Types of DDoS attacks and optimal DDoS prevention

DDoS attacks are generally categorized into three main types: volumetric, protocol, and application. Some attacks do not fall entirely into these categories, and attackers often combine multiple methods to increase complexity and make prevention more difficult. DDoS occurs when an attacker uses multiple devices to overwhelm resources, disrupting legitimate access to a website, application, or online service.

See more: The increasing risk of DDoS attacks in Vietnam with over 800,000 exposed surveillance cameras

1. Volumetric DDoS Attacks

Volumetric DDoS Attacks model

Volumetric DDoS attacks attempt to overload the capacity of resources. Servers become flooded with requests, networks become congested with traffic, and databases can be overloaded with calls. On the internet, a DDoS attack aims to deplete the bandwidth of the attacked website, and the intensity of the attack is often measured in bits per second. Volumetric DDoS attacks include various types of flood attacks (UDP, CharGen, ICMP) and application abuse.

Common types of volumetric DDoS attacks include:

1.1. UDP Flood Attack

The User Datagram Protocol (UDP) does not establish a two-way session with the server but only sends data packets without waiting for a response. This characteristic creates an ideal environment for flood attacks, when the attacker tries to send enough packets to overload a server listening for legitimate UDP traffic. Attackers target servers on the internet or within a specific network through IP addresses and ports embedded in UDP packets. The goal of the attack is to overload the server or consume network bandwidth.

Specific UDP Flood attacks can use:

• Domain Name Service (DNS)
• Network Time Protocol (NTP)
• Simple Service Discovery Protocol (SSDP)
• Multimedia data such as audio or video
• NetBIOS
• Peer-to-peer (P2P) networks like BitTorrent or Kad packets
• Simple Network Management Protocol (SNMP)
• Quote of the day (QOTD)
• Video game specific protocols like Quake and Steam

Variations of the UDP Flood attack include:

• UDP Fragmentation Flood: This variant sends large fragmented UDP packets to the victim server. The server will try to assemble the unrelated, forged, and fragmented UDP packets, which can lead to overload during this process.
• UDP Amplification Attack: Instead of using many compromised devices, the attacker only needs to send a legitimate UDP request from the victim's spoofed IP to many different servers. These servers will respond and flood the target server. Protocols often exploited in amplification attacks include NTP, SNMP, and SSDP.

1.2. CharGEN Flood Attack

The CharGEN protocol was originally designed for debugging and testing. The server will send a TCP or UDP request over port 19, and the receiving device responds with random characters (TCP) or random numbers (UDP). Attackers exploit this by spoofing the IP and sending a large number of requests to internet-connected devices running CharGEN, such as printers, causing them to flood the target server with responses over port 19. If the firewall does not block this port, the server is easily overloaded when processing random responses.

1.3. ICMP (Ping) Flood Attack

The Internet Control Message Protocol (ICMP) includes error messages and informational operating commands sent between network devices such as timestamps, timeouts, and echo requests. Echo request and echo reply combine to form the "ping" command. Attackers use multiple devices to flood the server with spoofed Ping packets without waiting for a response. This protocol requires the server to receive the request and respond, consuming both inbound and outbound bandwidth.

1.4. ICMP Fragmentation Flood Attack

This variant sends fragmented ICMP packets instead of full commands. The victim server will try to assemble legitimate commands from the spoofed ICMP packets and will consume resources when trying to connect unrelated fragments.

1.5. Tấn công lạm dụng ứng dụng (Misused Application Attack)

In a misused application attack, hackers penetrate high-traffic applications on legitimate servers, such as P2P servers, and redirect this traffic to the target server. Then, the hacker exits the system and lets the connections continue automatically. Because the compromised application generates legitimate connections, defense tools often do not detect it, causing the target server to be overloaded by the sudden increase in traffic.

A real-world example of a volumetric DDoS attack

One of the largest recent volumetric DDoS attacks occurred in 2020, targeting AWS. The attack used CLDAP to flood AWS with unwanted traffic, causing the AWS Shield team to spend several days successfully protecting the server.

2. Protocol DDoS Attacks

Protocol DDoS Attacks Model

Unlike Volumetric DDoS Attacks, Protocol DDoS Attacks exploit protocols to overload a specific resource, usually a server, but sometimes also a firewall or load balancer. These attacks are often measured by the number of packets per second.

Common types of Protocol DDoS Attacks include:

2.1. IP Null Attack

All packets following Internet Protocol version 4 have a header that identifies the transport protocol for that packet (such as TCP, ICMP...). However, attackers can set the header to a null value and if there are no specific instructions to discard these packets, the server will consume resources trying to determine how to handle them.

2.2. TCP Flood Attack

The TCP protocol controls how devices communicate over a network. TCP flood attacks exploit TCP to overload the system with spoofed or erroneous packets. TCP establishes a connection in three steps: SYN (device sends a request), SYN-ACK (server acknowledges), and ACK (device acknowledges). The connection is closed in four steps: FIN, ACK, FIN, ACK. If it encounters an unexpected packet, the server will send an RST to reset the connection. TCP flood attacks use incorrect packets to overload the system. Variations of TCP Flood:

• SYN Flood: The attacker sends many SYN packets from a spoofed IP, causing the server to wait for an ACK response, wasting resources.
• SYN-ACK Flood: The server is overloaded when it has to match the spoofed SYN-ACK packets with non-existent SYN requests.
• ACK Flood: Many spoofed ACK packets consume resources when the server tries to match them with non-existent SYN-ACK packets.
• ACK Fragmentation Flood: This variant uses maximum-sized 1,500-byte fragmented packets to take advantage of the maximum IP packet length of 65,535 bytes. When servers and other resources like routers try to assemble these fragmented packets, the process can exceed allocated resources and cause buffer overflows or resource crashes.
• RST/FIN Flood: The attacker uses spoofed RST or FIN packets to flood the server, consuming resources when trying to match these packets with non-existent TCP sessions.
• Multiple ACK Spoofed Session Flood: ACK packets combined with spoofed RST/FIN simulate real traffic, bypassing defense solutions.
• Multiple SYN-ACK Spoofed Session Flood: Combining SYN, ACK, RST, and FIN to simulate real traffic, causing the server to run out of resources.
• Synonymous IP Attack: The SYN packet uses the server's own IP for both source and destination, causing overload when the server tries to respond to itself.

2.3. Session Attack

Attackers do not need to use spoofed IP addresses to perform DDoS attacks. Session attacks use a large number of bots to meet or exceed the source IP address range and initiate legitimate TCP sessions with the target server. Legitimate TCP sessions from real IP addresses avoid DDoS detection, but the attack will then slow down ACK packets to consume bandwidth and deplete resources to maintain idle sessions.

2.4. Slowloris Attack

Similar to session attacks, Slowloris attacks try to consume server resources with empty communications. The attacker sends incomplete HTTP requests to the web server to keep as many sessions open as possible for as long as possible. These attacks consume very little bandwidth and are difficult to detect.

2.5. Ping of Death Attack

The Ping of Death attack exploits the maximum IP packet length of 65,535 bytes, similar to the ACK Fragmentation Flood attack. Since the maximum frame size for transmitting data over an Ethernet network is usually limited to 1,500 bytes, the attacker will send multiple IP fragments that comply with the Ethernet limit, but will assemble into a packet that exceeds the maximum length. When the target computer reassembles the IP fragments, it can cause a buffer overflow in the designated memory or hang the computer.

2.6. Smurf Attack

Chương trình phần mềm độc hại Smurf lợi dụng giao thức IP và ICMP để gửi số lượng lớn các yêu cầu ICMP giả mạo đến địa chỉ phát sóng của một router với địa chỉ IP của thiết bị mục tiêu. Mọi thiết bị trên mạng phản hồi yêu cầu ping và có thể làm quá tải thiết bị nhận. Kể từ năm 1999, hầu hết các router không chuyển tiếp các gói tin gửi đến địa chỉ phát sóng theo mặc định, làm cho tấn công này ít hiệu quả hơn.

2.7. Fraggle Attack

A Fraggle attack is a variant of the Smurf attack that uses spoofed UDP packets instead of ICMP packets to flood the victim device by targeting the broadcast address of a network router. All devices on the network respond to UDP requests, potentially overloading the receiving device. By default, most modern routers since 1999 do not forward packets sent to the broadcast address, reducing the effectiveness of this attack.

2.8. Low Orbit Ion Cannon (LOIC) Attack

The open-source software Low Orbit Ion Cannon is designed to test network stress by sending a large number of packets (UDP, TCP, HTTP) to a target device. However, attackers deploy this attack on botnets and use it to carry out DDoS attacks.

2.9. High Orbit Ion Cannon (HOIC) Attack

The High Orbit Ion Cannon application replaces Low Orbit Ion Cannon with a public application that can send multiple GET and HTTP POST requests to 256 different domains simultaneously. HOIC can be more powerful and disruptive than LOIC when used by attackers.

Real-world examples of protocol-based DDoS attacks

The first known protocol-based DDoS attack occurred in 1996 when the internet service provider Panix in New York City experienced a SYN flood attack. Another notable example occurred in 2018 when hackers used BGP hijacking to redirect MyEtherWallet's traffic to fake servers, leading to cryptocurrency theft.

3. Application DDoS Attacks

Application DDoS Attacks model

Application-layer DDoS attacks exploit layer 7 software vulnerabilities, disrupting application operations. Unlike infrastructure attacks, application-layer DDoS attacks can overload the CPU or exhaust memory, affecting the entire server. The intensity is often measured in requests per second.

For example, hackers can send a large number of complex processing requests such as adding to a shopping cart or making a payment, or target specific vulnerabilities like SQL injection to damage the database. Common types of application-layer DDoS attacks include:

3.1. HTTP Flood Attack

HTTP Flood attacks exploit HTTP commands to flood websites, hosting servers, and the bandwidth used to access them. Bots in these attacks can send multiple requests in succession, causing traffic to the target website to increase exponentially.

• GET Attack: Attackers use a botnet to send a large number of simultaneous GET requests for large files, such as PDFs or videos.
• POST Attack: Multiple bots send simultaneous POST requests containing large files to be stored on the target server.
• Slow POST Attack: Often performed using the R-U-Dead-Yet? (R.U.D.Y.) tool, the attacker sends large HTTP POST requests but sends only a small amount of data very slowly. This attack avoids DDoS defenses that look for large traffic and consumes server resources.
• One-session or one-request attack: Many current DDoS prevention systems block large amounts of incoming packets, so attackers exploit a loophole in HTTP 1.1 to put multiple requests into a single HTTP packet.
• HTTP fragmentation attack: Instead of sending a large number of legitimate requests, the botnet establishes legitimate HTTP connections and splits HTTP packets into small pieces sent slowly, avoiding detection by DDoS defenses.
• Recursive GET Flood Attack: The attacker floods the server by requesting a long list of pages or images. This attack looks like normal browsing behavior, but the botnet is actually consuming resources.
• Random Recursive GET Flood Attack: This variant randomly changes the requested pages to avoid detection.

3.2. ReDoS Attack

A Regular Expression Denial of Service (ReDoS) attack attempts to request highly complex search patterns, wasting resources or even causing the system to hang.

Real-world example of an application-layer DDoS attack In 2018, GitHub experienced a large application-layer DDoS attack. The attack exploited Memcached servers as amplification tools and sent spoofed requests to flood GitHub's infrastructure, becoming one of the largest DDoS attacks at the time.

4. Other types of DDoS attacks

Some attacks do not fall into the three main categories above, such as:

• Advanced Persistent DoS (APDoS): This is a type of attack carried out by hackers to cause serious damage. APDoS uses multiple attack types such as HTTP flooding and SYN flooding, targeting multiple attack vectors simultaneously, sending millions of requests per second and can last for weeks.
• Multi-Vector Attacks: Attackers can deploy multiple attacks simultaneously to cause DDoS. For example, an attacker can use a volumetric attack to disperse defenses while simultaneously performing a low-bandwidth HTTP Flood attack from another botnet.
• Zero-Day DDoS Attacks: Attackers can discover previously undisclosed vulnerabilities in applications, protocols, or hardware and carry out DDoS attacks. When exploiting a new vulnerability, the attack is called a Zero-Day attack.

VNIS security capabilities against DDoS attacks

VNIS (VNETWORK Internet Security) is a comprehensive security solution developed by VNETWORK, excelling in its ability to block DDoS attacks of up to several Tbps. Against the aforementioned types of DDoS attacks, VNIS confidently positions itself as a solution capable of providing comprehensive protection regardless of attack form or technique.

VNIS operation model

VNIS operation mechanism VNIS operates as an intermediary layer between users and the enterprise's origin server. When a request is sent from a user, VNIS analyzes and processes these requests through two main protection layers:

• The first protection layer: With a CDN designed to distribute and reduce traffic load, especially in cases of sudden traffic spikes, while simultaneously blocking invalid requests from unauthorized sources. VNETWORK's VNIS platform, with the integration of leading global CDN providers (Multi-CDN) on a single platform, gives VNIS a powerful system capacity and flexible scalability. With a vast infrastructure of over 2,300 PoPs (Points of Presence) globally, increasing load capacity to over 2,600 Tbps, domestic uplink bandwidth of up to 10 Tbps, the ability to handle over 8,000,000 CCU (concurrent users) and process over 9 billion requests per day. As a result, the system is capable of effectively combating layer 3 and 4 DDoS attacks.
• The second protection layer: In addition to blocking malicious bots/crawlers, this layer focuses on more detailed analysis of access requests, especially attacks targeting application vulnerabilities. VNIS uses security rules to detect attacks and block vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), and CSRF...

VNIS also focuses on preventing dangerous security vulnerabilities in enterprise applications and systems to limit layer 7 DDoS attacks. Against exploitation attacks, VNIS acts as a "steel shield" to help businesses minimize the negative impact on information systems. The platform can automatically detect and block critical security vulnerabilities in the OWASP Top 10 list, such as Broken Access Control, SQL Injection, and Cryptographic Failures. In addition, with over 2,000 security rules and the ability to manage CRS (Core Rule Set), VNIS protects websites from the risk of being attacked and exploited for unauthorized data. These security rules are updated monthly, along with an intuitive, user-friendly interface that allows businesses to flexibly customize according to specific security needs.

Furthermore, VNIS provides the ability to monitor vulnerability exploitation activities in real-time, helping businesses accurately identify exploited URLs or hijacked accounts, thereby proactively patching vulnerabilities and preventing potential attacks.

The team of VNETWORK experts is present in many countries such as Vietnam, Hong Kong, Taiwan, Singapore, and the UK... combined with a comprehensive SOC monitoring system, providing continuous 24/7/365 alerts to detect incidents early and be ready to respond at any time to ensure stable operation even in the event of an attack. VNIS's powerful system capabilities are thanks to the multi-CDN-based operation mechanism, avoiding the risk of infrastructure downtime and ensuring 99.99% uptime, as well as a commitment to SLAs with customers.

See more: Comprehensive cybersecurity trends for DDoS attacks in 2024

VNIS case study in preventing a 150 Gbps DDoS attack

VNIS successfully blocked a large-scale DDoS attack of nearly 150Gbps targeting the system of a financial enterprise. The attack used UDP and TCP methods to cause congestion and disrupt user access. With its vast infrastructure, advanced technology, and continuous monitoring by VNETWORK's expert team, VNIS detected and responded quickly, effectively protecting the system, ensuring uninterrupted service, and demonstrating the ability to respond to the most complex DDoS threats.

Details of the DDoS attack recorded by the VNIS platform

Don't let your business be threatened by the risks of DDoS attacks. Contact us immediately via hotline: +84 (028) 7306 8789 or email: contact@vnetwork.vn for detailed advice and deployment of VNIS, a solution that helps businesses feel secure against all cybersecurity challenges.