DoS attacks can be divided into two general categories: application layer attacks and network layer attacks. Each category defines the parameters and behaviors used during the attack, as well as the target of the attack.
Application layer attacks (a.k.a. layer 7 attacks) can be either DoS or DDoS threats that seek to overload a server by sending a large number of requests that require resource-intensive handling and processing. Among other attack vectors, this category includes HTTP floods, slow attacks (e.g., Slowloris or RUDY) and DNS query flood attacks. The size of an application layer attack is typically measured in requests per second (RPS); no more than 50 to 100 RPS is required to cripple most mid-sized websites. Because each request forces the targeted server to do expensive work, an L7 attack needs far less total bandwidth than a network layer attack to achieve the same disruptive effect; in other words, an application layer attack creates more damage with less total bandwidth.
Distinguishing between attack traffic and normal traffic is difficult, especially in the case of an application layer attack such as a botnet performing an HTTP flood against a victim's server. Because each bot in a botnet makes seemingly legitimate network requests, the traffic is not spoofed and may appear "normal" in origin. With other attacks, such as SYN floods or reflection attacks such as NTP amplification, strategies exist to drop the traffic fairly efficiently, provided the network itself has the bandwidth to receive it.
Common application layer attacks include the following:
BGP Hijacking: The Border Gateway Protocol (BGP) is used to direct traffic across the Internet, allowing networks to exchange "reachability information" so that they can reach other networks. BGP hijacking is a form of application-layer DDoS attack in which an attacker impersonates a network by announcing a legitimate network prefix as their own. When this impersonated information is accepted by other networks, traffic is inadvertently forwarded to the attacker instead of to its proper destination.
Slowloris Attack: Slowloris is an application layer DDoS attack that uses partial HTTP requests to open connections between a single computer and a targeted web server, then keeps those connections open for as long as possible, thus overwhelming and slowing down the target. This type of DDoS attack requires minimal bandwidth to launch and only impacts the target web server, leaving other services and ports unaffected.
Slow Post Attack: In a Slow POST DDoS attack, the attacker sends legitimate HTTP POST headers to a web server. In these headers, the size of the message body that will follow is correctly specified. However, the message body is sent at a painfully low speed, sometimes as slow as one byte every two minutes. Since the request is handled normally, the targeted server follows the specified rules and waits for the body, and subsequently slows to a crawl. When attackers launch hundreds or even thousands of Slow POST attacks at the same time, server resources are rapidly consumed, making legitimate connections unachievable.
Slow Read Attack: A slow read DDoS attack involves an attacker sending an appropriate HTTP request to a server, but then reading the response at a very slow speed, if at all. By reading the response slowly, sometimes as slow as one byte at a time, the attacker prevents the server from incurring an idle connection timeout. Since the attacker advertises a zero window to the server, the server assumes the client is actually reading the data and therefore keeps the connection open. A slow read attack is characterized by a very low TCP receive window size, while at the same time the attacker drains its own TCP receive buffer slowly. This in turn creates a condition where the data flow rate is extremely low.
HTTP Flooding Attack: An HTTP flood attack utilizes what appear to be legitimate HTTP GET or POST requests to attack a web server or application. These flooding attacks often rely on a botnet, which is a group of Internet-connected computers that have been maliciously appropriated through the use of malware such as a Trojan horse. These types of DDoS attacks are designed to cause the targeted server or application to allocate the most resources possible in direct response to each request. In this way, the attacker hopes to overwhelm the server or application, “flooding” it with as many process-intensive requests as possible. HTTP POSTs are often used because they involve complex server-side processing, while HTTP GET attacks are easier to create, thus lending themselves to botnet attacks which rely on scale to achieve the desired disruption.
Large Payload Post Attack: This is also referred to as “Oversize Payload Attacks” or “Jumbo Payload Attacks.” A Large Payload Post is a class of HTTP DDoS attack where the attacker abuses XML encoding used by webservers. In this type of attack, a webserver is sent a data structure encoded in XML, which the server then attempts to decode, but is compelled to use an excessive amount of memory, thus overwhelming the system and crashing the service.
Mimicked User Browsing: A Mimicked User Browsing DDoS attack involves botnets that pose as legitimate users attempting to access a website. A sufficiently high volume of these bots will ultimately overwhelm the target website, causing it to crash or making it impossible for legitimate traffic to get through. Because this attack is designed to replicate the activity of a legitimate human browsing, it is difficult to detect. The website will quickly become heavily loaded as the bots outnumber the actual users, making it difficult to service legitimate requests.
Low and Slow Attack: Also known as a slow-rate attack, this type involves what appears to be legitimate traffic arriving at a very slow rate. This type of state exhaustion attack targets application and server resources and is difficult to distinguish from normal traffic. Common attack tools include Slowloris, Sockstress, and R.U.D.Y. (R U Dead Yet?), which create legitimate-looking packets at a slow rate, thus allowing the packets to go undetected by traditional mitigation strategies. Detecting a low and slow attack can be accomplished by performing network behavioral analysis during normal operations and then comparing this data to periods when an attack might be occurring.
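The behavioral analysis described above, together with the per-second request counting that distinguishes an HTTP flood from normal browsing, can be run over an access log. The script below is an added example, not code from the original page; the log format (timestamp, client IP, method, path, seconds the request occupied the server, bytes transferred) and all addresses are constructed. It establishes a baseline transfer rate from all requests and flags both sources whose peak request rate exceeds a threshold and requests moving data far slower than the baseline.

```python
import statistics
from collections import Counter

# Constructed access-log lines (not from any real server). Fields:
# timestamp, client IP, method, path, seconds the request occupied a worker,
# bytes transferred. A flood source is appended in a loop to keep the sample short.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 GET /index 0.02 310
2024-05-01T10:00:00 203.0.113.5 POST /upload 0.21 4096
2024-05-01T10:00:01 203.0.113.9 GET /about 0.03 280
2024-05-01T10:00:01 192.0.2.44 POST /upload 240.0 120
2024-05-01T10:00:02 192.0.2.45 GET /report.pdf 300.0 150
"""
SAMPLE_LOG += "".join(
    f"2024-05-01T10:00:03 198.51.100.7 GET /search?q={i} 0.30 200\n" for i in range(120)
)

def parse_log(text):
    """Turn each log line into a dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, secs, nbytes = line.split()
        events.append({"ts": ts, "src": src, "method": method, "path": path,
                       "duration": float(secs), "bytes": int(nbytes)})
    return events

def detect_flood(events, rps_threshold=50):
    """HTTP flood: {src: peak requests in any one second} for sources over the threshold."""
    per_second = Counter((e["src"], e["ts"]) for e in events)
    peak = {}
    for (src, _), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n > rps_threshold}

def baseline_rate(events):
    """Median bytes/second over all requests: the 'normal operations' reference."""
    return statistics.median(e["bytes"] / e["duration"] for e in events if e["duration"] > 0)

def detect_low_and_slow(events, baseline, factor=0.01):
    """Low and slow: (src, method, rate) for requests moving < factor * baseline bytes/second."""
    return [(e["src"], e["method"], round(e["bytes"] / e["duration"], 2))
            for e in events
            if e["duration"] > 0 and e["bytes"] / e["duration"] < factor * baseline]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("flood sources:", detect_flood(ev))
    print("low-and-slow:", detect_low_and_slow(ev, baseline_rate(ev)))
```

In production the baseline would be computed from a quiet period rather than from the same window being inspected, since a large flood shifts the median, as it does in this sample.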
Network layer attacks (a.k.a. layer 3–4 attacks) are almost always DDoS assaults set up to clog the "pipelines" connecting users to a network. Attack vectors in this category include UDP flood, SYN flood, NTP amplification and DNS amplification attacks, among others. L3 DDoS attacks typically accomplish this by targeting network equipment and infrastructure. There are a few important differences between layer 3 DDoS attacks and attacks at the higher layers:
- Layer 3 attacks target the network layer, not transport layer or application layer processes (as layer 4 and layer 7 DDoS attacks do)
- Layer 3 attacks do not have to open a TCP connection with the target first
- Layer 3 attacks do not target a specific port
Types of Network Layer Attacks:
- Ping flood: In a ping flood DDoS attack, the attacker sends thousands or even millions of ping requests to a server at once.
- Smurf attack: ICMP has no security or verification measures in place, making it possible for an attacker to spoof an IP address in an ICMP request. In a Smurf DDoS attack, the attacker sends out ping requests to thousands of servers, spoofing the target’s IP address in the ping requests so that the responses go to the target, not the attacker. Most modern networking hardware is no longer vulnerable to this attack.
- Ping of death: In an ICMP ping of death attack, an attacker sends a ping request that is larger than the maximum allowable size to the target. Routers along the way to the target fragment the ping into smaller packets, so the target accepts them, but when it tries to reassemble the large packet from the smaller fragments, the packet size exceeds the maximum and crashes the target. Like the Smurf attack, this attack no longer affects modern devices.