Attacks that target network resources use a large volume of illegitimate traffic to try to consume, or flood, all of a victim's network bandwidth.
In a typical flooding attack, the offense is distributed among an army of thousands of volunteered or compromised computers - a botnet - that sends a huge amount of traffic to the targeted site, overwhelming its network.
An amplification attack takes advantage of a disparity between a request and a reply in technical communication. For instance, the attacker could use a router as an amplifier, taking advantage of the router's broadcast IP address feature to send messages to multiple IP addresses in which the source IP is spoofed to the target IP. Famous examples of amplification attacks include Smurf attacks (ICMP amplification) and Fraggle attacks (UDP amplification). Another example of a type of amplification attack is DNS amplification, in which an attacker, having previously compromised a recursive DNS name server to cache a large file, sends a query directly or asks for the large cached file. The return message, significantly amplified in size from the original request, is then sent to the victim's spoofed IP address, causing a denial of service condition.
An attack is reflective when the attacker uses a potentially legitimate third party to send the attack traffic, ultimately concealing the attacker's identity.
Connection-Oriented DDoS Attacks
A connection-oriented attack is one in which the attacker must first establish a connection prior to launching a DDoS attack. This type of attack usually affects server or web application security and resources. Examples include TCP and HTTP-based attacks.
Connectionless DDoS Attacks
A connectionless attack does not require the attacker to open a complete connection to the victim and is therefore much easier to launch. A connectionless attack affects network resources, causing denial of service before malicious packets can even reach the server. Examples include UDP floods, ICMP floods, and IGMP floods.
UDP Flood Attacks
User Datagram Protocol (UDP) is a connectionless protocol that uses datagrams embed in IP packets for communication without needing to create a session between two devices (it requires no handshake process).
A UDP flood attack does not exploit a specific vulnerability. Instead, it simply abuses normal behavior at a high enough level to cause congestion for a targeted network. It sends a large number of UDP datagrams from potentially spoofed IP addresses to random ports on a target server. The server receiving this traffic is unable to process every request and consumes all of its bandwidth attempting to send ICMP "destination unreachable" packet replies to confirm that no application was listening on the targeted ports. As a volumetric attack, a UDP flood is measured in Mbps (bandwidth) and PPS (packets per second).
ICMP Flood Attacks
Internet Control Message Protocol (ICMP) is a connectionless protocol used for IP operations, diagnostics, and errors. An ICMP flood, or Ping flood, is a non-vulnerability based attack that does not rely on any specific vulnerability to achieve denial of service, making it difficult to prevent DDoS attacks. An ICMP flood can involve any type of ICMP message, such as a ping request. Once enough ICMP traffic is sent to a target server, the server becomes overwhelmed from attempting to process every request, resulting in a denial of service condition. An ICMP flood is a volumetric attack, measured in Mbps (bandwidth) and PPS (packets per second).
IGMP Flood Attacks
Internet Group Management Protocol (IGMP) is a connectionless protocol used by IP hosts to report or leave multicast group memberships for adjacent routers. An IGMP flood is non-vulnerability based, as IGMP is designed to allow multicast. Such floods involve a large number of IGMP message reports being sent to a network or router, significantly slowing and eventually preventing legitimate traffic from being transmitted across the target network.
Protecting Against DDoS Network Attacks
During the seven network flood attacks described above, legitimate users trying to access a site will find the attacked site incredibly slow or unresponsive. These network flood attacks are simple, yet extremely effective, meaning that they require sophisticated DDoS mitigation and DDoS protection solutions.