a specific organization’s weaknesses with malicious code.
How to stop or minimize the effects of a DDoS attack?
There are a few ways to mitigate the effects of DDoS attacks, including:
- Using more than one Internet Service Provider (ISP) so if one is attacked or taken offline, there’s still another path to get online.
- Having a backup plan in place for critical data and systems should an attack happen.
- Providing a call-to-action to end users who may be experiencing an attack, such as: “If you’re seeing this page, it means our site is currently being attacked by hackers. Please do not refresh the page. Please wait for us to fix the problem before trying again.”
- Including contact information so visitors can reach out if they have been affected by an attack in any way.
How to investigate a DDoS attack?
After the attack is over, all logs of inbound and outbound traffic should be examined.
Network engineers typically start by looking for any anomalies from their own network perspective. They’ll compare server ping times before and after the event to see if packet loss or latency changes corresponded with a spike in traffic. They’ll also check for any spikes in bandwidth usage, data packets transmitted and received, dropped connections or ICMP pings sent.
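The comparison described above (pre-event baseline versus the event window) can be scripted. The following Python is an added example, not from the original article: it takes constructed per-minute counters (bytes in, packets in, dropped connections), derives a baseline from the minutes assumed to precede the attack, and flags the minutes where each metric spikes past a multiple of that baseline. The sample numbers and thresholds are constructed for illustration.

```python
import statistics

# Constructed per-minute counters from a server's traffic log (not real data).
# Fields: minute, bytes_in, packets_in, dropped_conns
SAMPLE_MINUTES = [
    (0, 1_200_000, 9_000, 0),
    (1, 1_300_000, 9_500, 0),
    (2, 1_100_000, 8_800, 0),
    (3, 1_250_000, 9_200, 1),
    (4, 1_200_000, 9_100, 0),
    (5, 9_800_000, 80_000, 120),   # attack begins
    (6, 12_400_000, 95_000, 310),
    (7, 1_300_000, 9_300, 2),      # back to normal
]
METRICS = ("bytes_in", "packets_in", "dropped_conns")


def baseline(rows, n_minutes=5):
    """Median of each metric over the first n_minutes, assumed to be pre-attack traffic."""
    head = rows[:n_minutes]
    return tuple(statistics.median(r[i] for r in head) for i in (1, 2, 3))


def find_spikes(rows, base, factor=5.0, min_dropped=10):
    """Minutes where a metric is at least `factor` times its baseline.

    Dropped connections normally sit near zero, so a multiple of zero is meaningless;
    an absolute floor (min_dropped) is applied to that metric instead.
    """
    spikes = []
    for minute, *values in rows:
        flagged = []
        for name, value, ref in zip(METRICS, values, base):
            threshold = factor * ref
            if name == "dropped_conns":
                threshold = max(min_dropped, threshold)
            if value >= threshold:
                flagged.append(name)
        if flagged:
            spikes.append((minute, flagged))
    return spikes


if __name__ == "__main__":
    base = baseline(SAMPLE_MINUTES)
    for minute, names in find_spikes(SAMPLE_MINUTES, base):
        print(f"minute {minute}: spike in {', '.join(names)}")
```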
What is the most common DDoS attack type?
SYN attacks are now the most common type of DDoS attack. In 2020 they contributed to 94.60% of DDoS attacks.
How do you know if a website is being DDoSed?
There are several ways to tell whether your site has been under a DDoS attack. The most common symptom of a successful DDoS attack will be that no one can connect to the target on port 80/443 for any request. This includes "pinging" with ICMP requests and trying to access anything without SSL over TCP ports such as SMTP (25), Telnet (23) or FTP (21). If these services work but web pages don't load, it's likely that the website is being flooded with excessive web traffic.
Other symptoms of a successful DDoS attack include:
- Decreased availability to access resources online.
- Increased latency in accessing websites or other network services.
- Inability to connect to any site on the hosted server using its IP address from within your hosting provider’s network.
- Packet loss due to outbound broadcast flooding.
If you notice any of these problems, it is recommended that you contact your ISP for assistance immediately, as this could lead to further downtime if left untreated.
How to protect API from DDoS attacks?
- Ensure that the API has a healthy connection and is not overloaded with requests.
- Reduce the number of threads in your system to reduce pressure on those connections.
- Increase retry rates for any errors or failures you observe, but keep them at an appropriate level (e.g., ~500 ms). If each connection takes longer than 500 milliseconds to complete successfully, the server may be handling too many concurrent connections without enough resources to do so, which could leave it vulnerable to DDoS attacks.
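The points above (bounding concurrent work and watching for connections that take longer than ~500 ms) can be enforced at the API's front door. The following Python is an added example, not code from the original article: a guard that combines a per-client token bucket with a global cap on in-flight requests and a p95-latency check against the 500 ms figure. The `ApiGuard` class, its parameters and the simulated clients are constructed for illustration.

```python
from collections import deque


class ApiGuard:
    """Per-client token bucket plus a global cap on in-flight requests (constructed example)."""

    def __init__(self, rate_per_s=5.0, burst=10, max_in_flight=50, slow_ms=500):
        self.rate, self.burst = rate_per_s, burst          # illustrative, not tuned values
        self.max_in_flight, self.slow_ms = max_in_flight, slow_ms
        self.buckets = {}                                  # client -> (tokens, last_refill_time)
        self.in_flight = 0
        self.latencies_ms = deque(maxlen=1000)

    def allow(self, client, now):
        """Return (admitted, reason); reject before doing any of the work the request would cost."""
        if self.in_flight >= self.max_in_flight:
            return False, "server_busy"                    # global cap protects threads/connections
        tokens, last = self.buckets.get(client, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last call
        if tokens < 1.0:
            self.buckets[client] = (tokens, now)
            return False, "rate_limited"                   # one abuser cannot starve other clients
        self.buckets[client] = (tokens - 1.0, now)
        self.in_flight += 1
        return True, "ok"

    def finish(self, latency_ms):
        self.in_flight -= 1
        self.latencies_ms.append(latency_ms)

    def overloaded(self):
        """True when p95 latency of completed requests exceeds slow_ms (the ~500 ms figure)."""
        if not self.latencies_ms:
            return False
        ordered = sorted(self.latencies_ms)
        return ordered[int(0.95 * (len(ordered) - 1))] > self.slow_ms


def simulate():
    """One abusive client fires 30 calls at once, then a normal client makes one call."""
    guard = ApiGuard()
    outcomes = {"ok": 0, "rate_limited": 0, "server_busy": 0}
    for _ in range(30):
        admitted, why = guard.allow("abuser", now=0.0)
        outcomes[why] += 1
        if admitted:
            guard.finish(latency_ms=40)
    admitted, why = guard.allow("legit", now=0.0)         # unaffected: its own bucket is full
    outcomes[why] += 1
    return outcomes
```

A rejected call should be answered cheaply (for HTTP, a 429 or 503 with a Retry-After header) so that the limiter itself does not become the bottleneck.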
How to test DDoS protection?
There are a number of tools available to help you test the effectiveness of your DDoS protection strategy. You can determine if your solution is up to date and configured correctly by using one or more of the following:
- Website attack simulation programs
- Network emulation software
- Load testing tools
Can any of the above DDoS attack types be used to steal information?
Yes. While DDoS attacks are not intended to steal information, the malware used in these types of attacks can also carry out different types of data-stealing methods like keylogging and screen scraping.