We are living in an age where cyber criminals and hackers are increasing in number and skill, and the intensity and global reach of their attacks is strengthening. Cyber criminals target a huge range of online services and resources through Distributed Denial of Service (DDoS) attacks, from major news websites to financial services organisations, and can be a major challenge for IT teams to divert and defend against these attacks.
To make things even more complex, there are several different types of DDoS attacks that cyber criminals may use to target your organisation.
DDoS attack can be classified into two types; volumetric attacks and targeted attacks.
A volumetric attack is where the attackers flood internet pipes with traffic to block normal activity or overwhelm firewalls and other infrastructure components.
A targeted attack is where an attack hones in on specific web applications with the purpose of overloading the CPU of an application server or using up all of its memory. The purpose of these attacks is to negatively affect the performance of an online asset and can often bring an entire website down.
Under these two umbrella groups, the specific types of attacks include:
Volumetric Transport Attack Protection
This is the most basic category of DDoS attacks, and happens in the IP transport layer. It includes Smurf and Blacknurse attacks. A Smurf attack is where large numbers of Internet Control Message Protocol (ICMP) request packets (also known as ‘pings’) are sent out in an IP broadcast network. Ping requests prompt a response from every host, which amplifies the attack and enhances its impact. A Blacknurse attack is also an ICMP ping attack, but orchestrated via low bandwidth. It can take down firewalls and routers.
Malformed packet attacks occur when data packets with abnormal information are sent to service. Types of malformed packets can be:
TCP flag NULL or TCP fragment. Attacks with malformed packet payloads cause the victim’s devices to slow down and re-request a correct copy of the packet, which is never delivered.
Layer 4 Volumetric attacks
These include UDP and TCP floods, Local IP abuse attack, TCP RST and SYN flood attacks. These attacks force the victim device to look for applications running on many ports. The DDoS attacks sends requests which render the victim’s device unable to respond to legitimate TCP and UDP requests.
Volumetric Layer 7 application attacks
These are complex and multi-vector attacks, and new types are being developed every day.
Asymmetric session floods
An asymmetric attack occurs when an attacker causes a large number of resources to malfunction or fail; but does so with a relatively small number or low level of resources. This type of attack is referred to as ‘asymmetric’ as the attacker is often much smaller than the ‘defender’, but still highly effective. With an asymmetric session flood attack, the attacker sends a large number of “SYN” requests to a target’s system so that they will consume a large number of server resources and make the system unresponsive to legitimate traffic.
Low and slow attacks
These are attacks which use low bandwidth and communicate with an application in a slow manner. They can often go undetected by traditional DDoS prevention services. Examples of such attacks include Slowloris and Slow Post. A Slowloris attack allows a single machine to target another machine’s web server with very minimal bandwidth, and very few side effects on unrelated ports and services. It involves sending very small data bytes to another machine, continually, until the server has too many concurrent connections and is overloaded. Similarly, with Slow Post (or Slow HTTP) attacks, attackers send a series of single HTTP requests, slowly, and to a web server. If an HTTP request isn’t complete or if there is a low transfer rate, the server keeps its resources busy and becomes overwhelmed and times out.
Reflection and amplification attacks
Reflection attacks work by mimicking the target service by sending the same data it serves out back to it as a form of response. Amplification attacks work in a similar way by requesting a large amount of response data from a small query and directing that response to the victim server. Both of these attacks work by utilising spoofed source IP addresses with DNS amplification attacks being the most common. Some of the largest DDoS attacks seen in recent years have involved DNS amplification as one of the attack vectors.
Some attacks simply search out and exploit existing software based vulnerabilities in customer systems.
We can help you protect your organisation against DDoS with our fully managed Distributed Denial of Service (DDoS) protection service, offering defence against both volumetric and targeted attacks. We’d love to hear from you, call us on 02 9199 0888 or email firstname.lastname@example.org.