Types of DoS and DDoS

Summary

Large volumes of legitimate traffic are used in volumetric attacks. In this context, “legitimate” means that each packet has correct syntax, size, etc. They comprise an attack not by their nature, but in the way they are used: to flood the target with a massive volume of requests, overwhelming the targeted system.


There are a variety of ways for an attacker to wage a DoS attack. They can be categorized as:

  • A large volume of legitimate traffic requests.
  • A small volume of legitimate requests.
  • Illegitimate requests.

Large volumes of legitimate traffic are used in volumetric attacks. In this context, “legitimate” means that each packet has correct syntax, size, etc. They comprise an attack not by their nature, but in the way they are used: to flood the target with a massive volume of requests, overwhelming the targeted system.

Some volumetric attacks (such as ping floods) use simple requests. Others are more complex, such as requests designed to consume large amounts of resources to process (database reads, CPU cycles, etc.).

Small volumes of legitimate traffic can also be used for DoS attacks. For example, an HTTP POST attack sends a valid HTTP POST header, which includes a large value (perhaps up to 2 GB) for the size of the message’s content. The server will then wait for this large message body to be sent, but the attacker deliberately sends the content extremely slowly (perhaps one byte every 90 seconds). It takes an extremely long time for this to be completed. Meanwhile, the attacker establishes other connections (perhaps hundreds or thousands), each of which does the same thing. Eventually all of the server’s resources for incoming connections are consumed.

Note that these attacks do not attempt total saturation of the target’s resources (bandwidth, CPU cycles, etc.), nor do they need to: the targeted server is still unable to respond to legitimate users.
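One server-side defense against the slow POST scenario described above is to judge each in-flight request body by its declared size and by the rate at which it actually arrives, rather than waiting indefinitely. The following is an added example (not code from the original page); the thresholds, the `BodyUpload` class and the connection ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Policy thresholds are assumed values for illustration, not from the page;
# tune them to the real upload sizes and client links a deployment serves.
MAX_BODY_BYTES = 10 * 1024 * 1024   # reject absurd declared Content-Length
GRACE_SECONDS = 10                  # let slow links ramp up before judging
MIN_BYTES_PER_SEC = 512             # average body rate required after grace


@dataclass
class BodyUpload:
    """Server-side state for one in-flight request body."""
    content_length: int      # value of the Content-Length header
    started_at: float        # when the headers finished arriving
    received: int = 0        # body bytes seen so far

    def record(self, nbytes: int) -> None:
        self.received += nbytes

    def verdict(self, now: float) -> str:
        """Return 'accept', 'wait', or 'drop: <reason>' for this connection."""
        if self.content_length > MAX_BODY_BYTES:
            return "drop: declared Content-Length exceeds limit"
        if self.received >= self.content_length:
            return "accept"
        elapsed = now - self.started_at
        if elapsed < GRACE_SECONDS:
            return "wait"
        rate = self.received / elapsed
        if rate < MIN_BYTES_PER_SEC:
            return f"drop: body arriving at {rate:.3f} B/s"
        return "wait"


def connections_to_drop(uploads: dict, now: float) -> list:
    """Sweep a connection table and list the ids whose verdict is a drop."""
    return [cid for cid, u in uploads.items() if u.verdict(now).startswith("drop")]


if __name__ == "__main__":
    # Constructed scenario from the text: one connection declares a 2 GB body,
    # another trickles one byte every 90 seconds, a third uploads normally.
    table = {"c1": BodyUpload(2 * 1024 ** 3, started_at=0.0),
             "c2": BodyUpload(5_000_000, started_at=0.0),
             "c3": BodyUpload(100_000, started_at=0.0)}
    for _ in range(3):               # three bytes over 270 seconds
        table["c2"].record(1)
    table["c3"].record(100_000)
    print(connections_to_drop(table, now=270.0))   # ['c1', 'c2']
```

A fixed minimum rate will also cut off genuinely slow clients on poor links, so the grace period and rate floor have to be set from observed legitimate upload behaviour rather than guessed.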

Along with the above methods, DoS can also be accomplished with illegitimate traffic: invalid packets, or segments that are meant to be reassembled into invalid requests, intended to crash or otherwise adversely affect the targeted system. For example, the Ping of Death attack can cause buffer overflows and crash systems that use an older implementation of TCP/IP.

Note that these types of attacks generally do not need to be sent in large volumes. They rely on the target being unable to correctly handle the input. If this is true, then large volumes are unnecessary. If this is not true, then the targeted system will not react as the attacker desires, regardless of how much traffic is sent. Therefore, if a malformed-request attack works at all, it can usually do so without needing distributed resources, and an attacker will just wage a DoS instead of a DDoS.

Obviously, of the three types listed above, volumetric attacks are the most common type of DDoS. One of the major challenges for a DDoS attacker is to generate that volume.

Volumetric Attacks

To achieve sufficient scale for volumetric DDoS, attackers must leverage distributed resources. Typically the requests originate from a network of bots. In the past, this usually meant zombie machines, although with the rise of IoT (Internet of Things) attacks, the definition of “bot” has grown broader. Whatever the composition of a botnet might be, it allows the attacker to create a large amount of bot activity by issuing a relatively small number of commands.

Many attacks multiply the bandwidth even further, so that the target will receive many requests that weren’t sent directly by the originating bots. There are many ways to amplify the traffic that is sent to the target (thus creating an amplification attack).

For example, a request to a DNS server can (depending on the information that’s requested) result in an answer that is up to 179 times as large as the original request. Thus, bandwidth is amplified by a factor of up to 179. If the requestor’s source IP address is spoofed to be the victim’s, then each time a request is submitted, the answer is reflected to the victim rather than the actual source (making this also a reflection attack). This will create incoming traffic to the target that’s far larger than the bandwidth required to wage the attack.

Some reflection attacks rely on misconfigured networks: for example, Smurf attacks use a broadcast IP address to cause multiple devices on a network to “reply” to the target. Other reflection attacks exploit software vulnerabilities, such as the memcached assaults in early 2018 (which allowed attackers to achieve an amplification factor of 50,000).
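From the victim’s network edge, the reflection and amplification pattern described above has a recognisable shape: large UDP replies from reflector service ports arrive from many distinct sources, while the host they are addressed to never sent (or sent only tiny) queries to those sources, because the queries carried a spoofed source address. The following detection over flow records is an added example, not code from the original page; the reflector port list, the `Flow` record, the thresholds and the sample flows (using documentation address ranges) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP ports of the reflector services the text names (DNS, memcached). Assumed
# starting list; extend it with whatever a given network edge sees abused.
REFLECTOR_PORTS = {53, 11211}


@dataclass(frozen=True)
class Flow:
    """One unidirectional, NetFlow-like record (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Flag hosts that get UDP replies from >= min_reflectors reflector sources
    while their own queries to those sources are absent or min_ratio smaller:
    with a spoofed source address the victim never sent the queries at all."""
    replies = defaultdict(lambda: defaultdict(int))  # victim -> reflector -> bytes
    queries = defaultdict(lambda: defaultdict(int))  # host -> reflector -> bytes
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport in REFLECTOR_PORTS:        # reply coming back from a reflector
            replies[f.dst][f.src] += f.nbytes
        elif f.dport in REFLECTOR_PORTS:      # query going out to a reflector
            queries[f.src][f.dst] += f.nbytes
    victims = {}
    for host, per_src in replies.items():
        if len(per_src) < min_reflectors:
            continue
        bytes_in = sum(per_src.values())
        bytes_out = sum(queries[host].get(r, 0) for r in per_src)
        ratio = bytes_in / bytes_out if bytes_out else float("inf")
        if ratio >= min_ratio:
            victims[host] = {"reflectors": len(per_src), "bytes_in": bytes_in,
                             "bytes_out": bytes_out, "ratio": ratio}
    return victims


# Constructed sample: 203.0.113.10 receives DNS and memcached replies it never
# asked for; 203.0.113.20 makes one ordinary DNS query and gets one answer.
SAMPLE_FLOWS = [Flow("203.0.113.20", 40001, "198.51.100.1", 53, "udp", 64),
                Flow("198.51.100.1", 53, "203.0.113.20", 40001, "udp", 128),
                Flow("192.0.2.7", 11211, "203.0.113.10", 80, "udp", 400_000)]
SAMPLE_FLOWS += [Flow(f"198.51.100.{i}", 53, "203.0.113.10", 80, "udp", 3000) for i in range(1, 5)]
```

The ratio reported per victim is the observed amplification from that host's point of view; when the victim sent no queries at all it is unbounded, which is exactly the spoofed-source case the text describes.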
