You’ve read about DDoS attacks like SYN flood, ping of death and zero-day in our blog and on news sites. The one thing they have in common is they’re not all the same. They all have different characteristics, methods, and attack vectors. Broadly speaking, there are three main types of attacks that all DDoS attacks fall under: volumetric (Gbps), protocol (pps) and application layer (rps) attacks. All three have the intent to disrupt some or all of its victim’s services, but each performs it a different way.
Since the acronyms are so similar, people often confuse the three. And to make it more complicated, while there are three distinct types of DDoS attacks, they can overlap during a single attack and are often combined for greater impact. We see these often on our network and have previously reported on them. In this post, we’ll look at how they work and what they mean.
Gbps or Volumetric Attacks
The volumetric DDoS attack is what most people envision when they hear about a DDoS attack because this kind of attack is the most common. It was actually the first attack that made the news in the late 1990s which then spawned an army of copycats.
Volumetric attacks are also known as floods, because they “flood” a victim’s resource with requests, like unwanted pings. Attacks are measured in bits per second (bps) or Gigabits per second (Gbps).
The concept of a volumetric attack is simple, which is to send as much traffic as possible to a site to overwhelm its bandwidth. Volumetric attacks typically (in the last decade) were produced using amplification techniques. The DNS amplification is the most common technique where the attacker sends small DNS requests with a spoofed source IP address of the victim to a DNS server. When the server receives the request it responds to the victim with a large response. In comparison, it is much easier today to create big botnets using IoT devices. IoT devices are less or not secure at all, connected to the Internet and can execute code. As a result the amplification technique has become less popular, but is still used sometimes.
The proliferation of cheap IoT devices like dolls, toasters, thermostats, security cameras and Wi-Fi routers makes it easy to launch an effective attack with just a few clicks. A hacker can easily leverage the extensibility of the internet to launch a volumetric DDoS attack at little or no cost.
The Mirai botnet is an example of the devastation of leveraged unsecured IoT devices. Mirai targeted IoT devices, using each infected device to join a volumetric DDoS attack. It compromised Airbnb, Twitter, the New York Times, CNN, Fox News, Netflix and many other organizations.
pps or Network Protocol DDoS Attacks
Very broadly, an internet protocol is a discrete set of rules to exchange information on the internet. One of the most well known is TCP/IP which is a set of rules used for exchanging requests and data. By exploiting those rules, a bad actor can bring a service to its knees.
For example, the ping of death (POD) attack is an IP fragmentation attack that exploits the inherent size limitation that a packet can be transmitted in. By manipulating parts of the packet or fragments, the exploit can overflow the memory buffers allocated to that packet and then deny service to legitimate packets.
A TCP SYN flood is another common protocol attack. Here a surge of TCP SYN requests directed towards a target overwhelms the target and makes it unresponsive.
Protocol attacks often work at layers 3 and 4 of the OSI model on network devices like routers. And because they are on the network layer, they are measured in packets per second (pps).
Network layer DDoS attack types include:
- UDP floods
- SYN floods
- NTP amplification
- DNS amplification
- SSDP amplification
- IP fragmentation
- SYN-ACK floods and more.
This is a simplified description of the complexity of an attack and the labeling of an attack. While we can categorize UDP floods, SYN floods and NTP, DNS and SSCP amplification attacks under pps or network protocol DDoS attacks, they can just as easily be categorized as bps attacks depending on the vector and packet size.
rps or Application Layer DDoS Attacks
While volumetric attacks, and — to a lesser extent — protocol attacks compromise a service with the sheer number of requests, application layer attacks or layer 7 attacks, target an edge server that executes a web application like WordPress. These threats are harder to detect as attackers in most cases make legitimate requests like a website user, and need far fewer bots to attack. Consequently, these attacks also show up as much smaller traffic spikes.
Application layer attacks are measured in requests per second (rps) or the number of requests made of an application. It takes far fewer requests to bring down an application because the attack is focused on overwhelming the CPU and memory. An application layer attack is considered a resource-based attack.
An application layer attack typically includes hitting the web server, running PHP scripts and contacting the database to load web pages. A single HTTP request which is simple to execute on the client side, can cause a server to execute a large number of internal requests and load numerous files to fulfil the request, which is what slows the system.
The Mirai botnet was the highest-profile DDoS story in 2016. In addition to executing network layer attacks, it has two vectors of application layer DDoS attacks: GET/POST flood and STOMP attack. Try the Incapsula scanner to check if one or more devices on your network is infected by or vulnerable to Mirai.
Typically, an application layer attack may also be a multi-vector attack that uses a combination of volumetric and protocol attacks to increase the likelihood of taking a service offline.
Hackers don’t make such clean distinctions between the three types of attacks. Their goal is to disrupt your business and a more effective way for them to do that is to attack with more than one vector. When attacking your service they’ll combine volumetric, protocol and application layer attacks into a multi-vector attack. Multi-vector attacks hit the target in varying forms and disrupt the processes at a higher level.
Because of their complexity and subsequently their effectiveness, we find that multi-vector attacks are the fastest growing types of DDoS attacks. In fact, 40.5 percent of all attacks were multi-vector attacks, compared to 29 percent in Q4 2016.
|DDoS Attack Type||Metric||Fast Fact||Category||Characteristics||Examples||Mitigation|
|Volumetric Attack||Bits per second (bps), Giga bits per second (Gbps), flood||Was the first famous DDoS attack||Connectionless||High volume, using bots||Dyn, UDP flood||Volumetric attacks are absorbed in a global network of scrubbing centers that scale on demand to counter multi-gigabyte DDoS attacks.|
|Protocol attack||Packets per second (pps)||Traces its origins back to 1996||Connection-based||Attacks the network layer||Syn flood, ping of death||This type of attack is mitigated by blocking “bad” traffic before it reaches the site. Uses visitor identification technology to differentiate legitimate website visitors (humans, search engines) and automated or malicious clients.|
|Application layer attack||Requests per second (rps), low-rate||Made famous by Mirai malware||Connection-based||Difficult to detect||SQL injection, XSS||Application layer attacks are blocked by monitoring visitor behavior, blocking known bad bots, and challenging suspicious or unrecognized entities with JS test, cookie challenge, and even CAPTCHAs.|
Mitigating Gbps, pps and rps Attacks
Hackers may use all types of vectors during a DDoS attack, but to mitigate them you’ll need different approaches to block the the specific vectors.
Volumetric attacks are routed to a DDoS mitigation service that absorbs the attack in its network of scrubbing centers that scale on demand to counter multi-gigabit DDoS attacks.
Security services deal with protocol attacks by blocking “bad” traffic before it even reaches the site. Here visitor identification technology differentiates between legitimate website visitors (humans, search engines) and automated or malicious clients.
Application layer attacks are blocked by technology that monitors visitor behavior, blocks known bad bots, and challenges suspicious or unrecognized entities with JS test, cookie challenge and when necessary, CAPTCHAs.
In reality, it’s hard to accurately compare the danger of Gbps, pps and rps attacks, as it depends on varying factors. The main factors that influence an attack are the services that the victim is running and on their inbound traffic capacity. Basically, the larger the attack (either in terms of bandwidth, packets per second or requests per second, depending on the attack type), the higher the damage.
And like I said earlier, multi-vector attacks make it still harder to quantify their differences. And, in fact, this is exactly what we see trending:
- Pulse-wave attacks, which try to evade some hybrid on-prem first DDoS mitigation solutions. In the most extreme cases, they lasted for days at a time and scaled as high as 350 Gbps
- Multi-vector attacks, which comprise two or more vectors from the attack types listed above
- Smart and large botnets (such as mobile- and IoT-based ones), which try to mimic the legitimate traffic of the victim as much as possible
All types of DDoS attacks have the same goal — to disrupt your service. DDoS attacks come in three broad types, but deploy in many forms. Intelligent DDoS mitigation services are designed to handle any, all or a combination of them.