November 12, 2015
What kinds of DDoS attacks are there?
What different kinds of DDoS attacks are there ?
Here are some common forms of DDoS attacks (both past and present):
User Datagram Protocol is a sessionless networking protocol. One common DDoS attack method is referred to as a UDP flood. Random ports on the target machine are flooded with packets that cause it to listen for applications on that those ports and report back with a ICMP packet.
A “three-way handshake”, which is a reference to how TCP connections work, are the basis for this form of attack. The SYN-ACK communication process works like this:
First, a “synchronize”, or SYN message, is sent to the host machine to start the conversation.
Next, the request is “acknowledged” by the server. It sends an ACK flag to the machine that started the “handshake” process and awaits for the connection to be closed.
The connection is completed when the requesting machine closes the connection.
A SYN flood attack will send repeated spoofed requests from a variety of sources at a target server. The server will respond with an ACK packet to complete the TCP connection, but instead of closing the connection the connection is allowed to timeout. Eventually, and with a strong enough attack, the host resources will be exhausted and the server will go offline.
Ping of Death
Ping of death (”POD”) is a denial of service attack that manipulates IP protocol by sending packets larger than the maximum byte allowance, which under IPv4 is 65,535 bytes. Large packets are divided across multiple IP packets – called fragments – and once reassembled create a packet larger than 65,535 bytes. The resulting behemoth packet causes servers to reboot or crash.
Note: This was a real problem in early years (think 1996), but doesn’t have the same effect these days. Most ISPs block ICMP or “ping” messages at the firewall. However, there are many others forms of this attack that target unique hardware or applications. Some other names are “Teardrop”, “Bonk”, and “Boink”.
A reflected attack is where an attacker creates forged packets that will be sent out to as many computers as possible. When these computers receive the packets they will reply, but the reply will be a spoofed address that actually routes to the target. All of the computers will attempt to communicate at once and this will cause the site to be bogged down with requests until the server resources are exhausted.
Peer-to-Peer servers present an opportunity for attackers. What happens is instead of using a botnet to siphon traffic towards the target, a peer-to-peer server is exploited to route traffic to the target website. When done successfully, people using the file-sharing hub are instead sent to the target website until the website is overwhelmed and sent offline.
Corrupt and fragmented ICMP packets are sent via a modified ping utility to keep the malicious packets to be delivered to the target. Eventually, the target machine goes offline. This attack focuses on comprising computer networks and is an old distributed denial of service attack.
This type of distributed denial of service attack can be especially difficult to mitigate. It’s most notable use was in the 2009 Iranian Presidential election. Slowloris is a tool that allows an attacker to use fewer resources during an attack. During the attack connections to the target machine will be opened with partial requests and allowed to stay open for the maximum time possible. It will also send HTTP headers at certain intervals. This adds to the requests, but never completes them – keeping more connections open longer until the target website is no longer able to stay online.
Degradation of Service Attacks
The purpose of this attack is to slow server response times. A DDoS attack seeks to take a website or server offline. That is not the case in a degradation of service attack. The goal here is to slow response time to a level that essentially makes the website unusable for most people. Zombie computers are leveraged to flood a target machine with malicious traffic that will cause performance and page-loading issues. These types of attacks can be difficult to detect because the goal is not to take the website offline, but to degrade performance. They are often confused with simply an increase in website traffic.
Unintended distributed denial of service happens when a spike in web traffic causes a server to not be able to handle all of the incoming requests. The more traffic that occurs, the more resources are used. This causes pages to timeout when loading and eventually the server will fail to respond and go offline.
Application Level Attacks
Application level attacks target areas that have more vulnerabilities. Rather than attempt to overwhelm the entire server, an attacker will focus their attack on one – or a few – applications. Web-based email apps, WordPress, Joomla, and forum software are good examples of application specific targets.
Multi-vector attacks are the most complex forms of distributed denial of service (DDoS) attack. Instead of utilizing a single method, a combination of tools and strategies are used to overwhelm the target and take it offline. Often times, multi-vector attacks will target specific applications on the target server, as well as, flood the target with a large volume of malicious traffic. These types of DDoS attacks are the most difficult to mitigate because the attack come in different forms and target different resources simultaneously.
Zero Day DDoS
A “Zero Day” based attack is simply an attack method that to date has no patches. This is a general term used to describe new vulnerabilities and exploits that are still new.
As you can see, the types of DDoS attacks vary, but all can affect your website’s performance.