As companies grow, they adopt new technologies and face new threats. There are many types of DDoS attack today. They differ in how they are carried out and in the characteristics of the junk traffic generated by botnets. Any business, even the smallest, can become a target. The motives vary: hunting for valuable information, deliberately causing financial damage, or simply testing how robust a site is.
Most Common Threats
Cloud infrastructure has grown in popularity over the past few years. Thousands of companies around the world, from small businesses to well-known corporations, rely on cloud services, which makes those services a prime target for attackers. A DDoS attack disrupts a service by directing far more requests or packets at it than it was built to handle. Resources not designed for such load simply stop responding, and every user loses access. Beyond raw volume, DDoS attacks also exploit weaknesses in the design of network protocols and applications.
Attackers use entire networks of compromised devices (botnets) as the source of the attack, and the owners are often unaware that their devices and IP addresses are involved. IoT devices are particularly well suited to this: their number grows constantly while their security remains weak. Almost half of all DDoS attacks combine several techniques, but three main categories stand out:
- Volumetric attacks (floods) saturate the target's network bandwidth with a very large volume of packets, reaching several terabits per second in the largest cases. Once the link is full, legitimate traffic no longer gets through and the system stops responding.
- Protocol attacks exploit weaknesses in the design of network protocols such as TCP, UDP, or ICMP. Rather than filling bandwidth, they exhaust the state that servers, firewalls, and load balancers must keep per connection or per packet.
- Application layer attacks target web servers and applications. Cheap external requests provoke expensive internal work (database queries, page rendering, file lookups), and the server becomes unreachable long before the network link is full.
There is also a simpler classification based on the main transport protocols of the Internet. Attackers most often abuse the design of Transmission Control Protocol (TCP), whose handshake forces the server to keep state, and User Datagram Protocol (UDP), which is connectionless and therefore trivial to spoof. This classification helps to track trends.
Security specialists can see which protocols attract more spurious traffic and which attract less. This makes it possible to adjust protection strategies and makes it easier to design new filtering algorithms.
Fragmented UDP Flood
Some methods are of particular interest to attackers because of their efficiency, and various types of flooding are among them. One example is the Fragmented UDP Flood, which uses packets of the maximum permissible size. The channel is filled with the minimum number of forged packets, which carry no real data. Each one looks like a fragment of a larger datagram, so the attacked server reserves memory and reassembly state while it waits for the remaining fragments, which never arrive.
At some point this exhausts system resources and the server crashes or stops accepting traffic. A Fragmented UDP Flood is difficult to filter, because non-first fragments carry no UDP header and a filter cannot judge them until the whole datagram is seen, and the channel itself is at great risk of overflow. A similar attack once targeted the MMORPG Albion Online server: the attackers chose packet parameters and a sending rate that let the flood resemble legitimate traffic.
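To make the resource-exhaustion mechanism concrete, here is an added simulation of a host's IP fragment reassembly queue under exactly this kind of flood. It is example code written for this article, not code from the original page or from any operating system. It assumes an illustrative memory limit, per-queue overhead and timeout, and the attack and legitimate traffic are constructed inline; the attacker sends only first fragments (More Fragments set) of maximum size, so every queue it opens stays allocated until the timer expires.

```python
"""Fragment reassembly under a fragmented UDP flood (added illustration).

Models a host's IP reassembly queue: every datagram whose fragments have not
all arrived is held in memory until the last fragment shows up or a timer
expires. An attacker who sends only first fragments (MF set, tail never sent)
makes the victim hold buffers that can never be completed. The memory limit,
timeout, overhead and traffic below are constructed assumptions, not the
values of any particular operating system.
"""
from dataclasses import dataclass, field

QUEUE_OVERHEAD = 256   # assumed bookkeeping cost per incomplete datagram, in bytes


@dataclass
class Fragment:
    src: str
    ident: int      # IP Identification field, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes
    more: bool      # More Fragments (MF) flag
    length: int     # payload bytes carried by this fragment
    ts: float       # arrival time in seconds


@dataclass
class Reassembler:
    timeout: float = 30.0               # seconds an incomplete datagram is kept (assumption)
    mem_limit: int = 1024 * 1024        # bytes of reassembly memory allowed (assumption)
    reserved: int = 0                   # memory currently held by incomplete datagrams
    dropped: int = 0                    # fragments refused because memory was exhausted
    completed: int = 0                  # datagrams fully reassembled
    queues: dict = field(default_factory=dict)   # (src, ident) -> partial datagram state

    def expire(self, now):
        """Free every queue older than the timeout; this is the only thing that frees attack queues."""
        for key in [k for k, q in self.queues.items() if now - q["first"] > self.timeout]:
            self.reserved -= self.queues.pop(key)["buf"]

    def receive(self, frag):
        """Return True if the fragment was queued (or completed a datagram), False if dropped."""
        self.expire(frag.ts)
        key = (frag.src, frag.ident)
        q = self.queues.get(key)
        cost = frag.length + (QUEUE_OVERHEAD if q is None else 0)
        if self.reserved + cost > self.mem_limit:
            self.dropped += 1       # legitimate fragments are refused once the flood fills the table
            return False
        if q is None:
            q = self.queues[key] = {"buf": 0, "seen": set(), "first": frag.ts, "total": None}
        q["buf"] += cost
        self.reserved += cost
        q["seen"].add((frag.offset, frag.length))
        if not frag.more:
            q["total"] = frag.offset + frag.length   # the last fragment reveals the datagram length
        if q["total"] is not None and sum(n for _, n in q["seen"]) == q["total"]:
            self.reserved -= self.queues.pop(key)["buf"]
            self.completed += 1
        return True


def legit_datagram(src, ident, ts, size=3000, mtu=1500):
    """Constructed sample input: one UDP datagram split into properly chained fragments."""
    frags, off = [], 0
    while off < size:
        n = min(mtu - 20, size - off)            # 1480 payload bytes per fragment at a 1500-byte MTU
        frags.append(Fragment(src, ident, off, off + n < size, n, ts))
        off += n
    return frags


def attack_fragments(count, ts):
    """Constructed flood: maximum-size first fragments only, each from a spoofed source, tail never sent."""
    return [Fragment(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", i & 0xFFFF, 0, True, 1480, ts)
            for i in range(count)]


def run(reassembler, fragments):
    """Feed fragments in arrival order and report the reassembler's counters."""
    for f in sorted(fragments, key=lambda f: f.ts):
        reassembler.receive(f)
    return {"completed": reassembler.completed, "dropped": reassembler.dropped,
            "pending": len(reassembler.queues), "reserved": reassembler.reserved}


if __name__ == "__main__":
    traffic = attack_fragments(1000, ts=0.0)
    traffic += legit_datagram("192.0.2.1", 1, ts=1.0)     # arrives while the table is full: refused
    traffic += legit_datagram("192.0.2.2", 2, ts=40.0)    # arrives after the attack queues expire
    print(run(Reassembler(), traffic))
```

With a 1 MiB limit, about 600 forged first fragments are enough to fill the table, after which every legitimate fragment is refused until the 30-second timer frees the attack queues; a flood that keeps sending at that rate keeps the table full indefinitely. The two knobs a defender actually has are visible in the model: a shorter timeout and a per-source cap on reassembly memory, both of which bound how long and how much a single forged fragment can cost.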
TCP SYN Flood
Despite the "flood" in its name, TCP SYN Flood is a typical example of a protocol attack: it exhausts connection state rather than bandwidth. It exploits the design of the TCP handshake itself. A client requests a new session by sending a SYN packet, the server answers with a SYN-ACK, and the client completes the three-way handshake with an ACK, after which the host tracks and processes the session until it is closed. Between the SYN and the final ACK the server must already remember the half-open connection. In a SYN Flood the attacked server receives SYN requests with spoofed source IP addresses at high speed, and the final ACKs never arrive. The half-open entries fill the Transmission Control Block (TCB) table, or the listen backlog, that stores connection state, causing critical performance degradation: the server can no longer accept new connections even though its link is not saturated. Modern TCP stacks mitigate this with SYN cookies, which encode the half-open state in the server's initial sequence number instead of storing it, so a TCB is allocated only when a valid ACK returns. Amazon, the Italian sports betting site Eurobet, and several well-known companies in South Korea and Turkey have been subjected to such attacks.
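The following added example contrasts the two server behaviours described above: a stateful server that allocates a TCB for every SYN, and one that uses SYN cookies. It is illustration code written for this article, not code from the original page or from any TCP implementation. The cookie construction is a simplified version of the RFC 4987 scheme (a keyed hash of the 4-tuple and a 64-second counter; the MSS encoding real stacks include is omitted), and the backlog size, secret, timing and the flood traffic are constructed assumptions.

```python
"""TCB exhaustion by a SYN flood versus SYN cookies (added example).

A server that allocates a Transmission Control Block (TCB) on every SYN can be
filled by spoofed SYNs whose ACKs never come. With SYN cookies the server keeps
no state for a half-open connection: the initial sequence number in its SYN-ACK
is a keyed hash of the 4-tuple and a coarse time counter, and the TCB is
created only when a valid ACK returns. Simplified RFC 4987 layout (no MSS
encoding); backlog, secret, timing and traffic are assumptions for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET = secrets.token_bytes(32)   # per-boot server secret (assumption: regenerated on each start)
TICK = 64                          # seconds per counter step
COOKIE_WINDOW = 2                  # how many past counter values a cookie remains valid for


def make_cookie(src, sport, dst, dport, counter):
    """32-bit cookie: the top 8 bits carry the counter, the low 24 bits a keyed hash of the 4-tuple."""
    msg = f"{src}:{sport}->{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(digest[:3], "big")


@dataclass
class StatefulServer:
    """Classic behaviour: one TCB per SYN, held until the handshake completes (no timeout modelled)."""
    backlog: int = 128
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)

    def syn(self, src, sport, dst, dport, now):
        if len(self.half_open) >= self.backlog:
            return None                         # backlog full: the SYN is silently dropped
        isn = secrets.randbits(32)
        self.half_open[(src, sport, dst, dport)] = isn
        return isn                              # sent back in the SYN-ACK

    def ack(self, src, sport, dst, dport, ack_num, now):
        key = (src, sport, dst, dport)
        isn = self.half_open.get(key)
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


@dataclass
class CookieServer:
    """SYN-cookie behaviour: no state until a valid ACK proves the client really exists."""
    established: set = field(default_factory=set)

    def syn(self, src, sport, dst, dport, now):
        return make_cookie(src, sport, dst, dport, now // TICK)   # nothing stored

    def ack(self, src, sport, dst, dport, ack_num, now):
        isn = (ack_num - 1) & 0xFFFFFFFF
        stamp = isn >> 24
        for age in range(COOKIE_WINDOW + 1):    # accept cookies minted in the last few ticks
            counter = now // TICK - age
            if counter & 0xFF == stamp and make_cookie(src, sport, dst, dport, counter) == isn:
                self.established.add((src, sport, dst, dport))
                return True
        return False                            # forged, replayed or expired cookie


def flood_then_connect(server, flood_syns, now=1000):
    """Spoofed SYNs (constructed flood) followed by one honest client; returns whether it connected."""
    for i in range(flood_syns):
        server.syn(f"203.0.113.{i % 256}", 1024 + i, "198.51.100.10", 443, now)   # no ACK ever follows
    isn = server.syn("192.0.2.7", 50000, "198.51.100.10", 443, now + 1)
    if isn is None:
        return False
    return server.ack("192.0.2.7", 50000, "198.51.100.10", 443, (isn + 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    print("stateful server, honest client connected:", flood_then_connect(StatefulServer(), 1000))
    print("cookie server,   honest client connected:", flood_then_connect(CookieServer(), 1000))
```

The stateful server fills its 128-entry backlog with spoofed half-open connections and then drops the honest client's SYN; the cookie server answers every SYN without allocating anything and only creates state when the honest ACK carries a cookie it can verify. The caveat practitioners should know is visible in the code: the cookie has to fit in the sequence number, so it carries only a few bits of counter and cannot encode TCP options, which is why real stacks enable cookies only once the backlog overflows rather than all the time.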
ICMP Flood
ICMP has no handshake and no acknowledgment of receipt, so the source address of an ICMP packet cannot be verified and malicious packets are hard to separate from legitimate ones. Attackers flood the channel with spoofed ICMP packets, typically echo requests, from a wide range of IP addresses, simply overloading a particular server with the volume of requests and the replies it tries to send. ICMP is also used for preliminary reconnaissance: ping sweeps reveal which hosts are alive, and the addresses and open ports found this way are later used to launch a highly targeted attack. Protection against ICMP Flood consists of rate-limiting or dropping ICMP on border routers, or of special traffic-analysis algorithms. Blocking ICMP entirely is risky, however: Destination Unreachable/Fragmentation Needed messages are required for path MTU discovery, and dropping them silently breaks connections that need smaller packets.
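As an added example of the border-router protection just described, here is a small ICMP filtering policy written for this article (not code from the original page or from any router vendor). It rate-limits echo requests with a token bucket per source and a single global bucket, because a flood spoofed across many sources slips under any per-source limit, and it always passes Fragmentation Needed messages so path MTU discovery keeps working. The rates, the address ranges and the traffic it is run over are constructed assumptions.

```python
"""ICMP flood mitigation with per-source and global token buckets (added example).

Dropping ICMP wholesale breaks path MTU discovery (Destination Unreachable /
Fragmentation Needed, type 3 code 4), so this policy always passes that message
and throttles echo requests instead. Rates, addresses and traffic are
constructed assumptions for the example, not any vendor's defaults.
"""
from dataclasses import dataclass

ALWAYS_ALLOW = {(3, 4)}    # Fragmentation Needed: required for path MTU discovery
ECHO_REQUEST = 8


@dataclass
class IcmpPacket:
    ts: float      # arrival time in seconds
    src: str
    type: int
    code: int = 0


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst     # tokens per second, maximum stored tokens
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IcmpPolicy:
    def __init__(self, src_rate=10, src_burst=20, global_rate=1000, global_burst=2000, idle=60):
        self.src_rate, self.src_burst, self.idle = src_rate, src_burst, idle
        self.per_src = {}                                   # src -> TokenBucket
        self.glob = TokenBucket(global_rate, global_burst)  # a spoofed many-source flood hits this one

    def decide(self, pkt):
        """Return 'accept' or a 'drop:<reason>' verdict for one packet."""
        if (pkt.type, pkt.code) in ALWAYS_ALLOW:
            return "accept"
        if pkt.type != ECHO_REQUEST:
            return "accept"                                 # replies, TTL exceeded etc. pass unthrottled here
        bucket = self.per_src.get(pkt.src)
        if bucket is None:
            self.prune(pkt.ts)                              # keep the table bounded under a spoofed flood
            bucket = self.per_src[pkt.src] = TokenBucket(self.src_rate, self.src_burst)
        if not bucket.allow(pkt.ts):
            return "drop:source-rate"
        if not self.glob.allow(pkt.ts):
            return "drop:global-rate"
        return "accept"

    def prune(self, now):
        """Forget sources that have been silent longer than `idle` seconds."""
        for src in [s for s, b in self.per_src.items() if b.last is not None and now - b.last > self.idle]:
            del self.per_src[src]


def apply_policy(policy, packets):
    """Run the policy over (packet, label) pairs and tally verdicts per label."""
    tally = {}
    for pkt, label in packets:
        verdict = policy.decide(pkt)
        tally.setdefault(label, {}).setdefault(verdict, 0)
        tally[label][verdict] += 1
    return tally


def sample_traffic():
    """Constructed traffic: an honest host, a spoofed many-source flood, one loud host, one PMTU message."""
    pkts = [(IcmpPacket(float(t), "192.0.2.10", ECHO_REQUEST), "honest") for t in range(10)]
    pkts += [(IcmpPacket(100 + i / 5000, f"203.0.113.{i % 250}", ECHO_REQUEST), "flood") for i in range(5000)]
    pkts += [(IcmpPacket(300 + i / 100, "198.51.100.5", ECHO_REQUEST), "loud") for i in range(100)]
    pkts += [(IcmpPacket(400.0, "198.51.100.1", 3, 4), "pmtu")]
    pkts += [(IcmpPacket(401.0, "192.0.2.10", ECHO_REQUEST), "honest")]
    return pkts


if __name__ == "__main__":
    for label, verdicts in apply_policy(IcmpPolicy(), sample_traffic()).items():
        print(f"{label:7s} {verdicts}")
```

The spoofed flood sends 20 packets from each of 250 addresses, so every per-source bucket lets it through; only the global bucket catches it, accepting roughly 3,000 of the 5,000 packets in that second and dropping the rest. The single loud host is caught by its own bucket, and the honest host's occasional pings and the Fragmentation Needed message pass untouched. Note that the global limit throttles honest echo requests too once a flood is under way: that is the price of not being able to trust ICMP source addresses.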