What is a DDoS attack? Common types of DDoS attacks
The online world is constantly bombarded with cybercrime. Over the last couple of decades the rate of cybercrime and cyberattacks has risen dramatically, with identity theft, privacy intrusion and attacks aimed directly at websites all becoming far more common.
In this article, we are going to be discussing the latter of these issues, while putting our focus on the infamous DDoS attacks.
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a common type of cyberattack designed to disrupt the normal operation of a server, or of the website or application it hosts, by exhausting its bandwidth, its connection state or its processing capacity.
How do DDoS attacks work?
Under normal conditions and real traffic, the server and the client software communicate with each other without issues or latency. The available server and network resources are enough to sustain normal spikes in usage, which can occasionally occur when multiple users visit a given website or application at the same time.
During a DDoS attack, a large number of compromised devices (collectively referred to as a botnet) send an enormous volume of requests to the server or web application in order to overload it and saturate its network link.
Because this malicious traffic arrives mixed with legitimate traffic, the fake requests are hard to filter out, so the attack is difficult to mitigate without also degrading the performance, connections and requests of real users.
When the attack comes from a single source it is referred to as a DoS (denial-of-service) attack.
DDoS attack consequences
There are several common motives behind DDoS attacks. One is to cause financial damage to the owner of the server. Another is to deny access to information by making a public service unavailable or unusable.
Furthermore, a prolonged outage can also hurt the website's performance in search engine results pages (SERPs), which can lead to unexpected ranking drops and, worse, search engine penalties.
Depending on the severity of the attack and its consequences, it can also damage the website's reputation in the long term.
What are the most effective network attacks?
The most effective network attacks are flood (volumetric) attacks, because the attacker needs relatively few resources to saturate the network link of the targeted server.
While the attack lasts the link stays saturated, and the website or application is unreachable or barely usable. Such an attack cannot be filtered on the server itself, and no software installed on it can mitigate it, because the upstream link is already full before the packets ever reach the server; the filtering has to happen further upstream, at a provider or scrubbing service with more capacity than the attack.
Additionally, these attacks are fairly cheap to launch, while protection is expensive, since it requires larger network capacity and, very often, an additional cloud-based scrubbing service.
Many DDoS attacks last only around 30 minutes, but some go on for much longer, from a few hours to several days, which can cause severe damage to a business.
As an example, one of the largest DDoS attacks on record hit GitHub, the popular code-hosting and repository-management platform, in February 2018. It was a memcached-based amplification attack that peaked at about 1.35 Tbps. Fortunately, GitHub's traffic was rerouted through a scrubbing provider and the attack was mitigated within minutes.
What are the most common DoS and DDoS attacks?
There are many registered types of DDoS attack, and attackers keep refining their techniques to make artificial traffic harder to tell apart from legitimate traffic. The following are the most common types.
UDP flood DDoS attack
This is an effective and easy-to-execute attack. The goal is to flood the target's network link with a huge number of UDP packets, usually sent to random ports from spoofed source addresses.
This pushes more traffic at the target than its link can physically carry, so legitimate requests never reach the server. Even below the link's capacity the host wastes CPU on every packet, checking for a listening service and answering with ICMP "port unreachable" messages.
SYN flood attack
This attack exploits the way TCP sets up a connection: before any data flows, the client and the server must complete the so-called three-way handshake (SYN, SYN-ACK, ACK).
First, the attacker sends the initial SYN packet from a spoofed IP address. The server responds with a SYN-ACK, allocates an entry for the half-open connection in its SYN backlog and waits for the final ACK. Because the source address is spoofed, that ACK never arrives: the connection is neither fully established nor closed, and it stays in the half-open state until a timeout expires.
By sending SYNs from fake addresses faster than the half-open entries time out, the attacker fills the backlog, which caps the number of simultaneous half-open connections. Once the limit is reached the server drops new SYNs, including those from real users, and becomes unavailable. The standard defence is SYN cookies, which let the server answer with a SYN-ACK without storing any state until the handshake actually completes.
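The exchange described above, as an added model that is not code from the original article: a listener that stores a half-open entry per SYN is exhausted by spoofed SYNs, while the same listener with SYN cookies encodes the handshake in its initial sequence number (a time slot plus a truncated HMAC) and keeps nothing. The backlog size, the cookie layout and the TEST-NET addresses are assumptions chosen for the demo.

```python
"""SYN backlog exhaustion versus SYN cookies.

Added illustration, not code from the original article: the "packets" are
the arguments handed to the methods below, the backlog size is an assumed
value and the spoofed addresses come from the TEST-NET documentation ranges.
"""
import hashlib
import hmac
import os
import random

BACKLOG = 128            # assumed maximum number of half-open connections
SECRET = os.urandom(16)  # per-process key for the cookie MAC


def syn_cookie(src_ip, src_port, dst_port, ts_slot):
    """Encode the handshake in the server's initial sequence number (ISN).
    Real stacks also pack the client's MSS into the ISN; here the top 8 bits
    carry a coarse time slot and the low 24 bits a truncated HMAC."""
    slot = ts_slot & 0xFF
    msg = f"{src_ip}:{src_port}:{dst_port}:{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return (slot << 24) | int.from_bytes(mac, "big")


def cookie_valid(ack, src_ip, src_port, dst_port, now_slot, max_age=1):
    """The client's final ACK acknowledges ISN+1; recompute the cookie for
    the slot stored in the ISN and compare in constant time."""
    isn = (ack - 1) & 0xFFFFFFFF
    slot = isn >> 24
    if (now_slot - slot) & 0xFF > max_age:        # cookie has expired
        return False
    expected = syn_cookie(src_ip, src_port, dst_port, slot)
    return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))


class Listener:
    def __init__(self, port, syncookies):
        self.port = port
        self.syncookies = syncookies
        self.half_open = {}       # (src_ip, src_port) -> ISN, only used without cookies
        self.established = set()
        self.dropped_syns = 0
        self.clock = 0            # coarse time counter, in cookie slots

    def on_syn(self, src_ip, src_port):
        """Return the ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if self.syncookies:
            # Stateless: the SYN-ACK carries a cookie and nothing is stored.
            return syn_cookie(src_ip, src_port, self.port, self.clock)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1                # backlog full: SYN silently dropped
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        """Handle the third handshake packet; True if the connection is established."""
        key = (src_ip, src_port)
        if self.syncookies:
            if not cookie_valid(ack, src_ip, src_port, self.port, self.clock):
                return False
        else:
            isn = self.half_open.get(key)
            if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
                return False
            del self.half_open[key]
        self.established.add(key)
        return True


def flood_then_connect(syncookies, n_spoofed=1000):
    """Send n_spoofed SYNs from forged sources that never ACK, then attempt one
    legitimate handshake. Returns (legit_connected, half_open_entries)."""
    srv = Listener(443, syncookies)
    for i in range(n_spoofed):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i)   # spoofed, constructed
    isn = srv.on_syn("203.0.113.7", 50000)                    # real client
    ok = isn is not None and srv.on_ack("203.0.113.7", 50000, (isn + 1) & 0xFFFFFFFF)
    return ok, len(srv.half_open)


if __name__ == "__main__":
    print("backlog only :", flood_then_connect(False))   # (False, 128)
    print("SYN cookies  :", flood_then_connect(True))    # (True, 0)
```

On Linux the real mechanism is enabled with `sysctl net.ipv4.tcp_syncookies=1` (the default on most distributions) and the backlog limit is `net.ipv4.tcp_max_syn_backlog`; cookies only kick in once the backlog overflows, and because the cookie is bound to the client address and port, an ACK replayed from a different source or after the slot has aged out is rejected.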
Slowloris attack
Slowloris is a DoS attack performed from a single computer with a purpose-built tool, and it can take a web server down completely while using very little bandwidth.
Slowloris keeps as many connections to the web server open as possible by sending partial HTTP requests and then trickling in further header lines just often enough to keep each connection alive, without ever completing a request. Servers that dedicate a worker thread or process to each connection (for example Apache in prefork mode) run out of workers and stop serving real users, while the attacker spends almost no bandwidth.
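To see why a header-read deadline is the usual counter, here is an added model (not code from the article or from the Slowloris tool) that replays a constructed Slowloris byte stream and a legitimate request against a worker pool, with and without a limit on how long the server waits for complete headers. The pool size, the 20-second deadline and the 300-second observation window are assumed values.

```python
"""How long a Slowloris connection occupies a worker, with and without a
header-read deadline.

Added illustration, not from the original article or the Slowloris tool.
Each connection is a constructed list of (seconds_since_connect, bytes)
chunks; pool size, deadline and observation window are assumed values.
"""

WORKERS = 4               # assumed thread-per-connection pool size
WINDOW = 300.0            # assumed observation window in seconds


def slowloris_stream(duration, interval=10.0):
    """Bytes a Slowloris client sends: a request line and a few headers, then
    one bogus header every `interval` seconds, never the blank line that
    ends the header block. Shape reconstructed from the attack description."""
    chunks = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n")]
    t, i = interval, 0
    while t < duration:
        chunks.append((t, f"X-a: {i}\r\n".encode()))
        t += interval
        i += 1
    return chunks


LEGIT_STREAM = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]   # constructed


def connection_outcome(chunks, header_timeout, window=WINDOW):
    """Replay one connection against a server that gives up if the request
    headers are not complete after `header_timeout` seconds (None = no limit).
    Returns (state, seconds_a_worker_was_held_waiting_for_headers)."""
    buf = b""
    for t, data in chunks:
        if header_timeout is not None and t >= header_timeout:
            return "timed_out", header_timeout
        buf += data
        if b"\r\n\r\n" in buf:                 # end of headers: request can be served
            return "served", t
    if header_timeout is None:
        return "open", window               # worker stays busy until the window ends
    return "timed_out", min(header_timeout, window)


def pool_utilisation(streams, header_timeout, workers=WORKERS, window=WINDOW):
    """Share of the pool's worker-seconds spent waiting for request headers."""
    held = sum(connection_outcome(s, header_timeout, window)[1] for s in streams)
    return held / (workers * window)


if __name__ == "__main__":
    attack = [slowloris_stream(WINDOW) for _ in range(WORKERS)]
    print("no deadline  :", pool_utilisation(attack, None))   # 1.0: every worker stuck
    print("20 s deadline:", pool_utilisation(attack, 20.0))   # about 0.07
    print("legit client :", connection_outcome(LEGIT_STREAM, 20.0))
```

With no deadline, four slow clients hold all four workers for the whole window; with a 20-second deadline each connection is dropped after 20 seconds and the slot is freed. In practice this is configured with `client_header_timeout` in nginx or `mod_reqtimeout` in Apache (for example `RequestReadTimeout header=20-40,MinRate=500`), and it has to be paired with a per-IP connection limit, since a deadline alone only forces the attacker to reconnect.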
Amplification attack
Amplification attacks are UDP floods that abuse protocols such as DNS or NTP to multiply the attacker's bandwidth: the attacker sends small requests to open DNS resolvers (or NTP servers, memcached instances and similar reflectors), which answer with responses many times larger than the request, so far more traffic reaches the victim than the attacker could generate alone.
This works by sending specially crafted requests to many public DNS servers with the source IP address spoofed to that of the target, so that the responses, each several times larger than the request, are delivered to the victim instead of the attacker.
In this way roughly 1 Gbps of attack traffic can be amplified to 20 Gbps; the exact factor depends on the protocol and the request being abused.
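Because the UDP flood and amplification sections both describe volumetric traffic that the server cannot absorb, the practical question on the receiving side is how to recognise which one is under way quickly enough to request upstream filtering. The following added example (not from the article) triages one second of NetFlow-style records: it measures inbound UDP volume, then checks whether the bytes arrive from well-known reflector ports without a matching outbound query from the target, which is the signature of reflection. The flow records, the target address, the threshold and the reflector port list are all constructed assumptions.

```python
"""Flow-based triage: UDP flood versus reflection/amplification attack.

Added example, not from the article. The flow records are constructed
below as NetFlow-like dicts covering one second of traffic; the threshold,
target address and reflector port list are assumptions.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors: CharGen, DNS, NTP, SSDP, memcached
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}
FLOOD_MBPS = 500            # assumed: inbound UDP above this is abnormal for the target
TARGET = "203.0.113.10"     # our host, TEST-NET-3 address (constructed)


def triage(flows, target=TARGET, flood_mbps=FLOOD_MBPS):
    """flows: dicts with keys src, sport, dst, dport, proto, pkts, bytes for
    one second. Returns (verdict, details)."""
    inbound = [f for f in flows if f["dst"] == target and f["proto"] == "udp"]
    total_bytes = sum(f["bytes"] for f in inbound)
    mbps = total_bytes * 8 / 1e6
    if mbps < flood_mbps:
        return "normal", {"mbps": round(mbps, 1)}
    # Queries the target itself sent out. A genuine DNS or NTP answer has a
    # matching outbound query; reflected answers do not.
    solicited = {(f["dst"], f["dport"]) for f in flows
                 if f["src"] == target and f["proto"] == "udp"}
    reflected = defaultdict(int)
    unsolicited = 0
    for f in inbound:
        svc = REFLECTOR_PORTS.get(f["sport"])
        if svc and (f["src"], f["sport"]) not in solicited:
            reflected[svc] += f["bytes"]
            unsolicited += f["bytes"]
    details = {
        "mbps": round(mbps, 1),
        "unsolicited_share": round(unsolicited / total_bytes, 2),
        "avg_packet_bytes": round(total_bytes / max(1, sum(f["pkts"] for f in inbound))),
        "reflectors": dict(reflected),
    }
    verdict = "amplification" if unsolicited / total_bytes > 0.8 else "udp_flood"
    return verdict, details


def _flow(src, sport, dst, dport, pkts, size):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "udp", "pkts": pkts, "bytes": pkts * size}


def sample_normal():
    """Constructed: the target's own DNS query and the answer to it."""
    return [_flow(TARGET, 51000, "192.0.2.53", 53, 1, 70),
            _flow("192.0.2.53", 53, TARGET, 51000, 1, 300)]


def sample_amplification():
    """Constructed: 2,000 open resolvers each delivering 50 large answers the
    target never asked for, on top of the normal traffic above."""
    return sample_normal() + [
        _flow(f"198.51.100.{i % 254 + 1}", 53, TARGET, 40000 + i, 50, 1400)
        for i in range(2000)]


def sample_udp_flood():
    """Constructed: spoofed sources sending small packets to random high ports."""
    return [_flow(f"198.51.100.{i % 254 + 1}", 30000 + i, TARGET,
                  1024 + (i * 7919) % 60000, 1000, 64) for i in range(2000)]


if __name__ == "__main__":
    for name, flows in [("normal", sample_normal()), ("amplification", sample_amplification()),
                        ("udp flood", sample_udp_flood())]:
        print(name, "->", triage(flows))
```

The verdict matters for the response: reflected traffic can be dropped by a stateful firewall or the upstream provider on the simple rule "UDP from port 53/123/11211 with no matching outbound request", whereas a spoofed flood to random ports has no such handle and needs blackholing or scrubbing of the whole prefix. Either way the check runs on flow exports or at the provider edge, since, as the article notes, the server's own link is already full by the time the packets would reach it.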
HTTP attack (layer 7 attack)
This kind of attack imitates real user traffic to the website by sending ordinary-looking HTTP GET and POST requests to the server.
The aim is to generate far more fake visitors than the server can handle, overloading it, usually by hammering expensive endpoints such as search, login or pages that query the database. Because every request is valid HTTP arriving over a completed TCP connection, the traffic is hard to distinguish from real users, and it takes far less bandwidth than a volumetric flood.
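One first-line check for a layer 7 flood is a per-client sliding-window rate on the web server's own access log, combined with how many distinct paths each client touches, since a scripted flood typically hits one endpoint over and over. The example below is added here, not taken from the article: it parses constructed Apache/nginx combined-format log lines, and the window length and request threshold are assumptions.

```python
"""Per-client rate triage of an HTTP (layer 7) flood from access-log lines.

Added example, not part of the article. The log lines are constructed below
in the Apache/nginx "combined" format; window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
WINDOW_S = 10    # assumed sliding window in seconds
MAX_REQ = 50     # assumed: more requests than this per window from one client


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_floods(lines, window_s=WINDOW_S, max_req=MAX_REQ):
    """Sliding-window request count per client IP. Returns {ip: (peak_count,
    distinct_paths)} for clients exceeding max_req in any window_s span; a
    high count with very few distinct paths is typical of a scripted flood."""
    recent = defaultdict(deque)
    paths = defaultdict(set)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        paths[ip].add(rec["path"])
        if len(q) > max_req:
            prev = flagged.get(ip, (0, 0))[0]
            flagged[ip] = (max(prev, len(q)), len(paths[ip]))
    return flagged


def make_line(ip, t, method, path, ua):
    """Build a constructed combined-format log line."""
    return (f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


def sample_log():
    """Constructed: 200 POSTs to /search in 10 s from one address, plus a
    browsing user fetching five pages over ten seconds."""
    t0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("198.51.100.23", t0 + timedelta(milliseconds=50 * i),
                       "POST", "/search?q=x", "Mozilla/5.0") for i in range(200)]
    lines += [make_line("203.0.113.7", t0 + timedelta(seconds=2 * i),
                        "GET", f"/page/{i}", "Mozilla/5.0") for i in range(5)]
    return lines


if __name__ == "__main__":
    print(flag_floods(sample_log()))   # {'198.51.100.23': (200, 1)}
```

The same per-client limit can be enforced at the edge with nginx's `limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;` and `limit_req zone=perip burst=20 nodelay;`. The caveat is that a distributed flood spread over thousands of bot addresses can stay under any per-IP threshold, so aggregate request rates per endpoint and behavioural checks (cookies or JavaScript challenges) are needed alongside it.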
Application vulnerability attack
This kind of attack exploits a software vulnerability in the application or one of its components rather than sheer traffic volume. For example, a single crafted request can trigger a bug that crashes the application or, in the worst case, allows remote code execution.
Not long ago such a vulnerability was found in WordPress, leaving more than 50% of all active WordPress sites exposed to exploits of this kind.
We at VPSBG offer additional strong DDoS protection up to 1.8Tbps for our shared hosting, KVM VPS and VDS servers, meaning that your websites and applications will be secure at all times!
For some further information about DDoS attack protection, you can also check out our article on the most effective protection methods against DDoS attacks and their mitigation.