DDoS category attack types
Explore the different types of DDoS (Distribution Denial of Service) attacks by reading our comprehensive table detailing the various attack types and their characteristics.
Volumetric attack types
| Volumetric attack types | Definition | Impact |
|---|---|---|
| ICMP Flood | ICMP (Internet Control Message Protocol) is a type of message that computers use to communicate with each other over the internet. These messages are meant to assist computers troubleshoot and manage their network connections. | In an ICMP flood attack, the malicious party sends a massive number of ICMP messages to a target computer or network. Due to the flood of messages, it overwhelms the computer or network's ability to process them, resulting in it becoming slow or unresponsive. Therefore, legitimate traffic may not be able to get through. |
| IP/ICMP Fragmentation | Data packages can be too big to send all at once. Therefore, they are broken up into smaller fragments to be sent. This type of attack happens when a malicious actor sends a large amount of fragmented data packets to a computer or network. | When the target computer or network receives these packets, it slows things down or even crashes the system because it's trying to reassemble the packages back to it's original datagram. |
| UDP Flood | UDP (User Datagram Protocol) is a method for sending data over the internet, mostly used for online gaming and streaming video. An attacker will send a massive number of UDP packets to the target. The goal of these attacks is almost always to fill up the pipe with traffic to congest the port. The packets could be completely random or pretend to be from a fake source. | The target computer or network gets bombarded by all of these packets, trying to process them all. Since the target is spending all of its resources dealing with these useless packets, it will not be able to handle legitimate requests properly. As a result, it might slow down, or even crash entirely. |
| IPSec Flood (IKE/ISAKMP association attempts) | IKE (Internet Key Exchange) and ISAKMP (Internet Security and Key Management Protocol) are protocols within IPSec that help to set up secure connections between devices. In this attack type, the malicious actor bombards a target device or network with a ton of requests to establish secure connections using IKE/ISAKMP, hoping one of those connections will work. These attacks are typically aimed at firewalls or nodes that are expected to be tunnel endpoints. The goal is to either occupy the target with bogus connection attempts. As a result, it's swamped trying to sort through them causing failures on the real tunnels. | This results in the target computer or network becoming slow or unresponsive. |
| DNS reflection amplification DDoS attack | This is an attack similar to a reflection amplification DDoS attack, but the only difference is with this type, it exploits vulnerable DNS (Domain Name System) servers to amplify the attack traffic. The attacker spoofs the source IP address in their DNS queries from arbitrary source IP addresses. These servers are then exploited to amplifying the attack traffic. | As the responses from the vulnerable DNS servers are directed towards the target server or network, they consume its available bandwidth, computational resources, or other network resources, causing it to become overwhelmed. Moreover, this flood of traffic prevents legitimate users from accessing the targeted service or website, resulting in a denial of service. |
State exhaustion attack types
| State Exhaustion Attacks | Definition | Impact |
|---|---|---|
| HTTP/S Flood | In an attack, the malicious actor floods the website with an enormous amount of HTTP or HTTPS requests in a short amount of time. | Dealing with the flood of requests ties up the server's resources such as processing power, memory, and network bandwidth. As a result, the server becomes slow or unresponsive. When legitimate users are trying to access the website will experience delays, timeouts of even denial of service since the server cannot handle their requests amidst the flood of malicious ones. |
| SYN Flood | A SYN packet is a communication protocol by which simply put, a computer tries to connect with another network or computer. The attacker sends a flood of SYN packets (Synchronize) to start a connection with no intention of continuing the connection, which leaves the target hanging. The goal is to typically fill up the connection state table on the server. | As a result, it leads to being unable to process any new connections. This causes troubles for new users or systems trying to connect. |
| SSL Exhaustion | An SSL (Secure Sockets Layer) is a technology that encrypts data sent between your computer and a website. In an attack, the malicious actor floods the target server with a huge number of requests to set up secure connections (the SSL handshake). | Each request requires the server to generate new encryption keys. The flood of requests can quickly use up the server's capacity for delivering keys. This in turn legitimate users trying to access the website might experience delays or find the site unresponsive. |
| DNS query / NXDOMAIN floods | When your computer wants to visit a website, it sends a request to the DNS server asking for the IP address associated with the website's name. If the website doesn't exist, the DNS server will respond with an NXDOMAIN error. | An attacker floods the target DNS server with a massive number of requests, asking for the IP address of non-existent or random domain names, making it unable to handle legitimate requests. This results in slowing down internet access for others. |
Application layer attack types
| Application layer attacks | Definition | Impact |
|---|---|---|
| Slowloris attack | In a Slowloris attack, the attacker will open many connections to the target web server, but will send data very slowly or in tiny, incomplete chunks. | Because web servers have a limit on the number of connections they can handle at once, the server struggles to handle new legitimate requests from other users. As a result, the web server will become unresponsive or slow for others trying to access the website. |
| Slow POST attack | In a Slow POST attack, the malicious actor sends a series of requests to the server, pretending to upload data, but sending it slowly. | The web server keeps the connection open and reserves resources to handle the slow upload. This results in the served to become overwhelmed and struggles to handle new legitimate requests. |
| Slow Read attack | When you visit a website, your web browser sends requests to the server asking for web pages. In turn the server responds back the requested web page, by which your browser then displays. In a Slow Read attack, the attacker will send requests to the server for a web page, but then will read the response extremely slowly. | While the server is waiting for the slow reader to finish, it keeps the connection open and reserves resources to handle it. As a result, with many slow connections tying up its resources, the server becomes overwhelmed and slow since it struggles to handle new legitimate requests. |
| Low and Slow attack | In this attack, the malicious actor does not bombard the target system with a massive number of requests all at once, they send requests at a slow pace in order to evade detection. | Despite the slow pace, the continuous stream of requests eventually adds up, overwhelming the target system's resources over time. |
| Large payload POST attacks | These attacks are also referred as Oversize payload attacks or Jumbo payload attacks. The attacked exploits the HTTP POST method to overwhelm a web server by sending it an abnormally large amount of data in each request. | In this attack, the targeted web server may become unresponsive or inaccessible to legitimate users attempting to access the website or submit valid requests because it's struggling with resource exhaustion by handling the large requests. |
| Replay attack | This attack uses "recorded" bits of network traffic, which the attacker then replays (often on loop and from many sources) to mimic "real" traffic. Sequence numbers and such will not line up, so it will typically not establish a real session, but as it is valid protocol traffic it does tie up the server and/or application in needing to process the packet before rejecting it | The impact is typically that the application will be busy trying to process the replayed packets before rejecting them as invalid. This will usually either result in an increased CPU/memory load (which slows the experience for connected users) or session tables becoming full (hindering new users/sessions from connecting) |