Corero’s Distributed Denial of Service (DDoS) attack glossary provides a high-level overview of the various DDoS attack types and their typical characteristics.
A Distributed Denial of Service (DDoS) attack is one in which many compromised systems attack a single target, producing a flood of incoming messages that overwhelms the target and causes it to shut down or become unresponsive. This is distinct from a Denial of Service (DoS) attack, which typically involves a much lower rate of traffic sourced from a single device.
Common DDoS Attack Types
In an ACK flood or ACK-PUSH flood, attackers send spoofed ACK (or ACK-PUSH) packets at very high packet rates that do not belong to any current session in the firewall’s state table and/or the server’s connection list. The flood exhausts a victim’s firewalls by forcing state-table lookups, and exhausts servers by depleting the system resources used to match these incoming packets to an existing flow.
A DNS amplification attack is a reflective variant of the DNS flood: attackers spoof the victim’s address as the source of queries sent to Open Recursive DNS servers and use extensions to the DNS protocol so that very small DNS requests result in very large, high-volume DNS responses (the Amplification Factor). Read more about DNS Amplification Attacks.
In a DNS Flood, attackers use DNS as a variant of a UDP flood. Attackers send valid but spoofed DNS request packets at a very high packet rate and from a very large group of source IP addresses. Since these appear to be valid requests, the victim’s DNS servers proceed to respond to all of them and can be overwhelmed by the vast number of requests. This DNS attack consumes large amounts of network resources and exhausts the DNS infrastructure until it goes offline, taking the victim’s Internet access (www) down with it.
In an Excessive Verb Attack, attackers take advantage of a feature of HTTP 1.1 that allows multiple client requests within a single HTTP session. This lets attackers lower the session request rate of an HTTP attack in order to stay under the radar of the request rate-limiting features found on some attack defense systems deployed today. This attack is viewed as a low-and-slow Application-Layer attack; it normally consumes little bandwidth but eventually renders the victim’s servers unresponsive.
In a GET Flood, attackers send large numbers of valid HTTP requests to a victim’s web server. The HTTP request is most often a GET request and is directed at the most CPU-intensive process on the victim web server. Each attacker can generate large numbers of valid GET requests, so a relatively small number of attacking machines can take a system offline. HTTP GET Floods are non-spoofed: the source IP address is the actual public IP of the attacking machine (or its NAT firewall). The most common variant of this attack uses GET requests, but an attacker can also use HEAD, POST, PUT, OPTIONS or any other HTTP method to cause an outage. This attack is viewed as a low-and-slow Application-Layer attack; it normally consumes little bandwidth but eventually renders the victim’s servers unresponsive.
In a Fake Session Denial of Service Attack, an attacker sends forged SYN packets, multiple ACK packets and then one or more FIN/RST packets. Seen together, these packets look like a valid TCP session observed from one direction only. Since many modern networks use asymmetric routing, whereby incoming and outgoing packets traverse different Internet links to improve cost and performance, this attack is harder to detect. The attack simulates a complete TCP conversation and is designed to confuse newer attack defense tools that monitor only traffic entering the network rather than also monitoring server responses bi-directionally. Two variants are most often observed: the first sends multiple SYNs, then multiple ACKs, followed by one or more FIN/RST packets; the second skips the initial SYN and starts by sending multiple ACKs, followed by one or more FIN/RST packets. The slow TCP-SYN rate makes the attack harder to detect than a typical SYN flood.
In a Fraggle Attack, attackers send spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network resulting in a denial of service.
In a fragmented ACK Flood DDoS attack, large fragmented (1500+ byte) packets are sent to consume large amounts of bandwidth while generating a relatively small packet rate. Although the protocols allow fragmentation, these packets usually pass through border routers, firewalls and IDS/IPS devices uninspected, or cause those devices to consume excessive resources attempting to reassemble and inspect them. The packet contents can be randomized, irrelevant data whose only purpose is to consume resources. However, this method can also be used as an Advanced Evasion Technique designed to bypass deep packet inspection devices altogether. The attacker’s goal can be to consume all bandwidth of the victim’s network, or to use fragmentation to hide insidious low-and-slow application-layer DDoS attacks, malware, overflows, brute-force attempts, etc.
In an HTTP Fragmentation Attack, a non-spoofed attacker establishes a valid HTTP connection with a web server. The attacker then fragments legitimate HTTP packets into the smallest fragments possible and sends each fragment as slowly as the server time-out allows, which holds the HTTP connection open for a long period of time without raising any alarms. By opening multiple extended sessions per attacker, the attacker can silently force a web application offline with just a handful of attacking machines.
In an ICMP Flood Attack, attackers send highly-spoofed ICMP packets at large enough volumes to flood a network. The victim’s network resources are overwhelmed by the large number of incoming ICMP packets. The attack consumes resources and available bandwidth, exhausting the network until it goes offline. ICMP floods can overwhelm a network with packets containing random or fixed source IP addresses. This attack is often viewed as a Network-Level volumetric attack and can be defeated by L3/L4 Packet Filtering.
In an ICMP Fragmentation Flood, attackers send highly-spoofed, large fragmented ICMP packets (1500+ byte) at a very high packet rate and these packets cannot be reassembled. The large packet size can enlarge the bandwidth of an ICMP attack overall. In addition, it causes wasted CPU resources in an attempt to reassemble useless packets.
In an IP NULL Attack, attackers send packets whose IPv4 Protocol header field, which specifies the transport protocol carried in the payload (e.g. TCP or UDP), is set to a value of zero. Firewalls configured for just TCP, UDP and ICMP may allow this type of packet through. If these packets arrive as a flood, a victim server’s CPU resources may be wasted handling them.
Memcached is just one service or process (often called a daemon hence the “d”) that runs on a server. The server itself could primarily be a mail server, a web server, a DNS server, etc. Most of the time the vulnerable Memcached service is there by accident, installed as a default in case anyone wants to use the service. Attackers are exploiting Memcached reflection vulnerabilities to launch large denial-of-service attacks against target organizations. Read more about Memcached Attack.
The Mirai botnet code infects poorly protected Internet devices by using telnet to find those that are still using their factory default username and password. The effectiveness of Mirai is due to its ability to infect tens of thousands of these insecure devices and coordinate them to mount a DDoS attack against a chosen victim. Read more about Mirai Botnet.
In a Multiple Verb Attack, attackers use a variation of the Excessive Verb attack vector. The attacking machines create multiple HTTP requests not one after another within a single HTTP session, but by filling a single packet with multiple requests. In this variant of the Excessive VERB attack the attacker can maintain high CPU processing loads on the victim server with very low attack packet rates, and the low packet rates make the attacker nearly invisible to NetFlow-based attack detection techniques. If the attacker selects the HTTP VERB carefully, these attacks also bypass deep packet inspection technologies. This attack is viewed as a low-and-slow Application-Layer attack; it normally consumes little bandwidth but eventually renders the victim’s servers unresponsive.
In a Non-Spoofed UDP Flood, attackers send non-spoofed UDP packets at a very high packet rate resulting in networks becoming overwhelmed by the large amount of incoming UDP packets. The attack consumes vast amounts of network resources and bandwidth, exhausting the network and forcing denial of service. The packets contain a valid public IP address of the attacker. This type of attack is harder to identify because it resembles good traffic.
In an NTP Amplification Attack, attackers spoof the victim’s address as the source of requests sent to Open NTP servers; the small requests result in a very high volume of NTP responses directed at the victim. Read more about NTP Amplification DDoS Attacks.
In an NTP Flood, attackers use NTP as a variant of a UDP flood. Attackers send valid but spoofed NTP request packets at a very high packet rate and from a very large group of source IP addresses. Since these appear to be valid requests, the victim’s NTP servers proceed to respond to all of them and can be overwhelmed by the vast number of requests. This attack consumes large amounts of network resources and exhausts the NTP infrastructure until it goes offline.
According to US-CERT, certain UDP protocols have been identified as potential vectors for Amplified (Reflective) Attacks; most attacks using these protocols would be performed similarly to the DNS and NTP attacks. These protocols include DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, the Quake Network Protocol and the Steam Protocol.
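The DNS, NTP and other amplified (reflective) entries above all share one observable from the victim’s side: responses from a well-known UDP service port arrive at hosts that never sent a request, and each response is many times larger than the request that supposedly triggered it. The following Python is an added example, not Corero’s code: it matches inbound UDP flow records from reflector ports against the site’s own outbound requests and computes the amplification factor. The `Flow` record layout, the port-to-service table and the sample flows are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their well-known port.
# This mapping is an assumption of the example (the glossary names protocols,
# not ports); extend it to match the sensor's own service table.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 161: "SNMP", 137: "NetBIOS", 1900: "SSDP",
    19: "CharGEN", 17: "QOTD", 11211: "Memcached",
}


@dataclass
class Flow:
    """One unidirectional flow record as a border sensor might export it (constructed schema)."""
    direction: str      # "in" = toward the protected network, "out" = leaving it
    proto: str          # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: response bytes per request byte."""
    return response_bytes / request_bytes


def find_reflection(flows, min_factor: float = 10.0):
    """Match inbound UDP traffic from reflector ports against our own outbound
    requests. Responses with no matching request are unsolicited, which is exactly
    what the victim of a reflective attack sees; matched responses are reported only
    when their size ratio is suspiciously large. Returns a per-victim summary."""
    requests = {}
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dst_port in REFLECTOR_PORTS:
            requests[(f.src_ip, f.src_port, f.dst_ip, f.dst_port)] = f

    report = defaultdict(lambda: {"unsolicited_bytes": 0, "services": set(), "reflectors": set()})
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        req = requests.get((f.dst_ip, f.dst_port, f.src_ip, f.src_port))
        if req is not None and amplification_factor(req.bytes, f.bytes) < min_factor:
            continue  # an ordinary answer to a query we really sent
        entry = report[f.dst_ip]
        entry["unsolicited_bytes"] += f.bytes
        entry["services"].add(REFLECTOR_PORTS[f.src_port])
        entry["reflectors"].add(f.src_ip)
    return dict(report)


# Constructed sample: one genuine DNS lookup by 10.0.0.5, then two reflectors
# (documentation-range addresses) sending 10.0.0.9 answers it never asked for.
SAMPLE_FLOWS = [
    Flow("out", "udp", "10.0.0.5", 40000, "192.0.2.53", 53, 1, 70),
    Flow("in", "udp", "192.0.2.53", 53, "10.0.0.5", 40000, 1, 180),
    Flow("in", "udp", "198.51.100.7", 123, "10.0.0.9", 80, 5000, 2_240_000),
    Flow("in", "udp", "203.0.113.4", 11211, "10.0.0.9", 80, 800, 1_100_000_000),
]

if __name__ == "__main__":
    for victim, info in find_reflection(SAMPLE_FLOWS).items():
        print(victim, sorted(info["services"]), info["unsolicited_bytes"], "bytes")
```

The request table is keyed on the full 4-tuple, so a legitimate resolver answer is recognised and left alone, while NTP and Memcached responses aimed at a web server port are attributed to their reflectors; the per-victim byte count is what a mitigation would rate-limit or blackhole on.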
In a Ping Flood, attackers use “ping”, the ICMP echo request, and send highly-spoofed ping packets at a very high rate from random source IP ranges or with the IP address of the victim as the source. Attackers can consume all available network resources and bandwidth, exhausting the network until it goes offline. Since the PING requests are most often well-formed and highly-spoofed, a PING attack cannot be easily detected by deep packet inspection or other detection techniques.
In a Random Recursive GET Attack, attackers use a modified version of a Recursive GET. This attack is designed primarily for forum sites or news sites whereby web pages are indexed numerically, usually in a sequential manner. The attacking GET statements will insert a random number within a valid range of page reference numbers making each GET statement different than the previous one.
A Recursive GET Attack is a variant of the Excessive Verb attack. In this case, an attacker identifies multiple pages and/or images and generates HTTP GET requests that appear to “scroll” through these pages or images trying to replicate a normal user. This attack can be combined with any of the VERB attack methods to make this attack vector very difficult to detect because the requests appear to be very legitimate.
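The Excessive Verb, Recursive GET and Random Recursive GET entries describe request streams that are individually valid but behave unlike a browser: dozens of requests squeezed onto one keep-alive connection at a low overall rate, or a walk through numerically indexed pages that never fetches the page assets a real visitor would load. The following Python is an added example, not Corero’s code: it parses a constructed access-log layout (epoch time, client IP, server-side connection id, request line, status; this field layout is an assumption of the example, not a standard format), profiles each client and applies illustrative thresholds.

```python
import re
from collections import defaultdict

# Constructed access-log layout (an assumption of this example, not a standard
# format): epoch seconds, client IP, server-side connection id, request line, status.
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<conn>\d+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$'
)
# Paths whose last element is a bare number: the "numerically indexed" forum or
# news pages a Random Recursive GET walks through.
NUMERIC_PAGE = re.compile(r"^/(?:[\w-]+/)*(\d+)/?$")
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")


def parse_log(lines):
    """Yield dicts for lines matching LOG_RE; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            yield rec


def profile_sources(records):
    """Per client: request count, requests per connection, observed time span,
    distinct numeric page ids and how many requests fetched page assets."""
    prof = defaultdict(lambda: {"requests": 0, "per_conn": defaultdict(int),
                                "first": None, "last": None, "numeric_ids": set(),
                                "assets": 0})
    for r in records:
        p = prof[r["src"]]
        p["requests"] += 1
        p["per_conn"][r["conn"]] += 1
        p["first"] = r["ts"] if p["first"] is None else min(p["first"], r["ts"])
        p["last"] = r["ts"] if p["last"] is None else max(p["last"], r["ts"])
        m = NUMERIC_PAGE.match(r["path"])
        if m:
            p["numeric_ids"].add(m.group(1))
        if r["path"].lower().endswith(ASSET_SUFFIXES):
            p["assets"] += 1
    return prof


def classify(profile, max_per_conn=50, max_rate=2.0, min_numeric_ids=30):
    """Thresholds are illustrative. Excessive Verb: many requests on one keep-alive
    connection while the per-second rate stays low. Random Recursive GET: dozens of
    distinct numeric page ids and not a single page asset, which a browser rendering
    those pages would have fetched."""
    verdicts = {}
    for src, p in profile.items():
        span = max(p["last"] - p["first"], 1)
        rate = p["requests"] / span
        tags = []
        if max(p["per_conn"].values()) >= max_per_conn and rate <= max_rate:
            tags.append("excessive-verb")
        if len(p["numeric_ids"]) >= min_numeric_ids and p["assets"] == 0:
            tags.append("random-recursive-get")
        if tags:
            verdicts[src] = tags
    return verdicts


def sample_log():
    """Constructed log: a normal visitor, a slow single-session client and a
    random-page walker (documentation-range addresses)."""
    lines = []
    for i in range(3):  # normal visitor: a page plus its assets per visit
        lines.append(f'{1000 + i * 40} 192.0.2.10 {100 + i} "GET /news/{2000 + i} HTTP/1.1" 200')
        lines.append(f'{1001 + i * 40} 192.0.2.10 {100 + i} "GET /static/site.css HTTP/1.1" 200')
        lines.append(f'{1001 + i * 40} 192.0.2.10 {100 + i} "GET /static/app.js HTTP/1.1" 200')
    for i in range(60):  # 60 requests on one connection spread over 120 seconds
        lines.append(f'{2000 + i * 2} 198.51.100.7 500 "GET /search?q=a HTTP/1.1" 200')
    for i in range(40):  # a fresh connection and a pseudo-random thread id each time
        lines.append(f'{3000 + i} 203.0.113.9 {600 + i} "GET /thread/{(i * 7919) % 100000} HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    print(classify(profile_sources(parse_log(sample_log()))))
```

Per-source request rate alone would clear both attacking clients, which is the point of these low-and-slow variants; the per-connection count and the missing asset fetches are the signals that separate them from the normal visitor.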
In a RST/FIN Flood, attackers send highly-spoofed RST or FIN packets at an extremely high rate that do not belong to any session within the firewall’s state-table and/or server’s session tables. The RST or FIN flood DDoS attack exhausts a victim’s firewalls and/or servers by depleting its system resources used to look up and match these incoming packets to an existing session.
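The ACK/ACK-PUSH flood, Fake Session and RST/FIN flood entries all hinge on the same defensive question: does this segment belong to a session the firewall or server actually has in its table? The following Python is an added example, not Corero’s code: a minimal TCP state table that admits a session only through a handshake and counts, per victim socket, every ACK, RST or FIN that names no known session. The packet tuple layout and the sample capture are constructed for this example; flag letters follow tcpdump’s notation.

```python
from collections import Counter

# Constructed packet records: (timestamp, src_ip, src_port, dst_ip, dst_port, flags)
# where flags is a string of TCP flag letters as tcpdump prints them (S, A, P, F, R).


def kind(flags: str) -> str:
    """Coarse segment type used by the state table."""
    if "S" in flags:
        return "SYN-ACK" if "A" in flags else "SYN"
    if "R" in flags:
        return "RST"
    if "F" in flags:
        return "FIN"
    return "ACK"  # plain ACK and PSH-ACK data segments


class SessionTracker:
    """Tiny TCP state table. A session is created by a SYN, becomes ESTABLISHED on
    the handshake's third ACK, and is torn down by RST or by the FIN/FIN/ACK close.
    Any ACK, RST, FIN or SYN-ACK that names no known session is an 'orphan' and is
    counted against the destination socket it was aimed at."""

    def __init__(self):
        self.sessions = {}        # endpoint pair -> state name
        self.orphans = Counter()  # (dst_ip, dst_port, kind) -> count

    @staticmethod
    def key(pkt):
        _, src, sport, dst, dport, _ = pkt
        return tuple(sorted([(src, sport), (dst, dport)]))

    def feed(self, pkt):
        k, t = self.key(pkt), kind(pkt[5])
        state = self.sessions.get(k)
        if t == "SYN":
            self.sessions.setdefault(k, "SYN_SENT")
        elif t == "SYN-ACK":
            if state == "SYN_SENT":
                self.sessions[k] = "SYN_RCVD"
            else:
                self._orphan(pkt, t)
        elif state is None:
            self._orphan(pkt, t)
        elif t == "RST":
            del self.sessions[k]
        elif t == "FIN":
            self.sessions[k] = "TIME_WAIT" if state == "CLOSING" else "CLOSING"
        elif state == "SYN_RCVD":          # third handshake segment
            self.sessions[k] = "ESTABLISHED"
        elif state == "TIME_WAIT":         # final ACK of the close
            del self.sessions[k]

    def _orphan(self, pkt, t):
        _, _, _, dst, dport, _ = pkt
        self.orphans[(dst, dport, t)] += 1


def detect_orphan_floods(packets, threshold=100):
    """Run the tracker over one capture window and report victim sockets that
    received at least `threshold` orphan segments of one kind."""
    tracker = SessionTracker()
    for pkt in packets:
        tracker.feed(pkt)
    return {(dst, dport): (t, n)
            for (dst, dport, t), n in tracker.orphans.items() if n >= threshold}


def sample_capture():
    """Constructed window: one complete legitimate session, then an ACK flood at
    port 443 and an RST flood at port 80 from spoofed documentation-range sources."""
    c, s = ("192.0.2.10", 50000), ("10.0.0.9", 443)
    pkts = [(0, *c, *s, "S"), (1, *s, *c, "SA"), (2, *c, *s, "A"), (3, *c, *s, "PA"),
            (4, *s, *c, "PA"), (5, *c, *s, "FA"), (6, *s, *c, "FA"), (7, *c, *s, "A")]
    for i in range(150):
        pkts.append((10 + i, f"203.0.113.{i % 254 + 1}", 1024 + i, "10.0.0.9", 443, "A"))
    for i in range(120):
        pkts.append((200 + i, f"198.51.100.{i % 254 + 1}", 2048 + i, "10.0.0.9", 80, "R"))
    return pkts


if __name__ == "__main__":
    print(detect_orphan_floods(sample_capture()))
```

Because spoofed sources never repeat, counting orphans per source would show nothing; counting them per destination socket is what exposes the flood. A Fake Session stream of SYN, ACKs and FIN would show up here too, since without the server’s SYN-ACK the ACKs never find an established entry, which is why the tracker must see both directions of traffic.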
In a LAND DDoS Attack, a victim receives spoofed SYN packets at a very high rate that carry the victim’s IP range in both the Source IP and the Destination IP fields of the IP header. This attack exhausts a victim’s firewalls and/or servers by depleting the system resources used to process this protocol violation. Although the packet’s Source and Destination IP are identical in a Same Source/Dest attack, the content of the packets is often irrelevant because the attacker is simply attempting to deplete system resources.
In a Slow Read DDoS Attack, attackers send valid TCP-SYN packets and perform TCP three-way handshakes with the victim to establish valid sessions between the attacker and victim. The attacker first establishes a large number of valid sessions and begins to request to download a document or large object from each attacking machine. Once the download begins the attacking machines begin to slow down the acknowledgement of received packets. The attackers will continue to slow down the receipt of packets, which consumes excess resources on the delivering server since all the associated processes appear to be in a very slow receiving network. Slow Read Attacks are always non-spoofed in order to hold sessions open for long periods of time.
In a Slow Session Attack, attackers send valid TCP-SYN packets and perform TCP three-way handshakes with the victim to establish valid sessions between the attacker and victim. The attacker first establishes a large number of valid sessions, then slowly responds with an ACK packet and incomplete requests to keep the sessions open for long periods of time. Normally, the attacker tunes the attack to send an ACK packet with an incomplete request just before the server’s session time-out would be triggered. The “held-open” sessions can eventually exhaust the victim server’s resources used to handle this irregularity. Low-and-slow tools have also been designed to consume all 65,536 available “sockets” (source ports), leaving a server unable to establish any new sessions. Slow Session Attacks are always non-spoofed in order to hold sessions open for long periods of time.
Slowloris sends partial requests to the target server, opening connections, then sending HTTP headers, augmenting but never completing the request. Slow HTTP POST sends headers to signal how much data is to be sent, but sends the data very slowly, using thousands of HTTP POST connections to DDoS the web server. Read more about the Slowloris DDoS Attack.
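The Slow Read, Slow Session, Slowloris and Slow HTTP POST entries describe connections that are each individually plausible but are held open far longer than a normal request needs, either because the request never completes or because the client drains the response at a trickle. The following Python is an added example, not Corero’s code: it classifies snapshots of server-side connections and reports sources holding many such connections at once. The `Conn` field layout, the thresholds and the sample snapshot are constructed for this example; a real server exposes comparable fields through its status or connection-table interface.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """Snapshot of one server-side HTTP connection (constructed schema for this example)."""
    src_ip: str
    age_s: float            # seconds since the TCP handshake completed
    request_complete: bool  # did a full request (headers and body) ever arrive?
    bytes_recv: int         # bytes received from the client so far
    bytes_sent: int         # bytes delivered to the client so far
    recv_window: int        # client's advertised TCP receive window, last seen


def classify_conn(c: Conn, max_idle_age=30.0, min_send_rate=1024.0, tiny_window=1024):
    """Return the low-and-slow pattern this connection matches, or None.
    Thresholds are illustrative and should be tuned to the site's real traffic."""
    if not c.request_complete and c.age_s > max_idle_age:
        # Slowloris / Slow Session / Slow POST: the request never finishes arriving.
        return "slow-request"
    if c.request_complete and c.bytes_sent > 0 and c.age_s > max_idle_age:
        rate = c.bytes_sent / c.age_s
        if rate < min_send_rate and c.recv_window < tiny_window:
            # Slow Read: the client keeps a tiny window and acknowledges at a crawl.
            return "slow-read"
    return None


def slow_sources(conns, min_conns=10):
    """Sources holding at least `min_conns` low-and-slow connections simultaneously,
    with a breakdown by pattern. Non-spoofed attacks make this per-source view usable."""
    per_src = defaultdict(lambda: defaultdict(int))
    for c in conns:
        tag = classify_conn(c)
        if tag:
            per_src[c.src_ip][tag] += 1
    return {src: dict(tags) for src, tags in per_src.items() if sum(tags.values()) >= min_conns}


def sample_connections():
    """Constructed snapshot (documentation-range addresses)."""
    conns = []
    # A normal client: short-lived, complete requests, healthy window.
    for i in range(5):
        conns.append(Conn("192.0.2.10", 2.0 + i, True, 900, 50_000, 65_535))
    # Slowloris-style: 40 connections whose headers have been trickling in for minutes.
    for i in range(40):
        conns.append(Conn("198.51.100.7", 240.0 + i, False, 300 + i, 0, 65_535))
    # Slow Read: 25 downloads being acknowledged at a crawl behind a tiny window.
    for i in range(25):
        conns.append(Conn("203.0.113.9", 180.0, True, 400, 20_000, 256))
    return conns


if __name__ == "__main__":
    print(slow_sources(sample_connections()))
```

A single slow connection is indistinguishable from a user on a bad link, so the per-source count is the discriminating signal; the same per-source view also shows how close an attacker is to the 65,536 source ports the Slow Session entry mentions.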
What is smurfing? In a Smurf Attack, attackers send large numbers of ICMP packets with the intended victim’s address as the spoofed source IP to a network’s IP Broadcast address. Every host on that network replies to the ICMP request, directing significant traffic at the victim’s computer. Read more about Smurf DDoS Attacks.
In a Specially Crafted Packet Attack, attackers take advantage of websites with poor designs, vulnerable web applications and/or have improper integration with backend databases. For example, attackers can exploit vulnerabilities in HTTP, SQL, SIP, DNS etc., and generate specially crafted packets to take advantage of these protocol “stack” vulnerabilities to ultimately take the servers offline. They can also generate requests that will lock up database queries. These attacks are highly specific and effective because they consume huge amounts of server resources and often are launched from a single attacker. An example of a Specially Crafted Denial of Service attack is MS13-039.
SSDP, otherwise known as the Simple Service Discovery Protocol, is a network-based protocol used for the advertisement and discovery of network services. SSDP allows Universal Plug and Play devices to send and receive information using UDP on port 1900. SSDP is attractive to DDoS attackers because its open state allows spoofing and amplification. Read more about SSDP Amplification DDoS Attacks.
In a SYN Flood, the source network sockets become totally random and overwhelming and at the same time the destination network sockets become much more narrowed. In extreme cases over 99% of the incoming packets are to one destination network socket. Read more about SYN Floods.
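The SYN Flood entry gives a distributional signature rather than a per-packet one: source sockets become random and numerous while destination sockets narrow, to the point that over 99% of incoming SYNs go to one socket. The following Python is an added example, not Corero’s code: it computes exactly those statistics over one capture window and applies illustrative thresholds. The packet tuple layout and the sample window are constructed for this example.

```python
from collections import Counter

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, flags),
# flags written as tcpdump letters ("S" = SYN, "SA" = SYN-ACK).


def syn_profile(packets):
    """Distribution statistics for the SYN segments in one capture window."""
    syns = [p for p in packets if "S" in p[4] and "A" not in p[4]]
    dst_sockets = Counter((p[2], p[3]) for p in syns)
    src_sockets = {(p[0], p[1]) for p in syns}
    top_socket, top_count = dst_sockets.most_common(1)[0] if dst_sockets else (None, 0)
    return {
        "syn_count": len(syns),
        "distinct_src_sockets": len(src_sockets),
        "top_dst_socket": top_socket,
        "top_dst_fraction": top_count / len(syns) if syns else 0.0,
    }


def is_syn_flood(profile, min_syns=500, min_top_fraction=0.99, min_src_spread=0.9):
    """Flag when enough SYNs arrive, almost all for one destination socket, from
    source sockets that almost never repeat. Thresholds are illustrative; the
    99% figure for destination concentration is the one the glossary cites."""
    if profile["syn_count"] < min_syns:
        return False
    spread = profile["distinct_src_sockets"] / profile["syn_count"]
    return profile["top_dst_fraction"] >= min_top_fraction and spread >= min_src_spread


def sample_window():
    """Constructed window: 1000 spoofed SYNs at one socket, each from a different
    source socket, plus five ordinary connection attempts to another service."""
    pkts = []
    for i in range(1000):
        pkts.append((f"203.0.113.{i % 254 + 1}", 1024 + i, "10.0.0.9", 443, "S"))
    for i in range(5):
        pkts.append(("192.0.2.10", 50000 + i, "10.0.0.9", 80, "S"))
        pkts.append(("10.0.0.9", 80, "192.0.2.10", 50000 + i, "SA"))
    return pkts


if __name__ == "__main__":
    profile = syn_profile(sample_window())
    print(profile, "flood" if is_syn_flood(profile) else "normal")
```

The source-spread term matters: a busy but legitimate service also concentrates SYNs on one socket, yet its clients reuse addresses and their ephemeral ports repeat, so the spread stays well below one.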
In a SYN-ACK Flood, attackers either flood a network with SYN-ACK packets from a sizeable botnet or spoof a victim’s IP address range. Typically, a smaller botnet sends spoofed SYN packets to large numbers of servers and proxies on the Internet that generate large numbers of SYN-ACK packets in response to incoming SYN requests from the spoofed attackers. Read more about SYN-ACK Flood.
In a TCP NULL Attack, attackers send TCP segments with none of the six TCP flags set, which is invalid. This type of segment may also be used in reconnaissance, such as port scanning.
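The IP NULL, LAND (Same Source/Dest) and TCP NULL entries are all protocol violations visible in the headers alone, and the IP NULL entry notes that a firewall which only knows TCP, UDP and ICMP may let them through. The following Python is an added example, not Corero’s code: a small rule set that names each violation a packet carries and splits a batch into accepted and dropped packets using a protocol allowlist. The `Packet` field layout and the samples are constructed for this example; the protocol numbers and flag bits are the standard IANA values.

```python
from dataclasses import dataclass
from typing import Optional

# Standard IANA protocol numbers and the six TCP flag bits.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ALLOWED_PROTOS = {IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP}
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    """Decoded header fields a border filter needs (constructed schema for this example)."""
    src_ip: str
    dst_ip: str
    ip_proto: int                      # IPv4 Protocol field
    tcp_flags: Optional[int] = None    # six-bit flag field, meaningful only for TCP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def tcp_flags(*letters):
    """Build a flag value from tcpdump-style letters, e.g. tcp_flags("S", "A")."""
    return sum(TCP_FLAG_BITS[l] for l in letters)


def header_violations(p: Packet):
    """Return the names of every invalid-header rule the packet trips."""
    hits = []
    if p.ip_proto == 0:
        hits.append("ip-null-protocol")       # IP NULL: Protocol field is zero
    elif p.ip_proto not in ALLOWED_PROTOS:
        hits.append("ip-proto-not-allowed")   # explicit allowlist, not a TCP/UDP/ICMP-only check
    if p.src_ip == p.dst_ip:
        hits.append("land-same-src-dst")      # LAND / Same Source/Dest
    if p.ip_proto == IPPROTO_TCP and p.tcp_flags == 0:
        hits.append("tcp-null-flags")         # TCP NULL: none of the six flags set
    return hits


def filter_packets(packets):
    """Split a batch into (accepted, dropped); each dropped entry carries its reasons."""
    accepted, dropped = [], []
    for p in packets:
        reasons = header_violations(p)
        if reasons:
            dropped.append((p, reasons))
        else:
            accepted.append(p)
    return accepted, dropped


# Constructed samples: one ordinary SYN, then one packet per violation.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.9", IPPROTO_TCP, tcp_flags("S"), 50000, 443),
    Packet("198.51.100.7", "10.0.0.9", 0),
    Packet("10.0.0.9", "10.0.0.9", IPPROTO_TCP, tcp_flags("S"), 443, 443),
    Packet("203.0.113.4", "10.0.0.9", IPPROTO_TCP, 0, 40000, 22),
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    print(len(accepted), "accepted;", [(p.src_ip, r) for p, r in dropped])
```

The allowlist is the practical takeaway: a filter written as "deny if protocol is TCP, UDP or ICMP and the rule fails" never examines protocol 0 at all, whereas "permit only these protocols" drops it by default.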
In a TOS (Type of Service) Flood, attackers use the ‘TOS’ field of an IP header. This field has evolved over time and is now used for Explicit Congestion Notification (ECN) and Differentiated Services (DiffServ). While this type of flood isn’t seen too often, there are two types of attacks which may be launched based on this field. In the first, the attacker spoofs ECN packets in order to reduce the throughput of individual connections. This could cause the server to appear out of service or unresponsive to customers. In the second, the attacker utilizes the DiffServ class flags in order to potentially increase the priority of the attack traffic over that of non-attack traffic. Utilizing DiffServ flags isn’t a DDoS attack in itself; this function is aimed at increasing the effectiveness of the attack.
In a UDP Flood Attack, DDoS attackers send highly-spoofed UDP packets at a very high packet rate using a large source IP range. The victim’s network (routers, firewalls, IPS/IDS, SLB, WAF and/or servers) is overwhelmed by the large number of incoming UDP packets. This attack normally consumes network resources and available bandwidth, exhausting the network until it goes offline. Read more about UDP Flood Attacks.
In a UDP Fragmentation attack, attackers send large UDP packets (1500+ bytes) to consume more bandwidth with fewer packets. Since these fragmented packets are normally forged and have no ability to be re-assembled, the victim’s resources will receive these packets which can possibly consume significant CPU resources to “reassemb
firewalls in order to remain up and running, will begin to indiscriminately drop all good and bad traffic to the destination server being flooded. Some firewalls perform an Early Random Drop process blocking both good and bad traffic. SYN floods are often used to potentially consume all network bandwidth and negatively impact routers, firewalls, IPS/IDS, SLB, WAF as well as the victim servers.
A volumetric attack sends a high volume of traffic, or request packets, to a targeted network in an effort to overwhelm its bandwidth capacity. These attacks flood the target in the hope of slowing or stopping its services. Typically attack sizes are in the hundreds of Gbps; however, recent attacks have scaled to over 1 Tbps. Read more about volumetric DDoS attacks.