Knowledge base: Attacks

Zero Day (0day DDoS) attack

When the term is used in relation to widely used protocols, it means a DDoS attack that exploits vulnerabilities previously unknown to security experts. When used of popular software products, it refers to security bugs of which the developers were previously unaware. A DDoS attack is also often called zero-day if it is carried out using brand-new methods that have never been used before.

UDP flood

A network-based DoS attack carried out by sending large numbers of UDP packets to a remote host's ports, so that its traffic is congested with bogus messages.

Smurf attack

A kind of amplification DoS attack carried out through network broadcasting (exploiting the broadcast facilities provided by various network protocols): forged ICMP Echo requests are sent to broadcast addresses with the victim's IP address spoofed as the source. The nodes of the network offering the broadcast service then send a large number of responses, which overload the victim's node.

Teardrop Attack

A DDoS attack carried out with fragmented packets whose offsets are manipulated, exploiting a TCP/IP stack vulnerability. During the attack, the victim's server is bombarded with large numbers of fragmented packets that it tries and fails to reassemble, wasting a huge amount of resources.

ICMP flood

A DoS attack against a victim server, carried out by sending a huge flood of forged ICMP packets from multiple IP addresses; the server is overwhelmed by the work of processing them.

Ping flood

A type of DoS attack targeting network equipment: a variant of ICMP flood carried out with programs or utilities that ship with desktop operating systems, such as the diagnostic ping utility. The server is overwhelmed by ping (ICMP Echo) requests, leading to a denial of service.

IP fragmentation attack

DoS attacks based on fragmentation of IP packets. A typical attack of this kind involves sending datagrams formed so that the victim node cannot reassemble them and wastes a lot of resources in the attempt, which leads to a severe drop in node performance.

SYN/ACK flood

A type of DoS attack targeting TCP servers that involves sending a huge flood of spoofed packets with both SYN and ACK flags set, which causes a server overload.

RST/FIN flood

DoS attacks against TCP servers that exploit weaknesses in TCP session closure: the server is overloaded by a flood of forged RST or FIN packets.

Slowloris, or session attacks

A type of DoS attack targeting streaming web servers: the attacker tries to open many HTTP connections to the target and keep them open as long as possible by sending partial requests and HTTP headers, never completing a request. Because the server keeps the connections open, its pool of simultaneous connections eventually fills up and it begins refusing further connections from clients.

HTTP flood

A kind of DoS attack targeting web servers that uses bots to send many HTTP GET requests for the largest site elements, placing a great load on the server and leaving it unable to process other requests. Similar results can be achieved with POST requests or other HTTP-based actions. Attacks of this kind are often very efficient, as they do not require a large number of bots.

Recursive HTTP GET flood

A variant of HTTP flood: the attacker requests a number of pages from a web site, analyzes the responses and then recursively requests every object available at the site. As long as the requests generated this way look legitimate, this approach significantly lowers the probability that the attack is detected.
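The HTTP flood and recursive GET flood entries above both describe a pattern a web server operator can look for in its own access logs: one client pulling the heaviest objects far more often than a browser would. The following detector is an added example, not code from the original page or from any product it describes. It parses a handful of constructed combined-log-format lines (the addresses, paths and timestamps are made up), computes the peak number of requests each client made inside a sliding window, and reports the clients that exceed a threshold together with the path they hammered most.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 198.51.100.7 - - [01/Jan/2024:12:00:03 +0000] "GET /downloads/big.iso HTTP/1.1" 200 734003200
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def build_sample_log():
    """Constructed log lines (hypothetical hosts and paths): a normal visitor plus one
    client fetching the largest object sixty times inside ten seconds."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, size):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size}'

    lines = [
        line("10.0.0.5", 0, "/", 5120),
        line("10.0.0.5", 12, "/about", 4096),
        line("10.0.0.5", 25, "/images/logo.png", 20480),
    ]
    for i in range(60):
        lines.append(line("198.51.100.7", i // 6, "/downloads/big.iso", 734003200))
    return lines


def client_stats(lines, window_seconds=10):
    """Per client IP: peak requests in any sliding window, bytes served, most requested path."""
    stamps_by_ip = defaultdict(list)
    bytes_by_ip = defaultdict(int)
    paths_by_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stamps_by_ip[rec["ip"]].append(rec["ts"])
        bytes_by_ip[rec["ip"]] += rec["size"]
        paths_by_ip[rec["ip"]][rec["path"]] += 1

    window = timedelta(seconds=window_seconds)
    result = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        j, peak = 0, 0
        for i, t in enumerate(stamps):          # two-pointer sliding window
            while t - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        top_path = max(paths_by_ip[ip], key=paths_by_ip[ip].get)
        result[ip] = {"peak": peak, "bytes": bytes_by_ip[ip], "top_path": top_path}
    return result


def detect_http_flood(lines, window_seconds=10, max_per_window=50):
    """Clients whose peak request rate exceeds what a real browser session would produce."""
    stats = client_stats(lines, window_seconds)
    return [(ip, s["peak"], s["top_path"]) for ip, s in stats.items() if s["peak"] > max_per_window]


if __name__ == "__main__":
    for ip, peak, path in detect_http_flood(build_sample_log()):
        print(f"possible HTTP flood from {ip}: {peak} requests in 10s, mostly {path}")
```

The threshold is deliberately a parameter: what counts as abusive depends on the site, and a recursive GET flood that paces its requests to look like a crawler will need the bytes-served figure or the set of distinct paths per client rather than the raw rate.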

VoIP flood

A variant of UDP flood carried out by sending large numbers of forged VoIP packets from a wide range of IP addresses to a VoIP server, typically one used by a call center. The server wastes too much of its resources trying to handle the bogus requests. Because of certain properties of the UDP protocol, a VoIP flood can be very hard to detect.

NTP flood

A variant of UDP flood targeting servers that run NTP (Network Time Protocol), the protocol for synchronizing computers' internal clocks. The NTP server is overloaded by many spoofed NTP requests sent from a large number of IP addresses.

DNS Amplification

This type of amplification DoS attack exploits the way DNS services operate: a forged domain request is sent to a vulnerable DNS server, and its response, which is considerably larger, is delivered to the victim server, overwhelming its link with responses. The attack is distinctive in that it is almost impossible to tell where the forged requests come from.

IP Null Attack

A kind of DoS attack that uses IP protocol features: the victim server is sent a large stream of packets whose Protocol field is set to zero (the field normally contains the code of the transport-level protocol, except in IPv6 packets). The server wastes its resources trying to process the packets correctly.

UDP flood

DoS attacks involving UDP packets: large numbers of packets with the source IP set to the victim server's address are sent to ports of an amplification network. As a result, the victim server is forced to spend its time processing the vast number of spoofed packets.

MITM (man-in-the-middle) attack

A class of attacks in which an intermediary acts for its own benefit: after inserting itself between two parties exchanging data, the third participant gains unauthorized access to their traffic and can do virtually anything with it. The intermediary makes an effort to hide itself so as not to arouse the legitimate parties' suspicion that the privacy and integrity of their traffic have been breached.

SYN flood, or SYN attack

A variant of DoS attack implemented at the TCP level: the victim node is overloaded by a large number of TCP SYN segments sent to it (a node usually cannot handle more than a few thousand such segments at once). Attacks of this kind are highly efficient.
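Both the SYN flood entry above and the SYN/ACK flood entry earlier on this page come down to TCP handshakes that never finish, which is something a sensor at the server's edge can count. The script below is an added example, not code from the original page or from any product it describes. It walks a constructed list of packet summaries (made-up addresses, one tuple per packet) and tallies, per destination host, how many SYNs arrived, how many handshakes were completed by the client's final ACK, how many were left half-open, and how many SYN-ACKs arrived that answer no SYN the sensor ever saw; it then flags hosts where the handshake completion rate collapses (SYN flood) or unsolicited SYN-ACKs pile up (SYN/ACK flood).

```python
from collections import defaultdict


def build_sample_packets():
    """Constructed TCP packet summaries, not a real capture:
    (src_ip, src_port, dst_ip, dst_port, flags) with flags "S", "SA" or "A"."""
    pkts = [
        # one legitimate client completing the three-way handshake with the server
        ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
        ("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
        ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    ]
    # forty SYNs from spoofed sources; the server answers each but no final ACK ever comes
    for i in range(1, 41):
        ip, port = f"198.51.100.{i}", 50000 + i
        pkts.append((ip, port, "192.0.2.10", 80, "S"))
        pkts.append(("192.0.2.10", 80, ip, port, "SA"))
    # five SYN-ACKs reaching another host that never sent a SYN (the SYN/ACK flood pattern)
    for i in range(1, 6):
        pkts.append((f"203.0.113.{i}", 443, "192.0.2.20", 60000 + i, "SA"))
    return pkts


def handshake_stats(packets):
    """Per destination host: SYNs seen, handshakes completed, half-open leftovers,
    and SYN-ACKs that answer no SYN this sensor observed."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0, "unsolicited_synack": 0})
    pending = set()    # client 4-tuples still waiting for the client's final ACK
    syn_seen = set()   # every client 4-tuple that ever sent a SYN
    for src, sport, dst, dport, flags in packets:
        tup = (src, sport, dst, dport)
        if flags == "S":
            stats[dst]["syn"] += 1
            pending.add(tup)
            syn_seen.add(tup)
        elif flags == "SA":
            mirror = (dst, dport, src, sport)   # the SYN this SYN-ACK should be answering
            if mirror not in syn_seen:
                stats[dst]["unsolicited_synack"] += 1
        elif flags == "A" and tup in pending:
            pending.discard(tup)
            stats[dst]["completed"] += 1
    for src, sport, dst, dport in pending:
        stats[dst]["half_open"] += 1
    return dict(stats)


def detect_tcp_flag_flood(packets, min_syns=20, max_completion=0.5, min_unsolicited=5):
    """Flag hosts whose handshakes mostly never complete, or that receive SYN-ACKs
    answering no observed SYN. Thresholds are illustrative and must be tuned per site."""
    alerts = []
    for host, s in handshake_stats(packets).items():
        if s["syn"] >= min_syns and s["completed"] / s["syn"] <= max_completion:
            alerts.append(("syn_flood", host, s["syn"], s["completed"]))
        if s["unsolicited_synack"] >= min_unsolicited:
            alerts.append(("synack_flood", host, s["unsolicited_synack"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_tcp_flag_flood(build_sample_packets()):
        print(alert)
```

A real deployment would evict pending entries after a timeout instead of keeping them forever, and would key the SYN-flood statistics on the listening port as well as the host; the half-open count is the same figure the kernel's backlog exhausts during an actual attack, which is why SYN cookies are the usual mitigation.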

SIP malformed attack

A type of DoS attack that exploits vulnerabilities in the Session Initiation Protocol (SIP) used by VoIP services and applications: the SIP server is overloaded by a flood of messages containing deliberately malformed data. Attacks of this kind generally disrupt the normal operation of VoIP services.

SNMP reflection attack

A DDoS attack variant that exploits weaknesses of the SNMP network management protocol and resembles DNS amplification: using a spoofed victim IP address, the attacker sends a large number of SNMP GetBulk requests with the MaxRepetitions parameter set to the highest possible value (2250) to many connected devices, which in turn send streams of responses to the attacked network until it goes down. The streams can reach rates of hundreds of gigabits per second. Attacks of this type have a very high destructive capacity.

CharGEN flood

A type of transport-level amplification DDoS attack, similar to NTP amplification. The attack exploits the very old CharGEN character generator protocol: small packets with a spoofed victim IP address are sent to devices that support the protocol (printers, copiers, etc.). The devices' responses are sent as UDP packets to port 19 of the victim server, which wastes too many resources trying to handle them.

MS SQL reflection DDoS attack

An attack type that exploits weaknesses of the MC-SQLR protocol used to send queries to Microsoft SQL Server. The victim's link is overloaded by the lists of all database instances held on multiple public SQL servers (including those hosted by service and cloud providers), together with information on how to connect to those instances. That data is returned in response to a stream of spoofed scripted requests carrying the attacked node's IP address, sent to those SQL servers.

Memcached DDoS attack

A type of amplification attack exploiting features of the Memcached system, which is widely used for in-memory caching of data to speed up websites. The attack involves sending large numbers of spoofed requests to a victim Memcached server, which overloads it and takes it down.
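The DNS amplification, NTP flood, SNMP reflection, CharGEN, MS SQL reflection and Memcached entries on this page share one signature from the victim's side: UDP traffic whose source port is a reflector service (53, 123, 161, 19, 1434, 11211), arriving from many unrelated hosts and converging on one target. The following detector is an added example, not code from the original page or from any product it describes. It summarizes constructed flow records (made-up addresses and byte counts) by target and reflected service, counts distinct reflectors and bytes, and flags targets that many reflectors are answering at once.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors; the port shows up as the *source* port
# of the reflected traffic seen by the victim.
REFLECTOR_PORTS = {
    19: "CharGEN",
    53: "DNS",
    123: "NTP",
    161: "SNMP",
    1434: "MC-SQLR",
    11211: "memcached",
}


def build_sample_flows():
    """Constructed flow records, not real telemetry:
    (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)."""
    flows = [
        # benign: the site's own resolver answering one query from an internal client
        ("198.51.100.53", 53, "192.0.2.30", 33001, "udp", 1, 120),
        # benign TCP traffic that happens to use port 53 as its source and must be ignored
        ("198.51.100.53", 53, "192.0.2.30", 33002, "tcp", 4, 600),
    ]
    # thirty open resolvers each delivering large responses to the same target
    for i in range(1, 31):
        flows.append((f"203.0.113.{i}", 53, "192.0.2.10", 40000 + i, "udp", 10, 30000))
    # twelve exposed memcached instances doing the same with full-size UDP datagrams
    for i in range(1, 13):
        flows.append((f"198.18.0.{i}", 11211, "192.0.2.10", 41000 + i, "udp", 1000, 1400000))
    return flows


def reflection_summary(flows):
    """Per (target, service): the set of reflector IPs, total packets and total bytes."""
    per_target = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, pkts, byts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        entry = per_target[(dst, REFLECTOR_PORTS[sport])]
        entry["sources"].add(src)
        entry["packets"] += pkts
        entry["bytes"] += byts
    return per_target


def detect_reflection(flows, min_reflectors=10):
    """Targets being answered by at least min_reflectors distinct hosts of one reflector
    service, ordered by volume. The threshold is illustrative; a single client rarely has
    that many different DNS or NTP servers replying to it in one interval."""
    alerts = []
    for (dst, service), e in reflection_summary(flows).items():
        if len(e["sources"]) >= min_reflectors:
            alerts.append({
                "target": dst,
                "service": service,
                "reflectors": len(e["sources"]),
                "bytes": e["bytes"],
                "avg_packet_bytes": e["bytes"] // e["packets"],
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for a in detect_reflection(build_sample_flows()):
        print(f'{a["service"]} reflection toward {a["target"]}: '
              f'{a["reflectors"]} reflectors, {a["bytes"]} bytes, '
              f'{a["avg_packet_bytes"]} B/packet')
```

The average packet size is worth reporting alongside the reflector count: legitimate DNS or NTP answers are small, so reflected traffic that is consistently near the MTU is itself a strong hint even before the count crosses the threshold. Matching on source port alone would also catch the site's own resolver, which is why the summary keys on the target and requires many distinct sources.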