DDos Attack Types Guide

DDoS types which commonly target businesses

Below, we explore some of the types of DDoS attacks that pose a risk to companies in different sectors.

ICMP flood

An ICMP (or Ping) flood is made to overwhelm a targeted resource with ICMP Echo Request packets. Essentially, unlike other DDoS types, this one sends a high number of packets as quickly as possible — but without taking time to wait for any replies.

As a result, ICMP flood attacks may consume a business’s incoming and outgoing bandwidth as servers will try to use ICMP Echo Reply packets to reply. This can ultimately cause major slowdown in systems.

UDP (User Datagram Protocol) flood

Essentially, a UDP flood is a DDoS attack which causes a storm of UDP packets with an intent to cause floods in a remote host’s ports randomly.

Such an attack can cause hosts to continually search for application listening in certain ports. When applications aren’t located, the host will reply with an ICMP “destination unreachable” packet — which consumes resources and potentially causes inaccessibility.

SYN flood

This DDoS attack type is unleashed to take advantage of a vulnerability in the TCP connect sequence, in which a SYN request to trigger a TCP connection to the target host needs to be responded to with a SYN-ACK reply. It is then to be confirmed by the requester’s ACK response.

In this DDoS attack type, a requester would launch a number of SYN requests but doesn’t respond to the SYN-ACK response or triggers the requests from a spoofed address. In any case, the host system is left waiting for each request’s acknowledgement — leaving resources bound until no fresh connections can be initiated. This leads to a denial of service.

Slowloris

A Slowloris is an attack designed to help one web server bring another down without having an effect on other ports or services within the network targeted. How? By keeping as many of the target server’s connections open for as long as it can, by making connections to the server but sending just partial requests.

So, a Slowloris keeps sending HTTP headers without ever completing a request, and the server keeps all of them open. Eventually, this creates an overflow in the connection pool and causes denial of additional connections from innocent clients.

POD (Ping of Death)

The so-called ping of death is a DDoS attack type which involves sending several malicious pings to a target computer, giving recipient hosts oversized packets, which overflows those memory buffers which have been allocated for the received packet. This leads to denial of service for any packets which may be legitimate.

This works on the basis that an IP packet’s maximum length is 65,535 bytes, but Data Link Layers typically impose limits on a maximum frame size. In ping of death attacks, a massive packet becomes separated across more than one, causing the recipient host to reassemble it into the oversized packet.

HTTP flood

Attackers use HTTP floods to target an application or web server by taking advantage of HTTP GET or POST requests which may appear genuine.

This type of attack doesn’t involve malformed packets or spoofing, and puts less strain on bandwidth than other DDoS types. HTTP floods tend to be most impactful when forcing an application or server to allocate all of the resources available in response to all requests.

Zero day

Zero day types of DDos attacks refers to all new or unknown forms of threats, which depend on vulnerabilities for which patches are yet to be issued. Hackers usually exchange zero day opportunities regularly.

NTP amplification

Attackers use an NTP amplification to target Network Time Protocol servers and overwhelm them with UDP traffic. These DDoS attacks are described as “amplification”-based because of the query to response ratio.

This tends to be between 1:20 and 1:200 or higher, enabling attackers to achieve major disruptions if they have access to multiple open Network Time Protocols.