When it comes to denial of service, there are many different types of DDoS attacks. The various terms and acronyms can be confusing. The following glossary of DDoS attack types explains the common terms. To learn even more, follow the links to other State of the Internet resources.
A Record DDoS Attack
During an A record DDoS attack, malicious actors spoof the source IP address and flood victim domain name system (DNS) servers with requests for A records (commonly used to request an IP address for a domain name) using malformed domain names. The source IP spoofing technique makes it appear the requests came from the attacker’s primary target, causing the victim DNS servers to respond to the target. In a distributed reflection denial of service (DrDoS) attack, large numbers of A record queries from multiple sources can impact DNS availability on the primary target. Details about this attack method are explained in the DrDoS white paper on DNS attacks, including the A record DDoS attack.
ACK Flood DDoS Attack
ACK is an abbreviation for acknowledgement, and indicates the successful receipt of a packet of data through the three way handshake of the TCP protocol. A typical TCP request is in the format of SYN, SYN-ACK, and ACK. When attackers make use of SYN reflection attack techniques, victim servers generate ACK floods towards the intended target systems. Learn more in the DrDoS white paper about SYN reflection attacks.
Amplification Attack DDoS
Amplification is when an attacker makes a request that generates a larger response. Examples of common amplification attacks include DNS requests for large TXT records and HTTP GET requests for large image files. Learn more about amplification attacks in the SNMP Amplification (SAD) Threat Advisory.
Application DDoS Attack (Layer 7 Attack)
An application-level attack is a DDoS attack that overloads an application server, such as by making excessive log-in, database-lookup or search requests. Application DDoS attacks, also called Layer 7 attacks, are harder to detect than other kinds of DDoS attacks, because the connection has already been established and the requests may appear to be from legitimate users. However, once identified, these attacks can be stopped and traced back to a specific source more easily than other types of DDoS attacks. Learn more about the recent use of application DDoS attacks in the latest State of the Internet – Security report.
CHARGEN Attack DDoS
Character Generator Protocol (CHARGEN) protocol is a legacy service available in the TCP and UDP protocols. The CHARGEN functionality can be abused by malicious actors to create distributed reflection denial of service (DrDoS) attacks. The problem of CHARGEN attacks is more than a decade old, and in 1996 the US-CERT issued an advisory that recommended reconsidering whether the CHARGEN protocol needed to be used within an enterprise environment. To this day, however, CHARGEN is still widely deployed, often by default and without the knowledge of administrators. Learn more about CHARGEN DDoS attacks in a white paper.
DNS Flood DDoS Attack (Domain Name System)
The Domain Name System translates Internet domain names into Internet protocol addresses. DNS transforms a domain name such as www.stateoftheinternet.com and converts it into the actual IP address, much as a contacts list takes a name and converts it to a phone number. It is possible for many domain names to have the same IP address because one server can support a huge number of domain names. One DNS name can also be configured to map to several IP addresses. For example, if a URL maps to five different addresses, a web browser will go to any one of them to access the site.
DNS flood DDoS attacks are used for attacking both the infrastructure and a DNS application. This denial of service attack type allows DDoS attackers to use both reflection and spoofed direct attacks that can overwhelm a target’s infrastructure by consuming all available network bandwidth. Learn more about DNS flood DDoS attacks in the IptabLes and IptabLex Threat Advisory.
DNS Reflection or Amplification DDoS Attack
A DNS reflection and amplification DDoS attack is a type of DDoS attack where the response from the server is typically larger than the request. When combined with spoofed IP addresses, the server’s response to this type of amplified DDoS attack will go to the attacker’s true target, not the attacker. The victim and target will not know who actually originated the attack.
A common form of DNS reflection attack involves an attacker making many spoofed queries to many public DNS servers. The spoofing is created in such a way where the source IP address is forged to be that of the target of the attack. When a DNS server receives the forged request it replies, but the reply is directed to the forged source address. This is the reflection component. The target of the attack receives replies from all the DNS servers that are used. This type of attack makes it very difficult to identify the source.
If the queries (which are small packets) generate larger responses (some DNS requests, especially to TXT records) then the attack is said to have an amplifying characteristic. Reflection and amplification are two separate attributes of an attack. A reflection attack does not get amplified unless the responses are bigger than the requests. Learn more aboutDNS reflection in this white paper and in the Crafted DNS TXT Threat Advisory.
DrDoS Attack (Reflection DDoS Attack)
A distributed reflection denial of service attack, also known as a DrDoS attack, is a DDoS attack that sends floods of requests to a list of third-party servers while utilizing the spoofed IP address of the intended target. The third-party victims, which may include domain name system (DNS) servers, gaming servers, or even printers and other networked devices, will direct their responses to the spoofed address, which belongs to the attacker’s target. This unwanted and unexpected flood from a large number of third-party servers can create a denial of service condition that impairs the availability of the target. Learn more about distributed reflection attacks in a series of DrDoS white papers.
GET Flood DDoS Attack (a Layer 7 DDoS Attack)
A GET flood is an application layer (Layer 7) DDoS attack method. GET requests are used by web applications to make legitimate requests for server resources. An HTTP GET request is a method that makes a request for information from the server. A GET request asks the server to give you something, such as an image or script so that it may be rendered by your browser. An HTTP GET Flood is a Layer 7 DDoS attack method in which attackers send a huge flood of GET requests to the server to overwhelm its resources. As a result, the server cannot respond to legitimate requests from users.
An HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it. An HTTPS GET Flood is an HTTP GET Flood sent over an SSL session. Due to the use of SSL, it is necessary to decrypt the requests in order to mitigate the flood. Learn more about a GET flood in the Spike DDoS Toolkit Threat Advisory.
ICMP Flood DDoS Attack
Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany TCP packets when connecting to a server. An ICMP message may come back if a browser cannot reach a server. An ICMP flood is an infrastructure (Layer 3) DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth. Learn more about DDoS attack types, including ICMP floods, in this DDoS attack report.
IGMP Flood DDoS Attack
IGMP floods are uncommon in modern DDoS attacks, but they use protocol 2 with limited message variations. This type of flood has the ability to consume large amounts of network bandwidth.
Infrastructure DDoS Attack
An infrastructure attack is a DDoS attack that overloads the network infrastructure by consuming large amounts of bandwidth, for example by making excessive connection requests without responding to confirm the connection, as in the case of a SYN flood. A proxy server can protect against these kinds of attacks by using cryptographic hashtags and SYN cookies. Learn more about infrastructure DDoS attacks in the latest State of the Internet – Security report.
IP Flood DDoS Attack
An IP flood is a name used by some DDoS toolkits to refer to either a SYN flood or a UDP flood. In an IP flood, a malicious actor will launch a DDoS attack that sends excessive data to a target IP address, as opposed to a host name or URL. The Drive DDoS toolkit launches an IP flood and even has a slight variant attack known as IP flood2, which is essentially the same attack branded differently. Learn how to stop DDoS attacks from the Drive toolkit, a Dirt Jumper variant.
Layer 3 DDoS and Layer 4 DDoS Attacks
Layer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a network infrastructure. Layer 3 DDoS (network layer) and Layer 4 DDoS (transport layer) attacks rely on extremely high volumes (floods) of data to slow down web server performance, consume bandwidth and eventually degrade access for legitimate users. These attack types typically include ICMP, SYN and UDP floods. Learn more about the most popular Layer 3 DDoS and Layer 7 DDoS attacks in the latest State of the Internet – Security report.
Layer 7 DDoS Attack
A Layer 7 DDoS attack is an attack structured to overload specific elements of an application server infrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemble legitimate website traffic. Even simple Layer 7 DDoS attacks – for example those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites – can critically overload CPUs and databases. Also, Layer 7 DDoS attackers can randomize or repeatedly change the signatures of an attack, making it more difficult to detect and mitigate. Learn more about the most popular Layer 7 DDoS attacks in the latest State of the Internet – Security report.
NTP Attack DDoS
Network Time Protocol (NTP) is used to synchronize computer clocks with Internet time repositories. The NTP protocol can be leveraged by malicious actors launching a distributed reflection denial of service (DrDoS) attack. Because NTP uses the UDP protocol, it is susceptible to spoofing of the source IP address. Misconfigured network equipment can allow components of an organization’s infrastructure to become unwilling victim participants in an NTP DDoS attack against a target server via the NTP protocol. Learn more about how to protect your network from participation in NTP attacks in this white paper.
POST Flood DDoS Attack (a Layer 7 DDoS Attack)
A POST flood DDoS attack is an application layer (Layer 7) DDoS attack method. Web applications use POST requests to make legitimate requests for server resources, such as during a form submission. An HTTP POST request is a method that submits data in the body of the request to be processed by the server. For example, a POST request takes the information in a form and encodes it, then posts the content of the form to the server.
An HTTP POST flood is a type of DDoS attack in which the volume of POST requests overwhelms the server so that the server cannot respond to them all. This can result in exceptionally high utilization of system resources and consequently crash the server. An HTTPS POST flood DDoS attack is an HTTP POST flood sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it. Learn more about the DDoS attack trends, including use of POST flood DDoS attacks in the latest State of the Internet – Security report.
The Amos POST flood script is PHP code that was popular during the itsoknoproblembro DDoS campaigns. The Amos PHP script launches Layer 7 application attacks against targets that originate from web compromised web servers. The Amos POST flood PHP script is sent as encoded content within a request to an infected server, and once the script executes it begins a POST flood against the target. Learn more about how to stop DDoS attacks involving the itsoknoproblembro DDoS toolkit.
Reflection Attack DDoS (a DrDoS Attack)
A distributed reflection denial of service attack, also known as a DrDoS attack, is a DDoS attack that sends floods of requests to a list of third-party servers, utilizing the spoofed IP address of the intended target. The third-party victims, which may include domain name system (DNS) servers, gaming servers, or even printers and other networked devices, will direct their responses to the spoofed address, which belongs to the attacker’s target. This unwanted and unexpected flood of data from a large number of third-party servers can create a denial of service condition that impairs the availability of the target. Learn more about reflection DDoS attacks in a series of DrDoS white papers.
SSDP Reflection DDoS Attack
The Simple Service Discovery Protocol (SSDP) is common to millions of devices using the Universal Plug and Play (UPnP) Protocol standard—including routers, media servers, web cams, smart TVs and printers—to allow them to discover each other on a network, establish communication and coordinate activities. Attackers abuse SSDP reflection to launch DDoS attacks that amplify and reflect network traffic to their targets. PLXsert observed UPnP reflection attacks for the first time in July 2014. Since then the attacks have become more common as malicious actors identify more and more open UPnP devices and share scanning and attack tools. Learn more in the SSDP Reflection Threat Advisory.
SNMP Attack DDoS
Simple Network Management Protocol (SNMP) is an application layer protocol commonly used for the management of devices with IP addresses, such as routers, servers, printers, IP video cameras, alarms and thermometers. The SNMP protocol transmits sensor readings and other variables over the network. SNMP can be exploited maliciously in distributed reflection denial of service (DrDoS) attacks that query the device with a spoofed source IP request, which elicits the SNMP response to be directed to the attacker’s primary target. Learn more about how to identify and mitigate SNMP attacks in this white paper.
SSL Flood DDoS Attack
SSL was a popular protocol for encrypting TCP/IP streams over the Internet. SSL was first publicly available in 1995 and the last version of SSL published was version 3.0 in 1996. SSL has been replaced by the TLS (Transport Layer Security) protocol, which grew from the SSL 3.0 specification. The HTTPS protocol now typically uses TLS, although popular vernacular still refers to HTTPS as using SSL, which is not strictly true. HTTPS can negotiate the encryption protocols to be used and client/server negotiation converges on TLS in most websites today.
An SSL attack, such as an SSL GET flood, uses the secure sockets layer in TCP to send encrypted attack data. The use of SSL requires more processing power by the recipient, thus increasing the effect of the attack. Furthermore, an SSL flood can be more difficult to detect and mitigate, because the incoming packets are not human readable by default. Learn more about SSL in the Poodle SSLv3 Vulnerability Threat Advisory.
SYN Flood DDoS Attack
A SYN packet starts all communication between an Internet request and a server. A SYN packet determines the nature of how the communication is established and how the interchange of information will be completed. SYN packets consist of a combination of the TCP flag, packet sequence number, window size, acknowledgement number, and other information needed to complete the request. A SYN flood is a Layer 4 DDoS (infrastructure) attack method in which attackers send a huge flood of TCP SYN packets, often with a forged sender address to the server. SYN flood DDoS attacks bring down a network connection by using up the number of available connections the server can accept. Consequently, it becomes impossible for the server to respond to legitimate connection requests during this type of DDoS denial of service attack. Learn more about SYN floods.
In a spoofed SYN flood (SSYN DDoS), attackers send a huge flood of TCP SYN packets with a spoofed source IP address to intermediary victim servers. The victim servers direct their acknowledgements to the attacker’s spoofed target, filling up the available connections and making it impossible for legitimate users to access the site. Learn more about SYN flood DDoS attacks in this white paper.
TCP Flood DDoS Attack
Transmission Control Protocol (TCP) is a stateful protocol that is part of the Internet protocol suite. Using the three-way handshake of SYN, ACK and FIN messages, TCP provides reliable delivery of information or requests transferred from one computer to another. TCP is a polite protocol that establishes communication back and forth with the server upon arrival of a SYN request. It requires a conversation with a response or acknowledgement (ACK) to each SYN request that is sent to the server. Because it complements the Internet Protocol (IP), TCP is often referred to as TCP/IP. A TCP header is a header within the IP header that contains additional information in the packet besides source and destination.
TCP Flood DDoS attacks include TCP Fragment floods and TCP Flag Abuse Floods. TCP Fragment floods are DDoS attacks that try to overload the target’s processing of TCP messages due to the expense incurred in reconstructing the datagrams. These floods often consume significant amounts of bandwidth. TCP Flag Abuse floods (URG, ACK, PSH, RST, SYN, FIN) are stateless streams of protocol 6 (TCP) messages with odd combinations or out-of-state requests. With modification to the control bits in the TCP header, many different types of these floods are possible. TCP flags are bits within a TCP protocol header that describe the status of the connection and give information on how a packet should be handled. Learn more about a TCP Flag Abuse floods in the Q4 2014 State of the Internet – Security Report.
UDP Flood DDoS Attack
The UDP protocol is a stateless transmission protocol with an emphasis on minimal latency rather than reliability in transmitting information and requests over the Internet. User Datagram Protocol (UDP) allows information and requests to be sent to a server without requiring a response or acknowledgement that the request was received. UDP is considered an unreliable protocol because information packets or requests may arrive out of order, may be delayed, or may appear to be duplicated. There is no guarantee that the information you transmit will be received. A UDP header is a component of the User Datagram Protocol (UDP) that includes source port number, destination port number, length in bytes of the entire datagram, and the checksum field for error checking.
UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages. UDP Fragment floods are UDP floods that typically contain messages larger than the maximum transmission units that are sent from the malicious actor(s) to the target, consuming network bandwidth. Learn more about the UDP floods in the Drive DDoS Toolkit (a Dirt Jumper Variant) Threat Advisory.
Volumetric DDoS Attack
Volumetric DDoS attacks are also known as floods. DDoS attackers seek to overwhelm the target with excessive data, often gained through reflection and amplification DDoS techniques. Volumetric attacks seek so make use of as much bandwidth as possible.