A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal operation of a targeted server, service, or network by overwhelming it with a flood of internet traffic. These attacks are executed by leveraging a multitude of compromised computer systems, often referred to as “bots” or “zombies,” which are under the control of the attacker. DDoS attacks can cause significant downtime, financial loss, and reputational damage to the targeted entity.
Types of DDoS Attacks
L4 Flood
L4 (Layer 4) floods target the transport layer of the OSI model, aiming to exhaust server resources such as bandwidth and connection table entries. Common types of L4 floods include:
SYN Flood: Exploits the TCP three-way handshake by sending a large number of SYN requests that initiate connections but are never completed, so each half-open connection keeps consuming server resources.
ACK Flood: Sends a flood of ACK packets to a target server, attempting to overwhelm its processing capacity by requiring the server to process acknowledgments for non-existent connections.
UDP Flood: Floods the target with a large volume of UDP (User Datagram Protocol) packets, often targeting services that rely on UDP, such as DNS and NTP, to exhaust server resources.
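To show the SYN-flood behaviour from the defender's side, here is an added example (not code from this page) that counts half-open TCP handshakes per destination over constructed packet summaries and flags a destination when many handshakes never complete; the packet tuple layout, IP addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet summaries (seconds, src_ip, dst_ip, dst_port, tcp_flags).
# The data is invented for this example; it is not a capture from the page.
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", 443, "S"),
    (0.01, "10.0.0.5", "192.0.2.10", 443, "A"),   # real client finishes the handshake
] + [
    # 200 SYNs from 200 different (spoofed) sources, none of them ever ACKed
    (0.02 + i * 0.001, f"198.51.100.{i + 1}", "192.0.2.10", 443, "S")
    for i in range(200)
]

def half_open_stats(packets):
    """Per destination IP: total SYNs, SYNs never ACKed, distinct source IPs.

    A flow counts as half-open when a SYN was seen but no ACK from the same
    (src, dst, dport) followed it, i.e. the third handshake step is missing.
    """
    pending = set()
    stats = defaultdict(lambda: {"syns": 0, "half_open": 0, "sources": set()})
    for _ts, src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if "S" in flags and "A" not in flags:
            pending.add(key)
            stats[dst]["syns"] += 1
            stats[dst]["sources"].add(src)
        elif "A" in flags:
            pending.discard(key)      # handshake completed, flow no longer half-open
    for _src, dst, _dport in pending:
        stats[dst]["half_open"] += 1
    return stats

def is_syn_flood(stat, min_half_open=100, max_completion=0.2):
    """Flag a destination when many handshakes stay half-open and few complete."""
    completion = 1 - stat["half_open"] / stat["syns"] if stat["syns"] else 1.0
    return stat["half_open"] >= min_half_open and completion <= max_completion

def flooded_targets(packets):
    """Destinations whose handshake pattern matches a SYN flood (assumed thresholds)."""
    return sorted(dst for dst, s in half_open_stats(packets).items() if is_syn_flood(s))

if __name__ == "__main__":
    for dst, s in half_open_stats(PACKETS).items():
        print(dst, s["syns"], s["half_open"], len(s["sources"]), is_syn_flood(s))
```

In a real monitor the same counters are kept per sliding time window, since legitimate clients on lossy links also leave a few handshakes briefly incomplete.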
L7 Flood
L7 (Layer 7) floods target the application layer, focusing on overwhelming the target with an excessive number of legitimate-looking requests that consume application resources. Common types of L7 floods include:
HTTP GET/POST Flood: Sends a massive number of HTTP GET or POST requests to a web server, consuming its processing power and bandwidth, ultimately rendering the service unavailable to legitimate users.
Slow HTTP DoS Attack: Exploits web server implementations that keep a connection open while a request is still arriving, by sending HTTP requests at an exceptionally slow rate so that server resources stay occupied and legitimate requests cannot be served efficiently.
Amplification
Amplification attacks exploit services that provide significantly larger responses to small requests, allowing attackers to amplify their attack traffic. Common amplification techniques include:
DNS Amplification: Abuses open DNS servers by sending forged requests with the victim’s IP address as the source, causing the servers to send large responses to the victim, overwhelming its network capacity.
NTP Amplification: Similar to DNS amplification, NTP servers are abused to send large responses to a victim by spoofing the victim’s IP address in NTP requests.
Slow HTTP DoS Attack Variants
RUDY (R-U-Dead-Yet?)
RUDY is a type of Slow HTTP DoS attack that targets web servers supporting POST requests. By sending legitimate-looking, small-sized POST requests at a slow pace, the attacker aims to occupy server-side TCP connections, leading to resource exhaustion and service disruption.
LOIC and HOIC Network Load Generation Tools
LOIC (Low Orbit Ion Cannon) and HOIC (High Orbit Ion Cannon) are open-source network stress testing tools that can be abused for DDoS attacks. These tools allow attackers to coordinate large-scale attacks by leveraging the combined bandwidth of multiple machines to overwhelm the target.
Smurf Attack
A Smurf attack involves sending ICMP (Internet Control Message Protocol) echo requests to broadcast addresses with a spoofed source address, causing all hosts on the network to reply to that address and flood the victim's network with traffic. Defenses against Smurf attacks include configuring network devices to ignore ICMP requests sent to broadcast addresses, for example by not forwarding directed broadcasts on routers.
Fraggle Attack
Similar to the Smurf attack, a Fraggle attack sends UDP packets to broadcast addresses, causing network devices to respond and amplify the traffic directed towards the victim. Preventative measures for Fraggle attacks include filtering incoming UDP traffic at network boundaries.
By understanding the different types of DDoS attacks and implementing appropriate defensive measures, organizations can better protect themselves from the damaging effects of these malicious activities.