Distributed denial-of-service (DDoS) attacks are an ever-growing threat to small and mid-sized businesses, growing in scope and frequency every year.
Arbor Networks’ 10th annual Worldwide Infrastructure Security Report (WISR), a survey of people within the operational security community, only confirms this reality.
More than one-third (38%) of respondents in 2014 reported over 21 DDoS attacks a month, up from over 25% in 2013.
These aren’t the measly 8 Gbps attacks we’re used to either. The largest reported attack in 2014 was 400 Gbps, with several others reported at over 100 Gbps.
As DDoS attacks have grown in size, they’ve also become increasingly sophisticated in their efficacy and implementation, and can be much more difficult to detect than in years past.
The infrastructure that enables these attacks has also grown. Much as legitimate businesses rent on-demand computing from Amazon Web Services (AWS), attackers can easily purchase on-demand botnet services for DDoS attacks, brute-force password cracking and other tasks.
Below we’ll review the most common types of DDoS attacks experienced today, and highlight a few significant findings of the Arbor report.
Types of DDoS Attacks
Type #1: Volumetric attacks
Volumetric attacks are the most common type of DDoS attack, accounting for about 65% of the total reported, according to Arbor.
These attacks use multiple infected systems, often part of a botnet, to flood the network layer with a large volume of seemingly legitimate traffic. This consumes an excessive amount of bandwidth inside and/or outside the network and leaves network operations painfully sluggish or simply nonfunctional.
Since volumetric attacks essentially “gang rush” a network from many sources at once, they’re much more difficult to mitigate than attacks from a single source.
Volumetric attacks come in a variety of forms, including:
- User Datagram Protocol (UDP) floods. Random ports on a server are flooded with UDP packets, causing the server to repeatedly check for an application listening on each port and send an error reply when there is none. As a result of the UDP flood, the system is unable to respond to legitimate applications.
- ICMP floods. A server is flooded with ICMP echo requests from multiple spoofed IP addresses. As the targeted server processes and replies to these phony requests, it is eventually overloaded and unable to answer valid ICMP echo requests.
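The two floods above share a detection property that matters to defenders: the sources are many (or spoofed), so counting per source finds nothing, while the destination sees an abnormal packet rate with a tell-tale spread (many random UDP ports, or many ICMP echo sources). The following is an added example, not code from the Arbor report or any vendor product; it classifies constructed flow records per destination. The Flow fields, the thresholds and all addresses (RFC 5737 documentation and RFC 1918 ranges) are assumptions for illustration.

```python
"""Per-destination volumetric flood classification over flow records.

Added example, not from the Arbor report: flow fields, thresholds and all
addresses are constructed for illustration (RFC 5737 / RFC 1918 ranges)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "icmp"
    dport: int        # destination port; 0 for ICMP
    icmp_type: int    # 8 = echo request; -1 when not ICMP
    packets: int
    window_s: int     # length of the collection window in seconds


# Detection thresholds are assumptions; derive real ones from a traffic baseline.
UDP_PPS_THRESHOLD = 50_000      # packets per second toward one destination
UDP_DISTINCT_PORTS = 1_000      # a random-port sweep is the UDP flood signature
ICMP_PPS_THRESHOLD = 20_000
ICMP_DISTINCT_SOURCES = 500     # spoofed sources spread the echo requests out


def classify_destinations(flows):
    """Aggregate by destination (sources are many or spoofed, so per-source
    counting misses volumetric floods) and return a verdict per destination."""
    per_dst = defaultdict(lambda: {"udp_pkts": 0, "udp_ports": set(),
                                   "icmp_pkts": 0, "icmp_srcs": set(), "window": 0})
    for f in flows:
        agg = per_dst[f.dst]
        agg["window"] = max(agg["window"], f.window_s)
        if f.proto == "udp":
            agg["udp_pkts"] += f.packets
            agg["udp_ports"].add(f.dport)
        elif f.proto == "icmp" and f.icmp_type == 8:
            agg["icmp_pkts"] += f.packets
            agg["icmp_srcs"].add(f.src)

    verdicts = {}
    for dst, agg in per_dst.items():
        window = agg["window"] or 1
        udp_pps = agg["udp_pkts"] / window
        icmp_pps = agg["icmp_pkts"] / window
        if udp_pps >= UDP_PPS_THRESHOLD and len(agg["udp_ports"]) >= UDP_DISTINCT_PORTS:
            verdicts[dst] = "udp-flood"
        elif icmp_pps >= ICMP_PPS_THRESHOLD and len(agg["icmp_srcs"]) >= ICMP_DISTINCT_SOURCES:
            verdicts[dst] = "icmp-echo-flood"
        else:
            verdicts[dst] = "normal"
    return verdicts


def build_sample_flows():
    """Constructed 10-second flow sample: one UDP flood target, one ICMP echo
    flood target, and one host seeing ordinary traffic."""
    flows = []
    for i in range(2000):   # 2,000 random ports x 500 pkts = 100,000 pps
        flows.append(Flow(f"198.51.100.{i % 254 + 1}", "203.0.113.10", "udp",
                          1024 + i, -1, 500, 10))
    for i in range(600):    # 600 spoofed sources x 400 pkts = 24,000 pps
        flows.append(Flow(f"10.99.{i // 256}.{i % 256}", "203.0.113.11", "icmp",
                          0, 8, 400, 10))
    flows += [Flow("192.0.2.5", "203.0.113.12", "tcp", 443, -1, 120, 10),
              Flow("192.0.2.6", "203.0.113.12", "udp", 53, -1, 40, 10),
              Flow("192.0.2.7", "203.0.113.12", "icmp", 0, 8, 10, 10)]
    return flows


if __name__ == "__main__":
    for dst, verdict in sorted(classify_destinations(build_sample_flows()).items()):
        print(f"{dst:15} {verdict}")
```

The verdict needs both conditions (rate and spread) so that a single busy DNS resolver or a monitoring host pinging frequently is not misclassified; in production the thresholds would come from a per-destination baseline rather than constants.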
Type #2: Application-layer attacks
Application-layer attacks comprise about 17% of all reported DDoS attacks. They target the traffic of the web applications themselves in order to disrupt the exchange of data between hosts.
For example, an HTTP flood uses multiple infected machines to force a target to expend an excessive amount of resources responding to HTTP requests.
From the attacker’s standpoint, an HTTP flood is a far more effective threat than other types of attacks, since it doesn’t need to consume a great deal of bandwidth to handcuff a server.
Though the HTTP flood is typically the most common application-layer attack experienced, it’s merely one of many application-layer attack tools available. The table below from Arbor demonstrates how attackers are constantly finding new ways to compromise the application layer.
Since HTTP floods and other application-layer DDoS attacks mimic human-user behavior, they’re also much more difficult to detect than other types of attacks. Additionally, application-layer attacks can come from a single machine, which generates far less traffic. In turn, these attacks often fly under the radar of detection systems.
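Because an HTTP flood moves few bytes, a bandwidth threshold will not see it; what does stand out in the web server’s own logs is the request rate per client. As an added example (not code from the page, the Arbor report or any product), the script below parses access-log lines in the common Apache/nginx “combined” format and flags any client that exceeds a request count within a sliding window. The log lines, client addresses (RFC 5737 ranges) and the window and threshold values are constructed assumptions.

```python
"""HTTP flood detection from web server access logs.

Added example, not from the Arbor report: log lines, client addresses and the
rate threshold are constructed for illustration (RFC 5737 ranges)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# "combined" log format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT).timestamp(),
            "path": m["path"], "bytes": size}


def detect_http_flood(lines, window_s=10, max_requests=100):
    """Flag clients exceeding max_requests within any window_s-second sliding
    window. The decision is request-rate based: an HTTP flood moves few bytes,
    so a bandwidth threshold would not catch it."""
    by_client = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_client[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in events]
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] >= window_s:
                start += 1                       # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = {"peak_requests": peak,
                           "total_bytes": sum(e["bytes"] for e in events),
                           "distinct_paths": len({e["path"] for e in events})}
    return flagged


def build_sample_log():
    """Constructed log: one host issuing 300 cheap-to-send, expensive-to-serve
    search requests in 9 seconds, and one ordinary browser."""
    base = datetime(2014, 11, 3, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(300):
        t = base + timedelta(milliseconds=30 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /search?q=report{i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f'192.0.2.44 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /index.html HTTP/1.1" 200 10240 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_http_flood(build_sample_log()).items():
        print(ip, info)
```

In the sample the flooding client transfers about 150 KB in total, less than the ordinary browser does per minute, which is exactly why the check counts requests rather than bytes; the distinct-path count is reported because a flood that varies query strings to defeat caching looks different from a client reloading one page.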
While HTTP and DNS services are the primary targets of application-layer attacks, HTTPS and SMTP were also commonly targeted in 2014, although less often, according to the Arbor Networks report.
The chart below shows the percentage of respondents who received attacks against the application-layer targets listed.
Type #3: State-exhaustion attacks
Also known as protocol attacks, state-exhaustion attacks target the connection state tables in firewalls, web application servers, and other infrastructure components.
State-exhaustion attacks occur somewhat more frequently than application-layer attacks, accounting for about 20% of reported DDoS attacks in 2014, according to Arbor.
One of the most common state-exhaustion attacks is the notorious ping of death, in which a 65,536-byte ping packet is fragmented and sent to a target server as fast as possible.
Once the target reassembles the oversized packet, a buffer overflow typically occurs. In the likely scenario that the target attempts to respond to the pings, even more bandwidth is consumed, eventually causing the targeted system to crash.
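The defence against the reassembly problem described above is to validate each fragment’s claimed extent against the 16-bit IPv4 total-length limit before any bytes are copied. The following is an added example, not code from the page or from any real IP stack: a minimal reassembler that rejects a fragment set whose reassembled size would exceed 65,535 bytes (header included), so the 65,536-byte packet the text describes is dropped instead of overrunning a buffer. The Fragment type, a 20-byte header assumption and the sample payloads are constructed for illustration.

```python
"""Bounded IPv4 fragment reassembly, rejecting oversized datagrams up front.

Added example, not from the page or any real IP stack: checks each fragment's
claimed end against the 16-bit Total Length limit before copying anything."""
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65_535   # 16-bit Total Length field: header + payload
IPV4_HEADER_LEN = 20         # assumed minimal header without options


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of this payload within the original datagram
    payload: bytes
    more_fragments: bool  # the MF flag; False marks the final fragment


class ReassemblyError(ValueError):
    """Raised for fragment sets that must be dropped rather than reassembled."""


def fragment(payload: bytes, chunk: int = 1480) -> list:
    """Split a payload into fragments (chunk is a multiple of 8, as on the wire)."""
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(Fragment(off, piece, more_fragments=off + chunk < len(payload)))
    return frags


def reassemble(fragments, max_datagram: int = IPV4_MAX_DATAGRAM,
               header_len: int = IPV4_HEADER_LEN) -> bytes:
    max_payload = max_datagram - header_len
    total_len = None
    # Pass 1: validate every claimed extent before allocating or copying anything.
    for frag in fragments:
        end = frag.offset + len(frag.payload)
        if end > max_payload:
            raise ReassemblyError(f"fragment ends at byte {end}, beyond {max_payload}")
        if not frag.more_fragments:
            if total_len is not None and total_len != end:
                raise ReassemblyError("conflicting final fragments")
            total_len = end
    if total_len is None:
        raise ReassemblyError("no final fragment")
    # Pass 2: copy into a buffer sized from the validated length; track coverage.
    buf = bytearray(total_len)
    covered = bytearray(total_len)
    for frag in fragments:
        end = frag.offset + len(frag.payload)
        if end > total_len:
            raise ReassemblyError("fragment extends past the declared end")
        buf[frag.offset:end] = frag.payload
        covered[frag.offset:end] = b"\x01" * len(frag.payload)
    if not all(covered):
        raise ReassemblyError("gap in fragment coverage")
    return bytes(buf)


def accepts(fragments) -> bool:
    """True if the fragment set reassembles cleanly, False if it must be dropped."""
    try:
        reassemble(fragments)
        return True
    except ReassemblyError:
        return False


if __name__ == "__main__":
    normal = fragment(b"\x08\x00" + b"A" * 998)        # ordinary 1,000-byte echo payload
    oversized = fragment(b"\x08\x00" + b"A" * 65_514)  # header + payload = 65,536 bytes
    print("normal ping:", accepts(normal))        # True
    print("oversized ping:", accepts(oversized))  # False
```

The two-pass structure is the point: a vulnerable reassembler sizes its buffer from the first fragments and then copies a late fragment past the end, whereas here no buffer exists until every fragment’s end has been checked, and the coverage map also rejects sets with gaps or conflicting final fragments so that a half-finished datagram never reaches the ICMP handler.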
It’s important to note that these types of DDoS attacks are often used in conjunction with one another against a single target. 42% of respondents in the Arbor Networks report claim to have experienced a multiple-threat attack in 2014, a 3% increase from 2013.
DDoS attack motivations
While any individual or organization can be the target of a DDoS attack, the attacks typically serve to extort money or disrupt the operations of a private or government enterprise.
That said, an understanding of DDoS motivations is essential for establishing an effective method of mitigating the damage these attacks cause.
Participants in the Arbor Networks survey were asked what motivations they believed were behind the DDoS attacks they experienced in 2014. The results are as follows:
Based on these motivations, it’s easy to see why DDoS attacks have become more complex, widespread, and difficult to detect over the years.