An Analysis of DDoS Attacks

Distributed denial of service (DDoS) attacks have become a growing problem since the first attacks began to appear in the late 1990s. As the scale has grown, larger DDoS attacks have become measured in terabits of malicious traffic per second, which has cost victims a lot. Kaspersky estima

Distributed denial of service (DDoS) attacks have become a growing problem since the first attacks began to appear in the late 1990s. As the scale has grown, larger DDoS attacks have become measured in terabits of malicious traffic per second, which has cost victims a lot. Kaspersky estimates that an average managed ddos services incident costs the company $ 2 million.

At first glance, DDoS attacks seem very simple. Many compromised computers start talking to the destination computer, overwhelming their computing resources and Internet bandwidth. In reality, not all DDoS attacks are created equal. Understanding the differences helps reduce risk and protect your business.

Attack types can be divided into three main categories.

Volume Attack

These are the simplest attacks that block the network connection to the attacker's server with brute force. These typically operate on the bottom network and the transport layers of the network stack. Here are some examples of these attacks.

  • ICMP or ping flood attacks squeeze the server by sending ICMP echo request packets.
  • UDP floods use the User Datagram Protocol to point to servers on random ports in ICMP requests. If the server cannot find an application that listens on the port, the server sends a "destination unreachable" packet. This limits server resources and network bandwidth.

This is an example of an attack that can also be "mirrored" by sending a request to a large number of servers and spoofing the source address of the request with the victim's address. All responses from the server flood the victim's network.

Protocol Attack

Protocol attacks take advantage of protocol features at layers 3 and 4 of the network stack, forcing a server or firewall to respond and bind its resources. There are several types:

SYN floods use TCP SYN requests to make network connections. The standard method of protocol handling for these requests is to force the server to respond and then listen for acknowledgments, leaving all connections half open. Ping of Death attacks send large network packets to your computer and break them up into chunks. When the victim reassembles them, some hosts may crash because they are larger than the allowed packet size.

Application Layer Attack

These attacks target the top layers of the network stack, can take up large amounts of system resources, and are difficult to detect, resulting in many actions. Here are some examples to consider:


  • HTTP binds the server by flooding it with HTTP GET or POST requests and forcing it to serve meaningless requests. Slowloris is an attack tool that specializes in sending HTTP traffic. The attack has different levels of sophistication, including random HTTP floods that avoid hitting the same page every time, and the cache prevents HTTP floods that try to prevent requests for cached web pages.
  • Large payload POST attacks load large files through POST requests, further tying up server resources.
  • A slow POST attack sends HTTP requests slowly. This forces the target to wait for the resource to arrive, not only to process the request, but for everything to arrive.
  • Attacks targeting applications can exploit vulnerabilities in certain applications to block an online application, causing a buffer overflow or blocking all CPU resources and causing the application to crash.

The more attackers climb the stack, the more dangerous the technique will be. In some cases, it may not be necessary to spread Layer 7 attacks too widely, as some computers can wreak havoc on the system.

Dark DDoS

Traditionally, all of these attacks have focused on disconnecting the victim's system. The attackers had various motivations, including ideology (attacks on organizations that disagreed), financial (withdrawing money from victims), and self-centered (engaging in a form of sport). But recently another reason has come up. DDoS as a distraction mechanism.

In some cases, the attacker's intention is not to harm the network, but to harm it by attacking the network administrator with enough resources to cause the problem. An attack could flood the protection system with enough traffic, put it in safe mode, and pass the traffic unfiltered.

These sub-Gb / s attacks can also create enough work to divert an administrator from another attack on the network that could steal data. If an administrator finds these attacks, called "dark DDoSs" or low-threshold subsaturation attacks, it's worth checking the net to see if anything else is happening.

DDoS Protection

How can companies protect themselves from DDoS attacks? Installing signature-based firewalls and routers can block known malicious traffic and protect your server from overload. Supplement these with a load balancer and spread the jobs across multiple servers.

Businesses must stay in close contact with hosting, cloud service providers, and ISPs to mitigate these attacks. In addition to assisting companies in the above ways, service partners can also advise on building website architectures that balance the load on different servers. Multiple cloud deployments that allow businesses to failover between different service providers are also helpful.

Finally, another defense is a cloud-based anti-DDoS solution. These services are available from multiple providers and can analyze and eliminate traffic before it reaches the target infrastructure, preventing DDoS attackers from damaging it.

By taking a defense-in-depth approach and working closely with infrastructure partners, companies can minimize the chances of successful DDoS attacks and mitigate the impact of anything that goes through them. Once attackers have implemented these attacks at will, using standard tools, it is time to defend them.