DDoS attacks are generally classified into the following 3 categories:
- Volumetric attacks: This category of exploited method attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.
- Protocol attacks: Protocol attacks utilize weaknesses in layer 3, layer 4, and layer 7 of the protocol stack to render the target inaccessible. It includes SYN flood attacks, reflection attacks, and other protocol attacks.
- Application layer attacks: Layer 7 DDoS attack such as HTTP Flood or CC attack. HTTP flood or CC attacks generate high volumes of HTTP GET or POST requests from multiple sources, targeting the application layer to cause service degradation or unavailability. Application attack traffic is difficult to tell apart from normal traffic as attacker adopt an attack method called user mimicking. It requires an advanced mitigation method will be illustrated later of this article.
Besides this, HTTP idle attacks have another use which could be executing high-level attacks, because it would interfere with the website in certain ways that would prevent the termination of a session, due to which, unlimited packets would be conveyed via the same connection.
Before accessing any website, there also comes many other milestones, which include, cloud service level, network level, web server level, and web application level. It is almost impossible for almost every company to establish high-level security at all these level, moreover, as in a website case, all these levels are usually owned by different vendors, so, if an attacker would become able to compromise any one of these levels, denial of service would definitely occur. In fact, the number of levels would be compromised, an increase would be the denial of service effect.
Ping of death attack
POD (ping of death) is about the sending illegal or malicious pings from the attacker to victim’s computer. IP packet has a maximum packet length of 65,535 bytes. Whereas Data Link Layer usually has a maximum frame size limit – for example, 1500 bytes over an Ethernet network. So, in case of DDoS attack, a ping of death packet is sent from attacker computer to a victim machine, the ping packet gets fragmented into smaller groups of packets these packets always arrive in fragments. When these packets received at target computer it reassembles the malicious packets that’s were in chunks and in this process the buffer overflow occurs at target’s computer. The system usually crashes on buffer overflow and make it vulnerable for hackers to penetrate.
Conventional attacks, otherwise called a state-depletion attack, because of this, service disturbance occurs by expending the accessible limit of web hosting servers or middle of the road assets like firewalls and load balancers. Convention attacks use shortcomings of the layer convention queue to make the object being rendered out of reach.
SYN flood is a form of denial of service attack in which an attacker sends a series of SYN requests to the target system in order to consume enough server resources so that the system does not respond to legitimate traffic. The attacker sends over and over SYN requests to each port using forged IP address, but doesn’t either reply to the host’s SYN-ACK, or sends the SYN requests from a spoofed IP address. In any way, the host system goes on to wait for confirmation from each and every one of the requests until that time when no new connections can be done and eventually resulting in a denial of service.
Application layer attacks
HTTP Flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker manipulates HTTP and POST unwanted requests in order to attack a web server or application. These attacks often use interconnected computers that have been taken over with the aid of malware such as Trojan Horses. Instead of using malformed packets, spoofing and reflection techniques, HTTP floods require less bandwidth to attack the targeted sites or servers.
A DNS amplification attack is a distributed denial of service (DDoS) attack. The attacker imputes the identity of search queries to the Domain Name System (DNS) servers to hide the origin of the exploit and direct the response to the target. Through various techniques, the attacker converts a small DNS query into a much larger payload directed to the target network.
This attack misuses the TCP authentication with the help of sending an objective an expansive number for TCP request for the starting of the connection. The attacked system reacts to every association demand and after that sits tight for the last advance in the handshake, which never happens, depleting the objective’s assets all the while.