DDoS Protection Primer: Types and Mitigation Explained
DDoS attack types, mitigation strategies, and how to protect your website
Chase Snyder
September 19, 2024
What Is DDoS?
A Distributed Denial of Service (DDoS) attack is an attempt to pile so much traffic onto a given computer, network, application, or service that it goes offline. DDoS attacks are a popular method of cyber attack because they're very effective at disrupting the target, and they're pretty simple to execute. Attackers can easily spread malware and build a network of infected computers (botnets) that can then be used against a target without their owners' knowledge, making the barrier to entry relatively low.
Because a successful DDoS attack literally silences its target, this method is particularly common among trolls, blackmailers, and hacktivists looking to make a statement. DDoS mitigation depends on network visibility, a good understanding of the different types of DDoS, and a fast reaction time, so read on to learn how to stop DDoS attacks against your network!
Types of DDoS Attacks
There are three main categories of DDoS attacks: Volume-Based Attacks, Protocol Attacks, and Application Attacks. The first type mobilizes surges in web traffic to flood network bandwidth. The second DDoS category focuses on exhausting server resources, such as connection tables or session-handling capabilities. The third DDoS category targets the application layer, overwhelming the server with requests until it crashes.
Below is a list of some of the most common DDoS attack types:
UDP Flood: A type of volume-based attack that targets the User Datagram Protocol (UDP) by sending a large number of UDP packets to ports on a target computer or network. For each packet received, the target system checks which application should handle the incoming traffic. If no application is listening on the port the UDP packet was sent to, the target system responds with an ICMP Destination Unreachable packet to inform the sender that no service is running on that port, and doing this at high volume consumes its resources. Note: UDP reflection attacks like Memcrashed amplify DDoS attacks by orders of magnitude. Here's one way to stop them.
SYN Flood: A type of protocol-based attack that exploits weaknesses in the Transmission Control Protocol (TCP) by sending spoofed synchronize (SYN) packets to initiate the normal three-way handshake with the target. The attacker deliberately never sends the final acknowledgement (ACK) packet, which would confirm the connection between the two endpoints, so the TCP handshake is never completed. The targeted server's computing power and network performance are disrupted as it allocates system resources to a large number of half-open connections that will never be resolved.
Ping of Death (POD): A type of protocol-based attack in which a threat actor sends malicious pings to a target system. Fortunately, POD attacks aren't so effective today because many of the weaknesses that allowed for successful exploits have been patched.
Smurf Attack: A type of protocol-based attack that exploits Internet Protocol (IP) and Internet Control Message Protocol (ICMP). In these attacks, threat actors use spoofed IP addresses and ICMP broadcast traffic to overwhelm a victim’s network.
Slowloris Attack: A type of application-layer attack that abuses the way an HTTP server handles incoming requests. In these DDoS attacks, threat actors send many partial HTTP requests to the target web server. The requests are sent in small, fragmented pieces that the attacker deliberately never completes. The targeted server, expecting to receive the full request, keeps each connection open while it waits for the remaining data to arrive. Ultimately, the server's connection pool fills up with these incomplete connections, leading it to crash. This type of attack is also marked by its low resource consumption on the threat actor's side: while the attacker sends minimal traffic, the targeted server is still forced to dedicate significant resources to each incomplete connection.
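The SYN flood entry above describes the symptom a defender can actually measure: half-open connections that pile up and never complete. The following detector is an added example written for this post, not ExtraHop's own code; it assumes a constructed flow-record format of (timestamp, source IP, destination IP, TCP flags) and flags a destination when half-open handshakes are both numerous and dominant.

```python
"""Count TCP handshakes per destination and flag SYN-flood style surges
of half-open connections. Flow records are constructed for this example:
(timestamp_s, src_ip, dst_ip, tcp_flags), where "S" is the client SYN,
"SA" the server SYN-ACK and "A" the client's final handshake ACK."""
from collections import defaultdict


def half_open_report(flows):
    """Per destination: handshakes completed vs. stalled after the SYN."""
    state = {}  # (src, dst) -> "syn" (half-open) or "done"
    for _ts, src, dst, flags in flows:
        key = (src, dst)
        if flags == "S":
            state.setdefault(key, "syn")   # new half-open connection attempt
        elif flags == "A" and state.get(key) == "syn":
            state[key] = "done"            # third step of the handshake arrived
        # "SA" is the server's reply and says nothing about the client's intent
    report = defaultdict(lambda: {"half_open": 0, "completed": 0, "sources": set()})
    for (src, dst), st in state.items():
        report[dst]["half_open" if st == "syn" else "completed"] += 1
        if st == "syn":
            report[dst]["sources"].add(src)
    return report


def detect_syn_flood(flows, min_half_open=100, min_ratio=0.9):
    """Alert when half-open connections to one destination are both numerous
    and dominant; a high count of distinct sources hints at spoofed SYNs."""
    alerts = []
    for dst, b in half_open_report(flows).items():
        total = b["half_open"] + b["completed"]
        ratio = b["half_open"] / total if total else 0.0
        if b["half_open"] >= min_half_open and ratio >= min_ratio:
            alerts.append({"dst": dst, "half_open": b["half_open"],
                           "ratio": round(ratio, 3),
                           "distinct_sources": len(b["sources"])})
    return alerts


# Constructed sample: two legitimate clients complete their handshakes, then
# 200 SYNs from 200 different (presumably spoofed) addresses never send the ACK.
LEGIT = [(0, "10.0.0.5", "192.0.2.10", "S"), (0, "192.0.2.10", "10.0.0.5", "SA"),
         (0, "10.0.0.5", "192.0.2.10", "A"), (1, "10.0.0.6", "192.0.2.10", "S"),
         (1, "192.0.2.10", "10.0.0.6", "SA"), (1, "10.0.0.6", "192.0.2.10", "A")]
FLOOD = [(2, f"198.51.100.{i}", "192.0.2.10", "S") for i in range(200)]

if __name__ == "__main__":
    print(detect_syn_flood(LEGIT))          # []
    print(detect_syn_flood(LEGIT + FLOOD))  # one alert for 192.0.2.10
```

The thresholds are placeholders; in practice they come from the baseline of normal handshake behaviour that the "know your network" advice below is about.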
DDoS Protection: How to Stop Attacks
Back in March 2018, the largest DDoS attack recorded at the time (1.35 Tbps) targeted GitHub using memcached as a UDP reflection attack vector. (Read more about that, and how to detect similar attacks.) That's an enormous amount of malicious traffic, and one that is nigh unstoppable, which makes it more crucial than ever that you have a playbook in place for DDoS attacks against your organization so you can at least mitigate the damage.
In the next section we'll talk about what you can do if you find yourself a victim of a DDoS attack, but first let's go over a few preventative measures that every organization should take immediately. These won't necessarily stop a DDoS attack, but they can help slow them down and give you time to react.
#1: Know your network.
The more you know about what normal inbound traffic looks like, the quicker you'll spot anomalies that could be the start of a DDoS attack. Real-time visibility with network traffic analysis is by far the most efficient and accurate way to maintain a profile of what your network should look like, and machine learning solutions can help you detect suspicious surges immediately.
#2: If you run your own web server...
- Rate limit your router to prevent your server from being overwhelmed
- Use aggressive timeouts for half-open connections
- Automatically drop spoofed or malformed packets
#3: Overprovision, overprovision, overprovision.
Whether you host your own server or not, overprovisioning bandwidth will help you accommodate sudden spikes in network traffic (or at least buy you a little more time to get help).
DDoS Mitigation Strategies
Say it happens. You're hit. (At least you're in good company; some of the big names who've featured in high-profile DDoS attacks in the last few years include the aforementioned GitHub, the Boston Globe, and the Danish rail company DSB.) What should you do to stop an attack or limit the damage to your business?
#1: Anticipate the critical assets (applications and network services) attackers are most likely to target, and make sure your monitoring, detection, and emergency response plans specifically align to those assets. Include an approved public statement in your response plan so you don't need to scramble for PR while under attack!
#2: Put procedures in place to re-route traffic for scrubbing in the cloud.
#3: This can't be overstated: enterprises need real-time visibility into their own network behavior, with machine learning in place to detect anomalous traffic spikes. Perimeter defenses are unable to stop even the less sophisticated forms of DDoS attack, and will have a harder time detecting surges quickly enough to make a difference.
#4: Pay attention to your application layer! This means ensuring you have the ability to perform deep-packet inspection at the application layer (L7 in the OSI model), and if you can, adding redundancy by deploying critical applications on multiple public cloud providers so you can scale out to the next deployment if attacked.
The number one thing you can do to protect yourself from serious damage by DDoS attack is to invest in real-time visibility into east-west (internal) network traffic. There's a reason Gartner is talking about network traffic analysis and more and more enterprises are looking at network analytics as a source of security data.
Check out this blog post to learn more about network traffic analysis for security, including benefits, predictions, and vendors in the space!