Types of DDoS attacks and ways to protect against them

Types of DDoS attacks and ways to protect against them

13:07, 08.07.2021
Author: Artur Berezhnoy
2 min.
51

Dirty play by competitors, blackmailing or even training - hackers today can put down dedicated servers for a large online store, or VPS for the website of a small company. They use the so-called DDoS for this purpose. Therefore, everyone who cares about the safety of your business should be prepared for this attack. To do this you need to know what is a DDoS-attack, the types of it, and most importantly: what server protection from DDoS is effective - and how to deal with this with help from our article!

What is DDoS?

DDoS is short for Distributed Denial of Service. What happens is that the server receives too many requests from users at the same time, literally in thousands, and the channel becomes full, and the equipment stops responding - "denial of service". This leads to reduced traffic, financial and reputational losses. Important: a DDoS attack is launched from many real, virus-infected devices in a botnet controlled by a hacker (hence the term "distributed" because there is a simple DoS, with requests from a single computer). This makes the attack larger and more difficult to detect and neutralize.

Type of DDoS attacks

There are many ways to artificially overload someone else's server - and they are very diverse. For a better understanding of the situation it is worth knowing at least the popular types of DDoS attacks:

  • HTTP flooding. A simple but effective application layer method: sending HTTP headers specifying the desired resource, browser data, etc. that the server has to process. The headers can be made different, which makes it difficult to identify DDoS, and sent over HTTPS, which puts even more stress on the server, which has to decrypt them all first.


  • SYN flooding. Traffic is generated using synchronization packets (or SYN packets), in response to which the server has to send acknowledgement packets (SYN+ACK), create a connection and receive the same response. However, it is exactly the latter that doesn't happen, which causes connections to hang until a timeout. This causes a queue of waits (essentially a network protocol vulnerability).


  • MAC flooding. Such DDoS attack generates a lot of empty Ethernet frames with different MAC addresses. Resources are allocated for each of them on the switch until they are exhausted. This can cause the switch to stop responding, shut down and "lose" the routing tables, bringing the whole network to a halt, not just one device.


  • UDP flooding. The mass of UDP packets from random and real IP can cause a lot of problems - because in UDP, in contrast to TCP, there is no concept of connection establishment and session checking mechanisms. Filtering the traffic is difficult, and often the defense against DDoS is already to shut down the server. Subtypes: DNS and NTP floods aimed at the respective servers.


  • ICMP flood. Spoofed ICMP packets are also difficult to distinguish from real ones, because Internet Control Message Protocol doesn't require acknowledgement of receipt. The attack can also be used to obtain information about a server for future point to point attacks. A separate type: with large fragmented ICMP packets to exhaust server resources.

It is important to remember that these are only the most common and understandable types of DDoS attacks, but in reality there are many more, and their nature can vary quite noticeably. That is why we could write not just a short article about them, but at least a manual!

OSI Classification Attacks

DDoS attacks are distinguished by the OSI network model, Open Systems Interconnection, which defines levels of system interaction. There are 7 levels in total, and each level has its own type of server attack:

  1. The physical layer, with the transmission of bits, binary data, through the 100 BaseT and 1000 Base-X protocols. Essentially, attacks at this base layer are the actual destruction of servers and related equipment (like hubs, patch panels, etc.).
  2. The data link layer, where data is transmitted as frames via PPP, IEEE, 802.22, etc. MAC flooding is possible in this layer, loading the network switches. DDoS protection is to configure equipment to MAC addresses that have been authenticated, authorized, and accounted for on the server.
  3. Network layer with routing and transmission of already packets. Protocols: IP, ICMP, ARP, etc. Accordingly, the main method of attack is ICMP flooding. Therefore you should limit the number of requests through this protocol, which will limit the impact on the firewall and channel bandwidth.
  4. Transport layer for transmitting segments and datagrams. Its main protocols: UDP and TCP. Therefore, the key types in DDoS - UDP- and SYN-flood. To fight them often filtering blackholing is used - it saves the equipment, although the site will not be available even for real users.
  5. Session layer, which already works with data via RPC, PAP and L2TP protocols. Telnet server vulnerabilities are used to affect it, due to which the owner ceases to control the switch tied to it. Regular software updates are the only solution.
  6. Representative level is used to transmit data to the recipient. ASCII and EBCDIC protocols are used for data compression and encoding. Layer 6 attacks use spoofed SSL requests. The best way to protect the server from this type of DDoS is to correctly distribute the SSL infrastructure.
  7. Application layer for data in "user" protocols: HTTP, SMTP, FTP, POP3. Accordingly, the main danger is HTTP flooding in any of its manifestations. It can be combated with software monitoring to find application vulnerabilities and trace the beginning of attacks.

As you can easily guess from the above two lists, the most common types of DDoS attacks according to OSI are Layer 3, Layer 4 and Layer 7.

Executing DDoS

It is worth noting that massive attacks on servers and websites can still be divided by the method of exposure to the "victim''. There are three variants:

  • Standard DDoS attack. The flow of traffic from the cybercriminal botnet grows gradually, reaching the maximums not immediately - and stays there for a long time. It's hard to detect it in time, but afterwards the situation is quite understandable.


  • Pulse Wave. "Pulse wave" looks like a series of sharp and powerful, but short bursts of requests to the server. These attacks are dangerous precisely because of their unpredictability; their periodicity online is extremely difficult to guess.


  • APDoS. This acronym stands for Advanced Persistent DoS, Advanced Persistent DoS. Protecting against this type of DDoS is extremely difficult - the strategy here is very variable: it changes the types and their duration.

types of ddos attacks and ways to protect against them

How to defend against DDoS?

Countering distributed attacks by hackers on servers must be truly comprehensive. Therefore the work should be divided into two equally important areas.

Preventing an attack

Any problem is easier to circumvent than to correct. And while it is impossible to avoid an attack, it is possible to reduce the likelihood or consequences. To do so, you need to:

  • Have auxiliary resources. It is possible to paralyze any channel and server, but a reserve of bandwidth and hardware power will not be superfluous - it will help to buy time at the beginning of the attack. You should also divide your virtual server infrastructure into several data centers with traffic distribution - this way it will be more difficult to load the whole system.


  • Configure the hardware. To protect servers from DDoS the correct configuration of routers, firewalls, etc. is extremely important. There are a lot of options here, they depend on the peculiarities of the construction of your project. For example, you may block responses from the DNS server outside your network or set the ICMP packet drop.


  • Use anti-DDoS. This may include both hardware and software systems, network and web application firewalls, as well as load balancers and tools aimed at specific threats (for example, limiting the number of open SYN connections per IP address per time unit).


  • Use special software. There are quite a few systems on the market developed by major international companies that help quickly identify and block popular DDoS types. They are usually based on the principle of artificial intelligence, which analyzes the signatures of incoming traffic.

Countering an attack

It is impossible to describe universal ways to combat an attack on a website, server or corporate network - everything is individual. But there are some general principles:

  • Prepare your staff. Technical and other network infrastructure-related employees must clearly understand what to do in the event of a DDoS attack. To do this, you should develop step-by-step instructions for their possible actions and hold a series of special training sessions to prepare them for such situations.


  • Monitor incoming traffic. The first step in counteracting any artificial server overload is to detect such attempts as soon as possible. To do this, set up automatic monitoring of all connections, their number, volume and locations - with notification of the beginning of strange bursts and the launch of the first anti-DDoS tools.


  • Protect the perimeter. To minimize the effects of congestion, you can play around with your network settings. For example, you should limit the speed of your router and install a filter for dropping packets from an already detected source of "bad" traffic, lower the thresholds for UDP-, ICMP- and SYN-flooding, reduce the timeout of half-open connections to the limit, and so on.


  • Ask for help. It is important to realize that simple solutions only work against simple attacks. The level of hackers is growing, they know the ways to fight them and develop more sophisticated scripts. That is why DDoS protection often requires specialized support from a hosting provider or independent companies.

The last point is most important for protection against intruders and is already at the level of renting VPS-servers or dedicated servers. You need to be confident in the reliability and stability of the equipment and in the technical qualifications and availability of technical support. That's why you should contact HostZealot! We offer a wide range of different server solutions with competitive pricing plans and will provide you with 24/7 responsive and attentive support in any situation - whether it's a choice of VDS, its setup or protection. After all, we have competent and experienced partner companies that will help you cope with all types of DDoS attacks by hackers.

Related Articles