147 02.04.2019

We have already talked about DDoS attacks. They are a modern plague terrorizing the Internet. Throughout the years they have become stronger and more frequent. The variety of DDoS attacks has increased too. Now there are many different types of DDoS attacks. We will show you the most common types.

There are 3 main types of DDoS attacks:

Volume-based attacks

These attacks use strong traffic waves to overwhelm the targeted servers. They are measured in data per second. For example, GitHub got crippled with 1.35 TBPS traffic.

Examples: UDP flood and ICMP flood.

Protocol attacks

These attacks take advantage of the flaws in the protocols. They “confuse” or make the servers work extra. Eventually the servers crash if the attack is strong enough.

Examples: SYN flood, Smurf Attack, Ping of Death.

Application layer attacks

Attacks that try to crash web servers (Windows, OpenBSD or Apache). Here the emphasis is not on the data, but on the number of requests. Too many requests that seem legit.

Examples: HTTP Flood, Slowloris

Popular DDoS attacks

Now that we know what the types are, let’s check out the most common variations of them:

Teardrop Attack

The server will start receiving packets of data. The packets are corrupted, so when the server gets them, it can’t understand them. This happens because of a bug in the TCP/IP fragmentation re-assembly. The victim server eventually crashes.

Ping of Death

Ping of Death, as the name suggests, uses the ping tool. The server gets packets that are greater than the limit that the IP protocol allows. This “confuses” the server. As a result of the confusion it can crash, freeze or reboot.

Smurf Attack

Another ping attack. It uses ICMP echo requests and a malware called Smurf. Many connected devices all around the world send a ping request, but the confirmation is then redirected to the targeted server. This creates a strong wave of traffic that can cripple the victim.

ICMP (Ping) Flood

It is very similar to the Smurf Attack. It uses the same technique of sending countless ping requests, disregarding the answers.

SYN Flood

The purpose of the SYN Flood attack is to overwhelm the server. It takes advantage of a TCP connection sequence called a three-way handshake. The process is simple; the server gets an SYN (synchronized) message. Then the server answers with an SYN-ACK (acknowledge of the message). In the last step, the server needs to receive an ACK from the client, but this never happens and the server keeps waiting. This shake is activated multiple times until the regular client can’t connect due to overload.

UDP Flood

UDP – User Datagram Protocol – is a network protocol that is used by DNS. The host will get strong traffic on a random port. It will try to check for the application on that port, but it won’t find a thing. The Fraggle attack is one variation of the UDP Flood attacks.

HTTP Flood

The Http Flood looks like a legit GET or POST request, but it is sent by the hacker. It forces the servers to react to all of the requests and uses a lot of resources.


This one acts like David vs Goliath. A single computer can take down a web server. Slowloris opens multiple connections to the victim’s web server and keeps them open for as long as it can. It sends incomplete HTTP requests. Its goal is to open up the maximum amount of connections possible until the server can’t open any for regular users. It is very dangerous for Apache 1.x, 2.x web servers, and others.

Zero-day DDoS Attacks

This term is used for attacks that exploit new security vulnerabilities. These that the developers are still not aware of. The vulnerabilities can be there from the beginning, or they can arise after an update or a patch.

DDoS Amplification. It uses the UDP protocol and the fact that UDP is a connectionless communication model. In this model, one side can send a large amount of data to the other side without restrictions. There is no confirmation of receiving. The cyber-criminals send small UDP requests with spoofed IP addresses of the victim to public servers. The servers return the data amplified and hit the victim with huge traffic.

SNMP Reflection Attack

It uses the simple network management protocol (SNMP). The hackers send SNMP queries with a changed IP address (the one of the victim). The target struggles to answer all of the requests as a result of which it can get stuck and go down.

Fork Bomb

The goal of this attack is to take all of the resources of the victim. One example is an infinity loop app that starts itself over and over again. This takes up system memory and loads the CPU until the whole system crashes. The traditional fork bomb targets Linux devices, but a more advanced version can target Windows devices too.

Advanced Persistent DoS (APDoS)

As the name suggests, this one is advanced. It involves an HTTP Flood, SQLI and XSS attacks. We are talking about millions of request at a time. The attack often has multiple targets and a predefined goal. It attacks multiple layers- 3 to 7. The attack can be very large, with prolonged duration. The attackers can change the tactic on the go. It is highly dangerous and very challenging to stop.

So, what can we do to protect ourselves from this huge amount of DDoS attacks? Don’t despair, there is an easy way to protect yourself – Neterra DDoS Protection. This protection can withstand very large attacks up to 1 Tbps. It also secures Layers 3 to 7.

images.27001 images.9001 20000