Describe the types of DDoS attack

What is a DoS attack?

A denial-of-service attack is a type of cyber-attack where the perpetrator tries to make a network resource unavailable to its intended users by stopping the services of a host connected to the Internet for a certain length of time or indefinitely. Denial of service is often accomplished by flooding a targeted computer or resource with unnecessary requests that could cause systems to become overburdened, preventing any or all genuine requests from being fulfilled.

In a distributed denial-of-service (DDoS) attack, the incoming traffic flooding the target comes from various places. This renders stopping the attack by just preventing a single source.

In a distributed denial-of-service (DDoS) attack, the incoming traffic overwhelming the target comes from several sources. This effectively stops the assault by blocking a single source of the attack.

A DoS attack is analogous to a swarm of individuals jamming a store's front entrance, making it difficult for legitimate customers to enter and disrupting commerce.

Attackers attempting to prevent legitimate consumers from using a service are denial-of-service attacks. There are two forms of denial-of-service attacks:

  • Those that crash services
  • Those that flood services

The most dangerous assaults are spread out

Distributed DoS

A distributed denial-of-service (DDoS) attack happens when many computers exceed a targeted system's bandwidth or resources, usually one or more web servers.

A DDoS assault uses many distinct IP addresses or computers, sometimes tens of thousands of compromised hosts. A distributed denial of service attack generally requires 3–5 nodes across many networks; however, fewer nodes may not qualify as a DDoS attack

A group of attack machines can generate more attack traffic than a single attack machine. Turning off multiple attack machines is more challenging than a single assault machine. Each attack machine's activity can be stealthier, making monitoring and shutting down more challenging. Because the incoming traffic that overwhelms the target comes from various sources, ingress screening will not be enough to stop the attack. It's also difficult to distinguish between regular user and attack traffic when distributed across numerous origins.

DoS and DDoS assaults can be classified into three categories −

  • Volume Based Attacks

ICMP floods, UDP floods, and other spoofed-packet floods are also included. The attack aims to saturate the targeted site's bandwidth, and the attack's magnitude is measured in bits per second (Bps).

  • Protocol Attacks

Ping of Death, SYN floods, fragmented packet attacks, Smurf DDoS, and more attacks are included. This assault uses server resources or intermediate communication infrastructures like firewalls and load balancers and is measured in packets per second (Pps).

  • Application Layer Attacks

Low-and-slow attacks, GET/POST floods, vulnerabilities in Apache, Windows, or OpenBSD, and more are all covered. The goal of these attacks, which consist of seemingly real and innocent requests, is to bring down the webserver, and the size is measured in Requests per second (Rps).

Common DDoS attack types

The following are some of the most popular DDoS attack types −

UDP Flood

Any DDoS attack that floods a target with User Datagram Protocol (UDP) packets is known as a UDP flood. The attack aims to flood random ports on a remote computer with traffic. This forces the host to repeatedly look for an application listening on that port and respond with an ICMP 'Destination Unreachable' packet if none is discovered. This process depletes host resources, potentially resulting in inaccessibility.

SYN Flood

An SYN flood DDoS assault takes advantage of a known flaw in the TCP connection process (the "three-way handshake"), in which an SYN request to establish a TCP connection with a host must be met with an SYN-ACK response from that host, followed by an ACK response from the requester. The requester sends several SYN requests in an SYN flood situation but either ignores the host's SYN-ACK response or sends the SYN queries from a faked IP address. In either case, the host system waits for each request to be acknowledged, consuming resources and preventing new connections from being formed, resulting in service denial.

ICMP (Ping) Flood

An ICMP flood is similar to a UDP flood attack in that it bombards the target resource with ICMP Echo Request (ping) packets as quickly as possible without waiting for responses. This type of attack can utilize both outgoing and incoming bandwidth, resulting in significant overall system latency. The victim's servers will constantly respond with ICMP Echo Reply packets.


Slowloris is a highly targeted assault that allows one webserver to take down another web server while leaving other services and ports on the target network unaffected. Slowloris achieves this by maintaining as many connections as possible to the target web server. It achieves this by establishing connections with the target server but only sending a request portion. Slowloris sends additional HTTP headers repeatedly but never completes a request. Each of these bogus connections is kept open by the targeted server. This eventually causes the maximum concurrent connection pool to overflow, resulting in the denial of new legal connections.

Ping of death

In a ping of death ("POD") attack, the attacker sends a computer a series of incorrect or malicious pings. The maximum length of an IP packet is 65,535 bytes (including the header). The Data Link Layer, on the other hand, establishes a maximum frame size limit, which is typically 1500 bytes over an Ethernet network. In this situation, a huge IP packet is divided into many IP packets (known as fragments), and the destination host reassembles the fragments into the entire packet. In a Ping of Death scenario, the recipient receives an IP packet more significant than 65,535 bytes when reassembled due to malicious fragment content alteration. This can cause genuine packets to be denied service due to overflowing memory buffers allocated for the packet.

Amplification of NTP

Attackers who employ publicly accessible Network Time Protocol (NTP) servers to flood a targeted server with UDP traffic are known as NTP amplification attackers. Because the query-to-response ratio in such cases is somewhere, the attack is categorized as an amplification assault if the ratio is between 1:20 and 1:200 or more. This means that an attacker with access to a list of open NTP servers (e.g., via Metasploit or data from the Open NTP Project) can launch a high-bandwidth, high-volume DDoS attack.

HTTP Flood

In an HTTP flood DDoS assault, the attacker utilizes seemingly acceptable HTTP GET or POST requests to attack a web server or application. HTTP floods don't involve faulty packets, spoofing, or reflection techniques, and as a result, compared to other forms of attacks, they use less bandwidth to shut down the targeted site or server. The attack is most effective when the server or application is forced to allocate the highest number of resources possible in response to each request.

Zero-day DDoS Attacks

All unknown or fresh attacks, exploiting vulnerabilities for which no fix has been provided, are classified as "zero-day" assaults. The word has become well-known among members of the hacking community, where zero-day trading vulnerabilities have become a popular pastime.

Updated on: 15-Mar-2022


Kickstart Your Career

Get certified by completing the course

Get Started