DDoS (distributed denial of service) attacks have been growing in size and frequency as cybercriminals use sophisticated attack methods to avoid upgraded security measures.

Malicious actors have found ways to use new attack methods and upgrade old attack methods to conduct attacks that consume greater bandwidth.

Recent events have demonstrated how destructive and dangerous DDoS attacks could be; they represent one of the most feared offensive forms for their ability. Attack patterns employed by cyber criminals evolve over time as the corporate world seeks to defend itself against popular attacking strategies, in what is being compared to an arms race.

Attackers are even selling DDoS attack methods for as little as $5 on the web, and denial of service is also getting popular among hacktivists like Anonymous, who are using DDoS attacks to wipe out government websites and agencies to demonstrate a political protest, or what can some dub as terrorism.

DDoS attacks classification

DDoS in simple words describe a cyber-attack that is used to make resources on a server or a service unavailable to users. DDoS are usually classified into three categories:

Application Layer attacks: The goal is to target applications. Application Layer attacks usually target HTTP in an attempt to exhaust the resource limits of internet services. They target specific apps on the web and make requests to tie up resources deep inside the affected network. Examples include Zero-day DDoS attacks and attacks geared towards OpenBSD and Apache vulnerabilities.

Protocol attacks: The cyber criminal conducts the attack with the aim to saturate service resources of the targets or of firewalls, load balancers, and other intermediate communication equipment. It exploits network protocol to abuse the victim’s resources. Examples include Smurf attacks and SYN Floods.

Volume based attacks: The aim is to saturate the victim’s bandwidth. Examples include ICMP flood and other spoofed-packet traffic floods.

Popular DDoS attack types

Sophistication in the DDoS marketplace has given birth to a variety of threats that come under the three categories described above. Some of these threats have even made their own separate categories.

Here are the most popular DDoS attacks that have been witnessed in recent times:

POD (Ping of Death): An attack that manipulates IP protocol by sending packets that are bigger than the maximum byte allocated, which is 65,535 bytes under IPv4. Larger packets are spread across multiple IP packets (fragments) and once they are reassembled, they create a packet larger than the byte allowance. The behemoth packet then causes servers to crash or reboot. Most organizations have implemented stronger checks in the reassembly procedure, which makes POD rarely a problem, but modern DDoS attacks are outsmarting these implementations by sending numerous smaller pings instead.

NTP (Network Time Protocol): NTP is a subset of IP that enables computers to connect to a specified server to set their internal clocks. These attacks have a feature that allows a tiny ping request to be replied to by the host featuring the last 600 machines that the clocks were set for by the server, which is a MUCH larger reply than the initial ping request, making it ripe for DDoS attacks. This type of NTP request can overload a server, and the outbound reply data can overload the network in return. Online gaming services have been victims of NTP DDoS attacks.

Reflection attack: This is a DDoS attack that sends floods of requests to a list of third-party services, making use of the spoofed IP address of the intended target. The victims, which may include gaming servers, DNS (domain name services), printers and networked devices, will direct the responses to the spoofed address, which is with the attacker’s target. The unwanted flood of data from a large number of servers can lead to a denial of service that impairs the target’s availability.

Slowloris: This DDoS attack can be difficult to mitigate. It’s a tool that enables hackers to utilize fewer resources during the attack. Connections to the target systems are opened with partial requests and allowed to stay open for the maximum possible time. It also sends HTTP headers at specific intervals, which adds to the requests, but does not lead to completion – keeping more connections open for a long time until the victim website is no longer able to function on the web.

UDP (User Datagram Protocol) Flood: This is a sessionless networking protocol. It involves flooding random ports on the victim’s machine with packets that cause it to listen for applications on those ports and report back with ICMP packets. When several UDP packets have the source IP address forged to a single address, the server responds to the victim, resulting in denial of service.

SYN Flood: A DDoS attack that exploits a TCP connection sequence vulnerability. The SYN request is made to form a connection with a host and it’s answered by a SYN-ACK response, and then confirmed through an ACK response from the requester’s side. Multiple SYN requests are sent from a spoofed address, which eats up resources until new connections are no longer possible, resulting in denial of service. SYN Flood attacks are usually geared towards data centres.

Nuke: Corrupt ICMP packets are sent via modified ping utilities to deliver the malicious packets to the target. Eventually, the target machine is taken offline. The attack focuses on compromising a victim’s network.

P2P (Peer-to-Peer): The attacker, instead of leveraging a botnet to siphon traffic towards a victim, utilizes a peer-to-peer server to route traffic. When successful, individuals using P2P servers are redirected to the target until the target is overwhelmed and has to go offline.

Predicting DDoS attacks

Prediction of DDoS attacks is becoming more important than mitigation strategies because the damage is often done in the later before an appropriate response takes place.

DDoS attacks can be predicted by Massive’s Strixus service through the monitoring of a client’s IP ranges and other digital signatures pertaining to the servers. The service sets itself apart from other DDoS security offerings by predicting the attack beforehand and giving your organization enough time to bump server security and increase bandwidth, which is something other solutions don’t offer.

The size and force of a DDoS attack can never be predicted unless the threat actors involved are actively monitored. Massive provides a unique form of defence against DDoS attacks and this accomplished through external intelligence sources and data interception. Through these external threat feeds, we can provide you with actionable attack intelligence and detailed strategies as they appear on the underground.

By tracking your unique data signatures and digital identifiers, should your IP range, domains, system information or exploits appear — you will be notified with a human-verified report.  This intelligence has allowed our clients to get up to 4 months warning on an impending DDoS attack against them, allowing them to make provisions to actively block and nullify the attacks.

With such solutions, you can protect your servers, applications and networks without impacting performance or requiring extensive modifications. Strixus service saves time and labor by requiring no changes to existing network devices or applications.