DDoS attacks can take many different forms, called vectors, each aiming at disrupting a different component of a network connection. Nowadays, DDoS attacks tend to use multiple vectors to be more difficult to block. Here is a quick recap of the three main different types of DDoS attack vectors.
This category of attacks attempts to create congestion on the victim’s links, or cut off the victim from Internet, and eventually disrupt the victim’s Internet service provider as a collateral damage. Large amounts of data packets are sent to a target by using a form of “reflection and amplification” technique that makes use of open public services that can be abused by attackers (Open DNS servers, open NTP servers).
Volumetric attacks range from tens of Gigabit per second to over a Terabit per second. The largest attack NETSCOUT has observed was a 1.7 Terabit leveraging the UDP Memcached protocol.
A TCP state-exhaustion attack aims at disrupting stateful devices like firewalls, IPS devices, VPN gateways, or Load Balancers. These devices are called stateful because they are using session tables to keep track of TCP sessions.
These attacks are relatively low in terms of bandwidth (less than 10 Gbps on average) and are thus difficult to differentiate from legitimate traffic. But the throughput with TCP small packets is generally very high with millions of packets per second. Firewalls and VPN gateways could stop processing new legitimate TCP sessions, and eventually collapse and cut off your VPN access or your whole datacenter in case the Firewall was your first line of defense.
Here the goal is to flood the application server with requests that look legitimate, preventing it from processing the truly legitimate requests. A cybercriminal may for example flood a DNS server with DNS requests for random domain names. The DNS server will attempt to service all the requests and eventually reach its maximum capacity and start dropping all requests including legitimate ones.
Because they imitate normal user behavior, Layer 7 attacks are some of the most difficult attacks to mitigate.
These are just three of the most common DDoS attack vectors but there are others, and new ones regularly appear, forcing DDoS protection platforms and providers to rapidly design effective countermeasures. Are you sure your platform is keeping up?
For more details on the different types of DDoS attacks, refer to NETSCOUT DDoS attacks glossary.
