Different types of DDoS attacks: how to protect your clients
A distributed denial of service (DDoS) attack is a malicious hacking method that uses multiple compromised devices to make an online service unavailable by temporarily interrupting, crashing, or corrupting the services of its hosting server.
Most DDoS attacks aren’t leveraged to gain access to sensitive information or files—they usually serve as a distraction, opening new doors for threat actors to infiltrate companies. As different methods of DDoS attacks continue to rise, there are three core types of DDoS attacks to stay aware of: Volume-based, protocol-based, and application-based attacks.
Your team needs to be ready to have a protection plan for all types of DDoS attacks. Read on to discover the differences between types of DDoS attacks as well as preventive cybersecurity measures you can implement.
The consequences of a DDoS attack
DDoS attacks are quickly becoming the most prevalent type of cyber threat: From early 2020 to 2021, there was a 341% increase in DDoS attacks.
DDoS attack methods can cause significant network damage and result in substantial financial loss for organizations worldwide, as well as additional consequences, such as:
- Loss of revenue: Experiencing a DDoS attack for a client results in downtime, which can be extremely costly depending on the client’s business and size.
- Lost productivity: When your client’s business is taken offline or degraded, employees often cannot work. For remote or hybrid teams that depend on cloud-based servers and networks, this can be a severe consequence.
- Recovery costs: Recovering IT systems both during and after a DDoS attack results in additional time and labor costs for your client.
- Damage to brand reputation: DDoS attacks can be particularly disastrous for certain industries that depend on service availability. If the organization is offline or breached by a DDoS attack, it can cause significant brand reputation damage.
DDoS attack types
There are three core DDoS attack types that impact organizations: Volumetric, protocol, and application.
To gain a deeper understanding of DDoS attack methods, it’s important not to conflate these with other threats, such as phishing, malware, or other threats. DDoS attacks serve as their own prominent form of threat, often paving the way to additional infiltration or even ransomware demands.
Volume-based DDoS attacks
The volume-based DDoS attack method is designed to disrupt normal traffic or requests by overwhelming the target with a flood of fraudulent traffic from numerous sources. This then results in a complete shutdown or compromised service, even for legitimate users.
How they work
Many types of volumetric DDoS attacks are launched using IoT botnets—or groups of bots built from IoT devices, such as IP cameras or consumer routers. Some of the most notable versions of DDoS attacks include:
- UDP flood - A UDP flood attack floods a target with User Datagram Protocol (UDP) packets, rendering it unable to establish a two-way session with a server. UDP flood attacks target a specific or random server within a network by including the IP address in the attacking packets to exhaust all bandwidth capabilities.
- ICMP (ping) flood - Similar to a UDP flood attack, an ICMP (ping) flood attack overwhelms and exhausts bandwidth capabilities by sending rapid packs without waiting for replies. A victim’s server will attempt to respond with ICMP Echo Reply packets that result in a significant system slowdown.
- Connection exhaustion - Also known as state-exhaustion attacks, Connection exhaustion attacks target infrastructure (like web application servers) to completely overwhelm connection tables with fake data.
Examples of volumetric DDoS attacks
One of the most recent volumetric DDoS attacks occurred in 2020 and hit AWS. The attack leveraged CLDAP to flood AWS with unwanted traffic, and it required the AWS Shield team a few days to successfully secure the servers.
Protocol DDoS attacks
Another popular type of DDoS attack is the protocol-based attack. This DDoS attack method relies on weaknesses within internet communication protocols to exploit organizational vulnerabilities. Protocols such as HTTP (Hypertext Transfer Protocol), DNS (Domain Name System), or SIp (Session Initiation Protocol) can be used to launch protocol-based DDoS attacks.
How it works
Protocol-based DDoS attack types typically work by a hacker exploiting vulnerabilities within the protocol implementation to fully consume the target’s resources—and disrupt its normal operations. This may involve flooding the target with an excessive amount of protocol-specific results. Malicious actors typically deploy a botnet to achieve protocol-based DDoS attacks.
Some common methods include:
- SYN flood - A SYN flood attack occurs when a weakness in the TCP layer is exploited, which causes a server to become unavailable by consuming all resources in order to disable it. During an attack, SYN requests are sent but not responded to, or SYN requests are sent from a fake IP address while the host system continues to wait for acknowledgement of each request which results in a denial of service.
- RST-Fin floods - During an RST-Fin flood, attackers send high volumes of deceitful RST and FIN packets to use up the victim network’s resources to cause disruptions that lead to system failures.
- Ping of death - A Ping of death attack involves sending malicious pings to a computer, targeting the implementation of the ICMP protocol. During an attack, the victim ends up with an IP packet larger than 65,535 bytes (maximum IP packet length) due to the manipulation of fragment content.
Examples of protocol DDoS attacks
The first known DDoS protocol-based attack occurred in 1996 when New York City internet provider, Panix, experienced a SYN flood attack. The attack shut down its servers and took more than 36 hours to regain control over the Panix servers and domains.
One of the most prominent examples of a successful protocol DDoS type of attack occurred in 2018. Hackers used Border Gateway Protocol (BGP) hijacking to redirect traffic destined for an organization called MyEtherWallet to Russian servers, which provided a fake version of the site.
The attack lasted for two hours and resulted in malicious actors stealing the contents of cryptocurrency wallets.
Application-based DDoS attacks
The third type of DDoS attack is known as the application-based attack. Also known as Layer 7 DDoS attack, this method targets the application layer of the network stack—which is the layer responsible for processing specific protocols, such as HTTP, SMTP (Simple Mail Transfer Protocol), or DNS.
How it works
Unlike traditional volume-based DDoS attacks, the application-layer attack focuses on exploiting any vulnerabilities within the application itself. By targeting these vulnerabilities, the hacker can exhaust server resources—such as CPU, memory, or application processes.
- Slowloris - A Slowloris is a highly-targeted attack that enables one web server to take down another without affecting other services on the network. This attack works by holding as many connections to the target web server open for as long as possible and creating partial connection requests to that server. As the server is never able to complete a request, this overwhelms the connection network and leads to a rejection of additional connections from legitimate sources.
- HTTP flood - In an HTTP flood attack, the attacker utilizes HTTP GET or HTTP Post requests to attack a web server or application. This attack is effective as it forces the maximum resources possible in response to every request to trigger a complete system shutdown.
- DNS amplification - A DNS amplification attack occurs when an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with extensive traffic to create an inaccessible infrastructure.
Examples of application-based DDoS attacks
In 2018, GitHub, the popular code hosting platform, experienced a massive application-layer DDoS attack. The attack exploited the Memcached servers, which were used as amplifiers, and hackers sent spoofed requests to flood GitHub’s infrastructure. The attack was one of the largest DDoS attacks in history at the time.
Cybersecurity solutions for DDoS attack prevention and protection
Now that you understand the various types of DDoS attacks, it’s time to unpack several cybersecurity solutions to help prevent and protect against these attacks.
Prevention
Consider implementing the following to help prevent a DDoS attack:
- DDoS defense or mitigation system (DDS): A DDS helps to protect against both protocol and volumetric attacks as it can detect and decipher between malicious and legitimate activity.
- Traffic monitoring and analysis: Implementing network traffic monitoring and analysis will allow you to detect and identify any potential DDoS attack patterns. Identifying suspicious traffic patterns can trigger timely mitigation responses.
- Rate limiting: Leverage rate limiting and traffic shaping mechanisms to help control the flow of traffic, therefore preventing the network from becoming overwhelmed. This typically involves setting maximum connection limits, rate limits for specific protocols, or using unique bandwidth management tools to prioritize critical traffic.
- Firewall and intrusion prevention systems (IPS): Firewalls and IPS devices are commonly deployed at network entry points in order to filter and block any malicious traffic.
- Real-time packet analysis: Real-time packet analysis discards potentially malicious packets by analyzing them based on different rules as they enter the server’s system.
- Backup consumer communication: Ensure that clients have a secondary way to contact their customers in the event that their primary system is compromised during an attack.
In addition to the preventive measures outlined above, you should also create a DDoS attack response plan, as even the best proactive measures can succumb to a threat.
Protection
To protect your clients’ organizations against the wide plethora of different types of DDoS attacks, MSPs must deploy a nuanced defense strategy. Follow these best practices for mitigating DDoS attacks:
- Cloud-based apps: To better protect client data, leverage cloud-based apps instead of on-premise options. When data isn’t located on-premise, it’s harder to locate. Plus, using the cloud offers your client the ability to leverage continuous monitoring software, which provides insights into real-time analytics, metrics, and reporting.
- IP addresses: To mitigate attacks that rely on IP address spoofing, change the IP address of a public resource under attack. This can provide some breathing room for your team to get systems back online.
- Client firewalls: SYN flood attacks, which aim to overwhelm the network, can be mitigated by proper firewall configuration. Expand your backlog queue, use SYN cookies, enable firewall filtering, and delete the oldest half-open connection to protect against SYN flood attacks.
- Web server configurations: Determine any DDoS protection settings built-in to your client’s web server hosting provider.
- Content distribution networks (CDN): Utilizing a Content Distribution Network (CDN) helps to minimize the potential opportunity for cybercriminals. This tactic also protects traffic from reaching important elements of your client’s infrastructure, such as sensitive information, databases, and mission-critical files.
Understanding the different types of DDoS attacks help to prevent, protect, respond to, and recover from them. Given the rise in DDoS attacks and the devastating consequences to organizations, no matter the size, it’s important to implement mitigation tactics today.
The ConnectWise Cybersecurity Suite was designed to provide MSPs with the optimal security protection and support clients demand, from advanced threat detection to a fully staffed SOC. Watch an on-demand demo today to learn more about our best-in-class cybersecurity software and solutions.