It is no exaggeration to say that every website is a target for hackers. DDoS attacks in particular cause damage to government agencies, municipalities and enterprise websites alike, regardless of target or size. But we do not have to simply accept the damage. Understanding the enemy accurately is the shortcut to preventing it; as the proverb goes, “If you know the enemy and know yourself, you will win a hundred battles.” With that in mind, I would like to classify DDoS attacks into four types and introduce each in detail.
Four types of DDoS attacks, categorized by technique
A DDoS (Distributed Denial of Service) attack usually means “an attack that remotely controls dozens to millions of PCs, connects them to a specific website at the same time and overloads it in a short time.” Do you remember when Sharp recently started selling masks and its website went down (source: PHILE WEB)? When many people access a single site at once, the website often stops working because the server cannot process every request with the capacity it has. A DDoS attack creates that same phenomenon artificially.
However, not all DDoS attacks work the same way. By method, they can be divided into “volume-based attacks”, “protocol-targeted attacks”, “application layer attacks”, and “blended threat attacks”.
Volume-based attacks
Volume-based attacks are the most common form of DDoS attack. The goal is to prevent even legitimate traffic from reaching the website. Hackers use a large number of Internet-connected PCs to send more traffic to the target site than its link can carry, blocking the bandwidth available to the server.
A typical example is the “UDP flood”. UDP (User Datagram Protocol) is a network protocol that does not establish a session or wait for a response. Because UDP is present in virtually every product, it is easy for hackers to exploit. To run a UDP flood, hackers first flood the ports of the target host so that it receives far more UDP than it can handle. As a result, more traffic arrives than the system can process, and the server goes down.
Attacks targeting the protocol
Unlike volume attacks, attacks aimed at protocols (so-called protocol attacks) consume the server’s resources rather than its bandwidth. This type of attack targets the “intermediate communication equipment” between servers and websites, such as firewalls and load balancers. To exhaust the target server’s resources, hackers craft malicious protocol requests and monopolize the resources of the website and server.
A typical example is “Smurf DDoS”. Hackers exploit Internet Control Message Protocol (ICMP) packets whose source IP is forged to look like the target server’s. In particular, the “IP broadcast address”, which is used to send messages and data packets to every system on a network, is the main tool, because by default most devices on the network are configured to respond to it. The hacker first sends packets carrying the target device’s IP to the broadcast address of the target network. If there are enough devices on that network, their replies converge on the target’s device and the server goes down.
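The UDP flood and Smurf patterns described above leave recognizable traces in packet summaries. The following detector is an added example (not code from the original post or from Cloudbric) that flags a destination receiving UDP datagrams across many ports, and a destination receiving ICMP echo replies from many hosts it never queried; the thresholds, field layout and sample records are assumptions constructed for illustration.

```python
"""Classify constructed packet summaries into the two volumetric patterns:
a random-port UDP flood and a Smurf-style ICMP reflection (added example)."""
from collections import defaultdict

# Constructed packet summaries: (proto, src_ip, dst_ip, dst_port, icmp_type).
# icmp_type is None for UDP; 0 = echo reply, 8 = echo request.
SAMPLE_PACKETS = (
    [("udp", f"203.0.113.{i % 50}", "198.51.100.10", 1024 + i, None) for i in range(400)]
    + [("icmp", f"192.0.2.{i % 200}", "198.51.100.20", None, 0) for i in range(300)]
    + [("udp", "203.0.113.7", "198.51.100.30", 53, None) for _ in range(20)]  # normal DNS
)

# Assumed thresholds per destination within one observation window.
UDP_PKT_THRESHOLD = 200
UDP_PORT_SPREAD = 50
ICMP_REPLY_SRC_THRESHOLD = 100


def classify_floods(packets, udp_pkts=UDP_PKT_THRESHOLD,
                    port_spread=UDP_PORT_SPREAD, reply_srcs=ICMP_REPLY_SRC_THRESHOLD):
    """Return {dst_ip: label} for destinations matching a flood pattern."""
    udp_count = defaultdict(int)
    udp_ports = defaultdict(set)
    echo_requests_sent = set()        # (requester, responder) pairs we saw
    reply_srcs_seen = defaultdict(set)
    for proto, src, dst, dport, icmp_type in packets:
        if proto == "udp":
            udp_count[dst] += 1
            udp_ports[dst].add(dport)
        elif proto == "icmp" and icmp_type == 8:
            echo_requests_sent.add((src, dst))
        elif proto == "icmp" and icmp_type == 0:
            # Only count replies the destination never solicited.
            if (dst, src) not in echo_requests_sent:
                reply_srcs_seen[dst].add(src)
    findings = {}
    for dst, n in udp_count.items():
        # Many datagrams spread over many ports: the UDP flood pattern.
        if n >= udp_pkts and len(udp_ports[dst]) >= port_spread:
            findings[dst] = "udp_flood"
    for dst, srcs in reply_srcs_seen.items():
        # Unsolicited echo replies from many hosts to one address: Smurf-style reflection.
        if len(srcs) >= reply_srcs:
            findings[dst] = "smurf_reflection"
    return findings
```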
Application layer attack
Application layer attacks, as the name implies, attack vulnerabilities in applications. Application programs such as Apache, Windows, and OpenBSD are the main targets. They generally require fewer resources than volume and protocol attacks, and because they target a specific application they can be difficult to detect. There have been many cases targeting specific website functions, such as online commerce. Hackers mimic the behavior of user traffic and send a large number of requests that look like normal traffic to paralyze the server.
A typical example is “Slowloris”. It is a method by which one web server paralyzes another. Hackers abuse “HTTP headers”, which allow clients and servers to exchange information. The hacker first connects to the target server, sends only partial requests, and holds as many connections to the target open for as long as possible, persistently sending only partial HTTP headers. Once the maximum number of requests the server can handle is exceeded, it can no longer process requests and goes down.
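Slowloris shows up on the server as many connections from one source whose request headers are still incomplete long after a normal client would have finished. The following check is an added example (not code from the original post or from Cloudbric) that scans a constructed snapshot of a server’s connection table; the field layout, the header timeout and the per-source limit are assumptions.

```python
"""Flag sources holding many connections with incomplete HTTP headers past
the header read timeout (added example, constructed data)."""
from collections import defaultdict

# Assumed header read timeout (seconds) and per-source limit on stalled
# connections before the source is reported.
HEADER_TIMEOUT_S = 20
MAX_STALLED_PER_SRC = 10

# Constructed snapshot: (src_ip, seconds_open, bytes_received, headers_complete).
# A Slowloris-style client keeps connections open with a partial header and
# trickles a few bytes to reset idle timers; a normal client finishes quickly.
SAMPLE_CONNECTIONS = (
    [("203.0.113.5", 45 + i, 120, False) for i in range(40)]
    + [("198.51.100.9", 3, 480, True) for _ in range(5)]
    + [("198.51.100.9", 25, 80, False)]   # one slow but isolated client
)


def find_slow_header_sources(conns, timeout=HEADER_TIMEOUT_S,
                             max_stalled=MAX_STALLED_PER_SRC):
    """Return {src_ip: stalled_count} for sources at or over the stalled limit."""
    stalled = defaultdict(int)
    for src, seconds_open, _bytes_rx, headers_complete in conns:
        # A connection is "stalled" when its headers never completed in time.
        if not headers_complete and seconds_open > timeout:
            stalled[src] += 1
    return {src: n for src, n in stalled.items() if n >= max_stalled}


def stalled_share(conns, timeout=HEADER_TIMEOUT_S):
    """Fraction of all connections still waiting on headers past the timeout."""
    if not conns:
        return 0.0
    stalled = sum(1 for _, t, _, done in conns if not done and t > timeout)
    return stalled / len(conns)
```

On the server side, Apache’s mod_reqtimeout (for example `RequestReadTimeout header=20-40,MinRate=500`) closes such connections before they accumulate; the check above is the monitoring complement, not a replacement for that limit.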
Blended threat attack
Many DDoS attacks fall into the three categories above: volume attacks, protocol attacks, and application-layer attacks. However, as DDoS attacks grow more precise and sophisticated by the minute, those three cannot cover everything. In fact, blended threat attacks are the most recently discovered technique. As the name says, they combine two or more attacks.
A typical example is a protocol attack used to divert attention while an additional application-layer attack is carried out. Because finding a vulnerability in an application can be time-consuming, the attackers first confuse the target and then buy time. Many other blended threat attacks have been discovered, and both their frequency and the scale of the damage have been increasing.
Last but not least
DDoS attacks will continue in the future. To avoid the damage, we need to abandon the complacent mindset of “our website will be safe”. Thorough preparation is the first step in protecting your website and corporate information. The easiest way for companies to defend against DDoS attacks is to implement a web application firewall (WAF).
Cloudbric provides a cloud-based WAF that responds to DDoS attacks at the web application level. While maintaining high security, it can be implemented easily even by small and medium-sized companies. Check out the links below for reasonable steps to defend against DDoS attacks.
Check out Cloudbric’s product lines:
No.1 in the Asia Pacific – WAF with A.I & Logic-based detection engine: Cloudbric WAF+
Cloud-based DDoS attack defense service with edge computing: Cloudbric ADDoS
Zero Trust Network Access-based Remote Access Solution: Cloudbric RAS
Blockchain: Blockchain Security Solution