DDoS Attacks Targeting Application Resources

January 5, 2016 02:00 PM

Attacks that target server resources attempt to exhaust a server's processing capabilities or memory and aim to cause a DDoS security weakness. An attacker takes advantage of an existing vulnerability on the target server or in a communication protocol. The target server - website, web application server, web application firewall, or intrusion prevention system - becomes so busy handling illegitimate requests that it can no longer handle legitimate requests.

TCP/IP Weakness Attacks

These types of DDoS attacks exploit some of the design weaknesses of the TCP/IP protocol. They typically misuse the six control bits, or flags, of the TCP/IP protocol - SYN, ACK, RST, PSH, FIN, and URG - to disrupt the normal mechanisms of TCP traffic. Unlike UDP and other connectionless protocols, TCP/IP is connection-based, requiring the packet sender to establish a full connection with the intended recipient prior to sending any packets. TCP/IP relies on a three-way handshake mechanism where every request creates a half-open connection (SYN), a request for a reply (SYN-ACK), and then an acknowledgement of the reply (ACK). Attacks attempting to abuse the TCP/IP protocol often send TCP packets in the wrong order, causing the target server to run out of computing resources as it tries to understand such abnormal traffic.

TCP SYN Flood Attacks

The TCP handshake mechanism requires agreement between each party to establish a connection. If the TCP client does not exist or is a non-requesting client with a spoofed IP, such an agreement is not possible. In a TCP SYN, or simple SYN flood attack, the attacking clients lead the server to believe that they are asking for legitimate connections through a series of TCP requests with TCP flags set to SYN. To handle each of these SYN requests, the target server opens threads and allocates corresponding buffers to prepare for a connection. Because server resources are limited and a SYN flood often involves a massive number of connection requests, a server is unable to time out its open requests before new requests arrive.

TCP RST Attacks

The TCP RST flag is intended to notify a server that it should immediately reset its corresponding TCP connection. In a TCP RST attack, an attacker interferes with an active TCP connection between two entities. The attacker sends packets with the RST Flag set to ON to host A, host B, or both. Since neither host knows that an attacker has sent these packets, they treat these packets normally, meaning that the valid TCP connection between the two hosts is terminated.

TCP PSH+ACK Flood Attacks

When a TCP sender sends a packet with its PUSH flag set to 1, the TCP data is immediately sent or "pushed" to the TCP receiver. This action forces the receiving server to empty its TCP stack buffer and send an acknowledgement when this action is complete. An attacker, usually using a botnet, can therefore flood a target server with many such requests, overwhelming the TCP stack buffer on the target server so it cannot process the requests or even acknowledge them - resulting in limited DDoS attack defense.

Protecting Against DDoS Attacks Targeting Server Resources

TCP/IP weakness attacks, TCP SYN flood attacks, TCP RST attacks, and TCP PS+ACK flood attacks are extremely effective since they overwhelm the server, making them difficult to stop. As a result, these serious DDoS attacks require sophisticated DDoS mitigation and DDoS protection solutions.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center