You have read about DDoS attacks such as SYN floods, ping of death, and zero-day attacks on our blog and in the news. The one thing they have in common is that they are not the same: they differ in their features, methods, and attack vectors. In general, every DDoS attack falls into one of three main types: volumetric (measured in Gbps), protocol (measured in pps), and application layer (measured in rps). All three aim to hinder some or all of the victim's services, but each does so in a different way.
Because the names sound similar, people often confuse the three. To complicate matters further, the three types are not mutually exclusive: they can appear together in a single attack and are often combined to maximize the impact. We see this regularly on our network and have reported on it before. In this post we look at how each type works and what it means for the victim.
Volumetric DDoS attacks are what most people picture when they hear "DDoS", because this type is by far the most common. It was also the form of the first DDoS attacks to make headlines in the late 1990s, launched from armies of compromised computers.
Volumetric attacks are also called floods because they "flood" the victim's resources with unwanted traffic. They are measured in bits per second (bps) or gigabits per second (Gbps).
The idea behind a volumetric attack is simple: send as much traffic as possible at the target to saturate its bandwidth. Over the last decade, volumetric attacks have typically been produced with amplification techniques. DNS amplification is a common example: the attacker sends small DNS queries to open DNS servers with the source address spoofed to the victim's IP. When a server receives such a query, it sends its much larger response to the victim, who never asked for it. Today, by contrast, it is far easier to build large botnets from IoT devices: they are poorly secured or not secured at all, they are connected to the Internet, and they can generate traffic. As a result, amplification is less dominant than it was, although it is still used in some cases.
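As an added illustration, not code from the original post: a small Python detector for the reflection pattern described above, run over constructed flow records rather than a real capture. It assumes the victim's border can see both its own outbound DNS queries and the inbound responses, and matches them on (local IP, resolver IP, DNS transaction ID); the thresholds in `reflection_suspected` are illustrative.

```python
"""Detect reflected (amplified) DNS traffic at the victim's border.

Constructed flow records, not a real capture. A legitimate DNS response is
one we solicited, so it matches an earlier outbound query by
(our IP, resolver IP, transaction ID). Reflection traffic consists of large
responses from resolvers we never queried, because the attacker spoofed our
address as the query's source. Counting unsolicited response bytes per
reflector gives both the verdict and the volume each reflector contributes.
"""
from collections import defaultdict

# Record layout: (direction, local_ip, remote_ip, txid, udp_payload_bytes).
# "out" is a query we sent to remote_ip; "in" is a response that arrived.
SAMPLE_FLOWS = [
    ("out", "203.0.113.10", "198.51.100.1", 0x1A2B, 60),
    ("in",  "203.0.113.10", "198.51.100.1", 0x1A2B, 180),   # answer we asked for
    ("in",  "203.0.113.10", "198.51.100.7", 0x0001, 3000),  # never queried .7
    ("in",  "203.0.113.10", "198.51.100.8", 0x0001, 3000),  # never queried .8
    ("in",  "203.0.113.10", "198.51.100.9", 0x0001, 3000),  # never queried .9
    ("out", "203.0.113.10", "198.51.100.2", 0x7777, 64),
    ("in",  "203.0.113.10", "198.51.100.2", 0x7777, 512),   # answer we asked for
]


def analyse_dns_flows(flows):
    """Split inbound DNS responses into solicited and unsolicited."""
    pending = set()                      # queries still awaiting a response
    unsolicited = defaultdict(int)       # reflector IP -> bytes received
    solicited_out = solicited_in = 0
    for direction, local, remote, txid, size in flows:
        key = (local, remote, txid)
        if direction == "out":
            pending.add(key)
            solicited_out += size
        elif key in pending:
            pending.discard(key)
            solicited_in += size
        else:
            unsolicited[remote] += size
    return {
        "reflectors": dict(unsolicited),
        "unsolicited_bytes": sum(unsolicited.values()),
        "solicited_out": solicited_out,
        "solicited_in": solicited_in,
    }


def reflection_suspected(stats, min_reflectors=3, min_bytes=4096):
    """Verdict: unsolicited responses from several sources adding up to real volume.

    Illustrative thresholds; tune them to the site's normal DNS traffic.
    """
    return (len(stats["reflectors"]) >= min_reflectors
            and stats["unsolicited_bytes"] >= min_bytes)


def amplification_factor(query_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker had to send."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    stats = analyse_dns_flows(SAMPLE_FLOWS)
    print(stats)
    print("reflection suspected:", reflection_suspected(stats))
    # a 60-byte query that triggers a 3000-byte response is a 50x amplifier
    print("amplification factor:", amplification_factor(60, 3000))
```

The same matching logic applies to other UDP reflectors (NTP, SSDP, memcached): a response is only legitimate if a matching request left the network first.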
The proliferation of cheap IoT devices such as connected dolls, toasters, thermostats, security cameras, and Wi-Fi routers makes it easy to launch an attack with just a few clicks. An attacker with nothing more than an Internet connection can launch a volumetric DDoS attack for little or no money.
The Mirai botnet is an example of the damage unprotected IoT devices can do. Mirai scanned for IoT devices that still used default credentials, infected them, and used each infected device to join a volumetric DDoS attack. It disrupted Airbnb, Twitter, the New York Times, CNN, Fox News, Netflix, and many other organizations.
In general, an Internet protocol is a set of rules for exchanging information over the network. The most widely used is TCP/IP, the suite of rules that applications use to exchange data. By abusing those rules, an attacker can bring a service to its knees.
Ping of death (PoD), for example, is a malformed-packet attack that exploits the maximum size of an IP packet. By manipulating a packet's fragments so that they reassemble to more than the 65,535 bytes an IP datagram may contain, the exploit overflows the memory buffer allocated for that packet, crashing the host and denying service to legitimate packets.
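The reassembly check whose absence ping of death exploited, shown as an added Python example that is not part of the original post. The fragments are constructed, not captured; the `Fragment` class and function names are this example's own, and the reassembler deliberately ignores overlapping or duplicate fragments, which are separate concerns.

```python
"""Bounds check on IP fragment reassembly.

Constructed fragments, not a real capture. An IPv4 datagram's total length is
a 16-bit field, so a reassembled datagram can never legitimately exceed 65,535
bytes. A fragment's position is its offset (carried in 8-byte units) plus its
payload length; a crafted final fragment can place data past that ceiling.
A reassembler that copies into a fixed buffer without checking the end
overflows it; the checked version below rejects the datagram first.
"""
MAX_IP_DATAGRAM = 65535


class Fragment:
    def __init__(self, offset_units, more_fragments, payload):
        self.offset = offset_units * 8      # byte offset, as the IP header encodes it
        self.more = more_fragments          # MF flag: False on the last fragment
        self.payload = payload


def unchecked_end(frags):
    """Highest byte an unchecked reassembler would write; past 65,535 means overflow."""
    return max(f.offset + len(f.payload) for f in frags)


def reassemble_checked(frags):
    """Reassemble, refusing any fragment that would write beyond the IP maximum."""
    buf = bytearray(MAX_IP_DATAGRAM)
    total = None
    for f in frags:
        end = f.offset + len(f.payload)
        if end > MAX_IP_DATAGRAM:
            raise ValueError(f"fragment at offset {f.offset} ends at {end}, "
                             f"beyond the {MAX_IP_DATAGRAM}-byte IP maximum")
        if not f.more:
            if total is not None:
                raise ValueError("more than one final fragment")
            total = end
        buf[f.offset:end] = f.payload
    if total is None:
        raise ValueError("no final fragment seen")
    return bytes(buf[:total])


def is_ping_of_death(frags):
    """True when the fragment set cannot fit in a 65,535-byte datagram."""
    return unchecked_end(frags) > MAX_IP_DATAGRAM


# Constructed samples: a normal two-fragment ping and a crafted oversized one.
BENIGN = [Fragment(0, True, b"A" * 1480), Fragment(185, False, b"B" * 500)]   # ends at 1980
POD = [Fragment(0, True, b"A" * 1480), Fragment(8189, False, b"X" * 100)]     # ends at 65612

if __name__ == "__main__":
    print("benign reassembles to", len(reassemble_checked(BENIGN)), "bytes")
    print("crafted set would end at byte", unchecked_end(POD),
          "-> ping of death:", is_ping_of_death(POD))
```

The check is cheap because it needs only the header fields: offset and length are known before a single payload byte is copied, which is exactly where a reassembler must refuse the fragment.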
The TCP SYN flood is another common protocol attack. Here a burst of TCP SYN requests aimed at the target overwhelms it: the server allocates state for a half-open connection for every SYN while it waits for a handshake that, with spoofed sources, never completes, so its connection backlog fills and the target becomes unresponsive.
Protocol attacks typically target layers 3 and 4 of the OSI model and the network devices, such as routers, that operate there. Because they work at the network and transport layers, they are measured in packets per second (pps).
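To make the half-open accounting concrete, here is an added Python example (not from the original post) that replays constructed packet records against a modelled server and counts handshakes that never complete. The server address, client addresses, timeout and backlog size are this example's assumptions; the server's SYN-ACK is not modelled because only the client's SYN and final ACK matter for the count.

```python
"""Half-open connection accounting, the state a SYN flood exhausts.

Constructed packet records, not a capture. The server creates state for every
SYN it accepts and frees it when the client's final ACK completes the
handshake. Under a flood the SYNs carry spoofed sources, so the ACKs never
come; entries sit in the backlog until they time out. Counting entries that
expire without completing, and how many are outstanding at once, separates a
busy server from a flooded one.
"""
SERVER = "203.0.113.10"
SYN, ACK = 0x02, 0x10       # TCP flag bits as they appear in the packet


def build_sample():
    """Three real clients, then 200 spoofed SYNs, then one more real client."""
    pkts = []
    for i, ip in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.7"]):
        pkts.append((0.00 + i * 0.01, ip, 40000 + i, SERVER, 443, SYN))
        pkts.append((0.10 + i * 0.01, ip, 40000 + i, SERVER, 443, ACK))
    for n in range(200):    # spoofed: unique (address, port) pairs that never ACK
        pkts.append((1.0 + n * 0.001, f"192.0.2.{n % 250}", 1024 + n, SERVER, 443, SYN))
    pkts.append((6.0, "198.51.100.5", 40003, SERVER, 443, SYN))
    pkts.append((6.1, "198.51.100.5", 40003, SERVER, 443, ACK))
    return pkts


def track_handshakes(packets, server_ip=SERVER, timeout=3.0):
    """Replay packets in time order and account for half-open connections."""
    half_open = {}      # (client_ip, client_port) -> time the SYN arrived
    stats = {"syns": 0, "completed": 0, "expired": 0, "peak_half_open": 0}
    for ts, src, sport, dst, dport, flags in sorted(packets):
        # free entries whose handshake did not finish within the timeout
        stale = [k for k, t0 in half_open.items() if ts - t0 > timeout]
        for k in stale:
            del half_open[k]
        stats["expired"] += len(stale)
        if dst != server_ip:
            continue
        key = (src, sport)
        if flags == SYN:
            stats["syns"] += 1
            half_open[key] = ts
            stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
        elif flags == ACK and key in half_open:
            del half_open[key]
            stats["completed"] += 1
    stats["still_half_open"] = len(half_open)   # waiting at the end of the window
    return stats


def syn_flood_suspected(stats, backlog=128):
    """Flood when abandoned handshakes alone would overflow a backlog of this size,
    or when most SYNs never complete. Thresholds are illustrative."""
    abandoned = stats["expired"] + stats["still_half_open"]
    completion = stats["completed"] / stats["syns"] if stats["syns"] else 1.0
    return abandoned > backlog or (stats["syns"] >= 50 and completion < 0.5)


if __name__ == "__main__":
    s = track_handshakes(build_sample())
    print(s, "-> SYN flood suspected:", syn_flood_suspected(s))
```

The standard server-side mitigation is SYN cookies (on Linux, `net.ipv4.tcp_syncookies`), which encode the connection state in the SYN-ACK sequence number so that nothing needs to be stored until the final ACK arrives.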
Types of DDoS network attacks include:
Whereas volumetric attacks and, to a lesser extent, protocol attacks overwhelm a service with sheer traffic, application layer (layer 7) attacks target a server-side application such as WordPress. They are hard to spot because in most cases the attacker's requests look like legitimate requests from a normal website visitor, and they need only a handful of bots. As a result, these attacks generate very little traffic.
Application layer attacks are measured in requests per second (rps), the number of requests hitting the application. Very few requests are needed to slow a site down because the attack aims at exhausting the server's CPU and memory rather than its bandwidth. An application layer attack is therefore considered a resource-based attack.
Application layer attacks include hitting a web server, its PHP scripts, and its database connections with requests that are expensive to serve. A single HTTP request that is trivial for the client to send can force the server to perform many internal operations, such as database queries and loading multiple files, in order to build the page, which slows the whole system down.
The Mirai botnet was the top DDoS story of 2016, and more recently Cloudflare blocked the largest application layer attack to date at 17.2 million rps. Besides its network layer attacks, Mirai has two application layer attack vectors: HTTP GET/POST floods and STOMP attacks. You can try the Incapsula scanner to check whether any devices on your network are infected with Mirai.
Application layer attacks can also be part of multi-vector attacks, combined with volumetric and protocol attacks to raise the odds of taking the application offline.
Attackers do not draw a clear line between these three types. Their goal is to disrupt your business, and the most effective way to do that is to attack with more than one vector. When they go after your service they combine volumetric, protocol, and application attacks in a single multi-vector attack. Multi-vector attacks reach the target in several ways at once and cause far greater disruption.
Because of their complexity and effectiveness, multi-vector attacks are the fastest growing type of DDoS attack. That was still true in 2021.
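Since the three types are defined by three different metrics (bps, pps and rps) and a multi-vector attack exceeds more than one at once, here is an added Python example, not code from the original post, that classifies each second of a traffic window by those metrics. The per-second flow summaries are constructed, and the thresholds are illustrative placeholders that in practice come from the target's own baseline.

```python
"""Classify a traffic window by the three DDoS metrics: bps, pps and rps.

Constructed per-second flow summaries, not real telemetry. Each record is
(second, protocol, packets, bytes, http_requests). Summing per second gives
bits per second (volumetric), packets per second (protocol) and requests per
second (application); a second that exceeds more than one threshold is a
multi-vector attack.
"""
from collections import defaultdict

# Illustrative thresholds: 1 Gbps, 100 kpps, 5 krps. Derive real ones from baseline.
THRESHOLDS = {"bps": 1_000_000_000, "pps": 100_000, "rps": 5_000}
VECTOR_BY_METRIC = {"bps": "volumetric", "pps": "protocol", "rps": "application"}


def baseline(sec):
    """Normal traffic for one second: web clients plus a little DNS."""
    return [(sec, "tcp", 5_000, 4_000_000, 800), (sec, "udp", 300, 90_000, 0)]


def amplification(sec):     # 1500-byte reflected DNS responses: bytes, not packets
    return [(sec, "udp", 90_000, 135_000_000, 0)]


def syn_flood(sec):         # 60-byte SYNs: packets, not bytes
    return [(sec, "tcp", 150_000, 9_000_000, 0)]


def http_flood(sec):        # few packets and bytes, but every request is expensive
    return [(sec, "tcp", 7_000, 3_000_000, 6_000)]


SAMPLE = (baseline(0)
          + baseline(1) + amplification(1)
          + baseline(2) + syn_flood(2)
          + baseline(3) + http_flood(3)
          + baseline(4) + amplification(4) + syn_flood(4) + http_flood(4))


def per_second_rates(records):
    """Sum bits, packets and requests for each second of the window."""
    totals = defaultdict(lambda: {"bps": 0, "pps": 0, "rps": 0})
    for sec, _proto, packets, nbytes, requests in records:
        t = totals[sec]
        t["bps"] += nbytes * 8
        t["pps"] += packets
        t["rps"] += requests
    return dict(totals)


def classify(records, thresholds=THRESHOLDS):
    """Map each second to the attack vectors whose threshold it exceeds."""
    verdict = {}
    for sec, rates in sorted(per_second_rates(records).items()):
        verdict[sec] = [VECTOR_BY_METRIC[m] for m in ("bps", "pps", "rps")
                        if rates[m] >= thresholds[m]]
    return verdict


def multi_vector_seconds(verdict):
    """Seconds in which two or more vectors were active at the same time."""
    return [sec for sec, vectors in verdict.items() if len(vectors) >= 2]


if __name__ == "__main__":
    v = classify(SAMPLE)
    for sec, vectors in v.items():
        print(sec, vectors or ["normal"])
    print("multi-vector seconds:", multi_vector_seconds(v))
```

Note how each single-vector second trips exactly one metric: the amplification second carries far more bits than packets, the SYN flood the reverse, and the HTTP flood barely registers on either but crosses the request threshold, which is why rps has to be monitored separately from the network counters.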