Distributed Denial of Service Attack (DDoS) Definition
DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server.
Unlike a Denial of Service (DoS) attack, in which a single Internet-connected device (one network connection) is used to flood targeted resource with packets, a DDoS attack is launched from numerous compromised devices, often distributed globally in what is referred to as a botnet.
"And that concludes our DDoS party: Escapist Magazine, Eve Online, Minecraft, League of Legends + 8 phone requests.”Tweeted by LulzSec - June 14, 2011, 11:07PM
DDoS attacks can be broadly divided into three types:
Specific DDoS Attacks Types
Some specific and particularly popular and dangerous types of DDoS attacks include:UDP Flood
This DDoS attack leverages the User Datagram Protocol (UDP), a sessionless networking protocol. This type of attack floods random ports on a remote host with numerous UDP packets, causing the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP Destination Unreachable packet. This process saps host resources, and can ultimately lead to inaccessibility.ICMP (Ping) Flood
Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting a significant overall system slowdown.SYN Flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.Ping of Death
A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum frame size - for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.Slowloris
Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.NTP Amplification
In NTP Amplification attacks the perpetrator exploits publically-accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic. In an NTP amplification attack, the query-to-response ratio is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.HTTP Flood
In HTTP flood DDoS attack the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to each single request.Zero-day DDoS Attacks
“Zero-day” are simply unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading Zero-day vulnerabilities has become a popular activity.Incapsula mitigates a massive HTTP flood: 690,000,000 DDoS requests from 180,000 botnets IPs.
Sources of DDoS Attacks
DDoS attacks are quickly becoming the most prevalent types of attacks, growing rapidly in the past year in both number and volume, according to recent market research. The trend is towards shorter attack duration, but bigger packet-per-second attack volume, and the overall number of attacks reported has grown markedly, as well.
During the Q4-2011, one survey found 45% more DDoS attacks compared to the parallel period of 2010, and over double the number of attacks observed during Q3-2011. The average attack bandwidth observed during this period was 5.2G bps, which is 148% higher than the previous quarter.
Another survey of DDoS attacks found that more than 40% of respondents experienced attacks that exceeded 1Gbps in bandwidth in 2013, and 13% were targeted by at least one attack that exceeded 10G bps.
From a motivational perspective, recent research found that ideologically motivated DDoS attacks are on the rise. The research also mentioned financial reasons (e.g., competitive feuds) as another common reason for such attacks.LOIC (Low Orbit Ion Cannon): an "entry-level" DoS attack tool
Incapsula Solutions Mitigate DDoS Damage
Incapsula seamlessly and comprehensively protects web sites against all three types of DDoS attacks, addressing each with a unique toolset and defense strategy:
In all these scenarios, Incapsula applies its DDoS protection solutions outside of your network, meaning that only filtered traffic reaches your hosts. Moreover, Incapsula maintains an extensive DDoS threat knowledge base, which includes new and emerging attack methods. This constantly-updated information is aggregated across our entire network - identifying new threats as they emerge, detecting known malicious users, and applying remedies in real-time across all Incapsula-protected websites.