25 Types of DDoS attacks a hacker uses to knock down any website
Most people assume that a DDoS attack is simply an attacker sending packets of unwanted data to a website they want to shut down. Actually, there is much more to DDoS than that. The world’s first DDoS attack was reported in 1974 when 13-year-old David Dennis, a student at University High School, sent hundreds of Ext requests to Computer-Based Education Research Laboratory (CERL)’s PLATO Terminal.
The first-ever large-scale DDoS attack using a botnet occurred in August 1999, when a hacker used a tool called “Trinoo” to disable the University of Minnesota’s computer network for more than two days. Trinoo consisted of a network of compromised machines called “Masters” and “Daemons,” allowing an attacker to send a DoS instruction to the botnets.
Coming to the present, compare this with the recent DDoS attack on GitHub, which involved 1.35 terabits per second (Tbps) of traffic against the site. This virtual one-two punch was delivered without the help of a botnet and put GitHub down for nearly a month.
Over the years DDoS attacks have only grown in size, with most now averaging 50 Gbps. DDoS remains the top destructive and ever-evolving threat vector, one that can put even a highly guarded website offline by flooding it with unwanted traffic.
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of unwanted data packets.
DDoS attacks are effective because they use many compromised computer systems, collectively known as a botnet, as sources of attack traffic. Botnets, or zombie machines, can include computers, laptops and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up the Internet highway, preventing regular traffic from arriving at its desired destination.
DDoS attacks fall into three broad categories that form the basis of any attack:
Protocol attacks: These attacks are used to exhaust the server or firewall resources.
Volumetric Attacks (Volume-based): The 1996 DDoS attack was one of these. These attacks are the “classic” ones that congest a target network’s bandwidth with a hefty amount of traffic packets.
Application layer (layer 7 DDoS) attacks: These attacks zero in on specific web applications rather than the whole network. They are particularly hard to prevent and mitigate while being relatively easy to orchestrate.
Within these categories, 25 subtypes of DDoS attack methods are in use today:
1. NTP Flood (NTP Amplification)
Network Time Protocol (NTP), one of the oldest networking protocols tasked with clock synchronization between electronic systems, is at the core of another DDoS attack vector. The idea is to harness publicly-accessible NTP servers to overload a target network with a large number of UDP packets.
2. Fraggle Attack
This DDoS technique follows a logic similar to the Smurf Attack, except that it deluges the intended victim with numerous UDP packets rather than ICMP echo requests.
3. SYN-ACK Flood
The logic of this attack vector is to abuse the TCP communication stage where the server generates a SYN-ACK packet to acknowledge the client’s request. To execute this onslaught, crooks inundate the CPU and RAM resources of the server with a bevy of rogue SYN-ACK packets.
4. ACK & PUSH ACK Flood
Once the TCP three-way handshake has resulted in establishing a connection between a host and a client, ACK or PUSH ACK packets are sent back and forth until the session is terminated. A server targeted by this type of DDoS attack cannot identify the origin of the falsified packets and wastes all of its processing capacity trying to determine how to handle them.
5. Fragmented ACK Flood
This attack is a knockoff of the above-mentioned ACK & PUSH ACK Flood technique. It boils down to deluging a target network with a comparatively small number of fragmented ACK packets that have a maximum allowed size, usually 1500 bytes each. Network equipment such as routers ends up running out of resources trying to reassemble these packets. Furthermore, fragmented packets can slip below the radar of intrusion prevention systems (IPS) and firewalls.
6. Spoofed Session Flood (Fake Session Attack)
In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic.
7. UDP Flood
As the name suggests, this DDoS attack leverages multiple User Datagram Protocol (UDP) packets. For the record, UDP connections lack a handshaking mechanism (unlike TCP), and therefore the IP address verification options are very limited. When this exploitation is in full swing, the volume of dummy packets exceeds the target server’s maximum capacity for processing and responding to requests.
8. DNS Flood
This one is a variant of UDP Flood that specifically homes in on DNS servers. The malefactor generates a slew of fake DNS request packets resembling legitimate ones that appear to originate from a huge number of different IP addresses. DNS Flood is one of the hardest denial-of-service raids to prevent and recover from.
9. VoIP Flood
This is a common form of UDP Flood that targets a Voice over Internet Protocol (VoIP) server. The multitude of bogus VoIP requests sent from numerous IP addresses drains the victim server’s resources and eventually knocks it offline.
10. SYN Flood
This attack exploits the TCP three-way handshake, the procedure used to establish any connection between a client and a server over TCP. Normally, a client submits a SYN (synchronize) message to the server to request a connection.
When a SYN Flood attack is underway, criminals send a plethora of these messages from spoofed IP addresses. As a result, the receiving server becomes incapable of processing and storing so many SYN packets and denies service to real clients.
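The defender-side symptom of a SYN Flood is a pile-up of half-open handshakes: SYNs from spoofed addresses are never completed by the client's final ACK. The following added example (not code from the article) replays a constructed list of TCP packet events and counts, per server, the handshakes that were started but never completed within a timeout. The event format, the addresses and the thresholds are all assumptions made for the demonstration.

```python
"""Spot a SYN Flood by counting half-open TCP handshakes per server.

Added example, not code from the article: a constructed list of TCP packet
events is replayed and every (client, server) pair whose SYN was never
followed by the client's handshake-completing ACK is counted as half-open.
Spoofed SYNs never complete, so under a flood the stale half-open count for
one server climbs far above what legitimate clients produce.
"""
from collections import defaultdict

VICTIM = "203.0.113.5"  # constructed victim address (documentation range)

# Constructed sample: (timestamp_s, src_ip, dst_ip, tcp_flags)
SAMPLE_EVENTS = []
# Two legitimate clients: SYN, then the final ACK of the three-way handshake.
SAMPLE_EVENTS += [(0.20, "192.0.2.7", VICTIM, "SYN"), (0.30, "192.0.2.7", VICTIM, "ACK"),
                  (0.40, "192.0.2.8", VICTIM, "SYN"), (0.50, "192.0.2.8", VICTIM, "ACK")]
# Twenty spoofed sources that only ever send a SYN (constructed attack traffic).
SAMPLE_EVENTS += [(0.05 * i, f"198.51.100.{i}", VICTIM, "SYN") for i in range(1, 21)]


def half_open_per_server(events, now, handshake_timeout=3.0):
    """Return {server_ip: count} of handshakes begun by a SYN that the client
    has not completed with an ACK within `handshake_timeout` seconds."""
    pending = {}  # (client, server) -> time the SYN arrived
    for ts, src, dst, flags in sorted(events):
        key = (src, dst)
        if flags == "SYN":
            pending[key] = ts
        elif flags == "ACK":
            pending.pop(key, None)  # third step of the handshake: no longer half-open
    stale = defaultdict(int)
    for (_client, server), ts in pending.items():
        if now - ts >= handshake_timeout:
            stale[server] += 1
    return dict(stale)


def syn_flood_alerts(events, now, threshold=10):
    """Servers whose stale half-open count exceeds `threshold` (an assumed
    tuning value; a real deployment derives it from the server's baseline)."""
    counts = half_open_per_server(events, now)
    return sorted(server for server, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print(half_open_per_server(SAMPLE_EVENTS, now=5.0))  # {'203.0.113.5': 20}
    print(syn_flood_alerts(SAMPLE_EVENTS, now=5.0))      # ['203.0.113.5']
```

The same view is what a kernel exposes through its SYN backlog; the usual mitigation is SYN cookies (on Linux, the `net.ipv4.tcp_syncookies` sysctl), which let the server avoid allocating state for a connection until the client's ACK proves it is reachable.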
11. CHARGEN Flood
Similarly to NTP, the Character Generator Protocol (CHARGEN) is an oldie whose emergence dates back to the 1980s. In spite of this, it is still being used on some connected devices such as printers and photocopiers. The attack comes down to sending tiny packets containing a victim server’s fabricated IP to devices with CHARGEN protocol enabled. In response, the Internet-facing devices submit UDP packets to the server, thus flooding it with redundant data.
12. SSDP Flood
Malefactors can exploit networked devices running Universal Plug and Play (UPnP) services by executing a Simple Service Discovery Protocol (SSDP) reflection-based DDoS attack. On a side note, SSDP is embedded in the UPnP protocol framework. The attacker sends small UDP packets with a spoofed IP address of a target server to multiple devices running UPnP. As a result, the server is flooded with requests from these devices to the point where it goes offline.
13. SNMP Flood (SNMP Amplification)
Tasked with harvesting and arranging data about connected devices, the Simple Network Management Protocol (SNMP) can become a pivot of another attack method. Cybercriminals bombard a target server, switch, or router with numerous small packets coming from a fabricated IP address. As more and more “listening” devices reply to that spoofed address, the network cannot cope with the immense quantity of these incoming responses.
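The NTP, Fraggle, CHARGEN, SSDP, SNMP and DNS floods above share one shape on the wire at the victim: unsolicited UDP replies from a well-known service port, arriving from many distinct reflectors, each reply far larger than the query that provoked it. The following added example (not code from the article) scans constructed NetFlow-style records for that signature. The record layout, the addresses, and the reflector-count and bytes-per-packet thresholds are assumptions for the demonstration; the port numbers are the real service ports of the protocols named.

```python
"""Flag likely UDP reflection/amplification traffic in flow records.

Added example, not from the article: constructed NetFlow-style records are
grouped by (victim, reflecting service) and a group is reported when many
distinct reflectors send large UDP packets to the same destination.
"""
from collections import defaultdict

# Real service ports of the protocols the article lists as reflectors.
REFLECTOR_PORTS = {123: "NTP", 19: "CHARGEN", 1900: "SSDP", 161: "SNMP", 53: "DNS"}

# Constructed sample flows:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # Three NTP reflectors answering a request the victim never sent (480 B/packet)
    ("198.51.100.10", 123, "203.0.113.5", 40111, "udp", 200, 96000),
    ("198.51.100.11", 123, "203.0.113.5", 40111, "udp", 180, 86400),
    ("198.51.100.12", 123, "203.0.113.5", 40111, "udp", 220, 105600),
    # Three SSDP reflectors aimed at the same victim (320 B/packet)
    ("198.51.100.20", 1900, "203.0.113.5", 40111, "udp", 150, 48000),
    ("198.51.100.21", 1900, "203.0.113.5", 40111, "udp", 140, 44800),
    ("198.51.100.22", 1900, "203.0.113.5", 40111, "udp", 160, 51200),
    # Ordinary traffic: a normal NTP sync, a normal DNS answer, a TCP session
    ("192.0.2.7", 123, "203.0.113.9", 123, "udp", 2, 96),
    ("192.0.2.8", 53, "203.0.113.9", 51000, "udp", 1, 120),
    ("192.0.2.9", 443, "203.0.113.5", 52000, "tcp", 30, 20000),
]


def detect_amplification(flows, min_reflectors=3, min_bytes_per_pkt=300):
    """Return {victim_ip: {service: {"reflectors", "packets", "bytes"}}} for
    every (victim, service) seen from at least `min_reflectors` sources with
    an average packet size of `min_bytes_per_pkt` or more (assumed thresholds)."""
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, packets, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS or packets == 0:
            continue
        if nbytes / packets < min_bytes_per_pkt:
            continue  # small replies look like an ordinary query/response pair
        group = groups[(dst_ip, REFLECTOR_PORTS[src_port])]
        group["reflectors"].add(src_ip)
        group["packets"] += packets
        group["bytes"] += nbytes
    alerts = {}
    for (victim, service), group in groups.items():
        if len(group["reflectors"]) >= min_reflectors:
            alerts.setdefault(victim, {})[service] = {
                "reflectors": len(group["reflectors"]),
                "packets": group["packets"],
                "bytes": group["bytes"],
            }
    return alerts


if __name__ == "__main__":
    for victim, services in detect_amplification(SAMPLE_FLOWS).items():
        for service, stats in services.items():
            print(f"{victim}: {service} reflection from {stats['reflectors']} "
                  f"sources, {stats['bytes']} bytes in {stats['packets']} packets")
```

Because the victim never sent the matching queries, a stateful firewall that only admits UDP replies to outstanding requests drops this traffic outright; the flow-level check above is what a network team runs on exported flow data when no such device sits in front of the target.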
14. HTTP Flood
When executing an HTTP Flood DDoS attack, an adversary sends ostensibly legitimate GET or POST requests to a server or web application, siphoning off most or all of its resources. This technique often involves botnets consisting of “zombie” computers previously contaminated with malware.
15. Recursive HTTP GET Flood
To perpetrate this attack, a malicious actor requests an array of web pages from a server, inspects the replies, and iteratively requests every item on the site to exhaust the server’s resources. The exploitation looks like a series of legitimate queries and can be difficult to identify.
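Both the HTTP Flood and the Recursive HTTP GET Flood consist of individually valid requests, so the defence is to bound how many requests a single client may make per unit time rather than to inspect each request. The following added example (not code from the article) is a per-client token-bucket rate limiter run over a constructed request log; the rate, burst size, addresses and paths are assumptions chosen for the demonstration.

```python
"""Per-client token-bucket rate limiting against HTTP request floods.

Added example, not from the article: each client address gets a bucket that
refills at `rate` tokens per second up to `burst`; a request is served only
if a token is available. A client that spreads requests out is never
throttled, while a client that fires hundreds of GETs at once is cut off
after its burst allowance.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate          # tokens added per second
        self.burst = burst        # maximum tokens the bucket can hold
        self.tokens = burst       # a new client starts with a full bucket
        self.last = None          # timestamp of the previous refill

    def allow(self, now):
        """Refill for the time elapsed since the last call, then try to spend one token."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Constructed request log: (timestamp_s, client_ip, path)
REQUESTS = []
REQUESTS += [(float(t), "192.0.2.10", "/index.html") for t in range(10)]   # one request per second
REQUESTS += [(0.0, "198.51.100.7", f"/page{i}") for i in range(100)]       # 100 GETs in one burst
REQUESTS += [(1.0, "198.51.100.7", f"/page{i}") for i in range(50)]        # 50 more a second later


def filter_requests(requests, rate=10.0, burst=20):
    """Replay `requests` in timestamp order; return {ip: {"allowed", "rejected"}}."""
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, ip, _path in sorted(requests, key=lambda r: r[0]):
        bucket = buckets.setdefault(ip, TokenBucket(rate, burst))
        stats[ip]["allowed" if bucket.allow(ts) else "rejected"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in filter_requests(REQUESTS).items():
        print(ip, counts)
```

In production this check usually lives at the edge (a reverse proxy, load balancer or WAF) keyed on client address or session, and the recursive crawler variant is often caught by the same bucket applied per path prefix rather than per whole site.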
16. ICMP Flood
Also referred to as Ping Flood, this incursion aims to inundate a server or other network device with numerous spoofed Internet Control Message Protocol (ICMP) echo requests or pings. Having received a certain number of ICMP pings, the network responds with the same number of reply packets. Since this capability to respond is finite, the network reaches its performance threshold and becomes unresponsive.
17. Misused Application Attack
Instead of using spoofed IP addresses, this attack parasitizes legitimate client computers running resource-intensive applications such as P2P tools. Crooks reroute the traffic from these clients to the victim server to bring it down due to excessive processing load. This DDoS technique is hard to prevent as the traffic originates on real machines previously compromised by the attackers.
18. IP Null Attack
This one is carried out by sending a slew of packets containing invalid IPv4 headers that are supposed to carry transport layer protocol details. The trick is that threat actors set this header value to null. Some servers cannot process these corrupt-looking packets properly and waste their resources trying to work out how to handle them.
19. Smurf Attack
This one involves a malware strain called Smurf to inundate a computer network with ICMP ping requests carrying a spoofed IP address of the target. The receiving devices are configured to reply to the IP in question, which may produce a flood of pings the server can’t process.
20. LAND attack
To perform a Local Area Network Denial (LAND) attack, a threat actor sends a fabricated SYN message in which the source and destination IP addresses are the same. When the server tries to respond to this message, it gets into a loop by recurrently generating replies to itself. This leads to an error scenario, and the target host may eventually crash.
21. Ping of Death Attack
To set this raid in motion, cybercrooks poison a victim network with unconventional ping packets whose size significantly exceeds the maximum allowed value (64 bytes). This inconsistency causes the computer system to allocate too many resources for reassembling the rogue packets. In the aftermath of this, the system may encounter a buffer overflow or even crash.
22. Slowloris
This attack stands out from the crowd because it requires very low bandwidth and can be fulfilled using just one computer. It works by initiating multiple concurrent connections to a web server and keeping them open for a long period of time. The attacker sends partial requests and complements them with HTTP headers once in a while to make sure they never reach completion. As a result, the server’s capacity to maintain simultaneous connections is drained and it can no longer process connections from legitimate clients.
23. Low Orbit Ion Cannon (LOIC)
Originally designed as a network stress testing tool, LOIC can be weaponized in real-world DDoS attacks. Coded in C#, this open-source software deluges a server with a large number of packets (UDP, TCP, or HTTP) in an attempt to disrupt a target’s operation. This onslaught is usually backed by a botnet consisting of thousands of machines and coordinated by a single user.
24. High Orbit Ion Cannon (HOIC)
HOIC is a publicly accessible application that superseded the above-mentioned LOIC program and has a much bigger disruptive potential than its precursor. It can be used to submit a plethora of “GET” and HTTP POST requests to a server concurrently, which ends up knocking a target website offline. HOIC can affect up to 256 different domains at the same time.
25. ReDoS
ReDoS stands for “regular expression denial-of-service.” Its goal is to overburden a program’s regular expression implementation with instances of highly complex string search patterns. A malicious actor can trigger a regular expression processing scenario whose algorithmic complexity causes the target system to waste superfluous resources and slow down or crash.
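The classic ReDoS trigger is a pattern with one quantifier nested inside another: on input that almost matches, a backtracking engine tries every way of splitting the text between the two groups before it gives up, which is exponential in the input length. The following added example (not code from the article) places such a pattern beside an equivalent linear one and adds the input-length guard that bounds the worst case even where a vulnerable pattern cannot be replaced immediately. The patterns and the length limit are assumptions chosen for the demonstration.

```python
"""ReDoS: a backtracking-prone pattern beside a linear one, plus an input guard.

Added example, not code from the article. VULNERABLE nests one quantifier
inside another, so rejecting "aaaa...a!" costs about 2**n attempts for n
characters. SAFE accepts exactly the same strings without the nesting.
"""
import re
import time

VULNERABLE = re.compile(r"^(a+)+$")   # nested quantifiers: exponential backtracking
SAFE = re.compile(r"^a+$")            # same language, no overlapping quantifiers
MAX_INPUT_LEN = 64                    # second line of defence (assumed limit)


def validate(pattern, text, max_len=MAX_INPUT_LEN):
    """True if `text` matches; False if it does not or exceeds `max_len`.
    Refusing oversized input before matching caps how much work the engine
    can ever be made to do, whichever pattern is in use."""
    if len(text) > max_len:
        return False
    return pattern.match(text) is not None


def time_match(pattern, text):
    """Seconds the engine needs to accept or reject `text`."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def backtracking_growth(pattern, sizes=(12, 14, 16, 18, 20)):
    """Match time against 'a'*n + '!' for each n. For VULNERABLE the time
    roughly quadruples with every two extra characters; for SAFE it stays flat."""
    return [(n, time_match(pattern, "a" * n + "!")) for n in sizes]


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        for n, secs in backtracking_growth(pattern):
            print(f"{name:10s} n={n:2d} {secs * 1000:9.3f} ms")
```

Rewriting the pattern is the real fix; the length guard is what buys time when a pattern is buried in a dependency. Engines with linear-time matching (RE2 and its ports) remove the class of problem entirely at the cost of features such as backreferences.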
I bet you didn’t know this many DDoS vectors existed. If you like this article and would like us to expand on the different DDoS vectors, do let us know in the comments.