
The 3 Types of DDoS Attacks and How to Mitigate Them

Our earlier blog explained that a distributed denial-of-service (DDoS) attack is a cybercrime in which the attacker floods a server with Internet traffic to disrupt the normal traffic from the legitimate users of a targeted server, service or network.
 
Even though the aim of a DDoS attack is always to overwhelm the system, there are different methods of achieving that aim. There are three broad types of DDoS attack: application layer attacks, protocol attacks and volumetric attacks. Let’s get into how each of them works.

1. Application layer attacks 

The application layer is where the server generates the response to an incoming client request. For example, if a user enters https://inter.link/knowledgebase in their browser, an HTTP request is sent to the server, requesting the knowledgebase page. The server gathers all the information related to the page, packages it in a response, and sends it back to the browser.

This information fetching and packaging happens on the application layer. An application layer attack occurs when an attacker uses many bots or machines to repeatedly request the same resource from the server, eventually overwhelming it.

The most common type of application layer attack is the HTTP flood, in which malicious actors keep sending HTTP requests to a server from many different IP addresses. One example is asking a server to generate PDF documents over and over again. Since the IP address and other identifiers change with every request, the server cannot tell from any single request that it is being attacked.

The goal of application layer attacks: 

Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the target’s resources to create a denial-of-service. Layer 7 attacks are difficult to defend against, since it can be hard to differentiate malicious traffic from legitimate traffic. 

2. Protocol attacks

Protocol attacks look to exhaust the resources of a server or those of its networking systems, such as firewalls, routing engines or load balancers. An example of a protocol attack is the SYN flood attack.

Before two computers can open a communication channel over TCP, they must perform a TCP handshake. A TCP handshake is a means for two parties to exchange preliminary information. A SYN packet is the first step of the TCP handshake, indicating to the server that the client wants to start a new connection.

In a SYN flood attack, the attacker floods the server with numerous SYN packets, each carrying a spoofed source IP address. The server responds to each packet with a SYN-ACK, asking the client to complete the handshake. However, the clients never respond, and the server keeps waiting for each half-open connection, consuming more and more resources. Eventually, it crashes after waiting too long for too many responses.

The goal of protocol attacks:

Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers. Protocol attacks exploit weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.
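The state exhaustion described above is visible on the server itself as a pile-up of half-open connections. The following is an added example, not code from the Inter.link post: it parses a constructed snapshot of a TCP connection table (modelled loosely on the three-column form `state local_ip:port remote_ip:port`) and flags a listening port whose half-open count exceeds a threshold. The snapshot, the threshold of 100 and the 192.0.2.0/24 "spoofed" sources are all constructed for illustration.

```python
"""
Added example: spotting a SYN flood from a connection-table snapshot.

Assumed (constructed) input format, one connection per line:
    <state> <local_ip:port> <remote_ip:port>
"""
from collections import defaultdict

# Constructed snapshot: a few healthy sessions plus 200 half-open
# connections on port 443, each from a different (spoofed) source.
_NORMAL = [
    "ESTAB     198.51.100.10:443  203.0.113.5:51234",
    "ESTAB     198.51.100.10:443  203.0.113.9:40111",
    "ESTAB     198.51.100.10:22   203.0.113.7:55000",
    "SYN-RECV  198.51.100.10:22   203.0.113.8:55001",
]
_FLOOD = [f"SYN-RECV  198.51.100.10:443  192.0.2.{i}:{1024 + i}" for i in range(1, 201)]
SAMPLE_TABLE = "\n".join(_NORMAL + _FLOOD)


def parse_table(text):
    """Parse snapshot lines into (state, local_port, remote_ip) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headers or malformed lines
        state, local, remote = parts
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        entries.append((state, local_port, remote_ip))
    return entries


def half_open_report(entries, threshold=100):
    """Per listening port: half-open vs established sessions, and how many
    distinct remote sources the half-open ones come from. A port is flagged
    when its half-open count exceeds `threshold` (constructed value)."""
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for state, port, remote_ip in entries:
        if state == "SYN-RECV":
            stats[port]["half_open"] += 1
            stats[port]["sources"].add(remote_ip)
        elif state == "ESTAB":
            stats[port]["established"] += 1
    return {
        port: {
            "half_open": s["half_open"],
            "established": s["established"],
            "distinct_sources": len(s["sources"]),
            "flagged": s["half_open"] > threshold,
        }
        for port, s in stats.items()
    }


if __name__ == "__main__":
    for port, row in sorted(half_open_report(parse_table(SAMPLE_TABLE)).items()):
        print(port, row)
```

The report shows why source-based blocking does not help against this class of attack: every one of the 200 half-open entries on port 443 comes from a different address, so the useful signal is the half-open count on the listener, not the list of sources. That is also why the page's later mitigations for this class operate upstream of the server rather than on individual client addresses.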

3. Volumetric attacks 

Volumetric attacks are conducted by bombarding a server with so much traffic that its network bandwidth gets completely exhausted. The most common example of a volumetric attack is the DNS amplification attack. 

In such an attack, a malicious actor sends forged requests to a DNS server with the source address spoofed to be the IP address of the target server. The DNS server then sends its response, which is typically much larger than the request, to the target server. When done at scale, the deluge of DNS responses can wreak havoc on the target server.

The goal of volumetric attacks:

This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet. 
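From the defender's side, the tell-tale sign of the DNS amplification attack described above is a host receiving large DNS responses it never asked for. The following is an added example, not code from the Inter.link post: it walks a list of constructed flow records seen at the network edge, matches inbound DNS responses against outbound queries from the protected address range, and attributes any unmatched response bytes to the receiving host. The `198.51.100.` protected prefix, the resolver addresses in 192.0.2.0/24, and the 64-byte query / 3000-byte response sizes are constructed for illustration.

```python
"""
Added example: detecting unsolicited DNS responses (DNS amplification)
from flow records, plus the amplification factor they imply.

Flow records are constructed tuples:
    (src_ip, src_port, dst_ip, dst_port, byte_count)
"""
from collections import defaultdict

PROTECTED_PREFIX = "198.51.100."  # constructed: the range we protect

# Constructed flows. Host .10 makes a normal query and gets its answer;
# host .20 receives large answers from 50 resolvers it never queried.
FLOWS = [
    ("198.51.100.10", 53000, "203.0.113.53", 53, 64),   # outbound query
    ("203.0.113.53", 53, "198.51.100.10", 53000, 300),  # matching answer
]
FLOWS += [
    (f"192.0.2.{i}", 53, "198.51.100.20", 80, 3000)     # unsolicited answers
    for i in range(1, 51)
]


def amplification_factor(query_bytes, response_bytes):
    """Response bytes delivered to the target per byte the attacker sends."""
    return response_bytes / query_bytes


def unsolicited_dns_responses(flows, protected_prefix=PROTECTED_PREFIX):
    """Return, per protected host, the bytes of DNS responses that do not
    correspond to any outbound query from that host, and the number of
    distinct resolvers those responses came from."""
    asked = set()
    for src, sport, dst, dport, _ in flows:
        if src.startswith(protected_prefix) and dport == 53:
            asked.add((src, sport, dst))

    unsolicited = defaultdict(lambda: {"bytes": 0, "resolvers": set()})
    for src, sport, dst, dport, nbytes in flows:
        if not dst.startswith(protected_prefix) or sport != 53:
            continue
        if (dst, dport, src) in asked:
            continue  # a reply the host actually requested
        unsolicited[dst]["bytes"] += nbytes
        unsolicited[dst]["resolvers"].add(src)

    return {
        host: {"bytes": v["bytes"], "resolvers": len(v["resolvers"])}
        for host, v in unsolicited.items()
    }


if __name__ == "__main__":
    print(unsolicited_dns_responses(FLOWS))
    print(f"amplification: {amplification_factor(64, 3000):.1f}x")
```

With the constructed sizes, each 64-byte forged query turns into roughly 47 bytes of response per byte sent, and the victim host sees 150,000 bytes of answers it never requested. Matching on the (host, port, resolver) triple of the original query is what separates the legitimate reply to host .10 from the flood aimed at host .20.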

How do you mitigate or protect against a DDoS attack?

The key concern in mitigating a DDoS attack is differentiating between attack traffic and normal traffic. 

For example, if a product release has a company’s website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from attackers, efforts to alleviate an attack are necessary. 

The difficulty lies in telling the real customers apart from the attack traffic. 

In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed single source attacks to complex and adaptive multi-vector attacks. 

A multi-vector DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways, potentially distracting mitigation efforts on any one trajectory. 

An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification (targeting layers 3/4) coupled with an HTTP flood (targeting layer 7) is an example of multi-vector DDoS. Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter different trajectories. 

“It's vital to tell the difference between normal traffic and attack traffic when detecting and preventing a DDoS attack.

“If DDoS protection is switched on ahead of time instead of when a company is already under attack, it gives the protection the chance to become deeply familiar with the usual non-attack traffic.”

Theo Voss

CEO and Co-Founder, Inter.link


Generally speaking, the more complex the attack, the more likely it is that the attack traffic will be difficult to separate from normal traffic; the goal of the attacker is to blend in as much as possible, making mitigation efforts as inefficient as possible.
 

Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit. 


Blackhole routing
 

One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or blackhole, and dropped from the network. 

If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a blackhole as a defense. This is not an ideal solution, as it effectively gives the attacker their desired goal: it makes the network inaccessible. 

Rate limiting 

Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks. 
 
While rate limiting is useful for slowing web scrapers that steal content and for mitigating brute-force login attempts, on its own it will likely be insufficient to handle a complex DDoS attack effectively.
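The limit of rate limiting as a DDoS defence becomes concrete when the same limiter is run against two traffic patterns. The following is an added example, not code from the Inter.link post: a per-client sliding-window limiter (20 requests per second per address, a constructed setting) applied to two constructed request streams, one from a single source and one spread across many rotating sources, as in the HTTP flood described earlier on the page.

```python
"""
Added example: a per-client sliding-window rate limiter, and why it is
not enough on its own against a distributed flood.
"""
from collections import defaultdict, deque
import time


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `key` within any `window` seconds."""

    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self._seen = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._seen[key]
        # discard timestamps that have fallen out of the window
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def run(limiter, requests):
    """requests: iterable of (timestamp, client_ip). Returns (allowed, dropped)."""
    allowed = dropped = 0
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


# Constructed streams: 500 requests spread evenly over one second.
SINGLE_SOURCE = [(i / 500, "203.0.113.5") for i in range(500)]
ROTATING_SOURCES = [(i / 500, f"192.0.2.{i % 250 + 1}") for i in range(500)]


def compare(limit=20, window=1.0):
    """Run both streams through a fresh limiter and report the outcome."""
    return {
        "single_source": run(SlidingWindowLimiter(limit, window), SINGLE_SOURCE),
        "rotating_sources": run(SlidingWindowLimiter(limit, window), ROTATING_SOURCES),
    }


if __name__ == "__main__":
    for name, (ok, dropped) in compare().items():
        print(f"{name}: allowed={ok} dropped={dropped}")
```

Against the single-source stream the limiter drops 480 of 500 requests; against the rotating-source stream every address stays under its quota and all 500 requests reach the server, even though the total load is identical. A per-client limit therefore belongs inside a layered defence alongside the WAF and scrubbing approaches described next, rather than standing alone.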

Web application firewall 

A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. 

A WAF impedes layer 7 attacks by filtering requests against a set of rules that identify DDoS tools. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.


DDoS Traffic Scrubbing

Traffic scrubbing is when the traffic destined for a particular IP address range is redirected to datacentres, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination. 

This is the method used by Inter.link. It is a particularly efficient technique for us because our DDoS Protection is tightly integrated with our IP connectivity services and we utilise our own pan-European backbone with multiple scrubbing centres.
