Despite the differences in mechanism, the purpose of a DDoS (distributed denial of service) attack is the same: to deplete the resources of the victim's network. DDoS attacks can be broadly divided into two types: bandwidth depletion and resource depletion. This post aims to give you a broad overview of the various types of DDoS attacks and their prevention techniques.
- Direct flood attack (UDP flood and ping flood): this type of attack targets layers 3 and 4 of the OSI model. The primary aim of a direct flood attack is to overwhelm the target network with malicious traffic so that legitimate users cannot reach it. For example, if your network can withstand 20 GB of traffic and the attacker sends you 21 GB, your network will not be able to handle the extra traffic. Flooding attacks use UDP and ICMP packets to direct traffic towards the target machine.
Prevention: to counter a UDP or ICMP flood you can increase your bandwidth, deploy a pair of load balancers, reflect the attack, and use an IP spoofing prevention mechanism. Alternatively, you can re-route the malicious traffic to a third-party data center by subscribing to a DDoS protection service provider.
- Reflection attack: the idea behind a reflection attack is to spoof the source IP of the packet so that it appears to come from the victim's machine. When the attackers send such spoofed packets to a number of machines, those machines reply to the spoofed address, that is, the IP of the victim. If the victim's network and servers do not have enough resources to cope with the reply packets, they become inaccessible to users.
Prevention: implement anti-spoofing techniques in your network to detect and discard packets with spoofed source IP addresses.
- Smurf and Fraggle attack: both types of attack exploit the router's broadcast address.
In a Smurf attack, a large volume of spoofed ICMP traffic is sent to the target router's broadcast address, whereas a Fraggle attack sends spoofed UDP traffic to the router's broadcast IP address. The goal of both attacks is the same: to make the network inoperable.
Prevention: configure your router and other network devices properly so that nobody can exploit your router's IP broadcast facility.
- (TCP) SYN flood attack: a TCP SYN attack takes advantage of the TCP three-way handshake, in which a client sends a request (a SYN, or synchronize, packet) to a server, the server responds with a SYN-ACK packet, and the client then sends an ACK packet to complete the connection. In this type of attack, the client never sends the final ACK. If the server does not receive an ACK it waits for some time, keeping its resources tied up listening for the ACK. When all of the server's resources are exhausted, it cannot accept any more new connection requests, making it unavailable to users.
Sometimes the attackers send SYN packets with spoofed source IP addresses, making the server respond to a client that never sent it a SYN request. Since the host behind the spoofed IP never sent any SYN, it never answers the server's SYN-ACK.
Prevention: you can implement a number of methods to fight SYN flood attacks, such as filtering, increasing the backlog, reducing the SYN-RECEIVED timer, recycling half-open TCP connections, SYN caching, SYN cookies, firewalls, etc. You can read more about SYN flood mitigation techniques in RFC 4987.
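SYN cookies are the mitigation on that list that removes the half-open state from the server entirely: the server encodes everything it needs into the initial sequence number of its SYN-ACK and only recovers it when the final ACK arrives. The Python below is an added example written for this post, not code from the original article or from any operating system's TCP stack. It implements a simplified cookie (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash over the connection 4-tuple); the secret, the MSS table and the 64-second counter period are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret for this example; a real server would rotate it.
SECRET = b"example-syn-cookie-secret"

# The 3-bit MSS field can encode only a few values, so the cookie stores the
# index of the largest table entry not exceeding the MSS the client announced.
MSS_TABLE = (536, 1300, 1440, 1460)

COUNTER_PERIOD = 64  # seconds per step of the 5-bit time counter


def _tag(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Build the 32-bit initial sequence number sent in the SYN-ACK.

    Layout: [5 bits time counter][3 bits MSS index][24 bits keyed hash].
    The server stores nothing for the half-open connection; the cookie
    itself carries the state, so a flood of SYNs cannot fill a backlog.
    """
    counter = (int(now) // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    tag = _tag(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (mss_idx << 24) | tag


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the final ACK of the handshake.

    Returns the MSS to use for the connection, or None if the cookie is
    stale, forged, or does not belong to this 4-tuple. The client
    acknowledges ISN + 1, so the cookie is recovered as ack_num - 1.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF

    # Accept the current counter value and the previous one only, so an old
    # cookie cannot be replayed indefinitely.
    current = (int(now) // COUNTER_PERIOD) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _tag(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    client, server = ("203.0.113.5", 40000), ("198.51.100.10", 443)
    isn = make_syn_cookie(*client, *server, client_mss=1460, now=1_000_000)
    # Legitimate client completes the handshake a few seconds later.
    print(check_syn_cookie(*client, *server, ack_num=isn + 1, now=1_000_003))
    # An ACK for the same cookie from a different source address fails.
    print(check_syn_cookie("203.0.113.6", 40000, *server, ack_num=isn + 1, now=1_000_003))
```

The price of statelessness is visible in the code: TCP options other than the MSS are lost because there is no room for them in the sequence number, and the keyed hash is only 24 bits, which is why real stacks enable cookies only once the backlog is under pressure rather than for every connection.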
- HTTP flood (web spidering): this type of attack uses web spiders to crawl websites in order to exhaust the server's resources.
Prevention: make sure that you allow only well-known bots, such as Googlebot or Bingbot, to crawl your website.
- PUSH and ACK attack: this type of attack is similar to a SYN flood. The only difference between a PUSH and ACK attack and a SYN flood is that the former sends TCP packets with the PUSH and ACK bits set to one, which makes the target machine load the data into its buffer and send back an acknowledgement packet. When the number of TCP packets with the PUSH and ACK bits set exceeds the capacity of the victim machine's buffer, it overloads the target machine and causes it to crash.
- Land attack: in this type of attack an IP packet is crafted in which the source address and source port are the same as the destination address and destination port. A Land attack makes the target machine reply to its own packets, eventually causing the system to crash.
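The anti-spoofing filtering recommended for reflection attacks, the broadcast-address hardening recommended for Smurf and Fraggle, and the Land packet just described all reduce to the same address sanity checks at the network border. The Python below is an added example written for this post, not code from the original article or from any router vendor; it models those three checks as a single packet filter. The two internal prefixes, the packet fields and the "in"/"out" direction labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields the filter needs; for ICMP the ports are 0."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Constructed topology: the prefixes that legitimately sit behind the
# internal interface of the border router in this example.
INTERNAL_PREFIXES = (
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
)

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def drop_reason(pkt, direction):
    """Return why the border filter drops pkt, or None to forward it.

    direction is "in" for packets arriving from the Internet and "out"
    for packets leaving the internal network.
    """
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)

    # Land attack: source and destination address and port are identical.
    if src == dst and pkt.src_port == pkt.dst_port:
        return "land"

    # Anti-spoofing (ingress/egress filtering): a packet from the Internet
    # must not claim an internal source, and an outbound packet must carry
    # one; both directions matter, the second stops your own hosts being
    # used as reflection sources.
    src_is_internal = any(src in net for net in INTERNAL_PREFIXES)
    if direction == "in" and src_is_internal:
        return "spoofed-internal-source"
    if direction == "out" and not src_is_internal:
        return "spoofed-external-source"

    # Smurf/Fraggle: never forward anything aimed at a subnet's broadcast
    # address or at the limited broadcast address across the border.
    if dst == LIMITED_BROADCAST or any(
        dst == net.broadcast_address for net in INTERNAL_PREFIXES
    ):
        return "directed-broadcast"
    return None


def filter_packets(packets, direction):
    """Apply drop_reason to a batch; returns (forwarded, dropped_with_reasons)."""
    forwarded, dropped = [], []
    for pkt in packets:
        reason = drop_reason(pkt, direction)
        if reason is None:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, reason))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample of inbound packets, not captured traffic.
    inbound = [
        Packet("203.0.113.9", 40000, "192.0.2.10", 80, "tcp"),
        Packet("192.0.2.10", 40000, "192.0.2.5", 80, "tcp"),
        Packet("203.0.113.9", 0, "192.0.2.255", 0, "icmp"),
        Packet("198.51.100.7", 139, "198.51.100.7", 139, "tcp"),
    ]
    forwarded, dropped = filter_packets(inbound, "in")
    print(len(forwarded), "forwarded")
    for pkt, reason in dropped:
        print("dropped", pkt.src_ip, "->", pkt.dst_ip, reason)
```

On real equipment these checks are expressed as interface ACLs or unicast reverse-path forwarding rather than Python, but the decision logic is the same, and the direction argument is the part most often forgotten: filtering only what comes in protects you, filtering what goes out protects everyone else.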
- DNS amplification attacks
The attacker sends DNS queries with a spoofed source IP address (the IP address of the victim's machine) to a number of open DNS resolvers. The resolvers send all of their responses to that spoofed IP, which is the victim's. Since the packet size of a DNS response is normally 50 times greater than that of the request, the victim's machine gets overwhelmed with responses once a large number of resolvers start replying.
To prevent DNS reflection attacks, use anti-spoofing techniques and load balancers, or spread the attack traffic across your other servers with the help of anycast IP addresses.
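The asymmetry described above is also what makes this attack easy to spot from the victim's side: a reflected host receives large DNS answers from many resolvers it never queried. The Python below is an added example written for this post, not code from the original article or from any flow-collection product; it runs that check over unidirectional UDP flow summaries of the kind a NetFlow or IPFIX exporter produces. The flow records, the 10:1 byte ratio and the five-resolver threshold are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow summary, as a flow collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    byte_count: int


def dns_amplification_suspects(flows, ratio_threshold=10.0, min_resolvers=5):
    """Flag hosts receiving far more DNS response bytes than they send in queries.

    A reflected victim sends no queries at all, so its ratio is enormous and
    the answers arrive from many distinct resolvers. A normal client, or one
    that received a single large answer to a real query, fails one of the two
    conditions and is not flagged.
    """
    query_bytes = defaultdict(int)     # bytes of queries sent by each host
    response_bytes = defaultdict(int)  # bytes of responses received by each host
    resolvers = defaultdict(set)       # distinct resolvers answering each host

    for f in flows:
        if f.src_port == 53:
            response_bytes[f.dst_ip] += f.byte_count
            resolvers[f.dst_ip].add(f.src_ip)
        elif f.dst_port == 53:
            query_bytes[f.src_ip] += f.byte_count

    suspects = {}
    for host, rbytes in response_bytes.items():
        ratio = rbytes / max(query_bytes.get(host, 0), 1)
        if ratio >= ratio_threshold and len(resolvers[host]) >= min_resolvers:
            suspects[host] = {
                "response_bytes": rbytes,
                "resolver_count": len(resolvers[host]),
                "ratio": round(ratio, 1),
            }
    return suspects


def sample_flows():
    """Constructed flow records for the example, not captured traffic."""
    flows = [
        # Ordinary lookup: small query, modest answer.
        Flow("192.0.2.10", 51000, "198.51.100.53", 53, 60),
        Flow("198.51.100.53", 53, "192.0.2.10", 51000, 200),
        # One large answer from a single resolver: high ratio, but the host
        # did ask, and only one resolver replied, so this is not reflection.
        Flow("192.0.2.11", 51001, "198.51.100.53", 53, 60),
        Flow("198.51.100.53", 53, "192.0.2.11", 51001, 4000),
    ]
    # Reflected victim: never sent a query, answered by six open resolvers.
    for i in range(1, 7):
        flows.append(Flow(f"203.0.113.{i}", 53, "192.0.2.20", 40000 + i, 3000))
    return flows


if __name__ == "__main__":
    for host, info in dns_amplification_suspects(sample_flows()).items():
        print(host, info)
```

Lowering `min_resolvers` to 1 would also flag the host that received one 4000-byte answer, which shows why the resolver-count condition is needed alongside the byte ratio: a single large legitimate answer has a high ratio but does not come from many sources.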
- Layer 7 attacks
This is also known as an application-level DDoS attack, in which specific functions of a web application are targeted. For example, web servers keep opening a new thread for each connection request, and each new connection consumes some of the server's capacity to handle more traffic. At some point the server becomes unable to accept new connections, turning away new visitors who want to view its web pages. The same situation can also occur when your site becomes popular or receives a sudden spike in traffic from social media.
The way to protect your server against resource-exhaustion attacks is to add more capacity or buy an on-demand cloud computing solution, optimize your web server's performance, and deploy a front-end proxy such as Nginx.
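A front-end proxy mitigates both the HTTP flood and the layer 7 case above mainly by rate limiting each client before a request reaches the application's expensive functions. The Python below is an added example written for this post, not code from the original article or from Nginx; it implements a per-client token bucket in which costly endpoints consume more of a client's budget, and replays a constructed access log through it. The endpoint cost table, the rate of 5 tokens per second with a burst of 10, and the two clients in the log are all constructed for illustration.

```python
from collections import defaultdict

# Constructed cost table for this example: the expensive application
# functions a layer-7 flood tends to hammer draw more from a client's budget.
ENDPOINT_COST = {"/search": 3, "/login": 5}


class TokenBucket:
    """Token bucket kept in integer thousandths of a token to avoid float drift."""

    def __init__(self, rate_per_sec, burst, now_ms):
        self.rate = rate_per_sec      # thousandths of a token added per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = now_ms

    def take(self, now_ms, cost=1):
        """Refill for the elapsed time, then spend cost tokens if available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        need = cost * 1000
        if self.tokens >= need:
            self.tokens -= need
            return True
        return False


class PerClientLimiter:
    """One bucket per client address, created lazily on first request."""

    def __init__(self, rate_per_sec=5, burst=10):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}

    def allow(self, client_ip, path, now_ms):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.take(now_ms, ENDPOINT_COST.get(path, 1))


def replay(requests, rate_per_sec=5, burst=10):
    """Run (timestamp_ms, client_ip, path) records through the limiter.

    Returns {client_ip: {"allowed": n, "rejected": m}}.
    """
    limiter = PerClientLimiter(rate_per_sec, burst)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for now_ms, client_ip, path in sorted(requests):
        verdict = "allowed" if limiter.allow(client_ip, path, now_ms) else "rejected"
        stats[client_ip][verdict] += 1
    return dict(stats)


def sample_requests():
    """Constructed access log: one visitor browsing normally, one flooding /search."""
    browsing = ["/", "/search", "/login", "/", "/search", "/", "/", "/login"]
    normal = [(1000 * i, "192.0.2.10", path) for i, path in enumerate(browsing)]
    flood = [(100_000 + 10 * k, "203.0.113.77", "/search") for k in range(100)]
    return normal + flood


if __name__ == "__main__":
    for client_ip, counts in replay(sample_requests()).items():
        print(client_ip, counts)
```

The browsing client is never throttled because a one-second gap refills its bucket to the cap, while the flooder gets its burst and little more. In a deployment the bucket table needs an expiry for idle clients, and when the traffic comes from a genuine popularity spike rather than an attack the same limiter still protects the application threads, which is the point the paragraph above makes about both cases looking alike to the server.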
- Multi-Vector Attacks
It is not a specific type of attack; rather, it is a technique that uses several types of DDoS at the same time. Instead of attacking a server using only a SYN flood, the attacker can use DNS reflection attacks and UDP and ICMP floods as well. You need to remember that multi-vector attacks are more concerted and more difficult to mitigate.