DDoS Attack Types & Mitigation Methods


A DDoS (Distributed Denial of Service) attack uses many devices (thousands or even tens of thousands of compromised computers, servers, or IoT devices) to exhaust the resources of a website or server, slowing the service down or knocking it offline entirely, so that it is denied to its legitimate users.

DDoS attacks have become more common in recent years with the rise of cheap DDoS-for-hire services (often sold as "booters" or "stressers"), which make an attack cheap to buy and require no technical skill at all. Essentially anyone can now launch a DDoS attack: a business against a competitor, an ex-employee against a former employer, and so on.

That also means everyone is a potential target. DDoS is no longer a risk only for large companies and services like PlayStation Network or GitHub; smaller companies and even personal blogs are now at risk.

Here, we will discuss some common types of DDoS attacks you should know, as well as how to effectively mitigate against the different types.

Different Types of DDoS Attacks

In general, we can differentiate DDoS attacks into three main types: volumetric, protocol, and application layer. Let us discuss them one by one, as well as some variations for each.

Volumetric-based DDoS

As the name suggests, this type of DDoS attack pushes a very high volume of inbound traffic at the target, with the main objective of saturating the target's network bandwidth (and, secondarily, the CPU and network stack of the servers that have to receive and process every packet).

This is the most basic type of DDoS attack, a contest of raw capacity: the side with more available 'volume' (bandwidth, upstream capacity, resources) wins. If the attacker can generate more traffic than the target's links and providers can carry, the attack succeeds.

Volumetric attacks are the easiest to execute and, given enough capacity, the most straightforward to defend against, although they can still be very damaging. The magnitude of a volumetric DDoS is measured in bits per second (bps), or gigabits per second (Gbps) for large attacks.

Here are some common subtypes of volume-based DDoS attacks:

UDP floods

UDP stands for User Datagram Protocol, and a UDP flood sends a large number of UDP packets to random ports on the target host. For every port with no application listening, the target checks for a listener and then replies with an ICMP (Internet Control Message Protocol) Destination Unreachable message (this is not the 'ping' message, which is ICMP Echo). Because UDP and ICMP are handled at the network and transport layers, UDP floods are classed as layer 3/4 attacks in the OSI model.

Because every packet forces the target to look up a port and generate a reply, the flood eats the target's CPU and bandwidth, and the attack slows down or completely halts the target's services. The source addresses are usually spoofed, so the ICMP replies go to unrelated hosts and cannot be used to identify the attacker.

ICMP floods

ICMP stands for Internet Control Message Protocol, and in this type of attack (also called a ping flood) the attackers send the target a flood of ICMP Echo Request packets (pings), usually from spoofed source IPs. The target spends bandwidth and CPU receiving the requests and sending Echo Replies until it can no longer serve legitimate traffic. This type of attack can be difficult to detect because each incoming ping looks exactly like a legitimate one; the flood is identified by its rate, not by any single packet.
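The two volumetric signatures above can be spotted in flow records (NetFlow, sFlow, or simply packet counts per 5-tuple). As an added example, not code from the article or from DataDome, the following script scores a constructed set of flow records for one 10-second window. The UDP flood shows up as one source fanning out across hundreds of destination ports; the ICMP flood, because its sources are spoofed, shows up only when the rate is aggregated per destination. The thresholds are illustrative assumptions, not tuned production values.

```python
"""Flow-level detection of UDP-flood and ICMP-flood signatures.

Added example, not code from the article or from DataDome. Input is a
constructed list of flow records for one 10-second window; the thresholds
are illustrative assumptions, not tuned production values.
"""
from collections import defaultdict

WINDOW_SECONDS = 10
UDP, ICMP, TCP = 17, 1, 6

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets, bytes).
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", UDP, 53, 40, 4_000),     # ordinary DNS traffic
    ("203.0.113.8", "198.51.100.10", TCP, 443, 120, 90_000),  # ordinary HTTPS traffic
]
# UDP flood: one source sprays 500 distinct random high ports on the target.
SAMPLE_FLOWS += [
    ("192.0.2.55", "198.51.100.10", UDP, 10_000 + p, 60, 30_000) for p in range(500)
]
# ICMP flood: 4,000 spoofed sources each send a few echo requests. No single
# source is noisy, but the aggregate against the one destination is.
SAMPLE_FLOWS += [
    (f"198.18.{i // 256}.{i % 256}", "198.51.100.10", ICMP, 0, 8, 8_000)
    for i in range(4_000)
]


def per_source_stats(flows):
    """Packets per second and the set of UDP destination ports, keyed by source IP."""
    pps = defaultdict(float)
    udp_ports = defaultdict(set)
    for src, _dst, proto, dport, packets, _nbytes in flows:
        pps[src] += packets / WINDOW_SECONDS
        if proto == UDP:
            udp_ports[src].add(dport)
    return pps, udp_ports


def per_destination_icmp_pps(flows):
    """ICMP packets per second keyed by destination; unaffected by source spoofing."""
    pps = defaultdict(float)
    for _src, dst, proto, _dport, packets, _nbytes in flows:
        if proto == ICMP:
            pps[dst] += packets / WINDOW_SECONDS
    return pps


def detect(flows, src_pps_limit=2_000, port_fanout_limit=100, dst_icmp_pps_limit=1_000):
    """Return (kind, key, value) alerts for the window. Thresholds are illustrative."""
    alerts = []
    pps, udp_ports = per_source_stats(flows)
    for src, ports in udp_ports.items():
        if len(ports) >= port_fanout_limit:
            alerts.append(("udp_flood", src, len(ports)))
    for src, rate in pps.items():
        if rate >= src_pps_limit:
            alerts.append(("high_pps_source", src, rate))
    # Per-source limits miss spoofed floods, so also watch the aggregate rate
    # arriving at each destination.
    for dst, rate in per_destination_icmp_pps(flows).items():
        if rate >= dst_icmp_pps_limit:
            alerts.append(("icmp_flood", dst, rate))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Running it reports the UDP sprayer twice (port fan-out and packet rate) and the ICMP flood once, against the destination; none of the 4,000 spoofed ICMP sources trips a per-source threshold, which is why per-source rate limiting alone is not a defence against spoofed volumetric traffic.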

Protocol-based DDoS

The internet is built on protocols, the sets of rules that define how and where streams of data move through a network. This type of DDoS attack exploits weaknesses in those protocols, or in how a server implements them, consuming server resources such as connection tables and buffers and disrupting the service.

These attacks are typically made by sending packets that exploit a protocol's weakness. Because the damage comes from how each packet is processed rather than from its size, the severity of this type of attack is measured in packets per second (pps) rather than in bandwidth.

Some common protocol-based DDoS attacks are:

Slowloris

Slowloris is a highly targeted attack that needs very little bandwidth: it does not flood the target at all, and it does not spread to other hosts or services. The attacker opens many connections to the target web server and holds each one open indefinitely by sending only a partial HTTP request, dribbling out one header line every few seconds so the server never sees the request as either complete or idle. The server keeps these half-finished connections open, waiting for the rest of the request, until its connection pool is exhausted and new connections from legitimate users are refused. Servers that dedicate a thread or process to every connection are the most exposed.
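The defence is a deadline on reading the request headers, independent of whether bytes are still trickling in. As an added example (not code from the article), the script below runs a tiny threaded HTTP server on 127.0.0.1 that gives each connection a fixed number of seconds to deliver a complete header block, then plays a Slowloris-style client that never finishes its headers and an honest client against it. The server, client and timings are all constructed for the demonstration.

```python
"""Slowloris against a web server that enforces a header deadline.

Added example, not from the article. It starts a tiny HTTP server on
127.0.0.1 that gives each connection `header_timeout` seconds to deliver a
complete request header block, then runs a Slowloris-style client (which
never finishes its headers) and an honest client against it.
"""
import select
import socket
import threading
import time

HEADER_END = b"\r\n\r\n"


class HeaderTimeoutServer(threading.Thread):
    """One thread per connection, like a prefork/threaded web server, but with
    a deadline on reading the request headers."""

    def __init__(self, header_timeout):
        super().__init__(daemon=True)
        self.header_timeout = header_timeout
        self.rejected = 0  # connections closed for not finishing headers in time
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def handle(self, conn):
        # Without a deadline this loop blocks for as long as the client keeps
        # dribbling partial header lines: that is the Slowloris weakness. The
        # deadline bounds how long one connection slot can be held.
        deadline = time.monotonic() + self.header_timeout
        buf = b""
        try:
            while HEADER_END not in buf:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise TimeoutError
                conn.settimeout(remaining)
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        except (TimeoutError, socket.timeout):
            self.rejected += 1
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        finally:
            conn.close()


def send_request(port, header_lines, drip_interval, finish):
    """Send a request line, then `header_lines` one at a time with `drip_interval`
    seconds between them. `finish=True` sends the blank line that completes the
    headers; a Slowloris client never does. Returns the server's status line."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(5)
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
        for line in header_lines:
            time.sleep(drip_interval)
            if select.select([s], [], [], 0)[0]:
                break  # the server has already answered (or hung up): stop dripping
            s.sendall(line)
        if finish:
            s.sendall(b"\r\n")
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        return data.split(b"\r\n", 1)[0].decode()
    finally:
        s.close()


def demo(header_timeout=0.5):
    """Returns (slow client's status line, honest client's status line, rejected count)."""
    server = HeaderTimeoutServer(header_timeout)
    server.start()
    slow = send_request(server.port, [b"X-a: 1\r\n", b"X-a: 2\r\n", b"X-a: 3\r\n"],
                        drip_interval=0.4, finish=False)
    honest = send_request(server.port, [b"Accept: */*\r\n"], drip_interval=0.05, finish=True)
    return slow, honest, server.rejected


if __name__ == "__main__":
    print(demo())
```

The slow client gets a 408 once the half-second deadline passes and its slot is freed, so the honest client that follows still gets a 200. Production servers expose the same knob (Apache's mod_reqtimeout RequestReadTimeout, nginx's client_header_timeout); pair it with a cap on concurrent connections per source address, since Slowloris needs hundreds of connections from each attacking host.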

Ping of Death (POD)

A POD attack sends malformed pings (ICMP Echo Requests) to the target host. An IPv4 packet can be at most 65,535 bytes long, but the data-link layer usually limits frames to a much smaller size (1,500 bytes on Ethernet), so a large packet is split into fragments that the receiver reassembles. In a Ping of Death attack, the fragments are crafted so that the reassembled packet is larger than 65,535 bytes. A receiver that does not check this before copying the fragments into its reassembly buffer overflows that buffer, which historically crashed or froze the operating system. Modern operating systems validate the reassembled length, so the classic Ping of Death is largely a historical attack, but it remains the textbook case of a protocol-level flaw exploited with a handful of packets.
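The missing check is easy to state in code. As an added example (not from the article), here is a small IPv4 fragment reassembler that refuses any fragment whose end would lie past the 65,535-byte maximum before it allocates or copies anything, and also rejects gaps and overlapping fragments. Fragments are modelled as (offset in 8-byte units, more-fragments flag, payload), mirroring the IPv4 header fields; the sample fragments are constructed here, not captured.

```python
"""Bounds-checked IPv4 fragment reassembly: the check Ping of Death exploited.

Added example, not from the article. Fragments are modelled as
(offset_units, more_fragments, payload) tuples as in the IPv4 header, where
the 13-bit fragment offset counts 8-byte units. The sample fragments are
constructed here, not captured.
"""
MAX_DATAGRAM = 65_535             # largest IPv4 total length the header can express
MAX_OFFSET_UNITS = (1 << 13) - 1  # 13-bit offset field, so offsets reach byte 65,528


class ReassemblyError(ValueError):
    pass


def fragment_in_bounds(offset_units, payload_len, max_datagram=MAX_DATAGRAM):
    """The Ping of Death check: would this fragment end past the datagram maximum?"""
    if offset_units > MAX_OFFSET_UNITS:
        return False
    return offset_units * 8 + payload_len <= max_datagram


def reassemble(fragments, max_datagram=MAX_DATAGRAM):
    """Reassemble one datagram's payload, rejecting oversize, gaps and overlaps."""
    pieces = []
    total_len = None
    for offset_units, more_fragments, payload in fragments:
        if not fragment_in_bounds(offset_units, len(payload), max_datagram):
            # Refuse before allocating or copying anything: a vulnerable stack
            # copied first and overflowed its reassembly buffer.
            raise ReassemblyError(f"fragment at byte {offset_units * 8} ends past {max_datagram}")
        if more_fragments and len(payload) % 8:
            raise ReassemblyError("non-final fragment length is not a multiple of 8")
        if not more_fragments:
            if total_len is not None:
                raise ReassemblyError("more than one final fragment")
            total_len = offset_units * 8 + len(payload)
        pieces.append((offset_units * 8, payload))
    if total_len is None:
        raise ReassemblyError("final fragment missing")
    buf = bytearray(total_len)
    covered = 0
    for start, payload in sorted(pieces):
        end = start + len(payload)
        if start != covered or end > total_len:
            raise ReassemblyError(f"gap or overlap at byte {start}")
        buf[start:end] = payload
        covered = end
    if covered != total_len:
        raise ReassemblyError("datagram incomplete")
    return bytes(buf)


def is_rejected(fragments):
    """True if the reassembler refuses the fragment set."""
    try:
        reassemble(fragments)
    except ReassemblyError:
        return True
    return False


# Constructed: a 40-byte datagram split into three fragments.
GOOD_FRAGMENTS = [(0, True, b"A" * 16), (2, True, b"B" * 16), (4, False, b"C" * 8)]
# Constructed Ping of Death: the final fragment sits at offset 8191 (byte 65,528)
# and carries 20 bytes, so the datagram would be 65,548 bytes long.
POD_FRAGMENTS = [(0, True, b"\x00" * 8), (8191, False, b"\x00" * 20)]

if __name__ == "__main__":
    print(reassemble(GOOD_FRAGMENTS))
    print("Ping of Death rejected:", is_rejected(POD_FRAGMENTS))
```

Note that the largest legal final fragment at offset 8191 carries 7 bytes (ending exactly at 65,535); one more byte is the oversize case, which is why the check has to be on the computed end offset and not merely on the payload length.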

Application-Layer DDoS

Application-layer attacks target the web application itself rather than the network: they send requests that look like legitimate traffic from human users but are chosen to be expensive for the application to serve, so that the server's processing capacity is exhausted. Also called layer 7 attacks, they are called application-layer because they focus on weaknesses of the web application rather than of the whole network. They can be very hard to detect and mitigate, while at the same time they are relatively easy and cheap for the attacker to execute, because a small number of requests can consume a large amount of server resources.

Here are some of the common application-layer DDoS attacks:

NTP amplification

The attacker abuses public NTP (Network Time Protocol) servers to overwhelm the target with UDP traffic. Small queries (historically the monlist command, which returns a list of up to 600 recent clients of the server) are sent to many NTP servers with the source address spoofed to the target's IP, so every response is delivered to the target instead of the attacker. It is called 'amplification' because the response is far larger than the query, with query-to-response size ratios from around 20:1 to more than 200:1, so a modest amount of attacker bandwidth becomes an overwhelming flood at the target. Strictly speaking the resulting flood is volumetric, reflected through an application-layer protocol, so it is mitigated like other volume-based attacks; operators of NTP servers should additionally disable monlist so their servers cannot be used as reflectors.

GET/POST flood

In this type of attack, the attacker floods a web application with HTTP GET or POST requests that are individually valid: repeatedly fetching a large page or image (GET flood), or submitting forms, searches, or logins that make the backend do real work (POST flood). It requires far less bandwidth than a volumetric attack, and it requires neither spoofed IPs nor malformed packets, because every request has to complete a TCP handshake first; that also makes it easy to launch from a botnet of ordinary hosts.

DDoS Mitigation Methods

Here are the basic approaches to protecting websites and services against various DDoS attack types and mitigating DDoS damage:

Mitigation to Volume-Based Attacks

The main approach to mitigating volumetric DDoS attacks is to divert the incoming traffic into a scrubbing center, a high-capacity network where traffic is analyzed, malicious traffic is dropped, and the clean remainder is forwarded to the origin. Absorbing an attack requires more bandwidth than the attack itself, which is why scrubbing is usually done by a provider or a CDN rather than on-premises. Another approach is to detect malicious traffic as early as possible via behavioral bot detection and block it at the edge, before it reaches the origin.

Mitigation to Protocol Attack

The most effective approach here is to accurately detect bad traffic before it reaches the server and block it: for example, enforcing connection and header read timeouts, dropping malformed or oversized packets, and limiting the number of open or half-open connections per source. Accurately differentiating between legitimate users and malicious traffic is essential to keep false positives low.

Mitigation to Application-Layer Attack

Layer 7 attacks are typically performed by bad bots, so the typical approach is to challenge suspicious clients with a CAPTCHA, a JavaScript test, or a similar challenge that a real browser passes and a simple bot does not, combined with per-client request budgets that make expensive requests (searches, logins, form posts) cost more than static ones. A behavioral bot detection technology such as the one offered by DataDome helps in blocking and preventing today's sophisticated application-layer DDoS attacks.
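The GET/POST flood described earlier and the challenge-based mitigation just above meet in a per-client request budget. As an added example (not DataDome's product code), the script below parses constructed access-log lines in Common Log Format, charges each request against a per-IP token bucket weighted by how expensive the request is for the backend, and escalates a client that keeps overrunning its budget from "allow" to "challenge" (where a real deployment would serve the CAPTCHA or JS test) to "block". The costs, bucket capacity and refill rate are illustrative assumptions.

```python
"""Cost-weighted request budget per client, for HTTP GET/POST floods.

Added example, not DataDome's code. It parses constructed access-log lines
in Common Log Format, charges each request against a per-IP token bucket,
and escalates a client that keeps exceeding its budget from "allow" to
"challenge" to "block". Costs, capacity and refill rate are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def request_cost(method, path):
    """Rough backend cost: POSTs and searches do real work, static files do not."""
    if method == "POST":
        return 10
    if path.startswith("/search"):
        return 5
    if path.startswith("/static/"):
        return 1
    return 2


class TokenBucket:
    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = None

    def take(self, cost, now):
        """Refill for the elapsed time, then spend `cost` if the budget allows."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def evaluate(lines, capacity=60.0, refill_per_sec=2.0, challenge_limit=3):
    """Return one (client_ip, decision) pair per parseable log line."""
    buckets = {}
    overruns = defaultdict(int)
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        ip, ts, method, path, _status, _size = m.groups()
        now = datetime.strptime(ts, TS_FMT).timestamp()
        bucket = buckets.setdefault(ip, TokenBucket(capacity, refill_per_sec))
        if bucket.take(request_cost(method, path), now):
            decision = "allow"
        else:
            # First few overruns get a challenge a browser can pass; persistent
            # overruns are blocked outright.
            overruns[ip] += 1
            decision = "challenge" if overruns[ip] <= challenge_limit else "block"
        decisions.append((ip, decision))
    return decisions


# Constructed log lines: a browsing user, then one host firing 30 POST /search
# requests within the same second.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /static/app.js HTTP/1.1" 200 88210',
    '203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /static/style.css HTTP/1.1" 200 12044',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=ddos HTTP/1.1" 200 7310',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "POST /login HTTP/1.1" 302 0',
] + [
    '192.0.2.99 - - [10/Oct/2023:13:55:36 +0000] "POST /search HTTP/1.1" 200 512'
    for _ in range(30)
]

if __name__ == "__main__":
    for ip, decision in evaluate(SAMPLE_LOG):
        print(ip, decision)
```

With a 60-token budget and POSTs costing 10, the flooding host gets six requests through, is challenged three times, and is blocked for the remaining twenty-one, while the browsing user is never touched. Keying the bucket on client IP is the weak spot: a botnet that spreads its requests thinly across thousands of addresses stays under every per-IP budget, which is why the behavioral signals mentioned above (device fingerprint, session, navigation pattern) are needed on top of plain rate limits.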

End Words

With so many types of sophisticated DDoS attacks, proper mitigation has to detect malicious traffic accurately while still allowing legitimate traffic from real users to reach your site and make their requests. DataDome offers an AI-based behavioral detection technology to detect incoming malicious traffic and requests as early as possible while ensuring a seamless user experience for legitimate users.
