The types of DDoS attacks
Broadly divided, DDoS consists of two main types: bandwidth depletion and resource depletion. There are many subtypes, but within the context of this article we will very quickly go over the 10 most notable types.
1. Direct flood attack (UDP flood and ping flood):
- Goal: Overwhelm the target network with traffic from different sources to block legitimate access from real users.
- Method: Flood target with UDP and ICMP packets.
- Prevention: increasing bandwidth, using load balancers, reflecting the attack, using an IP spoofing prevention mechanism, or rerouting traffic to a DDoS protection service provider.
2. Reflection attack:
- Goal: Consume the victim's resources by spoofing the source IP of the packets so they appear to come from the victim.
- Method: Send packets carrying the victim's spoofed source IP to many machines, which then send their replies to the spoofed address.
- Prevention: anti-spoofing techniques.
3. Smurf and Fraggle attack:
- Goal: Exploit the router's broadcast address and make the network inoperable.
- Method: Send spoofed ICMP traffic to the target router's broadcast address (Smurf), or send spoofed UDP traffic to the target router's broadcast IP address (Fraggle).
- Prevention: Configure your router to ensure no one can exploit its IP broadcasting facility.
4. (TCP) SYN Flood Attack:
- Goal: Exhaust the server's resources and prevent it from accepting any new connection requests.
- Method: Take advantage of the TCP three-way handshake: send SYN requests to the server so that it replies with SYN-ACK packets, but never send the final ACK, leaving server resources tied up waiting for ACK messages that never arrive.
- Prevention: filtering, increasing the backlog, reducing the SYN-RECEIVED timer, SYN caching, firewalls…
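The "SYN caching" and "increasing the backlog" countermeasures above are easiest to understand side by side. The following toy model is an added example, not code from the article: a classic backlog server that reserves state for every SYN, next to a SYN-cookie style server that encodes a keyed hash of the connection 4-tuple and a coarse time slot into its initial sequence number and only creates state when a valid ACK comes back. The server classes, the addresses (documentation ranges) and the traffic are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


class StatefulSynServer:
    """Classic listener: every SYN reserves a half-open slot in a fixed backlog
    until the final ACK arrives (or a timeout fires, which this toy omits)."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}      # 4-tuple -> ISN we sent in the SYN-ACK
        self.established = set()
        self.dropped = 0         # SYNs refused because the backlog was full

    def on_syn(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None          # no room: the SYN is silently dropped
        isn = secrets.randbits(32)
        self.half_open[key] = isn
        return isn

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_number):
        key = (src_ip, src_port, dst_ip, dst_port)
        isn = self.half_open.get(key)
        if isn is None or (isn + 1) & 0xFFFFFFFF != ack_number:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class StatelessSynServer:
    """SYN-cookie style listener: the ISN in the SYN-ACK is a keyed hash of the
    4-tuple and a coarse time slot, so nothing is stored until a valid ACK
    proves the client really completed the handshake."""

    def __init__(self, slot_seconds=60, clock=time.time):
        self._key = secrets.token_bytes(32)   # per-process secret, never sent
        self._slot_seconds = slot_seconds
        self._clock = clock
        self.established = set()

    def _slot(self):
        return int(self._clock() // self._slot_seconds)

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, slot):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit ISN

    def on_syn(self, src_ip, src_port, dst_ip, dst_port):
        # Reply with the cookie as our ISN and keep no per-connection state.
        return self._cookie(src_ip, src_port, dst_ip, dst_port, self._slot())

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_number):
        # A correct ACK acknowledges ISN + 1; accept the current and the
        # previous slot so a handshake straddling a slot boundary still works.
        isn = (ack_number - 1) & 0xFFFFFFFF
        now = self._slot()
        for slot in (now, now - 1):
            if isn == self._cookie(src_ip, src_port, dst_ip, dst_port, slot):
                self.established.add((src_ip, src_port, dst_ip, dst_port))
                return True
        return False


def simulate_syn_flood(server, flood_count=1000):
    """Constructed traffic: flood_count SYNs from spoofed sources that never
    send an ACK, followed by one honest client. Returns True if the honest
    client's handshake completed."""
    for i in range(flood_count):
        server.on_syn(f"198.51.100.{i % 250 + 1}", 40000 + i, "192.0.2.10", 443)
    isn = server.on_syn("203.0.113.5", 51515, "192.0.2.10", 443)
    if isn is None:
        return False  # backlog full: the honest SYN was dropped
    return server.on_ack("203.0.113.5", 51515, "192.0.2.10", 443,
                         (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful backlog, honest client connected:",
          simulate_syn_flood(StatefulSynServer(backlog=128)))   # False
    print("SYN cookies, honest client connected:",
          simulate_syn_flood(StatelessSynServer()))             # True
```

With the backlog server, 128 unanswered SYNs are enough to lock out the honest client; with cookies the flood costs the server one HMAC per SYN and no memory, which is why a larger backlog only raises the bar while cookies remove it. Real kernels also fold MSS and other options into the cookie, which this model leaves out.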
5. (HTTP) Flood (Web Spidering):
- Goal: exhaust server’s resources
- Method: using web spiders to crawl the website
- Prevention: allowing only trusted bots such as Google's
6. PUSH and ACK attack:
- Goal: exhaust server’s resources
- Method: similar to a SYN Flood attack, but the TCP packets are sent with the PUSH and ACK bits set to one. When the number of TCP packets with the PUSH and ACK bits set exceeds the capacity of the target's buffer, the machine crashes.
- Prevention: similar to SYN Flood attack
7. Land attack:
- Goal: Crash the system
- Method: An IP packet is crafted whose source address and source port are the same as its destination address and destination port, making the target reply to its own packets.
8. DNS amplification attacks:
- Goal: Overwhelm the target with responses from open DNS resolvers
- Method: use the spoofed IP address of the victim's machine to send DNS queries to many DNS resolvers. The resolvers send their responses, which can be 50 times larger than the requests, to the victim's IP.
- Prevention: anti-spoofing techniques, load balancers or redirection of the attack traffic to other servers.
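From the victim's side, an amplification attack has a distinctive shape: large DNS responses arriving from many resolvers the victim never queried. The detector below is an added example, not code from the article; it runs over constructed flow summaries in a simple `PROTO SRC:SPORT > DST:DPORT BYTES` format (an assumption for this example, not a real sensor's output) and flags hosts whose inbound DNS response bytes dwarf their outbound query bytes.

```python
import re
from collections import defaultdict

# One flow summary per line (constructed format for this example):
#   PROTO SRC:SPORT > DST:DPORT BYTES
FLOW_RE = re.compile(
    r"^(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)

# Constructed sample: one ordinary client doing two lookups, plus a host that
# receives large responses from eight resolvers it never queried.
SAMPLE_FLOWS = [
    "UDP 192.0.2.20:50001 > 198.51.100.1:53 64",
    "UDP 198.51.100.1:53 > 192.0.2.20:50001 210",
    "UDP 192.0.2.20:50002 > 198.51.100.1:53 64",
    "UDP 198.51.100.1:53 > 192.0.2.20:50002 198",
    "TCP 192.0.2.20:50003 > 198.51.100.7:443 1500",   # unrelated, ignored
] + [f"UDP 203.0.113.{i}:53 > 192.0.2.10:33333 3000" for i in range(1, 9)]


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return {
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]), "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def dns_traffic_profile(lines):
    """Per inside host: bytes it sent as DNS queries, bytes it received as DNS
    responses, and the set of resolvers those responses came from."""
    profile = defaultdict(lambda: {"query_bytes": 0, "response_bytes": 0,
                                   "resolvers": set()})
    for flow in filter(None, map(parse_flow, lines)):
        if flow["proto"] != "UDP":
            continue
        if flow["dport"] == 53:                       # outbound query
            profile[flow["src"]]["query_bytes"] += flow["bytes"]
        elif flow["sport"] == 53:                     # inbound response
            entry = profile[flow["dst"]]
            entry["response_bytes"] += flow["bytes"]
            entry["resolvers"].add(flow["src"])
    return profile


def find_amplification_victims(lines, min_ratio=10.0, min_resolvers=5):
    """Flag hosts whose inbound DNS response volume dwarfs the queries they
    sent and arrives from many distinct resolvers. The thresholds are
    assumptions for this example; tune them to the site's normal DNS profile."""
    victims = []
    for host, p in dns_traffic_profile(lines).items():
        ratio = p["response_bytes"] / (p["query_bytes"] or 1)
        if ratio >= min_ratio and len(p["resolvers"]) >= min_resolvers:
            victims.append((host, round(ratio, 1), len(p["resolvers"])))
    return sorted(victims)


if __name__ == "__main__":
    for host, ratio, n in find_amplification_victims(SAMPLE_FLOWS):
        print(f"{host}: {ratio}x response/query bytes from {n} resolvers")
```

The ordinary client's responses are about three times its queries, well under the ratio threshold, while the victim has no queries at all and responses from eight resolvers. Requiring many distinct resolvers keeps a single chatty resolver, or a host that legitimately pulls large zone data, from tripping the rule on ratio alone.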
9. Layer 7 attacks:
- Goal: target specific functions of a web application.
- Method: An example is a web server that opens a new thread for each connection request; each new connection consumes capacity the server needs to handle more traffic. At some point the server can no longer accept new connections, denying new visitors who want to view its pages.
- Prevention: increasing capacity, cloud computing solutions, optimizing web server’s performance and using front-end proxy.
10. Multi-vector attacks:
This attack simply combines many types of DDoS attacks at the same time to make it more difficult to mitigate the consequences.
How to stop a DDoS attack?
It is clear that there are many types of DDoS attacks. What might be less clear is that you can equip yourself with just as many ways to mitigate the consequences.
- If you can identify the IPs of the computers in the attack: you can put an ACL (access control list) in your firewall to block those IPs, or even block IPs from a particular country if needed.
- Monitor your traffic: this way you can spot the small probing DDoS attacks that attackers use to estimate your network's strength before the real attack.
- Buy more bandwidth, deploy more servers and use good load balancing solutions.
- Optimize your webserver to handle more visitors.
- Enable anti IP spoofing features in your firewall.
- Hire a third-party DDoS protection service to protect your site, or hire a DDoS expert.
- Block ICMP in your router.
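The first two items above, monitoring traffic and then feeding the sources you identify into a firewall ACL, can be chained. The script below is an added example, not code from the article: it parses web server access log lines in the common combined format, counts requests per source in a sliding time window, flags sources that exceed a rate threshold, and renders them as drop rules. The log lines, addresses (documentation ranges), window size and threshold are all constructed or assumed for the demonstration; the `iptables` rule format is standard, but adapt `render_acl` to whatever firewall or ACL you actually use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-format access log line, trimmed to the fields this example needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts.timestamp(),
            "request": m["req"], "status": int(m["status"])}


def flag_sources(lines, window_seconds=10, max_requests=10):
    """Return {ip: timestamp_first_flagged} for sources that exceed
    max_requests within any sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the window
    flagged = {}
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_seconds:
            q.popleft()            # drop hits that fell out of the window
        if len(q) > max_requests and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def render_acl(flagged):
    """Turn flagged sources into firewall drop rules (iptables syntax here;
    adapt to your firewall's ACL format)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def _log_line(ip, second, path="/"):
    # Constructed log line for the demo; all samples fall within one minute.
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: a normal visitor makes five requests over 40 seconds;
# one source hits a search page 30 times in 30 seconds; one line is junk.
SAMPLE_LOG = (
    [_log_line("203.0.113.5", s) for s in range(0, 50, 10)]
    + [_log_line("198.51.100.77", s, "/search?q=x") for s in range(30)]
    + ["garbage line that does not parse"]
)


if __name__ == "__main__":
    for rule in render_acl(flag_sources(SAMPLE_LOG)):
        print(rule)
```

The sliding window matters: a fixed per-minute counter can be gamed by bursting at the boundary between two minutes, whereas the deque always holds exactly the last `window_seconds` of hits. In practice you would also exempt known-good sources (your own monitors, trusted crawlers, as the HTTP flood section notes) before anything reaches the ACL, and expire the rules rather than leaving blocks in place indefinitely.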