Corero

Exploring the Shift Toward TCP DDoS Attack Vectors

As any cybersecurity-minded team knows, the threat landscape is constantly evolving to take advantage of new targets and vectors.

One vector that’s been growing in popularity is distributed denial of service (DDoS) attacks based on the widely used Transmission Control Protocol (TCP). As a reliable and commonly utilized networking protocol, TCP plays a critical role in facilitating seamless communication across the internet. However, its widespread adoption has inadvertently made it an attractive target for cybercriminals seeking to disrupt online services.

The recent data we’ve compiled in our 2023 Corero Threat Intelligence Report underscores the severity of this emerging vector, revealing a 70% increase in TCP-based DDoS attacks. We’ve also noted several distinct challenges that arise from this kind of cyberattack.

In this blog post, we’ll delve deeper into what’s happening with TCP-based DDoS attacks. We’ll also cover their implications for businesses and some actionable strategies to defend against them.

UDP vs TCP: What’s the difference?

While UDP and TCP are both communications protocols, there are significant differences between the two.

User Datagram Protocol (UDP) is a fast, efficient transport protocol used for devices to communicate over the internet. It operates in a connectionless manner, which means it does not establish a dedicated connection before sending data packets. Instead, UDP simply sends datagrams to the destination without verifying if they reach their intended recipient. This approach makes UDP faster and more suitable for real-time applications such as video streaming, online gaming, and DNS queries.

However, the trade-off for this speed is a lack of reliability and error-checking mechanisms. Since UDP does not acknowledge whether data is successfully transferred, applications using this protocol have to implement their own error recovery and reliability mechanisms to ensure data integrity.

In contrast to UDP, TCP provides a reliable and connection-oriented communication channel. TCP establishes a connection between the sender and receiver before data transmission, ensuring data integrity, order, and flow control.

TCP is more reliable than UDP, making it well suited to applications that require error-free and ordered delivery of data, such as web browsing, file transfers, email, and database transactions. However, its added verification mechanisms make it comparatively slower and more resource-intensive than UDP.

The UDP-based DDoS attack vector

Traditionally, the vast majority of DDoS attacks have been dominated by malicious traffic carried by UDP. This is likely because of the prevalence of exploitable UDP-based reflection and amplification hosts — as well as the ease with which source-spoofing botnets can trigger these vectors.

Among these UDP-based attacks, more than 50% of the malicious DDoS traffic arrives at three destination ports:

  • Port 53 (Domain Name Service, DNS)
  • Port 80 (web servers/QUIC)
  • Port 123 (Network Time Protocol, NTP)

These specific ports are likely chosen because many firewalls leave them open in order to support the correct operation of important internet services like DNS, NTP, and web servers. (That is, while DDoS attackers are not attacking those specific internet services, they are using their ports as entry points precisely because they are left open for legitimate reasons.)

Another possible reason that attackers choose these three ports for malicious attacks is because less sophisticated DDoS protection solutions will generate false positives when trying to detect DDoS traffic riding along with legitimate traffic on the same protocol and destination ports.

Regardless of the exact motivation for attackers, though, it’s clear that the UDP DDoS vector presents challenges for IT and security teams.

The shift toward TCP DDoS attacks

Although the vast majority of DDoS attacks have been dominated by malicious traffic carried by UDP, the landscape is shifting. During 2022, our threat research team saw a significant 70% increase in successfully detected and mitigated DDoS attacks using TCP-based vectors. (Generally speaking, TCP-based DDoS vectors can be more difficult to detect and mitigate without false positives, and they are more likely to penetrate simplistic access control lists and firewall protection policies.)

When our team analyzed the recent UDP and TCP attack vector traffic, they saw that nearly half of all malicious packets were distributed indiscriminately across a wide range of destination ports. As opposed to the three specific UDP destination ports we discussed above, this more indiscriminate DDoS traffic most likely overlaps with legitimate ephemeral port traffic, such as outbound DNS requests (via UDP) or outbound SYN requests (via TCP), from users on the victim network.

This presents a problem for organizations. Since the malicious DDoS traffic overlaps strongly with the legitimate traffic, companies cannot respond by simply blocking all traffic. Instead, they need to invest in better detection strategies so they can block attacks more accurately.
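The port-concentration observation above (more than half of UDP attack traffic landing on ports 53, 80 and 123) and the overlap problem just described (flood packets sprayed across ephemeral ports, indistinguishable by port alone from replies to our own outbound DNS queries or SYNs) can both be illustrated with one small piece of analysis code. The example below is added here and is not Corero's code; the flow records are constructed, the host addresses are placeholders, and the "stateful" check it performs (an inbound packet is solicited only if it mirrors a flow our host started) is the same idea a connection-tracking firewall uses, written out in Python so the counts can be inspected.

```python
from collections import Counter

# Flow/packet records as (src_ip, src_port, dst_ip, dst_port, proto).
# All values below are constructed for this example; they are not observed traffic.
OUR_HOST = "10.0.0.5"  # placeholder address for the protected host

# What our host sent out: two DNS queries and one outbound TCP SYN.
OUTBOUND = [
    (OUR_HOST, 51000, "8.8.8.8", 53, "udp"),
    (OUR_HOST, 51001, "1.1.1.1", 53, "udp"),
    (OUR_HOST, 52000, "93.184.216.34", 443, "tcp"),
]

# What arrived: the three legitimate replies plus three kinds of flood traffic.
INBOUND = [
    ("8.8.8.8", 53, OUR_HOST, 51000, "udp"),          # DNS reply to the query above
    ("1.1.1.1", 53, OUR_HOST, 51001, "udp"),          # DNS reply to the query above
    ("93.184.216.34", 443, OUR_HOST, 52000, "tcp"),   # SYN-ACK to our outbound SYN
]
# Unsolicited packets sprayed at ephemeral ports, shaped like DNS replies (sport 53).
INBOUND += [(f"198.51.100.{i}", 53, OUR_HOST, 40000 + i, "udp") for i in range(10)]
# Unsolicited packets aimed at the three service ports firewalls commonly leave open.
INBOUND += [(f"203.0.113.{i}", 44444, OUR_HOST, 53, "udp") for i in range(6)]
INBOUND += [(f"203.0.113.{i}", 44444, OUR_HOST, 123, "udp") for i in range(4)]
INBOUND += [(f"203.0.113.{i}", 44444, OUR_HOST, 80, "udp") for i in range(4)]

SERVICE_PORTS = {53, 80, 123}


def port_concentration(records, top_n=3):
    """Return the top_n destination ports and the share of all packets they receive."""
    counts = Counter(r[3] for r in records)
    top = counts.most_common(top_n)
    share = sum(c for _, c in top) / sum(counts.values())
    return top, share


def classify_inbound(inbound, outbound):
    """Split inbound packets by whether they answer a flow our host started.

    An inbound packet is solicited when its (dst, dst_port, src, src_port)
    mirrors an outbound (src, src_port, dst, dst_port) record: the lookup a
    connection-tracking firewall performs before admitting a "reply".
    """
    known = {(o[0], o[1], o[2], o[3]) for o in outbound}
    solicited, unsolicited = [], []
    for p in inbound:
        mirrored = (p[2], p[3], p[0], p[1])
        (solicited if mirrored in known else unsolicited).append(p)
    return solicited, unsolicited


def summarize(inbound, outbound, service_ports=SERVICE_PORTS):
    """Count solicited packets vs. unsolicited packets to service and ephemeral ports."""
    solicited, unsolicited = classify_inbound(inbound, outbound)
    to_services = sum(1 for p in unsolicited if p[3] in service_ports)
    return {
        "solicited": len(solicited),
        "unsolicited_to_service_ports": to_services,
        "unsolicited_to_ephemeral": len(unsolicited) - to_services,
    }


if __name__ == "__main__":
    top, share = port_concentration(INBOUND)
    print(f"top destination ports: {top}, share of all inbound: {share:.0%}")
    print(summarize(INBOUND, OUTBOUND))
```

On this constructed sample the three service ports receive 14 of 27 inbound packets (just over 50%), while the port-only view says nothing about the ten packets hitting ephemeral ports. The stateful check separates them: the three genuine replies match an outbound record, the rest do not, even though the ephemeral-port flood carries the same source port and protocol as a real DNS answer. A production tracker must also age entries out (UDP has no teardown), which is the window an attacker with spoofed sources exploits, so the state check is a filter to combine with rate-based detection, not a replacement for it.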

Why are TCP DDoS attacks so challenging to stop?

TCP DDoS attacks are particularly difficult to counter because — as we’ll illustrate with two examples below — attackers can take advantage of the TCP protocol’s connection-oriented nature. They can also be difficult to detect and mitigate without triggering false positives.

SYN floods. One specific kind of TCP attack, a SYN attack or SYN flooding, attempts to exhaust the available resources of a system by leaving connections in a half-open state. Normally, when a user initiates a connection with a web server, they send a TCP SYN packet. The server responds with its own acknowledgment (a SYN-ACK), and the client reciprocates with a final acknowledgment, thereby completing the three-way handshake. However, in a TCP SYN flood, the final acknowledgment is intentionally omitted, and the server is left waiting for a response while holding state for each half-open connection. This disruptive tactic can prevent other users from establishing connections with the server.

ACK floods. Another type of TCP attack, ACK flooding, also takes advantage of the connection-oriented nature of the TCP protocol. This vector involves overwhelming the target with a flood of ACK (acknowledgment) packets. These malicious packets will reference nonexistent connections, prompting the operating system (OS) to search its entire state table for an established TCP connection. A flood of these packets can place a heavy computational burden on the server, causing it to slow down or even become unresponsive. As a result, the server’s resources become severely constrained, impeding its ability to provide the intended service effectively.
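Both descriptions above come down to what the server's state table does with each arriving packet: a SYN creates a half-open entry that only the client's final ACK completes, and an ACK that matches no entry costs a lookup and yields nothing. The following added example (not Corero's code; the packet trace is constructed and the server address is a placeholder) models that server-side state table in Python, feeds it two well-behaved clients, one SYN flooder and one ACK flooder, and flags the two floods from the counters the table naturally produces: SYNs per source that never complete, and ACKs per source that reference no known connection.

```python
from collections import defaultdict

# A packet seen by the server, as (src_ip, src_port, dst_ip, dst_port, flags);
# flags is a frozenset of TCP flag names. Only the client-to-server direction
# is modelled. All trace data below is constructed for this example.
SERVER = "10.0.0.5"  # placeholder address for the protected server


class TcpStateTracker:
    """Minimal server-side view of the TCP handshake, enough to spot the two floods."""

    def __init__(self):
        self.half_open = set()      # SYN received, SYN-ACK sent, final ACK still awaited
        self.established = set()    # handshake completed
        self.syns = defaultdict(int)         # per source: SYNs received
        self.completed = defaultdict(int)    # per source: handshakes completed
        self.orphan_acks = defaultdict(int)  # per source: ACKs for no known connection

    def observe(self, pkt):
        src, sport, dst, dport, flags = pkt
        key = (src, sport, dst, dport)
        if flags == {"SYN"}:
            # Server answers with SYN-ACK and must hold state until the client's ACK.
            self.half_open.add(key)
            self.syns[src] += 1
        elif "RST" in flags or "FIN" in flags:
            self.half_open.discard(key)
            self.established.discard(key)
        elif "ACK" in flags:
            if key in self.half_open:
                self.half_open.remove(key)      # third step of the handshake
                self.established.add(key)
                self.completed[src] += 1
            elif key not in self.established:
                # The lookup an ACK flood forces: no matching entry in the state table.
                self.orphan_acks[src] += 1

    def syn_flood_suspects(self, min_syns=5, max_completion_ratio=0.2):
        """Sources sending many SYNs but completing few handshakes (left half-open)."""
        return sorted(
            src for src, n in self.syns.items()
            if n >= min_syns and self.completed[src] / n <= max_completion_ratio
        )

    def ack_flood_suspects(self, min_orphans=5):
        """Sources sending many ACKs that reference no connection in the table."""
        return sorted(src for src, n in self.orphan_acks.items() if n >= min_orphans)


def analyze(trace):
    """Replay a trace through the tracker and report state size plus flagged sources."""
    tracker = TcpStateTracker()
    for pkt in trace:
        tracker.observe(pkt)
    return {
        "half_open": len(tracker.half_open),
        "established": len(tracker.established),
        "syn_flood": tracker.syn_flood_suspects(),
        "ack_flood": tracker.ack_flood_suspects(),
    }


# Constructed trace: two real clients, one SYN flooder, one ACK flooder.
TRACE = []
for ip, port in (("10.1.1.10", 40001), ("10.1.1.11", 40002)):
    TRACE.append((ip, port, SERVER, 443, frozenset({"SYN"})))
    TRACE.append((ip, port, SERVER, 443, frozenset({"ACK"})))          # completes handshake
    TRACE.append((ip, port, SERVER, 443, frozenset({"ACK", "PSH"})))   # data on a known connection
# SYN flood: eight SYNs from one source, final ACK never sent.
TRACE += [("198.51.100.7", 1000 + i, SERVER, 443, frozenset({"SYN"})) for i in range(8)]
# ACK flood: six ACKs from one source, none matching any connection.
TRACE += [("203.0.113.9", 2000 + i, SERVER, 443, frozenset({"ACK"})) for i in range(6)]

if __name__ == "__main__":
    print(analyze(TRACE))
```

Two caveats when turning this into a real detector. Orphan ACKs also occur legitimately after state loss (a server restart, or a middlebox whose tracking entry timed out), so the threshold should be a rate rather than a lifetime count. And both floods are normally sent with spoofed source addresses, which defeats per-source counting; that is why production mitigations aggregate per destination and why servers fall back to SYN cookies (Linux `net.ipv4.tcp_syncookies`) so that a half-open connection costs no table entry at all.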

Conclusion: stopping TCP DDoS attacks in their tracks

Regardless of what kind of TCP-based DDoS attack they’re facing, organizations must be proactive in understanding new threat vectors and implementing effective security measures. This includes a multi-layered defense strategy with robust network infrastructure and advanced traffic monitoring and analysis. It also includes flexible DDoS mitigation and protection solutions with automatic detection and response, personalized customer support, and industry-leading threat research.

You can learn more about how our DDoS protection platform can help protect your organization from advanced DDoS attacks by scheduling time to speak with an expert.
