DoS and DDoS Attacks

Not all DDoS attacks are created equal. While the goal is always the same—denying service to legitimate users—the methods vary dramatically in sophistication, resource requirements, and the specific vulnerabilities they exploit.

Understanding the taxonomy of attack types is essential for effective defense. A mitigation strategy optimized for volumetric attacks may be completely ineffective against application-layer attacks. Network-layer defenses won't stop HTTP floods. Each attack category demands specific countermeasures, and modern attacks often combine multiple types simultaneously.

This page provides exhaustive coverage of the major attack categories, examining their mechanics at the protocol level and understanding why each remains effective despite decades of security research.

Before examining specific attacks, we need a framework for understanding how they differ. The most common classification divides attacks by which layer of the network stack they target and the resource they exhaust.

The Three-Tier Model:

DDoS attacks are typically categorized into three broad categories based on their primary mechanism:

Why Layer Classification Matters:

Each layer requires different instrumentation and countermeasures:

Volumetric attacks must be stopped upstream—if the traffic reaches your network, you've already lost, because your link is saturated. Defense requires traffic to be absorbed elsewhere (CDN, scrubbing center).

Protocol attacks can often be mitigated at the network edge using specialized hardware (firewalls, load balancers) with optimized connection tracking.

Application attacks require application-aware defenses that understand what constitutes legitimate versus malicious requests in context.

The OSI Layer Perspective:

Multi-Vector Reality:

Modern sophisticated attacks rarely use a single vector. A typical advanced DDoS might combine:

1. Volumetric component to saturate bandwidth and distract operations
2. Protocol component to exhaust connection tracking resources
3. Application component to actually bring down the service

Defenders must be prepared for all attack types simultaneously. A defense optimized for one category creates vulnerability to others.

The Bits-per-Second vs. Packets-per-Second Distinction:

Two different metrics matter for DDoS:

• Bits per second (bps): Measures bandwidth consumption. Important for volumetric attacks.
• Packets per second (pps): Measures packet processing load. Important for protocol attacks.

A single large packet has high bps but low pps. Many small packets have high pps but may have moderate bps. Different attacks optimize for different metrics, targeting different bottlenecks.

Volumetric attacks are the blunt instruments of DDoS. Their goal is simple: send more traffic than the target can handle. When a 10 Gbps network link receives 100 Gbps of traffic, 90% of packets—including legitimate user requests—are dropped.

The Fundamental Principle:

Every network path has finite capacity. Volumetric attacks exploit this by generating traffic volumes that exceed:

1. The target's Internet connection capacity
2. The capacity of intermediate network equipment (routers, switches)
3. The target's upstream provider's willingness to forward attack traffic

UDP Flood Attack:

The UDP flood is the most common volumetric attack due to UDP's stateless nature:

ICMP Flood Attack (Ping Flood):

ICMP floods send massive quantities of ICMP Echo Request (ping) packets:

Mechanics:

• Each ping packet requires the target to generate a reply
• Processing each packet consumes CPU cycles
• Replies consume outbound bandwidth
• Link saturation prevents legitimate traffic

Variations:

• ICMP Echo Request flood: Classic ping flood
• ICMP Destination Unreachable flood: Forces target to process error messages
• ICMP Redirect flood: Can disrupt routing tables

Fragmented Packet Flood:

IP fragmentation attacks exploit how systems reassemble fragmented packets:

Characteristics of Volumetric Attacks:

Protocol attacks target the fundamental design of network protocols. Rather than overwhelming bandwidth, they exhaust connection state tables, processing resources, or exploit protocol quirks. These attacks often require less raw bandwidth while achieving devastating effects.

SYN Flood Attack (Deep Dive):

The SYN flood remains one of the most prevalent and effective attacks, exploiting the TCP three-way handshake:

SYN Flood Mitigations (Brief Overview):

Several techniques exist to mitigate SYN floods:

• SYN Cookies: Server doesn't allocate state until ACK received; encodes state in initial sequence number
• Increased Backlog: More queue space delays exhaustion but doesn't prevent
• Reduced Timeout: Faster cleanup of half-open connections
• SYN Proxy: Upstream device handles handshake before forwarding to server

ACK Flood Attack:

ACK floods send massive quantities of TCP ACK packets:

TCP Connection Exhaustion Attack:

Unlike SYN floods which use half-open connections, this attack completes connections:

1. Attacker completes full TCP handshake
2. Connection established successfully
3. Attacker does nothing (or minimal traffic)
4. Connection remains open, consuming server resources
5. Repeat until max connections reached

Why This Works:

• Servers have limited concurrent connection capacity
• Each connection consumes file descriptors, memory, and server worker threads
• Unlike SYN flood, SYN cookies don't help
• Attackers don't need to spoof IPs (connection must complete)

RST Flood Attack:

RST (reset) packets normally terminate connections immediately:

PUSH and URG Floods:

The TCP PUSH flag indicates data should be passed immediately to the application. URG indicates urgent data requiring immediate processing. Floods using these flags force increased CPU usage as the system processes each packet's urgency or push request.

Protocol Attack Sophistication:

Advanced protocol attacks combine multiple packet types:

1. Start with SYN flood to exhaust new connection capacity
2. Simultaneously ACK flood established connections
3. Blend in RST packets to disrupt legitimate sessions
4. Vary packet sizes and flags to defeat simple filtering

Application-layer attacks (Layer 7) represent the most sophisticated attack category. Instead of flooding networks with random data, they send seemingly legitimate requests that consume server resources through normal application processing.

Why Application-Layer Attacks Are Dangerous:

1. Legitimate-Looking Traffic: Each request may be indistinguishable from a real user
2. Low Bandwidth Requirement: Hundreds of requests/second instead of millions
3. Bypass Network Defenses: Volumetric and protocol filters don't help
4. Target Real Bottlenecks: Exploit actual application weaknesses
5. Detection Difficulty: No obvious anomaly in packet structure

HTTP Flood Attack:

HTTP floods send large volumes of HTTP requests to web servers:

Slowloris Attack:

Slowloris takes the opposite approach to floods—instead of overwhelming with volume, it holds connections open indefinitely with minimal traffic:

Slow Read Attack:

The reverse of Slowloris—instead of sending slowly, the attacker reads slowly:

1. Complete a normal HTTP request
2. Advertise a very small TCP receive window
3. Read the response extremely slowly (bytes per second)
4. Server must keep the response in memory waiting for client to receive

Slow POST Attack (RUDY - R U Dead Yet):

Similar to Slowloris but using POST:

1. Send POST request with Content-Length header indicating large body
2. Send body one byte at a time, very slowly
3. Server waits for complete body before processing
4. Connection held open with minimal bandwidth

DNS Query Flood:

DNS servers are targeted with massive query volumes:

Random Subdomain Attack (DNS Water Torture):

This particularly insidious attack targets authoritative DNS servers:

1. Attacker queries: random123.target.com, random456.target.com, etc.
2. Recursive resolvers cannot cache (each subdomain is unique)
3. Every query goes to authoritative nameservers
4. Authoritative servers overwhelmed
5. Legitimate DNS queries fail
6. All services using the domain become unreachable

TLS/SSL Exhaustion Attacks:

SSL/TLS handshakes are cryptographically expensive:

1. Attack connects via HTTPS
2. Immediate renegotiation request after handshake
3. Server performs expensive RSA/ECDSA operations
4. Repeat at high rate
5. Server's crypto resources exhausted

Crypto operations like RSA decryption consume orders of magnitude more CPU than normal data processing.

Beyond the major categories, several specialized attack types target specific protocols, services, or exploit unique characteristics of modern Internet infrastructure.

QUIC Floods:

QUIC, the successor to TCP for HTTP/3, introduces new attack surfaces:

• QUIC runs over UDP, complicating stateful filtering
• Initial packets contain cryptographic handshakes
• Servers must perform crypto operations before rejecting invalid clients
• Attackers can force expensive processing with spoofed initial packets

WebSocket Attacks:

WebSocket connections create persistent application-layer channels:

1. Establish many WebSocket connections
2. Send minimal keep-alive traffic
3. Each connection consumes server resources indefinitely
4. Unlike HTTP, connections persist without continuous requests
5. Resource exhaustion through "idle" connections

API-Specific Attacks:

Modern applications expose APIs with complex processing:

Algorithmic Complexity Attacks:

These attacks target known worst-case behaviors in algorithms:

Hash Collision Attacks:

• Send inputs that all hash to the same bucket
• Hash table lookup degrades from O(1) to O(n)
• Relatively few carefully crafted requests cause massive slowdowns

Regular Expression DoS (ReDoS):

• Submit inputs triggering catastrophic backtracking
• Single regex evaluation takes hours
• Common in input validation, web application firewalls

Sorting/Search Attacks:

• Provide inputs that trigger worst-case sort behavior
• O(n log n) becomes O(n²)
• Affects any system that sorts user-provided data

IoT Protocol Attacks:

IoT introduces protocols rarely seen in traditional IT:

• CoAP (Constrained Application Protocol): UDP-based, amplifiable
• MQTT (Message Queuing Telemetry Transport): Publish/subscribe floods
• AMQP (Advanced Message Queuing Protocol): Queue exhaustion
• Modbus/DNP3: Industrial control protocol attacks

Gaming Protocol Attacks:

Online gaming servers face unique attack patterns:

• Source Engine Query Flood: Attacks Valve game servers
• Minecraft Server Query Flood: Attacks authentication services
• Voice Server Attacks: TeamSpeak, Discord server disruption
• Matchmaking Exhaustion: Overwhelm matchmaking services

Sophisticated attackers rarely rely on a single attack type. Multi-vector attacks combine multiple techniques simultaneously, exploiting the fact that defenses optimized for one attack type may leave vulnerabilities against others.

Why Multi-Vector Attacks Are Effective:

1. Defense Segmentation: Different teams/tools handle different attack types
2. Resource Division: Defenders must respond on multiple fronts simultaneously
3. Distraction: Obvious attacks distract from subtle ones
4. Defense Exhaustion: Switching between attack types exhausts defense coordination
5. Bypass Potential: If one vector is blocked, others may succeed

Common Multi-Vector Combinations:

The Coordination Challenge:

Multi-vector attacks require coordination between different botnet capabilities:

• Not all bots can generate all attack types
• Different bots may have different bandwidth capacities
• Timing synchronization across attack types is crucial
• Adaptive attacks require real-time monitoring of target state

Pulse Attacks:

Instead of sustained flooding, pulse attacks send brief intense bursts:

• 30-second intense attack
• 2-minute pause
• Repeat with different vector
• Overwhelms defenses that need time to adapt
• Evades rate-limiting based on sustained rates

Carpet Bombing:

Instead of attacking one IP, attack many IPs simultaneously:

• Target entire IP range (e.g., /24 subnet = 256 IPs)
• Each IP receives small attack volume
• Aggregate volume is massive
• Per-IP defenses don't trigger
• Saturates network links to entire address range

Understanding how to measure and describe DDoS attacks is essential for communicating about threats, comparing attacks, and sizing defenses appropriately.

Primary Attack Metrics:

Understanding the Metrics:

Bits per Second (bps): Measures raw bandwidth consumption. A 1 Tbps attack means 1 trillion bits of data arriving every second. This is the headline number for volumetric attacks.

• Modern large attacks: 1-3 Tbps
• Major organization's total capacity: 10-100 Gbps typically
• DDoS mitigation services: 20-100+ Tbps capacity

Packets per Second (pps): Measures packet processing burden. Network equipment must parse each packet's headers:

• Modern routers: Can process 10-100+ Mpps
• Attack creating 100 Mpps with 64-byte packets = ~50 Gbps
• Small packets maximize pps for given bandwidth
• High pps attacks exhaust CPU before bandwidth

The Size vs. Sophistication Tradeoff:

Generally, attack sophistication is inversely correlated with size:

• Simple UDP floods can reach Tbps but are easily filtered
• Application-layer attacks may be only Kbps but devastating
• Most sophisticated attacks balance volume with targeting

This page has provided exhaustive coverage of DDoS attack types. Let's consolidate the essential knowledge:

Looking Ahead:

With a comprehensive understanding of attack types, the next page explores amplification attacks in detail—a special category of attacks that leverage third-party infrastructure to multiply attack power, enabling attackers with limited resources to generate massive traffic volumes.