A DDoS attack is always launched from multiple compromised devices, often spread across different locations and collectively known as a botnet, which is usually controlled remotely by a single threat actor. This distinguishes it from a denial-of-service (DoS) attack, which uses a single Internet-connected device (one network connection) to flood a target with malicious traffic.
DoS and DDoS attacks can be classified in several ways. At a high level, a DDoS attack can be broken into different types according to whether it relies on an established connection:
- Connection-based: An attack that takes place after a connection between a client and a server has been made via certain standard protocols.
- Connectionless: An attack that does not require a session to be formally established before the server sends “data packets” to a receiver over a digital network.
A DDoS attack also falls into one of the following three broad categories, depending on which part of the network infrastructure the attack targets:
Volume-Based Attacks
The goal of a volume-based attack is to saturate the bandwidth of the attacked site by sending so much traffic that the site goes down. These attacks are also known as “floods”. Magnitude is measured in bits per second (bps). Attacks are usually executed via botnets.
Volume-based attacks include DNS floods, ICMP floods, and other spoofed-packet floods.
Protocol Attacks
A protocol attack consumes the resources of the server itself, or of intermediate communication equipment such as load balancers and firewalls, to disrupt connections. Protocol attacks are also known as TCP state-exhaustion attacks because they exhaust the finite number of concurrent connections the targeted device can support. Magnitude is measured in packets per second (pps).
Protocol attacks include fragmented packet attacks, Ping of Death, Smurf DDoS and SYN floods.
Application Layer Attacks
This type of attack aims to crash the web server with apparently innocent, legitimate-looking requests. Also known as Layer 7 attacks, they target weaknesses in a server or application by establishing a connection and then exhausting it, monopolizing processes and transactions. Magnitude is measured in requests per second (rps). Application layer attacks are harder to detect than the other two types because they generate a low traffic rate that appears legitimate.
Application layer attacks include GET/POST floods, low-and-slow attacks and attacks that target Windows, Apache or OpenBSD vulnerabilities.
Some DDoS attacks combine elements of all three types, which can make them even more challenging to mitigate.
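The three categories above are distinguished by the rate each one drives up (bps, pps, rps), so a simple monitor can compute all three per time window and report which category a traffic spike looks like. The following Python is an added example written for this page, not code from the original article or from any product it names. The packet records, the per-second windows and every threshold in `LIMITS` are constructed assumptions scaled so the sample trips them; a real deployment would derive thresholds from its own baseline. Besides the three rates, it tracks two signals the text calls out: the share of bare SYNs among TCP packets (the state-exhaustion pattern of a SYN flood) and the number of sources holding connections open with almost no data (the low-and-slow pattern that a raw rps threshold misses because, as the text says, such attacks generate a low traffic rate).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds (constructed)
    src: str         # source address (constructed, documentation ranges)
    proto: str       # "tcp", "udp" or "icmp"
    flags: str       # TCP flags, e.g. "S" for a bare SYN, "A" for ACK; "" for non-TCP
    size: int        # bytes on the wire
    http_req: bool   # True if the packet carried a complete HTTP request
    held_open: float # seconds the connection had already been open when seen


# Assumed thresholds for this example only (deliberately low so the sample trips them).
LIMITS = {
    "bps": 8_000_000,   # bits per second  -> volume-based (flood) indicator
    "pps": 1_000,       # packets per second -> protocol-level indicator
    "rps": 200,         # HTTP requests per second -> application-layer indicator
    "syn_ratio": 0.8,   # share of TCP packets that are bare SYNs -> state exhaustion
    "slow_secs": 30.0,  # a connection held open this long with little traffic is "slow"
    "slow_conns": 3,    # this many slow sources at once -> low-and-slow indicator
}


def window_metrics(packets, window=1.0):
    """Bucket packets into fixed windows and compute the rate each category uses."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)
    out = {}
    for w, pk in sorted(buckets.items()):
        tcp = [p for p in pk if p.proto == "tcp"]
        syn_only = sum(1 for p in tcp if p.flags == "S")
        out[w] = {
            "bps": sum(p.size for p in pk) * 8 / window,
            "pps": len(pk) / window,
            "rps": sum(1 for p in pk if p.http_req) / window,
            "syn_ratio": syn_only / len(tcp) if tcp else 0.0,
            # distinct sources keeping a connection open past the slow threshold
            "slow_conns": len({p.src for p in pk if p.held_open >= LIMITS["slow_secs"]}),
        }
    return out


def classify(packets, window=1.0):
    """Map each window to the set of DDoS categories its metrics resemble."""
    verdicts = {}
    for w, m in window_metrics(packets, window).items():
        cats = set()
        if m["bps"] >= LIMITS["bps"]:
            cats.add("volume")
        if m["pps"] >= LIMITS["pps"] or m["syn_ratio"] >= LIMITS["syn_ratio"]:
            cats.add("protocol")
        if m["rps"] >= LIMITS["rps"] or m["slow_conns"] >= LIMITS["slow_conns"]:
            cats.add("application")
        verdicts[w] = cats
    return verdicts


def sample_traffic():
    """Constructed packets: three one-second windows, one per category in the text."""
    pk = []
    # Window 0: UDP flood of full-size packets from many sources -> saturates bandwidth
    for i in range(800):
        pk.append(Packet(0.0 + i / 1000, f"198.51.100.{i % 250}", "udp", "", 1500, False, 0.0))
    # Window 1: SYN flood of tiny bare SYNs that never complete the handshake
    for i in range(1200):
        pk.append(Packet(1.0 + i / 1500, f"203.0.113.{i % 250}", "tcp", "S", 60, False, 0.0))
    # Window 2: HTTP GET flood plus a handful of sockets held open (low-and-slow)
    for i in range(300):
        pk.append(Packet(2.0 + i / 400, f"192.0.2.{i % 250}", "tcp", "A", 400, True, 0.1))
    for i in range(5):
        pk.append(Packet(2.5 + i / 100, f"192.0.2.{200 + i}", "tcp", "A", 40, False, 45.0))
    return pk


if __name__ == "__main__":
    for w, m in window_metrics(sample_traffic()).items():
        print(w, {k: round(v, 2) for k, v in m.items()}, classify(sample_traffic())[w])
```

Note how the second window is flagged by both pps and the SYN ratio while carrying well under the volume threshold, and the third is flagged by rps even though its byte rate is lower still; that is the point the text makes about application layer attacks looking legitimate by volume. A window can carry more than one label, which is how a combined attack of the kind mentioned in the last sentence would show up.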