When major cyber attacks are made public, we often hear about their magnitude and strength. More often than not, the media is talking about DDoS attacks. Deloitte for example revealed that the year 2016 “saw the first two [DDoS] attacks of one terabit per second (Tbps) or more.” But what does this actually mean? One terabit in itself sounds huge, but in order to understand what these measurements mean it’s important to understand the different types of DDoS attacks. It’s likely that you’ve heard of very specific DDoS attacks with unique names like ‘Ping of Death’ and ‘Smurf DDoS.’ But in spite of these fancy names DDoS attacks can generally be divided into three broad categories: volume-based attacks, protocol attacks, and application layer attacks. With these frameworks in mind, you’ll be able to decode all that talk about DDoS – even if you consider yourself to be among the non-tech-savvy.
Volume-based DDoS attacks are the most common out of the three. To carry out this kind of cyber attack, hackers utilize many computers and internet connections (often distributed around the world) to flood a website with traffic so that an overwhelming amount clogs up the website’s available bandwidth. As a result, legitimate traffic is unable to pass through, and hackers are able to successfully take down the website. Volume-based attacks are measured in bits per second (Bps).
An example of a volume based attack is the UDP flood. Hackers take advantage of a sessionless networking protocol known as the User Datagram Protocol (UDP), which is essential to the Internet protocol (IP) suite. (To read about how UDP works read here). In a UDP flood, a hacker overwhelms random ports on the targeted host so that as more UDP packets are received and answered, the system is unable to handle the volume of requests and thus becomes unresponsive.
Unlike volume-based attacks, protocol attacks aim to exhaust server resources instead of bandwidth. They also target what is known as “intermediate communication equipment,” which in simpler terms refers to intermediaries between the server and website, such as firewalls and load balancers. Hackers overwhelm websites and these server resources by making phony protocol requests in order to consume the available resources. The strength of these attacks are measured in packets per second (Pps).
One example of this type of attack is the Smurf DDoS. Hackers exploit Internet Control Message Protocol (ICMP) packets which contain the victim’s spoofed IP and then broadcast the IP to a computer network using an IP broadcast address (used to transmit messages and data packets to network systems). If the number of devices on the network is large enough, the victim’s computer will be flooded with traffic since most devices on network respond by default to the source IP address.
Application Layer Attacks
Generally, application layer attacks require fewer resources than volume-based attacks and protocol attacks. This type of attack targets vulnerabilities within applications (hence their name) such as Apache, Windows and OpenBSD. In true DDoS nature, application layer attacks bring down servers by making a large number of requests that appear legitimate at first by mimicking a users’ traffic behavior. But because application layer attacks are only targeting specific application packets, they can go unnoticed. Application layer attacks look to disrupt specific functions or features of a website such as online transactions. The strength of these attacks are measured in requests per second (Rps).
One example of an application layer attack is the Slowloris. Slowloris is able to cause one web server to take down another. By establishing connections to the target server and only sending partial requests, Slowloris “holds” open many connections to the server for as long as possible. As it constantly sends more HTTP headers (HTTP headers allow the client and the server to exchange additional information) and only sends partial requests, it never completes a request which eventually overwhelms the maximum allowed and prevents further connections from being made.
While volume-based attacks, protocol attacks, and application layer attacks define broad categories of DDoS attacks, not all attacks fall into a perfect category. This is because DDoS attack methods are evolving everyday. In fact, a new trend includes “blended attacks.” Hackers may launch a protocol attack to create a distraction and then launch an application layer attack since they take more time to find the vulnerabilities within the application layer. Blended attacks are increasing in frequency, complexity and size. Without the proper defense system in place, they have the potential to cause unimaginable damage. To read more about how DDoS attacks affect different industries check the blog post, “DDoS Attacks: Their Top 5 Favorite Industry Targets.”