
Types of DDoS Attacks and How to Prevent Them


By Tyler Burke, IP and DDoS Product Manager

How many DDoS attack types are there? Scores, really. In this blog, I’ve categorized them into three main groups: volumetric, application-layer, and protocol-layer attacks. And I explain why it just doesn’t matter which attack type targets your business.

What is a DDoS Attack?

A distributed denial of service (DDoS) attack – no matter the type – is a deliberate, targeted cyberattack that aims to overwhelm your organization’s Internet resources. The motivation of the attacker can range from profit to politics, from boredom to bragging rights, from revenge to ransom.

A successful attack disrupts your online presence. Your customers cannot reach your websites. Your systems are down. Your business stands still. And regaining the lost revenue, productivity, and brand reputation from an attack isn’t cheap. Companies spend an average of $200,000 recovering from a single attack.

A successful attack also reveals your organization’s security weaknesses to the attacker. You may feel that the short, 3-minute attack you endured last week wasn’t so bad. But now your attacker knows just where to strike for the next – more damaging – blitz. 

If you’re into math, the odds are not in your favor.

We’ve seen a sharp rise in the number of DDoS attacks this year alone. Across industries, there were 387% more DDoS attacks in Q2 than in Q1.

Why the increase? The sophistication of automation removes human limitations from the activity. Botnets can be purchased on the web for less than $1000. The most amateur attacker can now easily launch an attack and profit from the damage caused.

Across every measurable metric – frequency, size, and duration – DDoS attacks are getting worse.

The 3 Types of DDoS Attacks

DDoS attacks are becoming more surgical. Rather than clogging your entire IP space with bogus traffic, attacks can now target a particular application or protocol.

Let’s look at the different types of attacks you may experience:

1. Volumetric DDoS Attacks – saturate the network layer

Historically the most common, but least “elegant” of the DDoS attack types, volumetric attacks occur at the network layer. The intent of the attacker is to overwhelm your IP network bandwidth with a large amount of illegitimate traffic. When this happens, your users and customers (all that legitimate traffic) cannot get through to you. 

How do you know you’re under a volumetric DDoS attack?

With no known cause for the increased traffic, you’re experiencing the following across your network (not just for a single application):

  • Sudden and surging traffic spikes
  • Your customers can’t reach your website or services
  • Your users experience delays across network services
  • Your firewall or IPS/IDS systems are sending alarms
  • If you can see the source of incoming traffic – it’s all coming from the same place

These attacks are easy to carry out through sheer brute force. They use simple methods, require little understanding of the technology involved, and can be purchased cheaply online.

Automation makes volumetric attacks more damaging – they last longer, they involve more bandwidth, and they’re occurring more frequently. Botnet attacks search and find weaknesses, can be easily amplified, and are inexpensive to execute.

Real life example of a volumetric attack

Activision Blizzard experienced a volumetric DDoS attack that flooded their authentication servers, rendering their most popular games – including World of Warcraft and Call of Duty – unreachable for players.

2. Application DDoS Attacks – target your online applications

Application-layer DDoS attacks are harder to detect than volumetric attacks, but they’re also harder to pull off for the attacker. These sophisticated attacks target an individual online application in order to disrupt the online services the application provides.

In order to launch a successful application layer attack, the attacker must craft requests (such as form fills on your website) that look like legitimate traffic. And in order to do that, they need an in-depth understanding of the target application’s behavior, logic, and weaknesses. 

These attackers understand and manipulate sessions, cookies, and authentication tokens. And since the potential vulnerabilities are different for each application, the attacker must have sophisticated technical knowledge across a broad range of applications.

How do you know you’re under an application-layer DDoS attack?

Since attack traffic mimics legitimate user traffic, it’s harder to tell that you’re under an application-layer attack. Look for these signs:

  • Sudden spikes in specific application traffic with no real cause
  • Lots of reported errors – especially 5xx status codes (502, 503, or 504 errors) – a sign that your network is struggling to handle the increased traffic load
  • Weird behavior such as repetitive login attempts or form submissions
  • Strained server behavior, such as memory or CPU usage that seemingly cannot keep up with demand
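The signs above can be checked mechanically against web server access logs. The following is an added example (not Zayo’s code) that scans constructed log lines for three of the symptoms listed: a request-rate spike against an assumed baseline, a high share of 5xx responses, and repetitive login submissions from one source. The thresholds and the `/login` path are assumptions.

```python
import re
from collections import Counter

# Common-log-style line: client IP, bracketed timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed sample: one source hammering POST /login while the app answers 503,
# plus a few ordinary requests, all within the same minute.
SAMPLE_LOG = [
    f'203.0.113.7 [2023-06-01T12:00:{s:02d}Z] "POST /login HTTP/1.1" 503' for s in range(12)
] + [
    f'198.51.100.{i} [2023-06-01T12:00:30Z] "GET / HTTP/1.1" 200' for i in range(1, 4)
]

def parse(lines):
    """Yield parsed records, silently skipping lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(lines, baseline_rpm, login_path="/login",
            rate_factor=5.0, error_ratio=0.2, login_burst=10):
    """Return findings for the application-layer symptoms listed in the post.
    baseline_rpm is the site's normal requests per minute (an assumed input);
    the three thresholds are illustrative defaults, not tuned values."""
    recs = list(parse(lines))
    findings = []
    # 1. Request spike: bucket by minute (ISO timestamp prefix) and compare to baseline.
    per_minute = Counter(r["ts"][:16] for r in recs)
    peak = max(per_minute.values(), default=0)
    if peak > rate_factor * baseline_rpm:
        findings.append(f"request spike: {peak} req/min vs baseline {baseline_rpm}")
    # 2. Error rate: share of 5xx responses across the whole window.
    errors = sum(1 for r in recs if r["status"].startswith("5"))
    if recs and errors / len(recs) >= error_ratio:
        findings.append(f"5xx ratio {errors / len(recs):.0%} ({errors}/{len(recs)})")
    # 3. Repetitive logins: POSTs to the login path, counted per source address.
    logins = Counter(r["ip"] for r in recs
                     if r["method"] == "POST" and r["path"] == login_path)
    for ip, n in logins.items():
        if n >= login_burst:
            findings.append(f"repetitive logins from {ip}: {n}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, baseline_rpm=2):
        print(finding)
```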

Example of an application-layer DDoS attack

We’re seeing an increase in multi-vector application attacks – where an attack concurrently targets multiple components of the victim’s applications (such as simultaneously attacking HTTP web resources and database operations), pivoting to different components when the attacker detects protective security measures in place. 

3. Protocol DDoS Attacks – disable the rules of the conversation

Of the three types of DDoS attacks, protocol-layer attacks are the newest on the scene, the most difficult to detect, and potentially the most disruptive. Protocol attacks target the protocols that devices and servers on your network use to communicate. Since protocols define the rules of machine-to-machine communication, taking them down can affect multiple services and applications that rely on the targeted protocol. 

Protocol DDoS attacks are generally less sophisticated than application-layer DDoS attacks, making them increasingly common. The lower-layer network protocols attacked, such as TCP/IP, ICMP, and DNS, follow well-defined rules whose weaknesses can be easy to exploit. Attackers need not know the subtleties of application-layer behavior to flood a vulnerable protocol with malicious traffic.

How do you know you’re under a protocol-layer DDoS attack?

These attacks target specific protocol resources like CPU, memory, or connection limits. Look for:

  • Unexplained increases in resource usage
  • Unusual patterns of responses such as excessive 4xx or 5xx error codes
  • An increase in ICMP ping traffic
  • Unusually elevated TCP SYN packets or other unusual protocol behavior
  • Traffic spikes, increased latency, increased packet loss

Example of a protocol-layer DDoS attack

In a DNS water torture attack, the attacker floods DNS resolvers with DNS requests, overwhelming the network, which can in turn trickle down to other layers.

It Doesn’t Matter Which Type of DDoS Attack Targets You

While the attacker may care deeply about the type of DDoS attack he launches, it makes little difference to the victim, for two main reasons:

All DDoS attack types aim to disrupt, and (without protection) they succeed

You’ve likely noticed that the “symptoms” of each type of attack described above are similar, no matter the tactics used by the attacker. Further, since your online presence is a complex machine of intercommunicating parts, a wrench thrown into the machine, no matter where, will cause disruption.

A robust DDoS mitigation program can stop them all

The overall response to DDoS attacks (all of them) is the same – establishing a baseline of “normal” traffic patterns for your organization, identifying when your traffic deviates from its normal behavior, and mitigating the damage the attack is attempting to cause. DDoS mitigation services are effective against all three attack types described in this blog.
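The baseline-then-deviation approach described here, applied to the network-level signs listed under volumetric and protocol-layer attacks (traffic spikes, elevated TCP SYN packets, increased ICMP), can be reduced to a small statistical check. The following is an added example (not Zayo’s code) that learns a per-counter baseline from constructed “normal” samples and flags later samples that deviate from it; the counters, the 3-sigma threshold, and the attack-family heuristic are assumptions.

```python
import statistics

METRICS = ("bps", "syn_per_s", "icmp_per_s")   # bits/s, TCP SYN/s, ICMP echo/s

# Constructed "normal" period: ten 1-minute counter samples with small jitter.
NORMAL = [{"bps": 50_000_000 + 1_000_000 * (i % 3),
           "syn_per_s": 200 + 10 * (i % 4),
           "icmp_per_s": 30 + (i % 2)} for i in range(10)]
# Constructed later samples: a SYN flood, a bandwidth flood, and a quiet minute.
SYN_FLOOD = {"bps": 52_000_000, "syn_per_s": 45_000, "icmp_per_s": 31}
VOLUMETRIC = {"bps": 900_000_000, "syn_per_s": 215, "icmp_per_s": 30}
QUIET = {"bps": 51_000_000, "syn_per_s": 220, "icmp_per_s": 31}

def build_baseline(samples):
    """Per-metric (mean, population stdev) learned from the normal period."""
    return {m: (statistics.mean(s[m] for s in samples),
                statistics.pstdev(s[m] for s in samples)) for m in METRICS}

def deviations(baseline, sample, k=3.0, min_ratio=2.0):
    """Metrics where the sample exceeds mean + k*stdev and is at least
    min_ratio times the mean (the ratio guard stops near-constant metrics
    from alerting on noise). Returns {metric: multiple_of_mean}."""
    flagged = {}
    for m in METRICS:
        mean, sd = baseline[m]
        value = sample[m]
        if value > mean + k * sd and value >= min_ratio * mean:
            flagged[m] = round(value / (mean or 1), 1)
    return flagged

def classify(flagged):
    """Heuristic mapping from deviating counters to the post's attack families."""
    if "syn_per_s" in flagged or "icmp_per_s" in flagged:
        return "protocol"
    if "bps" in flagged:
        return "volumetric"
    return "none"

if __name__ == "__main__":
    base = build_baseline(NORMAL)
    for name, s in (("syn flood", SYN_FLOOD), ("volumetric", VOLUMETRIC), ("quiet", QUIET)):
        d = deviations(base, s)
        print(f"{name}: {classify(d)} {d}")
```

In practice the baseline should be recomputed per time of day and per customer prefix, since a single global mean hides diurnal patterns.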

If the attacker’s motives, the harmful outcomes of a DDoS attack, and the methods to counter it are alike, there’s no need for specific precautions against any individual attack type. However, safeguarding your organization against DDoS attacks as a whole remains essential.

How to Prevent DDoS Attacks

You can stay one step ahead of DDoS attackers by taking any number of steps to protect your organization. If ever an ounce of prevention is worth a pound of cure, DDoS protection is it.

1. Opt into DDoS protection from your network provider 

Look for a DDoS Protection service with the following elements:

  • The provider offers a network-based service, and has ample backbone capacity to mitigate even the largest attack
  • The provider stops and diverts attack traffic before it impacts your business
  • The provider uses BGP Flowspec (vs. GRE tunnels) so they can protect your individual IP addresses. Providers that use GRE tunnels will take the entire /24 (all 253 IP addresses) and scrub it all. That translates to greater latency, even for legitimate traffic.
  • The provider mitigates all types of DDoS attack traffic

Combining an in-line protection scheme with a virtual cloud-based DDoS protection service will offer you comprehensive coverage.

2. Distribute incoming traffic 

When you strategically distribute traffic, no single server handles it all. Do this by implementing:

  • Load balancing: When you load balance your traffic, you distribute requests among multiple application servers in multiple data centers 
  • CDNs: If you’ve invested in a content distribution network (CDN) – you have a fully managed solution that offers some DDoS attack protection. Since CDNs hide the host IP address and distribute traffic using caching to geographically dispersed edge servers, you’re naturally protected against DDoS attacks. However, those host IP addresses are sometimes discovered, so even with a CDN, additional protection would be wise.

3. Restrict incoming traffic 

Tools that restrict the number of incoming requests or the level of incoming traffic can identify and mitigate attack traffic. Two such tools are firewalls and CAPTCHAs.

Firewalls

While inadequate as standalone DDoS protection, firewalls can provide a first level of defense with proper configuration that includes:

  • Content filtering to identify and block known attack patterns, especially for application-layer attacks
  • Rate limiting to limit the rate of incoming traffic from a single source, though be careful to not block legitimate traffic
  • Stateful Packet Inspection to reject packets that don’t belong to established connections or sessions
  • Load Balancing to eliminate single points of failure by distributing incoming traffic across multiple servers or data centers
  • Anomaly Detection that identifies unusual traffic patterns and alerts the network to take action against a possible DDoS attack
  • IP Blacklisting to prevent traffic from known bad IP addresses, and IP Whitelisting to allow traffic only from known, trusted IP addresses

CAPTCHAs

Designed to distinguish humans from computers, CAPTCHAs can be an effective line of defense against bot attacks, especially on popular websites and pages. Be careful to strike the right balance between good security and potentially inconveniencing your customers.

4. Regularly test, train, and plan

Since a strategic combination of mitigation methods will provide the best protection, plan for the inevitable attack by:

  • Testing your security by trying to punch holes in it, to find potential vulnerabilities before an attacker does
  • Reducing your attack surface by disabling unused protocols, pages, forms, and other online entry points for an attack
  • Conducting DDoS attack simulations as a team training exercise
  • Creating and testing your business continuity plan so your team knows how to respond to minimize the damage from a DDoS attack

Conclusion 

I know it’s tempting to save money and bide your time, only considering DDoS protection when you’re under an active attack, but when the average company spends over $200,000 to recover from a single attack, we also know that the benefits of protection far outweigh the costs. 

Who is likely to be attacked? Consider that in the first half of 2023 alone, DDoS attackers targeted:

  • Enterprises across all industries
  • Very large to very small companies
  • Airports, hospitals, utilities, and other critical infrastructure
  • Federal, state, and local governments – including schools
  • Telecom and cloud companies
  • Many more

And they attack vulnerable organizations multiple times. Don’t wait until you’re attacked to protect your organization. Learn more about Zayo DDoS Protection.