DDoS attacks are one of the most common threats across today’s landscape. But to stop them from crashing or degrading your web application, you must understand what they are and how they work.
Put simply, a Distributed Denial of Service (DDoS) attack happens when a malicious person uses an infected army of computers, known as a botnet, to send non-stop requests to their chosen website and overwhelm their traffic system.
The main types of attacks can be summarized as the following:
- Volume-based attacks: This type of attack uses a form of amplification or utilizes requests from a botnet to create huge amounts of traffic and overwhelm a system.
- Protocol attacks: Also known as state-exhaustion attacks, protocol attacks are focused on exploiting vulnerabilities in network resources, overwhelming server setups such as firewalls and load balancers.
- Application layer attacks: Also known as Layer 7 attacks, this type of strike aims to crash the web server and can be thought of as refreshing a web browser over and over across thousands of computers at once.
For a more detailed explanation of how DDoS works, check out this previous blog post. This time, we will dive into specific types of attacks and understand what makes them different from each other.
Most Common Types of DDoS Attacks
While looking at security reports and DDoS post-mortems, you might have encountered many different names, regarding various types of attacks. Basically, all DDoS attacks aim to overwhelm systems with requests.
But what are the differences between them, you may ask? What do those letters even mean? Read on and let us explain:
DNS Amplification
Amplification attacks in general are reflection-based volumetric DDoS attacks. In this case, the attacker uses this process to open DNS resolvers to overwhelm target servers or networks with large amounts of traffic, making it inaccessible to the rest of its infrastructure.
- Type of Attack: Volume-based
- Solution: Using a network with high capacity and programmable firewall
UDP Flood
As the name suggests, a UDP flood is a denial-of-service attack that floods its target with User Datagram Protocol (UDP) packets. Aiming to flood random ports on remote hosts, it causes them to check for application listenings and return with ICMP ‘Destination Unreachable’ packets. As this process is done over and over, the protocol’s resources are overwhelmed as the firewall tries to process and respond to all of these requests.
- Type of Attack: Volume-based
- Solution: Dropping UDP requests not related to DNS at the edge of the network and balancing load across a high-capacity network of servers
SYN Flood
SYN floods exploit the three-way handshake in the TCP connection sequence, where SYN requests to initiate a TCP connection must be answered by the host and confirmed by the requester. In an SYN flood, the attacker sends repeated SYN requests to its target without acknowledging the response, tying up resources as the targeted device waits to complete the sequence, resulting in reduced performance or even unavailable services.
- Type of attack: Protocol based
- Solution: Using reverse proxies or firewalls to filter requests
HTTP Flood
HTTP floods are another hard-to-block attack, as they are specially crafted to target a specific application or server, using seemingly legitimate requests rather than malformed packets, spoofing, or reflection techniques. Instead, the attacker’s botnet inundates the server with as many processing-intensive GET or POST requests as possible, eventually overwhelming the target’s resources.
- Type of attack: Application layer
- Solution: Advanced bot mitigation and WAF
NTP Amplification
NTP is a network protocol that Internet-connected machines use to synchronize their clocks. Older versions of NTP also allow administrators to monitor traffic using a command called the “monlist,” which sends a list of the last 600 hosts that connected to the queried server. In NTP amplification attacks, the attacker repeatedly sends the “get monlist” request to a publicly accessible NTP server while spoofing the target’s server. As a result, the list is repeatedly sent to the target’s server, amplifying the amount of traffic and resulting in degraded or unavailable service for legitimate users.
- Type of attack: Volume-based
- Solution: Disabling monlist, ingress filtering, and balancing traffic across a high-capacity network to avoid overwhelming a single IP address
How to Protect Against DDoS Attacks
DDoS attacks come in many forms and types, some of which can be almost indistinguishable from legitimate requests. Without an experienced DDoS mitigation partner, a company’s security policies may generate false positives that deny legitimate traffic or false negatives that leave them open to attack.
Azion’s Edge Network uses a reverse proxy structure that provides a layer of protection against DDoS attacks by obscuring the identity of our clients’ origin servers and delivering a high percentage of requests directly from the edge, preventing malicious traffic from reaching their origin infrastructure.
In addition, our integrated security stack, Edge Firewall, provides programmable security at the edge of the network, including DDoS Protection, Network Layer Protection, WAF, and Bot Mitigation. These modules provide the tools needed to craft zero-trust security policies and mitigate the largest and most complex attacks:
- Fast time-to-mitigate (typically under one second)
- 100% uptime, backed by SLA
- Full-stack security enables high visibility, automated responses, and easy integration with leading analytics solutions
- SDN router isolates customers and uses advanced algorithms to maintain performance during complex attacks
To learn more about DDoS attacks, check out this blog post on recent attack trends, or talk to an expert about how Azion can protect your company from DDoS attacks.