Distributed Denial of Service (DDoS) attacks have been a popular topic of discussion in the past few months. We have seen a flurry of prominent DDoS attacks, such as the attacks on DNS root servers and the Dyn DNS outage, with widespread impact and the potential to disrupt communications worldwide. In today’s blog post we will analyze the most common types of DDoS attacks and how they differ from each other.
What is a DDoS Attack?
As the name suggests, a Denial-of-Service (DoS) attack is intended to render a service inaccessible. For example, shutting down access to an external-facing online asset like an ecommerce site constitutes a denial-of-service. A distributed denial-of-service (DDoS) attack achieves the same result but is initiated from multiple connected devices. The main intention behind DoS or DDoS attacks is to make a service unavailable and cause havoc rather than to breach the security perimeter of the target. For example, the DDoS attack that brought Yelp down a few months ago was targeted at the availability of Yelp’s service provider; it was not an attack intended to steal user credentials or sensitive data. But as always, there are exceptions, and in some cases DDoS attacks may be used as a smokescreen for other types of cyber attacks.
Types of DDoS Attacks
DDoS attacks come in a variety of flavors. Broadly speaking, they are classified based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target. DDoS attacks are grouped into three categories: Volumetric Attacks, Protocol Attacks and Application Attacks.
| | Volumetric Attacks | Protocol Attacks | Application Attacks |
|---|---|---|---|
| What is it? | Attacks that use massive amounts of traffic to saturate the bandwidth of the target. Volumetric attacks are easy to generate by employing simple amplification techniques. | Attacks that render a target inaccessible by exploiting a weakness in the Layer 3 and Layer 4 protocol stack. | Attacks that exploit a weakness in the Layer 7 protocol stack. The most sophisticated attacks and the most challenging to identify and mitigate. |
| How does it cripple the target? | The sheer quantity of traffic generated by the attack can completely block access to the end resource (a website or a service). The magnitude of the attack is commonly measured in bits or packets per second. | Protocol attacks consume all the processing capacity of the attacked target or of intermediate critical resources like a firewall, causing service disruption. | Application attacks establish a connection with the target and then exhaust the server's resources by monopolizing processes and transactions. |
| Examples | NTP Amplification, DNS Amplification, UDP Flood, TCP Flood | SYN Flood, Ping of Death | HTTP Flood, Attack on DNS Services |
It is important to note that while most common DDoS attacks broadly fall into these three categories, some attacks can also be a combination. For example, the recent attack on Dyn’s DNS infrastructure was a combination of an application and protocol attack on DNS services that expanded into a volumetric attack. It is also noteworthy to mention that while some attacks target the DNS infrastructure directly, others can use DNS as a means to trigger an attack. Read along to learn how.
Volumetric DDoS Attack
Volumetric attacks are by far the most common type of DDoS attack. According to Arbor Networks, 65% of DDoS attacks are volumetric in nature. Although volumetric attacks are characterized by an enormous amount of traffic (sometimes in excess of 100 Gbps), they do not require the attackers themselves to generate large amounts of traffic. This makes a volumetric attack the simplest type of DDoS attack. By inserting a reflection medium, a small amount of traffic can be used to generate gigabits of traffic. Reflection-based volumetric attacks target a service by sending legitimate requests to a DNS or NTP server using a spoofed source IP address. When the DNS or NTP servers respond to the legitimate request, they send the response to the source address of the request, which is the spoofed IP address. In such a scenario, the spoofed IP address is the target of the attack, which gets bombarded with the amplified data stream.
Legitimate requests to a single DNS open resolver from a single spoofed IP address requesting ANY records can amplify traffic up to 70 times. For example, the DNS response to an ANY record query returns all record types (A, CNAME, NS, MX), thereby inflating the size of the DNS response packets. If the same request is sent to hundreds of open resolvers, the traffic generated can be in the realm of a few hundred Gbps, enough to cripple the infrastructure where the target IP is located.
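From the victim's side, a reflection attack looks like large DNS/NTP replies arriving from many servers the host never queried. The following detector is an added example, not code from the original post or from ThousandEyes; it runs over constructed flow records (the IP addresses, byte counts and thresholds are illustrative assumptions) and flags hosts that receive amplified replies without having sent matching requests.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the port their replies come from
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow records for illustration (not captured data):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # Five servers answering 203.0.113.10, which never sent a query: the
    # requests carried its address as a spoofed source, so the replies land on it.
    ("198.51.100.1", 53, "203.0.113.10", 44211, "udp", 3100, 2),
    ("198.51.100.2", 53, "203.0.113.10", 44211, "udp", 3050, 2),
    ("198.51.100.3", 53, "203.0.113.10", 44211, "udp", 2990, 2),
    ("198.51.100.4", 53, "203.0.113.10", 44211, "udp", 3120, 2),
    ("198.51.100.5", 123, "203.0.113.10", 44211, "udp", 4400, 9),
    # A normal client: a small query out and one modest answer back.
    ("203.0.113.20", 51000, "198.51.100.1", 53, "udp", 70, 1),
    ("198.51.100.1", 53, "203.0.113.20", 51000, "udp", 190, 1),
]


def detect_reflection(flows, min_sources=3, min_avg_bytes=500, max_request_ratio=0.1):
    """Flag hosts receiving large DNS/NTP replies from many servers they never queried.

    Returns {victim_ip: summary}. The request ratio (bytes the host itself sent to
    those services / reply bytes received) separates a victim from a busy legitimate client.
    """
    inbound = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0, "services": set()})
    requested = defaultdict(int)  # bytes each host itself sent to reflector services
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS:  # reply from a DNS/NTP server
            entry = inbound[dst]
            entry["sources"].add(src)
            entry["bytes"] += nbytes
            entry["packets"] += pkts
            entry["services"].add(REFLECTOR_PORTS[sport])
        elif dport in REFLECTOR_PORTS:  # query sent by a host on our side
            requested[src] += nbytes
    alerts = {}
    for dst, entry in inbound.items():
        avg = entry["bytes"] / max(entry["packets"], 1)
        ratio = requested[dst] / max(entry["bytes"], 1)
        if len(entry["sources"]) >= min_sources and avg >= min_avg_bytes and ratio <= max_request_ratio:
            alerts[dst] = {"distinct_sources": len(entry["sources"]), "inbound_bytes": entry["bytes"],
                           "avg_bytes_per_packet": round(avg), "services": sorted(entry["services"])}
    return alerts
```

Against the constructed flows, only 203.0.113.10 is flagged; the legitimate client 203.0.113.20 has a single source, small replies and a high request ratio, so it passes.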
In the snapshot below, we have captured the impact of a DNS-based volumetric attack that generated 30 Gbps of traffic crippling the entire data center where the attacked IP address was hosted. In this particular example, although the target of the attack was not a critical service, availability of a critical online asset hosted in the same data center was impacted.
Protocol-based DDoS Attack
Protocol-based attacks primarily focus on exploiting a weakness in Layer 3 or Layer 4 of the OSI model. The most common example of a protocol-based DDoS attack is the TCP SYN flood, wherein a succession of TCP SYN requests directed at a target can overwhelm it and make it unresponsive. The recent Dyn outage, apart from being an application-layer attack, also consisted of TCP SYN floods targeting port 53 of Dyn’s DNS servers.
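A SYN flood shows up on the server as a backlog of handshakes that received a SYN (and were answered with SYN-ACK) but never got the client's final ACK. The following is an added example, not code from the original post or from ThousandEyes: it replays constructed packet summaries (addresses and the threshold are illustrative assumptions) and counts half-open handshakes per server.

```python
from collections import defaultdict

# Constructed packet summaries for illustration (not captured data):
# (src_ip, dst_ip, tcp_flags) in arrival order. One connection per (src, dst)
# pair is assumed to keep the example short.
PACKETS = [
    # Six SYNs from different sources to the DNS server; it answers SYN-ACK,
    # but the final ACK of the handshake never arrives, so each stays half-open.
    ("198.51.100.11", "203.0.113.53", "S"), ("203.0.113.53", "198.51.100.11", "SA"),
    ("198.51.100.12", "203.0.113.53", "S"), ("203.0.113.53", "198.51.100.12", "SA"),
    ("198.51.100.13", "203.0.113.53", "S"), ("203.0.113.53", "198.51.100.13", "SA"),
    ("198.51.100.14", "203.0.113.53", "S"), ("203.0.113.53", "198.51.100.14", "SA"),
    ("198.51.100.15", "203.0.113.53", "S"), ("203.0.113.53", "198.51.100.15", "SA"),
    ("198.51.100.16", "203.0.113.53", "S"), ("203.0.113.53", "198.51.100.16", "SA"),
    # Two clients completing normal three-way handshakes with a web server.
    ("192.0.2.7", "203.0.113.80", "S"), ("203.0.113.80", "192.0.2.7", "SA"), ("192.0.2.7", "203.0.113.80", "A"),
    ("192.0.2.8", "203.0.113.80", "S"), ("203.0.113.80", "192.0.2.8", "SA"), ("192.0.2.8", "203.0.113.80", "A"),
]


def half_open_per_server(packets):
    """Return {server_ip: number of handshakes that got a SYN but no final ACK}."""
    pending = set()  # (client, server) pairs still waiting for the client's ACK
    for src, dst, flags in packets:
        if flags == "S":  # client opened a handshake
            pending.add((src, dst))
        elif flags == "A" and (src, dst) in pending:
            pending.discard((src, dst))  # handshake completed
        # "SA" is the server's reply and does not change the half-open state
    counts = defaultdict(int)
    for _client, server in pending:
        counts[server] += 1
    return dict(counts)


def syn_flood_targets(packets, threshold=5):
    """Servers whose half-open handshake backlog exceeds the threshold."""
    return sorted(s for s, n in half_open_per_server(packets).items() if n > threshold)
```

A production detector would age pending entries out over a time window and key them by port as well; here the state is kept for the whole capture.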
Application-based DDoS Attack
Application attacks are the trickiest of the DDoS attacks, as they are harder to identify and in some cases even to mitigate. Arbor Networks quotes: “Application-layer attacks are the most sophisticated and stealthy attacks because they can be very effective with as few as one attacking machine generating traffic at a low rate. This makes these attacks very difficult to proactively detect with traditional flow-based monitoring solutions.” Hackers leveraging application-type attacks are highly skilled and have deep knowledge of the intricate workings of the application or protocol. Attack traffic usually looks legitimate; it targets the application layer and triggers a back-end process that hogs resources, making the service unavailable. For this reason, these types of attacks are comparatively harder to mitigate.
A few months ago, NS1, the cloud-based DNS service provider, experienced a DDoS attack on its anycast DNS infrastructure. The attack impacted some well-known websites, including Yelp. NS1 acknowledged the attack, confirming that it was a combination of a volumetric attack and an application-based attack that included malicious direct DNS queries and malformed-packet attacks. This attack was interesting because the attackers not only targeted NS1’s DNS infrastructure but also attacked its hosting provider, which affected www.ns1.com. Figure 3 shows the impact of the outage across the globe.
Safeguard Your Network
DDoS attacks come in different shapes and sizes. Irrespective of how the attack unfolds and the service it affects, it creates havoc. It is recommended that enterprises bake a mitigation plan into their network design. Deploying distributed and redundant networks to minimize impact, and having a service contract with a DDoS mitigation vendor, should be considered. For example, if DNS is a critical part of your infrastructure, consider distributing your DNS services among two or more DNS providers.
At the end of the day, you can’t make your network fool-proof against DDoS attacks. Over time, the complexity of these attacks has increased, and hackers find new and challenging ways to penetrate the network. You might not be able to control a DDoS attack, but you can proactively monitor your network and critical assets for potential threats. Interested in finding out how ThousandEyes can monitor your network and quickly identify if you are a victim of a DDoS attack? Register for our upcoming webinar on DDoS monitoring and mitigation!