All You Need to Know About DDoS Attacks: Part 1 (and Its Attack Types)

After the US, China and the UK, India is one of the most targeted countries in the world for web attacks such as distributed denial of service (DDoS) attacks and bot-driven abuse.

But, what is a DDoS attack? How does it work?

If you are also looking to learn the ins and outs of DDoS attacks, then your search ends here. The following post gives you a comprehensive understanding of:

  • What is DDoS Attack?
  • What are its types?
  • How does it work?
  • Why is it dangerous?
  • What are its consequences?

Have a look:

What is a DDoS Attack?

A DDoS attack is one of the most disruptive types of cyberattack. This malicious attempt exhausts online resources (such as a network, service, or application) and temporarily interrupts or suspends the services of the hosting server. As a result, genuine users fail to access anything.

What is its Prime Aim?

A DDoS attack uses multiple connected online devices (known as a botnet). The primary function of the botnet is to drown the legitimate traffic of a target website in bad bot traffic.

The worst thing: the prime aim of a DDoS attack is to make your servers and website unavailable to legitimate users rather than to breach your security perimeter. Not just this, cyber-attackers also use DDoS attacks to take down security appliances.

In short, a DDoS attack has the potential to impact an entire user base.

Who Would Carry Out a DDoS Attack?

A DDoS attack is a popular weapon for-

How Can You Measure a DDoS Attack?

Attack size is measured as the number of bits of traffic sent at the target per second. Generally, a small attack measures a few megabits per second (Mbps) and a large attack measures hundreds of gigabits per second (Gbps), or even terabits per second (Tbps).

What is the Duration of the DDoS Attack?

Broadly speaking, there is no defined duration. A DDoS attack can last for days, weeks, or months at a time.

What are the Different DDoS Attacks Types?

There are three types of DDoS attacks-

  1. Volume-Based Attacks: These are connectionless attacks
  2. Protocol Attacks: These are state-exhaustion attacks
  3. Application Layer Attacks: These are connection-based attacks

Volume-Based Attacks

  • What does it mean? They use an enormous amount of traffic to saturate the target’s bandwidth
  • How does it impact? Completely blocks access to the end resource
  • Add-on info: Easy to generate

Protocol Attacks

  • What does it mean? They make a target inaccessible by exploiting a weakness in Layer 3 and Layer 4 protocols
  • How does it impact? Consumes the processing capacity of intermediate critical resources as well as the attacked target
  • Add-on info: Measured in magnitude as packets per second (pps)

Application Layer Attacks

  • What does it mean? They exploit a weakness in the Layer 7 protocol stack
  • How does it impact? Creates a connection with the target and exhausts the server’s resources by dominating transactions and processes
  • Add-on info: The most sophisticated and challenging attack to handle

DDoS Attack Type Glossary

Layer 3 – Network Attacks

ICMP Flood

  1. Also known as a Ping Flood
  2. One of the most common Denial of Service (DoS) attacks
  3. In this, the attacker takes down the victim’s system by overwhelming it with pings (i.e. ICMP echo requests)
  4. The attacker sends packets as fast as possible without even waiting for a response
  5. It consumes both incoming and outgoing bandwidth

IP/ICMP Fragmentation

  • In this, the attacker overpowers a network by exploiting the datagram fragmentation mechanism

BGP Hijacking

  1. Also known as prefix hijacking, IP hijacking, or route hijacking
  2. In this, the attacker corrupts the Internet routing tables that are maintained using the Border Gateway Protocol (BGP) and illegitimately takes over groups of IP addresses.
  3. As a result, the attacker receives the traffic instead of the legitimate users.

Layer 4 – Transport Attacks

User Datagram Protocol (UDP) Flood

  1. In this, the attacker uses UDP, a sessionless or connectionless computer networking protocol
  2. What the attacker does: sends a large number of UDP packets to random ports on a remote host
  3. This forces the receiving host to check for an application listening on each of these ports
  4. When it finds no such application, it returns a “Destination Unreachable” packet
  5. As more and more packets to the requested ports have to be answered, they overwhelm the target host and make it unresponsive to other clients

SYN Flood

  1. In this, the attacker sends a succession of SYN requests to a target’s system with the goal of consuming as many server resources as possible
  2. The prime aim of this attack is to make the computer unresponsive to legitimate traffic
  3. It halts the web server’s ability to handle new connection requests
  4. In this, almost all of the target server’s communication ports are left in a half-open state
  5. How it does this: by stalling the TCP three-way handshake between the server and the client
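The two Layer 4 floods described above (UDP flood and SYN flood) leave different traces, and the following added example, which is not part of the original article, shows how a defender can spot both in traffic records. It assumes a constructed one-line-per-packet record format, constructed addresses and illustrative thresholds (a SYN flood is flagged when SYNs arrive fast and most of their sources never complete the handshake; a UDP flood when one source sprays many closed ports and each port triggers an ICMP port-unreachable reply).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float
    proto: str   # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int   # 0 when the record carries no port (ICMP)
    info: str    # TCP flags such as "S", "A", "PA"; ICMP message name; or a UDP length tag


def parse_line(line: str) -> Pkt:
    """Parse one constructed record: '<t> <proto> <src> <dst>[:<dport>] <info>'."""
    t, proto, src, dst_port, info = line.split()
    dst, _, port = dst_port.partition(":")
    return Pkt(float(t), proto, src, dst, int(port) if port else 0, info)


def tcp_half_open_ratio(pkts, target, window=1.0):
    """SYN rate toward target (per second) and the share of SYNs whose source
    never sent the handshake-completing ACK, i.e. connections left half-open."""
    syns = defaultdict(int)
    acked = set()
    times = []
    for p in pkts:
        if p.proto != "TCP" or p.dst != target:
            continue
        if p.info == "S":
            syns[p.src] += 1
            times.append(p.t)
        elif "A" in p.info and "S" not in p.info:
            acked.add(p.src)
    total = sum(syns.values())
    if total == 0:
        return 0.0, 0.0
    half_open = sum(n for src, n in syns.items() if src not in acked)
    span = max(max(times) - min(times), window)
    return total / span, half_open / total


def detect_syn_flood(pkts, target, min_rate=50.0, min_half_open=0.8):
    """Flag a SYN flood when SYNs arrive fast AND most of them are never completed."""
    rate, ratio = tcp_half_open_ratio(pkts, target)
    return rate >= min_rate and ratio >= min_half_open


def udp_port_sweep(pkts, target):
    """Per source: distinct UDP ports it hit on target, and how many
    ICMP port-unreachable replies target had to send back to it."""
    ports = defaultdict(set)
    unreach = defaultdict(int)
    for p in pkts:
        if p.proto == "UDP" and p.dst == target:
            ports[p.src].add(p.dport)
        elif p.proto == "ICMP" and p.src == target and p.info == "port-unreachable":
            unreach[p.dst] += 1
    return {src: (len(ports[src]), unreach[src]) for src in ports}


def detect_udp_flood(pkts, target, min_ports=20, min_unreach=10):
    """Sources spraying many closed ports, each answered with port-unreachable."""
    return sorted(src for src, (n_ports, n_unreach) in udp_port_sweep(pkts, target).items()
                  if n_ports >= min_ports and n_unreach >= min_unreach)


def build_sample():
    """Constructed traffic (not a real capture): one legitimate client that completes
    its handshake, 120 spoofed SYNs in one second, one UDP port spray, one DNS query."""
    target = "203.0.113.10"
    lines = [f"0.000 TCP 192.0.2.5 {target}:80 S",
             f"0.010 TCP 192.0.2.5 {target}:80 A",
             f"0.020 TCP 192.0.2.5 {target}:80 PA"]
    for i in range(120):                       # 120 SYNs from 120 sources, no ACKs ever follow
        lines.append(f"{i / 120:.3f} TCP 198.51.100.{i + 1} {target}:80 S")
    for i in range(40):                        # one source hits 40 closed UDP ports
        lines.append(f"{i / 100:.3f} UDP 198.51.100.200 {target}:{30000 + i} len=512")
        lines.append(f"{i / 100:.3f} ICMP {target} 198.51.100.200 port-unreachable")
    lines.append(f"0.500 UDP 192.0.2.9 {target}:53 len=64")
    return lines


if __name__ == "__main__":
    pkts = [parse_line(l) for l in build_sample()]
    print("SYN flood:", detect_syn_flood(pkts, "203.0.113.10"))
    print("UDP flood sources:", detect_udp_flood(pkts, "203.0.113.10"))
```

The half-open ratio is what separates a SYN flood from a legitimate traffic spike: a busy but healthy server also sees many SYNs, but their sources come back with the final ACK. For UDP, the count of port-unreachable replies the target itself emits is the cheapest signal, since the target pays for every one of them.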

Other TCP Floods

Apart from these, there are several other TCP floods that use different TCP flag combinations, for example FIN flood, ACK flood, Xmas tree flood and RST flood.

LAYER 5 / LAYER 6 – Session / Presentation Attacks

Long-Lived TCP sessions

  1. These have a slow transfer rate
  2. Examples include slow HTTP POST, TCP SYN flood, and protocol attacks
  3. Contributing factors: peer-to-peer file hosting, idle TCP connections, and user-initiated actions like bulk downloads

SSL Exhaustion

  1. SSL is a secure service on the Internet
  2. Since it is resource intensive, the services that rely on it are susceptible to resource exhaustion attacks
  3. In this attack, a small request plays a vital role
  4. It forces the server to do a disproportionately large amount of work to set up a secure session

NXDOMAIN floods/ DNS query

  1. In this, DNS plays a critical role
  2. The attacker sends spoofed but valid request packets: firstly, at a very high packet rate and secondly, from a large group of source IP addresses
  3. Since these appear to be valid requests, the target DNS servers respond to all of them
  4. Typically, this attack consumes a large amount of network resources. As a result, the DNS infrastructure is exhausted and eventually goes offline. Further, it also takes down the target users’ Internet access
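Because the queries in an NXDOMAIN flood come from a large pool of spoofed sources, per-client rate limiting sees nothing unusual; the flood only becomes visible when the resolver's answers are aggregated per zone. The following added example, which is not from the original article, profiles a constructed resolver log per target zone and flags a zone whose answers are dominated by NXDOMAIN for names nobody has asked for before. The log format, addresses, query names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict


def parse_query(line):
    """Parse one constructed resolver log record: '<t> <client> <qname> <rcode>'."""
    t, client, qname, rcode = line.split()
    return float(t), client, qname.rstrip(".").lower(), rcode


def zone_of(qname, depth=2):
    """Crude zone cut: the last `depth` labels (sufficient for this sample)."""
    return ".".join(qname.split(".")[-depth:])


def zone_profile(queries, window):
    """Per zone: query rate, NXDOMAIN share, distinct non-existent names asked for,
    and distinct clients. Aggregating per zone rather than per client is the point:
    a flood from many spoofed sources shows up here, not per source."""
    per = defaultdict(lambda: {"n": 0, "nx": 0, "nx_names": set(), "clients": set()})
    for _t, client, qname, rcode in queries:
        z = per[zone_of(qname)]
        z["n"] += 1
        z["clients"].add(client)
        if rcode == "NXDOMAIN":
            z["nx"] += 1
            z["nx_names"].add(qname)
    return {zone: {"qps": z["n"] / window,
                   "nx_ratio": z["nx"] / z["n"],
                   "unique_nx": len(z["nx_names"]),
                   "clients": len(z["clients"])}
            for zone, z in per.items()}


def flag_zones(profile, min_qps=20.0, min_nx_ratio=0.8, min_unique_nx=100):
    """Zones whose answers are mostly NXDOMAIN and whose non-existent names keep changing."""
    return sorted(zone for zone, p in profile.items()
                  if p["qps"] >= min_qps and p["nx_ratio"] >= min_nx_ratio
                  and p["unique_nx"] >= min_unique_nx)


def build_sample():
    """Constructed log (not real data): normal lookups, two typos, and 360 queries for
    random-looking names under example.com from 120 spoofed clients within 10 seconds."""
    lines = [f"0.{i:02d} 192.0.2.{i + 1} www.example.com NOERROR" for i in range(20)]
    lines += ["0.50 192.0.2.1 wwww.example.com NXDOMAIN",
              "0.60 192.0.2.2 ww.example.com NXDOMAIN"]
    lines += [f"1.{i:02d} 192.0.2.{i + 1} mail.example.net NOERROR" for i in range(10)]
    for i in range(120):
        for j in range(3):
            lines.append(f"{2 + i * 0.05 + j * 0.01:.3f} 198.51.100.{i + 1} "
                         f"q{i}-{j}.example.com NXDOMAIN")
    return lines


if __name__ == "__main__":
    profile = zone_profile([parse_query(l) for l in build_sample()], window=10.0)
    for zone, p in profile.items():
        print(zone, p)
    print("flagged zones:", flag_zones(profile))
```

Two legitimate typos under example.com do not trip the detector; what does is the combination of a high NXDOMAIN share with hundreds of distinct never-seen names, which is exactly the pattern that defeats the resolver's negative cache.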

LAYER 7 – Application Attacks

HTTP/S Flood

  • In this, the attacker imposes a high number of HTTP/S requests every second on a server with the aim of keeping it busy

Large Payload POST requests

  1. In this, the attacker exhausts the server or its TCP resources by uploading either a large amount of data or a big file
  2. In this attack, the prime target is to hold the server’s connection open

Slowloris

  1. In this, the attacker sends small HTTP request header chunks to the desired web server with the objective of exhausting its connection resources
  2. Thus, when a number of Slowloris attacks are launched by multiple malicious hosts, all available connections are held open at once and the server becomes incapable of serving legitimate HTTP requests

Point to remember:

  1. Firstly, it sends request headers too slowly
  2. Secondly, it sends each HTTP header chunk a moment before the server’s request timeout expires
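The second point above is why a plain per-connection idle timeout does not help against Slowloris: every trickled header chunk resets the idle timer. The following added example, which is not part of the original article, replays a constructed connection-event log through two views, an idle timeout and a deadline on reading the whole request header, so the difference is visible. Event format, addresses, the 9-second trickle interval and the 10-second limits are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    opened: float
    last_seen: float
    header_bytes: int = 0
    header_done: bool = False
    closed: bool = False


def replay(lines):
    """Rebuild per-connection state from constructed event records of the form
    '<t> <conn_id> <src> open' | '... hdr <bytes>' | '... hdr_done' | '... close'."""
    conns = {}
    for line in lines:
        parts = line.split()
        t, cid, src, ev = float(parts[0]), parts[1], parts[2], parts[3]
        if ev == "open":
            conns[cid] = Conn(src, t, t)
            continue
        c = conns[cid]
        c.last_seen = t
        if ev == "hdr":
            c.header_bytes += int(parts[4])
        elif ev == "hdr_done":
            c.header_done = True
        elif ev == "close":
            c.closed = True
    return conns


def idle_timeout_view(conns, now, idle_timeout=10.0):
    """What a per-connection idle timeout catches: connections silent for
    idle_timeout seconds. A Slowloris client defeats this by sending a few
    bytes just before the timer fires."""
    return sorted(cid for cid, c in conns.items()
                  if not c.closed and not c.header_done
                  and now - c.last_seen >= idle_timeout)


def header_deadline_view(conns, now, header_deadline=10.0):
    """What a whole-request-header deadline catches: connections still reading
    headers header_deadline seconds after they were opened, however recently
    a byte trickled in."""
    return sorted(cid for cid, c in conns.items()
                  if not c.closed and not c.header_done
                  and now - c.opened >= header_deadline)


def by_source(conns, conn_ids):
    """Count flagged connections per client address."""
    counts = defaultdict(int)
    for cid in conn_ids:
        counts[conns[cid].src] += 1
    return dict(counts)


def build_sample():
    """Constructed events (not a real log): one normal request, 25 Slowloris-style
    connections feeding 12 header bytes every 9 s, and one client that only just connected."""
    lines = ["0.00 c1 192.0.2.5 open",
             "0.01 c1 192.0.2.5 hdr 180",
             "0.02 c1 192.0.2.5 hdr_done"]
    for i in range(25):
        cid = f"s{i}"
        lines.append(f"{i * 0.1:.2f} {cid} 198.51.100.77 open")
        for k in range(1, 7):
            lines.append(f"{i * 0.1 + 9 * k:.2f} {cid} 198.51.100.77 hdr 12")
    lines.append("55.00 c2 192.0.2.8 open")
    return lines


if __name__ == "__main__":
    conns = replay(build_sample())
    print("idle timeout sees:", idle_timeout_view(conns, now=60.0))
    stuck = header_deadline_view(conns, now=60.0)
    print("header deadline sees:", len(stuck), by_source(conns, stuck))
```

At 60 seconds the idle-timeout view reports nothing, while the header-deadline view reports all 25 trickling connections and leaves the freshly opened one alone. Web servers expose exactly this kind of whole-header limit (Apache's mod_reqtimeout `RequestReadTimeout` and nginx's `client_header_timeout`); the per-source count is what an operator would then feed into a block or rate-limit decision.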

Slow Post/ Slow Read

  1. In this, the attacker not only sends valid TCP SYN packets but also completes the TCP three-way handshake with the target system to create valid sessions between the target system and the attacker
  2. Since these attacks keep sessions open for a longer period, they are always non-spoofed

Mimicked user browsing

  1. These use a large botnet
  2. In this, the botnet owner mimics human browsing behaviour (i.e. legitimate cyber behaviour) and flies under the radar

Reflection Amplification Attacks

  • In this, the attacker performs two actions: first, magnifying the amount of malicious traffic they can generate and second, obscuring the source of that attack traffic. Memcached DDoS attacks are an example.
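Both halves of a reflection amplification attack leave a measurable trace: the victim receives replies from service ports it never queried, and the abused reflector answers a "client" with far more bytes than it received. The following added example, which is not part of the original article, computes both from constructed UDP flow records at the victim's edge and at the reflector's edge. The record format, addresses, packet sizes (and therefore the amplification factors they yield) are constructed for the example and do not represent any real service's actual ratio.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports commonly abused as reflectors (names only; sizes below are constructed)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}


@dataclass
class Flow:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one constructed record: '<t> <src>:<sport> <dst>:<dport> <bytes>'."""
    t, a, b, n = line.split()
    src, sport = a.rsplit(":", 1)
    dst, dport = b.rsplit(":", 1)
    return Flow(float(t), src, int(sport), dst, int(dport), int(n))


def unsolicited_reflections(flows, victim):
    """Victim-edge view: replies from reflector service ports that match no request
    the victim sent (same remote host, remote port and local port).
    Returns {service: (packets, bytes)}."""
    requested = {(f.dst, f.dport, f.sport) for f in flows if f.src == victim}
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dst != victim or f.sport not in REFLECTOR_PORTS:
            continue
        if (f.src, f.sport, f.dport) in requested:
            continue                      # a genuine answer to something the victim asked
        s = stats[REFLECTOR_PORTS[f.sport]]
        s[0] += 1
        s[1] += f.nbytes
    return {k: tuple(v) for k, v in stats.items()}


def amplification_by_client(flows, service, port):
    """Reflector-side view: per claimed client, response bytes / request bytes.
    A very high factor toward one client is the signature of being used as a reflector."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.dst == service and f.dport == port:
            req[f.src] += f.nbytes
        elif f.src == service and f.sport == port:
            resp[f.dst] += f.nbytes
    return {c: round(resp[c] / req[c], 1) for c in req if req[c]}


def victim_edge_sample():
    """Constructed: one ordinary DNS exchange, then 30 unsolicited memcached replies."""
    v = "203.0.113.10"
    lines = [f"0.000 {v}:40000 192.0.2.53:53 64",
             f"0.020 192.0.2.53:53 {v}:40000 120"]
    for i in range(30):
        lines.append(f"{1 + i * 0.01:.3f} 198.51.100.{i + 1}:11211 {v}:80 1400")
    return lines


def reflector_edge_sample():
    """Constructed: one memcached host answering 30 tiny requests whose source address
    is the spoofed victim, plus one normal small exchange with a real client."""
    r = "198.51.100.1"
    lines = []
    for i in range(30):
        lines.append(f"{i * 0.01:.3f} 203.0.113.10:80 {r}:11211 15")
        lines.append(f"{i * 0.01 + 0.001:.3f} {r}:11211 203.0.113.10:80 1400")
    lines += [f"5.000 192.0.2.20:5000 {r}:11211 15",
              f"5.001 {r}:11211 192.0.2.20:5000 40"]
    return lines


if __name__ == "__main__":
    vf = [parse_flow(l) for l in victim_edge_sample()]
    print("unsolicited at victim:", unsolicited_reflections(vf, "203.0.113.10"))
    rf = [parse_flow(l) for l in reflector_edge_sample()]
    print("amplification per client:", amplification_by_client(rf, "198.51.100.1", 11211))
```

The victim-side check needs state about what the victim itself sent, which is why it belongs at the edge that sees both directions; the reflector-side ratio is the number an operator of a DNS, NTP or memcached host can watch to learn that their service has been turned against someone else.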

Why is DDoS Attack Dangerous?

It is a digital era. You, me, we all rely heavily on the Internet and web-based applications and services for every small task. Thus, it won’t be erroneous to say that:

The DDoS attack is a primary threat to business continuity.

Retailers, gaming firms, healthcare companies, manufacturing firms, financial services… the list is endless. The reason: it can potentially target the mission-critical business applications that companies rely on heavily to manage day-to-day operations (CRM, email, salesforce automation, etc.).

Consequences of a DDoS attack

The DDoS attack can lead to-

  • Revenue loss
  • Reputation Damage
  • Consumer Trust Destruction
  • Unnecessary fortune loss in compensations

Now, you must be curious to know how to protect yourself from DDoS attacks and how to mitigate them. Stay tuned for Part 2 of this series. It will be all about DDoS Protection and Mitigation.

Coming soon!