Glossary of Common DDoS Attacks
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have plagued commercial and enterprise networks since early 1970. In terms of damage to network infrastructure, service continuity and business reputation, DoS/DDoS attacks have racked up some of the most successful cyberattacks to date. The Allot DDoS Attack Handbook outlines the most common attacks and their implications for CSP network assets and business. For each attack, real customer success stories demonstrate how Allot’s DDoS Protection solution, powered by Allot DDoS Secure, helps CSPs and enterprises establish a highly effective first line of defense against cyber threats.
To learn more about DDoS attack types see our DDoS Attack Handbook – Click here to download your copy.
ACK Flood (or ACK-PUSH Flood)
In an ACK or ACK-PUSH Flood, attackers send spoofed ACK (or ACK-PUSH) packets at very high packet rates. In other words, they acknowledge session requests that were never sent and do not exist. Packets that do not belong to any existing session on the victim’s ﬁrewall or any security device along the path, generate unnecessary lookups in the state tables. This extra load exhausts system resources.
Read how Allot helps an ISP in North America stop ACK Floods.
An Ampliﬁed DNS Flood is a DNS attack on steroids! It takes advantage of the Open Recursive DNS server infrastructure to overwhelm the spoofed target victim with large volumes of trafﬁc. The attacker sends small DNS requests with a spoofed IP address to open DNS resolvers on the Internet. The DNS resolvers reply to the spoofed IP address with responses that are far larger than the request. All of the reﬂected/ampliﬁed responses come back to ﬂood the victim’s DNS server(s), whitypes of DDoS attacks ch usually takes them ofﬂine.
Read how Allot helps VOO stop Amplified DNS Floods.
CHARGEN Reflection attacks take advantage of the Character Generation Protocol, originally designed for troubleshooting, which allows sending a random number of characters. The attacker sends tens of thousands of CHARGEN requests by utilizing botnets to one or more publicly-accessible systems offering the CHARGEN service.
Read how Allot helped stop CHARGEN Reflective Flood attacks.
A CLDAP Reﬂection Attack exploits the Connectionless Lightweight Directory Access Protocol (CLDAP), which is an efﬁcient alternative to LDAP queries over UDP. Attacker sends an CLDAP request to a LDAP server with a spoofed sender IP address (the target’s IP). The server responds with a bulked-up response to the target’s IP causing the reﬂection attack. The victim’s machine cannot process the massive amount of CLDAP data at the same time.
Read how Allot helped MSSP in Australia stop CLSAP Reflection attacks.
A DNS Flood sends spoofed DNS requests at a high packet rate and from a wide range of source IP addresses to the target network. Since the requests appear to be valid, the victim’s DNS servers respond to all the spoofed requests, and their capacity can be overwhelmed by the sheer number of requests.
Read how Allot helps a National Broadband Carrier in Africa stop DNS Floods.
HTTP (and its encrypted form HTTPS) is a transport protocol for browser-based Internet requests, commonly used to load webpages or to send form content over the Internet. In an HTTP/S flood attack the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web service or application. These attacks often utilize many botnets such as infected IoT devices.
Read how Allot helped stop HTTP/S Flood attacks.
IoT botnets are created as hackers infect numerous Internet-connected (IoT) devices and recruit them to launch large-scale DDoS attacks that have been measured in Terabits/sec! These attacks are difﬁcult to detect and mitigate because they use hit-and-run tactics that originate from numerous IoT vectors distributed across many locations – often worldwide.
Read how Allot stopped IoT DDoS attacks powered by Mirai.
LDAP Ampliﬁcation attacks leverage the Lightweight Directory Access Protocol (LDAP) which is used by Microsoft Active Directory and millions of organizations to verify username and password information and permit access to applications. The attacker sends small requests to a publicly available vulnerable LDAP server with open TCP port 389 in order to produce large (ampliﬁed) replies, reﬂected to a target server.
Read how Allot helps MSSP in Australia stop LDAP Amplification attacks.
In an NTP (Network Time Protocol) ampliﬁcation, an attacker uses a spoofed IP address of the victim’s NTP infrastructure and sends small NTP requests to servers on the Internet, resulting in a very high volume of NTP responses. Since attackers spoof the victim’s NTP infrastructure, all of the reﬂected/ampliﬁed responses ﬂood the victim’s NTP server.
Read how Allot helps VOO fight NTP Amplification attacks.
In a Ping Flood, an attacker sends spoofed ICMP echo request (pings) packets at a high rate from random source IP ranges or using the victim’s IP address. Most devices on a network will, by default, respond to the ping by sending a reply to the source IP address.
Read how Allot helps BVU fight UDP Floods.
In TCP, a FIN packet says, “We’re done talking, please acknowledge” and waits for an ACK response. An RST packet says, “Session over” and resets the connection without an ACK. In an RST/FIN Flood, attackers send a high rate of spoofed RST or FIN packets in an attempt to use up resources on the target.
Read how Allot helps a Tier-1 operator in LATAM fight RST/FIN Flood attacks.
SNMP reflected amplification attacks leverage the Simple Network Management Protocol (SNMP) used for configuring and collecting information from network devices like servers, switches, routers and printers. Similar to other reflection attacks, the attacker uses SNMP to trigger a flood of responses to the target. The perpetrator sends out a large number of SNMP queries with a spoofed IP address (the target’s) to numerous connected devices that, in turn, reply to that forged address.
Read how Allot helped stop SNMP Reflected Amplification attack.
Simple Service Discovery Protocol (SSDP) is a network protocol that enables universal plug and play (UPnP) devices to send and receive information using UDP on port 1900. Vulnerable devices such as home routers, ﬁrewalls, printers, access points and the like, respond with UPnP “reply” packets sent to the spoofed IP address of victim’s network, overwhelming it.
Read how Allot helps an MSSP in Australia stop SSDP attacks.
A SYN Flood, often generated by botnets, is designed to consume resources of the victim server, such as ﬁrewalls or other perimeter defense elements, in an attempt to overwhelm their capacity limits and bring them down. The target receives SYN packets at very high rates which rapidly ﬁll up its connection state table, resulting in disconnections, dropping of legitimate trafﬁc packets, or even worse – element reboot.
Read how Allot helps a tier-1 service provider in North America fight SYN Flood attacks.
In a TOS (Type of Service) Flood, attackers forge the ‘TOS’ field of the IP packet header, which is used for Explicit Congestion Notification (ECN) and Differentiated Services (DiffServ) flags. There are two known types of TOS attack scenarios. In the first, the attacker spoofs the ECN flag, which reduces the throughput of individual connections thereby Allot’s DDoS Secure causing a server to appear out of service or non-responsive. In the second, the attacker utilizes the DiffServ class flags in the TOS field to increase the priority of attack traffic over legitimate traffic in order to intensify the impact of the DDoS attack.
Read how Allot helps a tier-1 operator in LATAM fight TOS Flood attacks.
A SYN flood attack is a flood of multiple TCP SYN messages requesting to initiate a connection between the source system and the target, filling up its state table and exhausting its resources. The Tsunami SYN flood attack is a flood of SYN packets containing about 1,000 bytes per packet as opposed to the low data footprint a regular SYN packet would usually contain.
Read how Allot helped stop Tsunami SYN Floods attacks.
In a UDP Flood, attackers send small spoofed UDP packets at a high rate to random ports on the victim’s system using a large range of source IPs. This consumes essential network element resources on the victim’s network which are overwhelmed by the large number of incoming UDP packets.
Read how Allot helps BVU fight UDP Floods.
UDP Fragmentation attacks send large UDP packets (1500+ bytes) which consume more network bandwidth. Since the fragmented packets usually cannot be reassembled, they consume significant resources on stateful devices such as firewalls along the traffic path.
Read how Allot helps VOO fight UDP Fragmentation attacks.