In The Art of War, Chinese military strategist Sun Tzu famously said that if you know your enemy, and you know yourself, you will not be imperiled in a hundred battles. Sun Tzu lived in the 6th century BCE, well before DDoS attacks were ever thought of, but not only does his advice ring true for these attacks, he also seems to know just how many attacks are being aimed at some organizations.
There are plenty of delightful tidbits to be uncovered about these powerful and pervasive attacks, but where the education needs to begin is at their very core. Here’s what you need to know about the three main types of DDoS attacks.
Every type of DDoS attack
As mentioned, there are three main types of distributed denial of service or DDoS attacks: application layer, volumetric, and protocol. Regardless of which type of attack is being used, the goal is the same: to overwhelm a target website with malicious traffic to take it offline and keep its users from being able to access it.
Every DDoS attack results in frustrated users, some of whom take to social media to loudly complain, and many of whom experience a loss of trust or loyalty. Some DDoS attacks are powerful enough to also cause hardware or software damage. Even worse, some are used as a distraction meant to occupy security employees while a hack or data theft is occurring.
Distributed denial of service attacks come from botnets, which are large networks made up of infected devices that can be controlled remotely by the people using the botnets. All of these devices give attackers a huge amount of computing power which can be aimed at target websites in the form of malicious traffic. Where and how that traffic is aimed depends on which type of attack it is.
DDoS attack type #1: application layer attacks
The application layer of a website or online service is the part that interacts with end users. In order for application layer attacks to successfully get to the target server, the malicious requests are usually made to resemble the requests that would come from legitimate users, such as repeated requests to load a graphic or web page.
Since request-response is one of the basic ways computers communicate with each other, application layer attacks are measured in requests per second (rps). These attacks are most effective and efficient when the requests sent by the botnet require a large or complex response from the server, tying up the memory and CPU to easily render the server unavailable to users. With memory and CPU being finite resources, application layer attacks require less computing power than other types of DDoS attacks.
Popular or well-known types of DDoS attacks that fall under the application layer heading are HTTP floods and reflective DNS amplification attacks.
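Because application layer attacks are measured in requests per second, a first defensive check is to compute each client's rps from the web server's own access log and flag anyone far above a normal browsing rate. The following Python is an added example, not part of the original post; the log lines are constructed in the common Apache/Nginx layout and the 5 rps ceiling is an assumed value to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common access-log layout: client, identd, user, [timestamp] "request" status size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW_SECONDS = 1.0   # the post's unit of measure: requests per second
THRESHOLD_RPS = 5      # assumed per-client ceiling; tune to the site's real traffic

# Constructed sample: one client re-requesting the same image seven times in one
# second, alongside two ordinary visitors.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
] + [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /logo.png HTTP/1.1" 200 20480'
    for _ in range(7)
] + [
    '192.0.2.9 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /logo.png HTTP/1.1" 200 20480',
]

def parse_line(line):
    """Return (client_ip, timestamp, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_flooders(lines, window=WINDOW_SECONDS, threshold=THRESHOLD_RPS):
    """Return {client_ip: peak_rps} for clients that exceed the threshold in any
    sliding window. Lines are expected in time order, as a live log tail is."""
    recent = defaultdict(deque)  # client -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _path = parsed
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() >= window:  # evict expired entries
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: rps for ip, rps in peak.items() if rps > threshold}

if __name__ == "__main__":
    print(find_flooders(SAMPLE_LOG))  # {'203.0.113.7': 7}
```

Access logs only have one-second resolution, so a window shorter than a second cannot be measured from them; for finer granularity the same logic runs over a packet capture or a reverse proxy's request stream.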
DDoS attack type #2: volumetric attacks
The application layer isn’t the only layer of the OSI model that gets targeted by DDoS attacks. The network layer also gets nailed, and one of the types of DDoS attacks that takes aim at it is the volumetric attack, measured in gigabits per second (Gbps) or bits per second (bps).
Volumetric DDoS attacks are the heavy hitters of the DDoS world, aiming to saturate the bandwidth of the target with a massive amount of malicious traffic. These attacks have become more common and easier to accomplish with the advent of Internet of Things botnets that take advantage of lax security in the IoT. The havoc wreaked by the Mirai botnet last fall (such as the Dyn and Brian Krebs attacks) is a good example of volumetric attacks at work.
Common types of volumetric DDoS attacks include DNS amplification, NTP amplification, and UDP and TCP floods.
DDoS attack type #3: network protocol attacks
Network protocol attacks also tend to take aim at the network layer, and they do so by exploiting vulnerabilities in the set of rules used to exchange information on the internet. By exploiting these vulnerabilities, network protocol attacks can consume a target’s processing capability or exhaust critical resources like firewalls, resulting in a disruption of service for legitimate users.
For instance, there is a rule governing the size of packets being exchanged over the internet. However, this rule doesn’t actually prevent packets that are too big from being sent. Ping of Death is a network protocol DDoS attack that sends a much-too-large packet in a series of fragments, and when the target system reassembles the packet, the memory buffers overflow and there is no memory left for legitimate packets.
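The fix for Ping of Death is a bounds check in the reassembly code: the IPv4 total-length field is 16 bits, so no legitimate datagram can exceed 65535 bytes, and a fragment whose offset plus payload length would land past that ceiling is dropped before anything is copied. The Python below is an added example of such a reassembler, not code from the original post; the fragments fed to it are constructed, and it assumes fragments do not overlap.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits, so this is the ceiling

@dataclass
class Fragment:
    """One IPv4 fragment: offset in 8-byte units, more-fragments flag, payload bytes."""
    offset_units: int
    more_fragments: bool
    payload: bytes

class Reassembler:
    """Rebuild one datagram from non-overlapping fragments, never growing the
    buffer past the largest datagram the protocol allows."""

    def __init__(self):
        self.buffer = bytearray()
        self.received = 0       # payload bytes accepted so far
        self.total = None       # set when the last fragment (MF=0) arrives
        self.dropped = 0

    def add(self, frag):
        start = frag.offset_units * 8
        end = start + len(frag.payload)
        # The check that defeats Ping of Death: validate the reassembled size
        # from the header fields before a single byte is copied into the buffer.
        if end > MAX_IP_DATAGRAM:
            self.dropped += 1
            return False
        if end > len(self.buffer):
            self.buffer.extend(bytes(end - len(self.buffer)))
        self.buffer[start:end] = frag.payload
        self.received += len(frag.payload)
        if not frag.more_fragments:
            self.total = end
        return True

    def complete(self):
        return self.total is not None and self.received == self.total

if __name__ == "__main__":
    # Constructed benign datagram: two 8-byte fragments at offsets 0 and 1 (unit = 8 bytes).
    ok = Reassembler()
    ok.add(Fragment(0, True, b"A" * 8))
    ok.add(Fragment(1, False, b"B" * 8))
    # Constructed oversized fragment: offset 8189 * 8 = 65512 plus 100 bytes would
    # end at 65612, past the 65535 ceiling, so it is refused and the buffer stays empty.
    bad = Reassembler()
    print(ok.complete(), bad.add(Fragment(8189, False, b"C" * 100)), bad.dropped)  # True False 1
```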
In another example of a network protocol attack, an attacking botnet will send connection requests called SYN messages to the target server. The target server then replies with SYN acknowledgments, or SYN-ACK messages. With this step completed, connections are opened. In a SYN flood attack, these connections are left open, binding up server resources while the server waits for a response that will not come. Both the SYN flood and Ping of Death are common types of network protocol attacks, which are measured in packets per second (pps).
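A server defending against a SYN flood needs to know which sources are piling up half-open connections, that is, SYNs the server answered with a SYN-ACK that were never completed by the client. The Python below is an added example, not part of the original post: it tracks half-open connections per client and computes the bare-SYN rate in packets per second over a constructed packet summary; the limit of 10 half-open connections per source is an assumed value.

```python
from collections import Counter

# Constructed packet summaries as (time_s, client_ip, tcp_flags) as seen by the
# server; S = SYN, A = ACK. Two clients finish their handshakes, one sends 40
# SYNs in 0.4 seconds and never answers the server's SYN-ACKs.
SAMPLE_PACKETS = [
    (0.00, "198.51.100.4", "S"),
    (0.05, "198.51.100.4", "A"),
    (0.10, "192.0.2.9", "S"),
    (0.12, "192.0.2.9", "A"),
] + [(0.20 + i * 0.01, "203.0.113.7", "S") for i in range(40)]

def is_bare_syn(flags):
    """A client's connection request carries SYN without ACK."""
    return "S" in flags and "A" not in flags

def half_open_per_source(packets):
    """Count, per client, the SYNs whose handshake the client never completed."""
    pending = Counter()
    for _ts, src, flags in packets:
        if is_bare_syn(flags):
            pending[src] += 1            # server now holds a half-open connection
        elif "A" in flags and pending[src] > 0:
            pending[src] -= 1            # client's ACK completes the handshake
    return pending

def syn_rate_pps(packets):
    """Bare SYNs per second across the capture: the pps figure the post mentions."""
    times = [ts for ts, _src, flags in packets if is_bare_syn(flags)]
    if not times:
        return 0.0
    span = max(times) - min(times)
    return len(times) / span if span > 0 else float(len(times))

def flag_syn_flood(packets, max_half_open=10):
    """Sources holding more half-open connections than a normal client ever would.
    The limit is an assumed value; real deployments size it to the listen backlog."""
    return {src: n for src, n in half_open_per_source(packets).items() if n > max_half_open}

if __name__ == "__main__":
    print(flag_syn_flood(SAMPLE_PACKETS), round(syn_rate_pps(SAMPLE_PACKETS), 1))
```

In production the same accounting is what SYN cookies and backlog limits automate inside the kernel; the explicit version here shows what is being counted.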
More in common
Different though these attacks may be, sophisticated attackers will often combine these attack types into one DDoS mess that can easily leave a website crippled. Whether used together or on their own, one more thing these attack types have in common is that they require professional DDoS mitigation.
Distributed denial of service mitigation that combines a scalable and powerful approach to dealing with volumetric attacks, granular traffic analysis for sussing out sneaky application layer attacks, and a careful and proactive approach to eliminating those protocol vulnerabilities is the only type of mitigation that effectively protects against all three main types of DDoS attacks. This is essential, because DDoS attacks are more common than ever, and rare is the website that isn’t at risk. As Sun Tzu said, the art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him. “Consider DDoS protection that’s cloud-based,” he did not add, but may have, had he lived in our time.