Smaller organizations can outsource their responses to other, specialized firms, or to their ISP (or both). Unless the organization being attacked is a service provider or an extremely large organization, it's unlikely that this is realistic. Unfortunately, this can be extremely difficult depending on the size of the attack, and an attacker's ability to scale up their attack size in response. One way to deal with volumetric attacks is to scale up bandwidth in response. It's much hard to deal with a DDoS attempt after it has begun.
The most important part of protecting against a DDoS attack is the preparation itself. HTTP floods occur when an attacker sends a 'flood' of what appear to be legitimate HTTP requests to a server or application, exhausting its resources.Ĭache-busing attacks are a subset of HTTP floods which are designed to avoid CDN caching by varying the query string so the CDN must contact the origin server for every request, thus overloading it. These are usually divided into infrastructure attacks (such as UDP reflection and SYN floods) or application attacks (such as HTTP floods and cache-busting). Other Types of DDoS AttacksĪlternatively, DDoS attacks can be grouped based on the OSI model layer they impact. It occurs when an attacker sends HTTP requests without completing them, continuing (slowly) to send additional headers to keep the connection open.Īs the connections are never completed, they absorb all of the server's available resources so it cannot process legitimate connections. What Are Application DDoS Attacks?Īpplication DDoS attacks target weaknesses in how an application works (such as a Slowloris attack).Ī Slowloris attack is very similar to a SYN flood, but targets webservers. In the case of an attack, the attacker continues to send SYN requests without completing the connection, until the server is out of resources and unable to accept any additional traffic. Normally, the other server would respond with ACK, starting the connection. When an attacker sends large numbers of SYN packets to a machine, the server will allocate resources to this request and send a SYN ACK packet back – assuming that it is the beginning of a connection request.
A SYN flood exploits the way a three-way handshake works. Protocol DDoS attacks find a weakness in how a protocol operates (such as a SYN flood). In this way, an attacker can send many, smaller packets and the response packets will use up the resources of the target. For example, the response to a DNS query can be between 28 to 54 times larger than the original request. The advantage to going through an intermediate server rather than attacking the target directly is that response packets are typically much larger than the packet sent. Then, the responses to the spoofed packet will be sent to the target, rather than the attacker. Volumetric DDoS attacks aim to fill up a victim's bandwidth (such as UDP reflection attacks).Ī UDP reflection attack sends packets with the target's IP address spoofed as a the source. There are many different types of DDoS attacks, but we can broadly group them into three categories – volumetric, protocol, and application attacks. The difficult part of defending against DDoS attacks is that the hosts are distributed – if it were a single host or small group, you could easily block the traffic with a firewall rule.
PERFORMING A SLOWLORIS ATTACK OFFLINE
Distributed Denial of Service (DDoS) attacks aim to take an organization or service offline and originate from multiple, distributed hosts.