What Are the Types of DDoS Attacks?
The most popular way to categorize DDoS attacks is according to the part of a network connection they target. You can think of connections as layers of protocols and data formats, with each layer depending on the one below it. For example, the web’s HTTP depends on the lower-level TCP protocol.
Why does this matter? Because the techniques used to mitigate DDoS attacks depend on the network layer they target.
The popular Open Systems Interconnection model (OSI) divides connections into seven layers.
- Layer 1 – the physical layer that transmits raw data over the network’s hardware.
- Layer 2 – the data link layer, which determines the data’s format.
- Layer 3 – the network layer, which decides which route data takes.
- Layer 4 – the transport layer, which is the level of the TCP and UDP transmission protocols.
- Layer 5 – the session layer, which manages connections and sessions.
- Layer 6 – the presentation layer, which handles data formats and encryption.
- Layer 7 – the application layer, which is the layer we interact with when we click on links or communicate with web applications.
DDoS attacks are typically attributed to one of these layers. A Layer 7 attack targets the application layer, which includes web applications, web servers, and the NTP amplification attack we looked at earlier. Layer 6 attacks often focus on SSL connections. The popular SYN flood attack targets Layer 4, the transport layer, exploiting a weakness in the TCP protocol.
Broadly speaking, DoS and DDoS attacks can be divided into three types:
Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (Bps).
Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second (Pps).
Application Layer Attacks
Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in Requests per second (Rps).
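A rough triage of a traffic window using the three units described above, as an added example that is not part of the original article. The counters, the baseline and the 5x threshold are constructed assumptions, and picking the single metric that deviates most from baseline is a simplification.

```python
from dataclasses import dataclass

@dataclass
class Window:
    seconds: float      # length of the measurement window
    bytes_in: int       # total bytes received at the edge
    packets_in: int     # total packets received at the edge
    http_requests: int  # total HTTP requests seen by the web tier

# Unit of magnitude -> attack type it is used to measure.
CATEGORY_BY_METRIC = {
    "bps": "volume-based",       # UDP/ICMP and other spoofed-packet floods
    "pps": "protocol",           # SYN floods, fragmented packets, Smurf
    "rps": "application-layer",  # GET/POST floods, low-and-slow
}

def rates(w):
    """Convert raw counters to bits/s, packets/s and requests/s."""
    return {
        "bps": w.bytes_in * 8 / w.seconds,
        "pps": w.packets_in / w.seconds,
        "rps": w.http_requests / w.seconds,
    }

def classify(window, baseline, threshold=5.0):
    """Return (category, metric, ratio) for the metric that deviates most
    from baseline, or None if nothing exceeds threshold x baseline."""
    observed, normal = rates(window), rates(baseline)
    # Guard against a zero baseline (e.g. a host that normally serves no HTTP).
    ratios = {m: observed[m] / max(normal[m], 1e-9) for m in observed}
    metric = max(ratios, key=ratios.get)
    if ratios[metric] < threshold:
        return None
    return CATEGORY_BY_METRIC[metric], metric, round(ratios[metric], 1)

# Constructed 60-second samples (not real captures).
BASELINE   = Window(60, 450_000_000, 600_000, 30_000)          # 60 Mbit/s, 10k pps, 500 rps
UDP_FLOOD  = Window(60, 45_000_000_000, 36_000_000, 30_000)    # large packets, link saturated
SYN_FLOOD  = Window(60, 3_600_000_000, 60_000_000, 24_000)     # many small packets
HTTP_FLOOD = Window(60, 1_350_000_000, 2_400_000, 1_200_000)   # modest bandwidth, many requests
BUSY_DAY   = Window(60, 900_000_000, 1_200_000, 60_000)        # everything doubles together

if __name__ == "__main__":
    for name, w in [("udp", UDP_FLOOD), ("syn", SYN_FLOOD),
                    ("http", HTTP_FLOOD), ("busy", BUSY_DAY)]:
        print(name, classify(w, BASELINE))
```

The SYN and HTTP samples show why bandwidth alone is a poor alarm: both stay under the threshold in bits per second while the packet or request rate is far above normal.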
Attackers are primarily motivated by:
- Ideology – So-called “hacktivists” use DDoS attacks as a means of targeting websites they disagree with ideologically.
- Business feuds – Businesses can use DDoS attacks to strategically take down competitor websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
- Boredom – Cyber vandals, a.k.a. “script-kiddies,” use prewritten scripts to launch DDoS attacks. The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline rush.
- Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks, as a means of extorting money from their targets.
- Cyber warfare – Government-authorized DDoS attacks can be used to cripple both opposition websites and an enemy country’s infrastructure.