A DDoS attack can have the potential to bring down any business to its knees.This document gives a brief overview of various types of DDoS attacks.

1. E N T E R P R I S E I T
S E C U R I T Y
WEB APPLICATION FIREWALL & DDOS
MITIGATION SOLUTION
12 TYPES OF DDOS ATTACK
www.haltdos.com

2. What is a
DDoS attack?
DDoS (Distributed Denial of Service) attack is a type of a cyber-
attack where an attacker use multiple compromised systems to
flood a network/web application with illegitimate traffic and
make it unavailable for the legitimate users who are trying to
access it.

3. During a DDoS attack, the incoming traffic which is
responsible for flooding the victim is originated
from many different sources. This efficiently
makes it impossible to stop the attack simply by
blocking a single IP address and thus, it is very
difficult to distinguish between legitimate user
traffic and attack traffic when it is spread across
too many points of origin which causes a denial of
service.
How DDoS
Attacks Work?

4. In today’s online businesses, DDoS attacks hold for a major concern.
According to the report presented by Akamai - Q3 2017 Security Report, it was
concluded that there’s a 179.66% increase in the total number of DDoS
attacks since the last 3 years.
Overview

5. Businesses from all over the world have suffered numerous high profile cyber incidents over the
past few years; with attacks on Github on Feb 2018 and several attacks on ISPs and Banks all over
the world showed us that even a single DDoS attack can have the potential to bring down any
business to its knees.
DDoS attacks have grown greater and urbane over the years, whether be it flooding a target with a
simple ping command based ICMP echo request or complex multi-vector attacks. In this
document, we shall overview the different types of DDoS attacks.

6. 1. Application Level Attacks
Application level attacks occur when an attacker attacks a specific application
or a website that is poorly coded in order to exploit its weakness. As a result,
the entire server gets exhausted and becomes unavailable to the legitimate
requests. Websites and applications with security loopholes also fall under the
susceptibility for hackers intending to steal information. These loopholes can
also be exploited with the help of a simple targeted attack that targets the
database. For example WordPress and Joomla are applications that can
exhaust a server’s resources.

7. 2. Zero Day (0day) DDoS
Zero Day DDoS attacks are the attacks that are unidentified yet they exploit
new vulnerabilities. These attacks are not traceable and have undefined
defensive mechanisms.

8. 3. Ping Flood
Ping Flood is an application specific type of DDoS attack that is an evolved
version of Internet Control Message Protocol (ICMP) flood. In this type of DDoS
attack the attacker sends multiple spoofed ping packets to the server through
a large set of source IP. The purpose of the attacker is to flood the target with
ping packets until it goes offline.
It is designed in such a way that it consumes all the resources and bandwidth
which are available in the network until it is completely exhausted and finally
shuts down. It is not very easily detectable as it closely resembles the
legitimate traffic.

9. 4. IP Null Attack
The IP packets contain IPv4 headers that enclose all the information about the
transport protocol which is being used in the protocol field. In IP Null attack,
the attacker sends packets containing null value (zero) in this field and these
packets can neglect security measures which are designed to scan TCP, IP and
ICMP. As a result, when the server which is targeted will try to process these
packets, it will exhaust its resources and will reboot.

10. 5. NTP Flood
NTP is an abbreviation used for Network Time Protocol. It is basically an
internet protocol which is used to synchronize the clocks of computers to
some time-reference. NTP Flood attack occurs when an attacker sends small
packets containing a spoofed IP of the target to internet enabled devices
running NTP. These spoofed requests then sends UDP floods as responses
from these devices to the target. When the target tries to identify this flood of
requests, all its resources gets exhausted and either it goes offline or will
reboot.

11. 6. ICMP Flood
In an Internet Control Message Protocol (ICMP) Flood Attack occurs when an
attacker sends highly-spoofed ICMP packets in huge amount to flood a
network. As a result, all the resources and available bandwidth are consumed
and the network gets exhausted and it goes offline. ICMP floods can
overpower a network with packets containing random or fixed source IP
addresses. This attack can be viewed as a Network-Level volumetric attack
and thus can be defeated by L3/L4 Packet Filtering.

12. 7. SYN Flood
SYN flood attack occurs when an attacker sends a succession of SYN requests
to a targeted system. All the server resources are consumed and the system
thus becomes unresponsive to legitimate traffic. By flooding multiple TCP
ports on the target system with SYN (synchronize) messages, a SYN-flood
DDoS attack takes advantage of the TCP (Transmission Control Protocol) three-
way handshake process in order to initiate a connection between the source
system and the target system, thus making the system unresponsive to
legitimate traffic.

13. 8. UDP Flood Attack
UDP stands for User Datagram Protocol that sends short packets of data,
called datagrams. UDP flood attack occurs when the attacker tries to flood the
target server with large number of spoofed data packets. As a result, all the
available bandwidth is consumed and exhausted. Thus, IP server gets down.
It is harder for defensive mechanisms to identify a UDP Flood attack since it is
an end to end process of communication between client and host.

14. 9. UDP Fragmented Floods
The activity generated by the UDP fragmented flood attacks is similar to the
UDP flood attack, with a difference that in this case the attacker sends the
fragmented data packets to the target server. The target server then tries to
put these unrelated and fake fragmented UDP data packets together and
eventually fails to do so. As a result, all the available resources get exhausted
and this may lead to server reboot.

15. 10. DNS Flood Attack
DNS Flood Attack occurs when the attacker sends a large amount of spoofed
DNS requests that are exact replica of the real DNS requests from a very large
set of source IP. Hence, it is not possible for the target server to differentiate
between the real and the fake DNS requests. In order to serve all the requests,
the server exhausts all its resources. As a result, the attack consumes all the
available bandwidth until it is completely drained out.

16. 11. SIP Flood Attack
Session Initiation Protocol (SIP) is a commonly used signaling protocol which is
used to support voice communication, video communication and other
multimedia applications. SIP Flood Attack occurs when an attacker sends
multiple INVITE requests without waiting for responses from the UAS or the
proxy with an aim to exhaust their respective resources.

17. 12. Slowloris Attack
In this type of attack first of all the TCP connection is established, then as the
multiple requests comes at regular intervals, all the connections are eventually
consumed that restrict other servers to connect until some of the connections
are released. Thus at this point of time, hackers with limited traffic resources
successfully mount a Slowloris attack.

18. info@haltdos.com
To learn more visit our website - www.haltdos.com
FREE TRIAL
S T A R T Y O U R
https://app.haltdos.com
W E B A P P L I C A T I O N
F I R E W A L L & D D O S
P R O T E C T I O N
Understand the current web application threat
landscape, know why traditional network security
solutions fail to provide a complete protection against
today’s emerging threats and why your organization
needs a web application firewall to mitigate IT risks.
Sign up at haltdos.com