What is the attack vector of DDoS?

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic to a website or online service by overwhelming it with a flood of internet traffic from multiple sources (Cloudflare). The aim is not to break in but to exhaust something the service depends on, such as link bandwidth, connection-state tables, or application worker processes, so that genuine users cannot get through. Once the target receives more traffic than it can handle, it slows down or crashes, and legitimate users are denied service.

Most DDoS attacks are launched from a botnet, a network of hundreds or thousands of compromised devices that have been infected with malware and can be controlled remotely by the attacker. The attacker combines the processing power and bandwidth of all of them against the target. Because the traffic arrives from many addresses at once, it cannot simply be blocked at its source, which is what distinguishes a distributed attack from a single-source denial of service, and even a modest botnet, especially when combined with reflection through third-party servers, can produce enough traffic to take down a major website (Fortinet).

DDoS attacks have a significant impact on victims. A successful attack can cause reputational damage, loss of customer trust, and huge financial losses due to the site being down. The attacks don’t damage networks or systems directly but cause disruption through resource exhaustion. DDoS attacks are on the rise and becoming more complex, making them a serious threat in today’s interconnected world.

Common DDoS Attack Vectors

There are three main types of DDoS attack vectors that cybercriminals use:

Volumetric Attacks

Volumetric attacks aim to saturate the bandwidth of the target with high volumes of traffic and are measured in bits per second. The link fills up before the packets ever reach a server, so filtering on the target itself cannot help; the traffic has to be absorbed or dropped upstream. Common volumetric attack types include UDP floods, ICMP floods, and reflection/amplification floods built on spoofed packets.

Protocol Attacks

Protocol attacks target weaknesses in network infrastructure protocols and are measured in packets per second. Rather than filling the pipe, they consume state-tracking resources on the target and on devices in front of it, such as connection tables in servers, firewalls, and load balancers, starving out legitimate requests. Some examples are SYN floods, Ping of Death, and Smurf attacks.

Application Layer Attacks

Application layer attacks directly target web applications and servers by overloading them with requests that are cheap for the client to send but expensive for the server to answer; they are measured in requests per second and need comparatively little bandwidth. Because the requests look like ordinary client traffic, these attacks are difficult to detect with traditional network monitoring and can cripple sites and APIs. Common examples include HTTP flooding, Slowloris, and RUDY attacks.

Volumetric Attacks

Volumetric attacks flood the network with traffic in an attempt to consume all available bandwidth (Source: Netscout). The traffic typically comes from a botnet of many compromised devices, often boosted by bouncing spoofed requests off third-party servers so that the servers' replies land on the target. Common types of volumetric attacks include:

  • UDP floods – The attacker sends a large number of UDP packets to random ports on the target system. For each packet the target checks whether anything is listening and, if not, answers with an ICMP Destination Unreachable message, so both the lookup and the reply consume resources.
  • ICMP floods – The attacker overwhelms the target with ICMP Echo Request packets, more commonly known as pings; the target's attempts to reply double the load on its link.
  • Amplification floods – The attacker sends small requests carrying the victim's spoofed source address to open DNS, NTP, memcached or similar servers, which answer the victim with responses many times larger than the request.

SYN floods are sometimes listed here as well because they can be sent at very high packet rates, but they exhaust connection state rather than bandwidth and are covered under protocol attacks below (Source: A10 Networks). Taken together, these attacks can saturate the link, overwhelm connection state tables, or exhaust other server resources, resulting in denial of service.

Protocol Attacks

Protocol attacks exploit weaknesses in network communication protocols like TCP, UDP, and ICMP. The goal is to consume the state-tracking resources of network components such as firewalls, load balancers, and application servers: connection tables, fragment reassembly buffers, and the CPU needed to process every packet.

Common examples of protocol attacks include:

  • SYN floods – exploit TCP's three-way handshake by sending many SYN packets, usually with spoofed source addresses, and never answering the SYN-ACK responses. Each SYN leaves a half-open entry in the listener's backlog until it times out; once the backlog is full, new legitimate connections are refused.
  • Ping of Death – sends oversized or malformed ICMP packets, delivered as fragments that reassemble to more than the 65,535-byte IP maximum, which crashed older systems with naive reassembly code. Modern network stacks handle this case, so the attack is largely historical.
  • Smurf attacks – send ICMP Echo Requests with the victim's spoofed address to the broadcast address of networks that still forward directed broadcasts; every host on those networks replies to the victim. Disabling directed-broadcast forwarding, now the default on most routers, removes the amplifiers.

Defending against protocol attacks involves tuning network components to detect and filter malicious traffic: SYN cookies, so that a half-open connection holds no server state until the handshake completes; shorter SYN-RECEIVED timeouts and larger backlogs; dropping fragmented or oversized ICMP; and ingress filtering (BCP 38) on provider networks so that packets with spoofed source addresses never leave the network that originates them. Cloud scrubbing providers such as Cloudflare also absorb and filter protocol attacks before the traffic reaches customer networks.
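What a defender actually sees during a SYN flood is a pile-up of half-open connections on one listener, with source addresses that almost never repeat because they are spoofed. That is why the check has to be keyed on the destination rather than the source: per-source rate limiting sees one packet per address and never fires. The following is an added example written for this article, not code from the original page or from any vendor; it runs that destination-side check over a constructed packet log. The log format (`ts src_ip src_port dst_ip dst_port flags`), the addresses, and the thresholds are all assumptions for illustration.

```python
"""SYN flood detection keyed on the destination listener.

Added example, not from the original article.  Per-source rate limits are
useless against a SYN flood because the source addresses are spoofed, so the
check below looks at each listener's ratio of completed handshakes to SYNs
and at how rarely sources repeat.  The packet-log format, addresses and
thresholds are constructed assumptions.
"""
from collections import defaultdict


def parse_line(line):
    """'ts src_ip src_port dst_ip dst_port flags' -> (ts, src, dst, flags)."""
    ts, src, sport, dst, dport, flags = line.split()
    return float(ts), f"{src}:{sport}", f"{dst}:{dport}", flags


def syn_flood_report(lines, min_syns=100, max_completion=0.2):
    """Listeners whose SYN count is high and whose handshakes rarely complete."""
    per_listener = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    awaiting_ack = set()          # (client, listener) pairs that were sent a SYN/ACK
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, flags = parse_line(line)
        if flags == "S":                          # client -> listener
            per_listener[dst]["syn"] += 1
            per_listener[dst]["sources"].add(src.split(":")[0])
        elif flags == "SA":                       # listener -> client
            awaiting_ack.add((dst, src))
        elif flags == "A" and (src, dst) in awaiting_ack:
            awaiting_ack.discard((src, dst))      # third packet: handshake done
            per_listener[dst]["completed"] += 1
    report = {}
    for listener, s in per_listener.items():
        if s["syn"] < min_syns:
            continue
        completion = s["completed"] / s["syn"]
        if completion < max_completion:
            report[listener] = {
                "syn": s["syn"],
                "half_open": s["syn"] - s["completed"],
                "completion_ratio": round(completion, 3),
                "distinct_sources": len(s["sources"]),   # ~= syn count means spoofing
            }
    return report


def build_sample_log():
    """Constructed packet log (not a real capture): three clean handshakes to
    203.0.113.5:443, then 300 spoofed SYNs that never complete, then one
    clean handshake to a second listener that must not be flagged."""
    lines = []
    t = 0.0
    for i, client in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        port = 50000 + i
        lines += [f"{t:.3f} {client} {port} 203.0.113.5 443 S",
                  f"{t + 0.001:.3f} 203.0.113.5 443 {client} {port} SA",
                  f"{t + 0.002:.3f} {client} {port} 203.0.113.5 443 A"]
        t += 0.01
    for i in range(300):
        src, port = f"10.0.{i // 256}.{i % 256}", 40000 + i      # source never repeats
        lines += [f"{t:.3f} {src} {port} 203.0.113.5 443 S",
                  f"{t + 0.001:.3f} 203.0.113.5 443 {src} {port} SA"]   # SYN/ACK unanswered
        t += 0.001
    lines += ["9.000 192.0.2.20 50100 203.0.113.6 80 S",
              "9.001 203.0.113.6 80 192.0.2.20 50100 SA",
              "9.002 192.0.2.20 50100 203.0.113.6 80 A"]
    return lines


if __name__ == "__main__":
    for listener, stats in syn_flood_report(build_sample_log()).items():
        print(listener, stats)
```

The two numbers worth alerting on are the completion ratio (near zero under attack) and `distinct_sources` approaching the SYN count; the latter tells you the addresses are spoofed and that blocking them is pointless, so the mitigation is SYN cookies or upstream scrubbing, not an IP blocklist.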

Application Layer Attacks

Application layer attacks, also known as Layer 7 attacks, target web servers and applications directly to overwhelm them with traffic. The goal is to consume application resources and make the application slow or unresponsive for legitimate users. Some common methods of application layer attacks include:

HTTP floods – An HTTP flood sends a very large number of ordinary-looking GET or POST requests to the target web server, often aimed at expensive endpoints such as search, login, or report generation. Each request is valid on its own, so the attack is hard to tell from a traffic spike, and the server's CPU, database, and worker pool are exhausted long before its bandwidth is.

Slowloris – Slowloris opens many connections to the web server and sends a partial HTTP request on each, then keeps every connection alive by sending one more header line every few seconds without ever completing the request. The server holds a worker or connection slot for each of them until its pool is full and new clients are refused, all at a trickle of bandwidth.

RUDY (R-U-Dead-Yet) – RUDY is the slow-POST counterpart: it sends a complete header block declaring a large Content-Length, then delivers the form body one byte at a time, spaced seconds apart. The server must keep the connection and its buffers open until the whole body arrives, so a few hundred such connections can exhaust the pool of a server that would shrug off the same number of normal requests.

By directly targeting application servers and web infrastructure, application layer attacks take down websites and web applications by exploiting their limitations. Defending against them requires intelligent filtering and anomaly detection at the application layer, plus server-side hygiene: header and body read timeouts, a minimum transfer rate for incoming requests, caps on concurrent connections per client, and a reverse proxy that forwards only complete requests to the application.
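Slowloris and RUDY leave a recognisable fingerprint in a server's connection table: requests that are still incomplete long after they were opened and that have delivered almost no bytes. The following added example (written for this article; not code from the original page or from any web server) classifies a snapshot of such a table into Slowloris-style stalls (headers never finish) and slow-POST stalls (headers done, body trickling), and reports how much of the connection pool they occupy. The `Conn` record, the timing thresholds, the pool size, and every address are constructed assumptions.

```python
"""Finding Slowloris and slow-POST (RUDY-style) connections in a snapshot of a
web server's connection table.  Added example, not from the original article
or any server's own code.  The connection snapshot, timing thresholds and
addresses are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str
    opened_at: float      # seconds since epoch (constructed)
    bytes_received: int   # request bytes read so far on this connection
    headers_done: bool    # full request-header block received?
    body_expected: int    # declared Content-Length (0 if none)
    body_received: int = 0


def request_complete(c):
    return c.headers_done and c.body_received >= c.body_expected


def stall_kind(c, now, max_age=10.0, min_rate=50.0):
    """Classify a connection: None, 'slowloris' (headers never finish) or
    'slow-post' (headers done, body trickling).  A connection is stalled when
    the request is still incomplete after max_age seconds and the client has
    averaged under min_rate bytes/s; a genuinely slow link stays above that."""
    age = now - c.opened_at
    if request_complete(c) or age < max_age:
        return None
    if c.bytes_received / age >= min_rate:
        return None                   # slow but plausibly a poor connection
    return "slow-post" if c.headers_done else "slowloris"


def stalled_by_source(conns, now, min_conns=10):
    """Sources holding at least min_conns stalled connections, by kind."""
    per_src = defaultdict(lambda: defaultdict(int))
    for c in conns:
        kind = stall_kind(c, now)
        if kind:
            per_src[c.client][kind] += 1
    return {src: dict(kinds) for src, kinds in per_src.items()
            if sum(kinds.values()) >= min_conns}


def pool_pressure(conns, now, pool_limit):
    """Fraction of the worker/connection pool tied up by stalled requests."""
    stalled = sum(1 for c in conns if stall_kind(c, now))
    return stalled / pool_limit


def build_sample_snapshot(now):
    """Constructed connection-table snapshot (not from a real server)."""
    conns = []
    # Slowloris: 120 connections from one client, ~150 header bytes each,
    # opened 40 s ago and never completed.
    conns += [Conn("198.51.100.7", now - 40, 150, False, 0) for _ in range(120)]
    # RUDY-style slow POST: headers done, 1 MB announced, 900 body bytes so far.
    conns += [Conn("203.0.113.9", now - 30, 1300, True, 1_000_000, 900) for _ in range(40)]
    # Legitimate: 25 fresh, complete requests from distinct clients.
    conns += [Conn(f"192.0.2.{i}", now - 1.5, 600, True, 0, 0) for i in range(1, 26)]
    # Legitimate: a slow mobile upload that is still moving data above min_rate.
    conns.append(Conn("192.0.2.99", now - 20, 5000, True, 20_000, 4_000))
    # An idle keep-alive connection whose last request finished: not stalled.
    conns.append(Conn("192.0.2.100", now - 120, 800, True, 0, 0))
    return conns


if __name__ == "__main__":
    NOW = 1_700_000_000.0
    snap = build_sample_snapshot(NOW)
    print(stalled_by_source(snap, NOW))
    print(f"pool tied up: {pool_pressure(snap, NOW, 256):.1%}")
```

Counting per source catches the single-host tools the article names, but an attacker who spreads the same connections across many addresses slips under `min_conns`; the durable fix is the per-connection rule in `stall_kind`, enforced as a read timeout and minimum transfer rate on every connection regardless of where it comes from.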

DDoS Attack Tools

There are various tools and methods that attackers use to carry out DDoS attacks. Some of the most common include:

  • Botnets – A botnet is a network of compromised devices that are infected with malware and controlled remotely by an attacker. Botnets can include hundreds of thousands or even millions of devices that can be coordinated to flood a target with traffic. Well-known botnet malware families include Mirai and Meris; the individual infected hosts are often called zombies.

  • Booter/Stresser Services – Booter or stresser services are web-based tools that provide on-demand DDoS attacks for a fee. These services allow users to target an IP address or domain and generate various types of floods like UDP, SYN floods, etc. Booters make it easy for unskilled attackers to launch powerful DDoS attacks.

  • Reflective Attacks – Reflection and amplification attacks abuse DNS, NTP, SNMP, memcached, and other UDP-based services. Because UDP has no handshake, the attacker can put the victim's address as the source of small requests sent to publicly reachable servers running these services, and the servers send their replies to the victim. Where the reply is much larger than the request, the attack is amplified; factors range from tens of times for DNS to tens of thousands for memcached, so a modest botnet can produce a very large flood. The victim sees unsolicited responses from thousands of otherwise legitimate servers, which makes blocking by source impractical.
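From the victim's side, a reflection attack (and the amplification floods listed under volumetric attacks above) looks like a stream of UDP responses from well-known service ports that nobody on the network ever asked for. The following added example, written for this article and not code from the original page or any product, applies that test to flow records: a response counts as solicited only if an outbound request to the same server, service port, and local port was seen, and everything else is grouped by service so the analyst can see which reflector population is being used. The flow-record format (`dir proto remote_ip remote_port local_port bytes`), the addresses, and the byte counts are constructed assumptions; the service-port table lists real well-known ports.

```python
"""Spotting reflected/amplified UDP floods in flow records seen at the victim.

Added example, not from the original article.  The flow-record format, the
addresses and the byte counts are constructed for illustration.
"""
from collections import defaultdict

# UDP services routinely abused as reflectors (their well-known service ports).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


def parse_flow(line):
    """'dir proto remote_ip remote_port local_port bytes' (constructed format)."""
    direction, proto, rip, rport, lport, nbytes = line.split()
    return direction, proto, rip, int(rport), int(lport), int(nbytes)


def reflection_report(lines, min_reflectors=5):
    """Group inbound UDP traffic from reflector ports by service.

    A response is 'solicited' only if we sent a request to that exact
    (remote_ip, remote_port, local_port) tuple; anything else is a candidate
    reflection, because the spoofed request that triggered it was never ours.
    """
    requested = set()
    inbound = []
    for line in lines:
        if not line.strip():
            continue
        direction, proto, rip, rport, lport, nbytes = parse_flow(line)
        if proto != "udp" or rport not in REFLECTOR_PORTS:
            continue                      # TCP and non-reflector ports are out of scope
        key = (rip, rport, lport)
        if direction == "out":
            requested.add(key)
        else:
            inbound.append((key, nbytes))

    per_service = defaultdict(lambda: {"reflectors": set(),
                                       "unsolicited_bytes": 0, "solicited_bytes": 0})
    for (rip, rport, lport), nbytes in inbound:
        svc = per_service[REFLECTOR_PORTS[rport]]
        if (rip, rport, lport) in requested:
            svc["solicited_bytes"] += nbytes
        else:
            svc["reflectors"].add(rip)
            svc["unsolicited_bytes"] += nbytes

    report = {}
    for name, s in per_service.items():
        if len(s["reflectors"]) >= min_reflectors:   # a few strays are not an attack
            report[name] = {"reflectors": len(s["reflectors"]),
                            "unsolicited_bytes": s["unsolicited_bytes"]}
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["unsolicited_bytes"]))


def build_sample_flows():
    """Constructed flow records (not a real export)."""
    lines = [
        "out udp 192.0.2.53 53 41000 62",        # our own DNS query ...
        "in udp 192.0.2.53 53 41000 210",        # ... and its answer: solicited
        "in tcp 198.51.100.9 443 51234 900",     # ordinary TCP, ignored
        "in udp 198.51.100.20 53 33000 3100",    # two stray DNS answers: below threshold
        "in udp 198.51.100.21 53 33000 3100",
    ]
    # 40 NTP servers answering a query we never sent, all aimed at our port 80.
    lines += [f"in udp 203.0.113.{i} 123 80 482" for i in range(1, 41)]
    # 30 memcached servers doing the same with far larger responses.
    lines += [f"in udp 192.0.2.{i} 11211 80 140000" for i in range(100, 130)]
    return lines


if __name__ == "__main__":
    for service, stats in reflection_report(build_sample_flows()).items():
        print(service, stats)
```

The report is what you hand to the upstream provider: the reflectors are third parties whose services are working as designed, so the practical mitigations are dropping these source ports at the edge or in a scrubbing centre, and, for the internet at large, ingress filtering so the spoofed requests never leave the attacker's network.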

Some popular free DDoS tools include LOIC, HOIC, Slowloris, and RUDY. LOIC and HOIC are single-machine flood tools whose impact depends on many volunteers running them at the same time, whereas the slow-request tools need very little bandwidth to be effective. Skilled attackers often build their own tools or modify existing malware such as Mirai, whose source code was published in 2016. DDoS tools continue to grow in sophistication, making them a serious threat.[1]

DDoS Attack Sources

DDoS attacks can originate from a variety of sources, but some of the most common include individual hackers, hacktivist groups, and cybercriminals. Individual hackers may launch small-scale DDoS attacks just to see if they can take down a website or cause disruption. For example, in 2000, Canadian teenager Michael Calce, also known as “MafiaBoy”, launched a series of infamous DDoS attacks against high-profile websites like CNN, Amazon, and Yahoo! [1].

Hacktivist groups like Anonymous have also been known to use DDoS attacks as a form of political protest. In 2010, Anonymous carried out DDoS attacks against PayPal, MasterCard, and others who had withdrawn support for WikiLeaks [2]. More recently, in 2022, the hacktivist group Killnet claimed responsibility for DDoS attacks against government websites in Lithuania, Norway, and other countries [3].

Cybercriminals frequently use DDoS attacks as a method of extortion, threatening to take down websites and networks unless a ransom is paid. The Mirai botnet, composed of hundreds of thousands of hacked Internet of Things devices, was used to launch massive DDoS attacks in 2016, including the attack on the DNS provider Dyn that left many major websites unreachable. Cybercriminals also run DDoS-for-hire services that let anyone rent a botnet and launch attacks with no skill of their own.

DDoS Defense Strategies

There are several methods to defend against DDoS attacks and mitigate their impact:

Blackhole routing involves configuring routers, usually through a remotely triggered blackhole (RTBH) announcement to the upstream provider, to drop all packets destined for the attacked address, so that the flood never consumes the organization's link. Because the blackholed address becomes unreachable for everyone, this completes the attacker's goal for that one target; it is a way of sacrificing a single host so that the rest of the network stays up, and legitimate users of that host are blocked until the route is withdrawn (Cloudflare, n.d.).

Rate limiting sets a threshold on traffic allowed from a certain source; requests above the threshold are dropped or delayed. This protects application servers from being overloaded (Indusface, 2023). Per-source limits only work when the attack comes from a manageable number of real addresses, so against spoofed or widely distributed sources they should be combined with a budget per expensive endpoint or on the overall request rate.
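The usual way to implement rate limiting is a token bucket: each source gets a bucket that refills at a steady rate and can hold a small burst, and a request is served only if it can take a token. The following is an added example written for this article, not code from the original page or from any vendor product. It layers two tiers, a bucket per source address and a bucket per expensive endpoint, and runs them over a constructed ten-second request stream that contains one noisy client, one normal client, and fifty bots that each stay under the per-source limit but together overrun the endpoint. The rates, burst sizes, paths, addresses, and the stream itself are assumptions; integer millisecond timestamps and milli-tokens keep the arithmetic exact.

```python
"""Two-tier token-bucket rate limiting: one bucket per source address plus one
per expensive endpoint.  Added example, not taken from the article or from any
product.  All rates, bursts, addresses and the request stream are constructed
for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Bucket holding `burst` tokens, refilled at `rate` tokens per second.
    Kept in integers: milli-tokens, milliseconds, so rate tokens/s == rate
    milli-tokens per millisecond and there is no floating-point drift."""

    def __init__(self, rate, burst, now_ms):
        self.rate = rate
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = now_ms

    def take(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)        # tolerate out-of-order clocks
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class TwoTierLimiter:
    def __init__(self, per_source=(5, 10), endpoint_limits=None):
        self.src_rate, self.src_burst = per_source
        self.endpoint_limits = endpoint_limits or {}   # path -> (rate, burst)
        self.sources = {}       # unbounded here; a real limiter must cap this table
        self.endpoints = {}

    def check(self, src, path, now_ms):
        """Return 'allow', 'deny:source' or 'deny:endpoint'."""
        b = self.sources.get(src)
        if b is None:
            b = self.sources[src] = TokenBucket(self.src_rate, self.src_burst, now_ms)
        if not b.take(now_ms):
            return "deny:source"
        if path in self.endpoint_limits:
            e = self.endpoints.get(path)
            if e is None:
                rate, burst = self.endpoint_limits[path]
                e = self.endpoints[path] = TokenBucket(rate, burst, now_ms)
            if not e.take(now_ms):
                return "deny:endpoint"
        return "allow"


def build_sample_stream():
    """Constructed 10-second request stream of (t_ms, src_ip, path)."""
    events = []
    # One noisy client hammering /login at 100 requests per second.
    events += [(t, "198.51.100.7", "/login") for t in range(0, 10_000, 10)]
    # One legitimate client at two requests per second.
    events += [(t, "192.0.2.10", "/login") for t in range(0, 10_000, 500)]
    # Fifty bots each sending one /search request per second: every bot stays
    # under the per-source limit, so only the endpoint budget can catch them.
    for j in range(50):
        events += [(s * 1000 + j * 10, f"10.0.0.{j + 1}", "/search") for s in range(10)]
    events.sort()              # buckets must see time moving forwards
    return events


def run(events, limiter=None):
    """Apply the limiter to a time-ordered stream; tally verdicts per (src, path)."""
    if limiter is None:
        limiter = TwoTierLimiter(per_source=(5, 10), endpoint_limits={"/search": (20, 20)})
    tally = defaultdict(lambda: {"allow": 0, "deny:source": 0, "deny:endpoint": 0})
    for t_ms, src, path in events:
        tally[(src, path)][limiter.check(src, path, t_ms)] += 1
    return dict(tally)


def summarize_by_path(tally):
    out = defaultdict(lambda: {"allow": 0, "deny:source": 0, "deny:endpoint": 0})
    for (_, path), counts in tally.items():
        for verdict, n in counts.items():
            out[path][verdict] += n
    return dict(out)


if __name__ == "__main__":
    for path, counts in sorted(summarize_by_path(run(build_sample_stream())).items()):
        print(path, counts)
```

In the sample the noisy client gets through only while its burst lasts and then at the refill rate, the normal client is never touched, and the distributed bots are never stopped by the per-source tier at all; only the endpoint budget holds `/search` to its rate. Note also that the `sources` table grows by one entry per distinct address, so an attacker with many spoofed sources can use the limiter itself as a memory-exhaustion target; production limiters bound that table and key on something the attacker cannot spoof where possible.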

Allowlisting (whitelisting) admits traffic only from sources on an approved list and drops everything else. It is practical only for services with a small, known client population, such as partner APIs or VPN gateways; it does not stop an attacker who spoofs an allowlisted address, and the list is difficult to maintain as users access the application from new locations (Blogs.blackberry.com, 2022).

Other common strategies include load balancers to distribute traffic across servers, increased bandwidth to handle larger attacks, emergency switching to backup infrastructure, and specialized DDoS mitigation services (Cloudflare, n.d.).

An effective DDoS defense combines multiple techniques to block malicious traffic while allowing legitimate users through (Indusface, 2023). DDoS protection should be tested regularly to ensure effectiveness against evolving attack methods.

DDoS Protection Services

Organizations have several options for implementing DDoS protection, including cloud-based scrubbing services, on-premises hardware solutions, and hybrid approaches.

Cloud-based DDoS protection services offer the benefit of using a vendor’s global network infrastructure to scrub attack traffic before it hits an organization’s network. Popular options include Cloudflare, AWS Shield, and offerings from telecom providers.

On-premises DDoS mitigation hardware, such as solutions from Radware and Imperva, offers localized scrubbing and real-time attack detection. However, it requires significant capital investment and local expertise, and it cannot help once a volumetric attack has saturated the upstream link itself, since the flood is dropped only after it has already consumed the bandwidth.

Hybrid options combine cloud scrubbing with some on-prem hardware for cost efficiency and flexibility. Organizations should evaluate their risk level, tolerance for downtime, and budget when selecting the right DDoS protection architecture.

The Future of DDoS Attacks

The future of DDoS attacks is likely to involve larger and more complex attacks as cybercriminals utilize new techniques and vectors. Some key trends that are emerging include:

IoT botnets – The proliferation of insecure Internet of Things (IoT) devices provides a massive base for attackers to build botnets capable of extremely powerful DDoS attacks. The Mirai botnet in 2016 harnessed unsecured IoT devices to launch some of the largest DDoS attacks on record at the time [1].

Higher throughput attacks – Bandwidth capacities are continually growing, enabling ever larger volumetric DDoS attacks; several publicly reported attacks have already exceeded 1 Tbps, and attacks are likely to scale up further as bandwidth expands [2].

Multi-vector attacks – Rather than relying on a single vector, attackers are combining multiple attack vectors in coordinated ways, and switching between them mid-attack, to create complex, multi-stage attacks that are harder to mitigate. These typically mix a volumetric flood with a protocol attack and an application layer component, so that a defense tuned for one of them leaves the others open.