What is a DDoS Attack?
Top 5 Types & Examples
Imagine you’re a cafe owner. One day you open up shop and an influx of people rush through your doors. Busy day, you think; good for business. Well, it will indeed be a very busy day, but it won’t be good business. The people are taking up seats but not placing orders. They keep coming, taking up space, and making it difficult for your actual customers to buy anything. Eventually, the influx will completely block your shop’s doorway, denying service to your legitimate customers.
This is what a DDOS attack would be if it were in real life.
Key takeaway: A DDoS attack is designed to take down websites and networks. It is a form of cybercrime that sends a continuous torrent of fake traffic to online services, like websites, until they freeze or break. It is difficult to stop and even the biggest websites have fallen victim to them in the past. Read on to learn about the most common DDoS attacks.
What is a DDoS Attack?
A DDoS attack is an acronym for a Distributed Denial of Service attack. It renders an online service unavailable by bombarding it with traffic from multiple sources.
It is a type of Denial of Service (DoS) attack, which is an attack that comes from a single source: just one network connection or one compromised device. DDoS attacks, in comparison, are attacks that come from multiple sources.
Essentially, a Denial of Service attack is any method of preventing actual users from accessing a network resource. That café example in the earlier analogy can be any sort of online resource: a game server or a website for instance.
When the server or site is under DDoS attack it won’t be able to serve its actual purpose. As the attack overwhelmes that website or game server with fake traffic, the actual traffic—the people who want to join the game server or visit the website—won’t be able to.
Most DDoS attacks are deployed via “botnets,” a network of bots, or an internet-connected network of compromised devices controlled by a hacker. Botnets can number from just a handful of devices to literally millions. Worse, as most botnets use compromised resources, the actual owners of the devices don’t even know they’re being used for DDoS attacks.
Multiplying the sources of attacks amplifies the effectiveness of the attack while also helping conceal the identity of the perpetrator.
Types of DDoS Attack?
To better understand how to stop a DDoS attack, you’ll need to grasp their different types first. DDoS attacks fall under three broad categories, which depend on where the attack is focused:
1. Volume-based attacks – As the name suggests, this type of DDoS attack leverages volume. Volume-based DDoS attacks are also aptly called “floods.” This is the most basic type and is the very definition of a DDoS attack.
2. Protocol attacks – This type of DDoS attack focuses on sending waves of bots to specific protocols: e.g. the web balancers, the firewalls, or the actual web servers that comprise the network resource it is trying to crash.
3. Application attacks – Considered the most serious and sophisticated type of DDoS attack, these attacks target web applications by exploiting vulnerabilities within them. Also called “Layer 7 attacks,” application attacks still function the same way, but they require much less brute force because they focus on weaknesses within the target servers. It takes much less bot traffic to monopolize specific processes and protocols within these weak points, and it also makes the attack much more difficult to detect because the low volume of traffic generated may seem legitimate.
Top 5 Commonly Used DDoS Attacks
These most commonly used DDoS attacks derive from the three broad categories above:
Applications use communications protocols to connect through the internet. The most typically used protocols are Transmission Control Protocol (TCP or sometimes TCP/IP, with IP meaning Internet Protocol) and User Datagram Protocol (UDP or UDP/IP). They send packets of data across the internet to establish connections and send data properly.
A UDP flood is exactly what you would expect: a DDoS protocol attack targeting UDP.
The perpetrator sends the target UDP packets with false information—the targeted network resource will be unable to match the UDP packet with the right associated applications, and will return an error message. Repeat this enough times and the system can become overwhelmed, ultimately becoming unresponsive.
Domain Name Servers (DNS) are computer servers that translate website URLs into their actual IP addresses. For example, when you visit Facebook to check in on your friends and family, you type in Facebook[.]com into your browser. What you’re actually telling your computer is to go to one of Facebook’s IP addresses (Facebook has many, considering how much traffic it needs to accommodate). One such Facebook IP address is 18.104.22.168.
DNS servers translate the website name you know into their actual IP addresses.
So what would happen if you use a DDoS attack to flood DNS servers so they won’t be able to perform this function? That is the goal of a DNS flood.
A SYN request is part of a “three-way handshake” connection sequence done through TCP. Don’t worry, it might sound technical, but it’s pretty straightforward:
First, a SYN (synchronize) request is sent to a host. The host then sends back a SYN-ACK (synchronize-acknowledgment) response. The host that requested the three-way handshake then finalizes the protocol with an ACK (acknowledge) response. What this process does is it allows the two hosts or computers to negotiate how they will communicate moving forward.
A SYN flood stops the three-way handshake at the first part. An attacker sends multiple SYN requests either from fake IP addresses or simply does not respond back to the SYN-ACK response from the target. The targeted system continues to wait for last part of the three-way handshake, the ACK response, for every request.
Do this with enough speed and volume and you can bind the target system’s resources until no new connections can be made, resulting in a denial of service.
HTTP stands for Hypertext Transfer Protocol, and is the foundation of data transfer for the internet. In fact, you should see it in your browser address bar right now, with an additional “S” which stands for secure HTTP.
As with all other protocols, HTTP uses a few request types to send or request information, such as HTTP POST and GET. An HTTP flood is typically used when hackers gain useful information from a website and cover their tracks with a large number of HTTP POST or GET requests to overwhelm the web application or server.
This method uses less bandwidth to execute, but can force servers to max out their resources.
ICMP (Ping) Flood
Internet Control Message Protocol (ICMP) is an error-reporting protocol commonly used by the ping diagnostic utility, among others. Basically, you “ping” a website to check whether you can access it. The ping results can tell you some sorts of problems with connectivity, and from there you can begin to troubleshoot.
A ping sends a small packet of information to the target network resource (e.g. website), and that resource sends a similarly sized packet of information back.
A ping flood is simply a deluge of ping requests, so much that the targeted system’s network bandwidth gets clogged by trying to respond to every request.
Another DDoS attack that uses ping is called the Ping of Death, which instead of using high volumes of similarly sized data packets, circumvents security measures and sends oversized or malformed data packets to overburden the target system.
How to Stop a DDoS Attack
DDoS attacks are hard to identify. A system admin performing maintenance or even a technical problem with particular network resources can produce symptoms similar to a DDoS attack. Still, it is best to stay vigilant and look deeper into unusually slow performance and unavailability of services.
DDoS protection can be set up through network traffic monitoring and analysis via monitored firewalls or intrusion detection systems—these can detect and identify DDoS attacks. System admins can also set up alerts for anomalous traffic activities such as unusually high traffic loads or network packet drops that meet certain criteria.
The bad news is that modern DDoS attacks can be so large and sophisticated that resolving one on your own is next to impossible. You will have to call your ISP or a DDoS mitigation specialist to completely stop the threat.
If you are experiencing an attack, there are a few things you can try that can buy you time to call your ISP or an expert:
- Overprovision bandwidth – increase your bandwidth availability to several times more than your current limit to accommodate for sudden surges in traffic.
- Defend the network perimeter of your own web server – You can mitigate the effects of an ongoing DDoS attack by tweaking some network perimeters:
- Rate limiting your router helps prevent your web server from being overwehlmed.
- Adding filters helps your router identify obvious sources of attacks.
- Create more aggressive timeouts for half-open connections. Some of the most common DDoS attacks take advantage of half-open protocols to clog your bandwidth. More aggressive timeouts help close ongoing DDoS attack vectors.
- Drop malformed and spoofed data packages.
- Set lower drop thresholds for SYN, UDP, and ICMP – three of the most common DDoS attacks.
Once you perform these tweaks, you could buy enough time for your ISP to get a handle on the DDoS attack, or for a mitigation expert to resolve it.
Additionally, internet security companies offer products and services that can help prevent attacks and add layers of DDoS protection. The best way to prevent, identify, and stop DDoS attacks is through DDoS protection software.