What Is a DDoS Attack?

The four key types of attacks are:

• Application-layer attacks
• Protocol attacks
• DNS amplification/reflection attacks 
• Volumetric attacks

Application-layer DDoS attacks

Application-layer DDoS attacks (Layer 7 DDoS attacks) target specific vulnerabilities in web applications to prevent the application from performing as intended. These DDoS attacks often target the communication protocols involved in exchanging data between two applications over the internet. While difficult to prevent and mitigate, they are among the easiest DDoS attacks to launch.

• HTTP floods. HTTP floods exploit the HTTP internet protocol that is used to load web pages or send content over the internet. HTTP floods cause a server, website, or web app to slow down or crash by overwhelming it with a large number of HTTP GET or POST requests.
• Low and slow attacks. A low and slow attack is a type of denial-of-service (DoS) attack designed to evade detection by sending traffic and HTTP requests that appear to be legitimate at a very slow rate. Low and slow attacks require little bandwidth and may be launched from a single computer or with a botnet. Traffic in a low and slow attack is difficult to detect because it appears to be legitimate Layer 7 traffic and is not sent at a rate that triggers security alerts.
• Slowloris. A Slowloris DDoS attack is designed to overwhelm a web server by opening and maintaining many simultaneous HTTP connections to a target server. Slowloris uses up server resources with requests that seem slower than usual but otherwise appear to be standard traffic. Attackers take advantage of a feature unique to the HTTP protocol: the ability for clients to split GET or POST requests into several packets. A Slowloris attack compromises a targeted web server by opening multiple connections and keeping them open as long as possible. This is accomplished by sending partial HTTP requests that are never completed.

Protocol DDoS attacks

Protocol attacks target weaknesses and vulnerabilities in internet communications protocols in Layer 3 and Layer 4 of the OSI model. These attacks attempt to consume and exhaust compute capacity of various network infrastructure resources like servers or firewalls by sending malicious connection requests that exploit Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP) protocols.

• SYN flood. One of the main ways people connect to internet applications is through the TCP. This connection requires a three-way handshake from a TCP service — like a web server — and involves sending a SYN (synchronization) packet from where the user connects to the server, which then returns a SYN-ACK (synchronization acknowledgement) packet, which is ultimately answered with a final ACK (acknowledgement) communication back to complete the TCP handshake. During a SYN flood attack, a malicious client sends a large volume of SYN packets (part one of the usual handshake) but never sends the acknowledgement to complete the handshake. This leaves the server waiting for a response to these half-open TCP connections. Eventually, the server runs out of capacity to accept new connections for services that track connection states. 
  
  If we were to use the rideshare analogy here, think of it as a situation where thousands or even hundreds of thousands of bogus requests are made to a rideshare company. The cabs wait for passengers to get in and start the journey, but that never happens, ultimately exhausting all available cabs and rendering the service unavailable to legitimate rides.

• Smurf DDoS attack. The name of this DDoS attack is based on the concept that numerous tiny attackers can overwhelm a much larger opponent by sheer volume, just like the fictional colony of small blue humanoids that are its namesake. In a Smurf DDoS attack, large numbers of ICMP packets with an intended target’s spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, most devices on a network will respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be slowed down to a crawl from being flooded with traffic.

DNS amplification/reflection DDoS attacks

Domain Name System or DNS amplification/reflection attacks are a specific type of volumetric DDoS attack vector where hackers spoof the IP address of their target to send large amounts of requests to open DNS servers. In response, these DNS servers respond back to the malicious requests by the spoofed IP address, thereby creating an attack on the intended target through a flood of DNS replies. Very quickly, the large volume of traffic created from the DNS replies overwhelms the victim organization’s services, making them unavailable and preventing legitimate traffic from reaching its intended destination.

To explain this type of attack using the rideshare analogy, imagine if hundreds or thousands of rideshare requests were placed to send cabs to a victim’s address. These rideshare cabs now clog up the streets leading up to the victim’s house, preventing legitimate visitors from reaching the individual’s address. This analogy can also be extended to explain volumetric DDoS attacks in the next section. 

Volumetric DDoS attacks

Volume-based DDoS attacks are directed at OSI Layers 3 and 4, overwhelming a target with a flood of traffic from multiple sources and eventually consuming all of the target’s available bandwidth, causing it to slow down or crash. Volumetric attacks are often used to divert attention away from other types of DDoS attacks or more dangerous cyberattacks.

• UDP floods. UDP floods are frequently chosen for larger-bandwidth DDoS attacks. Attackers attempt to overwhelm ports on the targeted host with IP packets containing the stateless UDP protocol. The victim host then looks for applications that are associated with the UDP packets, and when not found, sends a “Destination Unreachable” back to the sender. The IP addresses are often spoofed to anonymize the attacker, and once the targeted host becomes inundated with attack traffic, the system becomes unresponsive and unavailable to legitimate users.
• ICMP floods. Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany Transmission Control Protocol (TCP) packets that enable application programs and computing devices to exchange messages over a network, when connecting to a server. An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.

Organizations can protect against and limit disruption from DDoS attacks with a strong DDoS strategy, superior DDoS mitigation services, and advanced superior cybersecurity controls.

Cloud-based solutions offer high-capacity, high-performance, and always-on anti-DDoS protection that can prevent malicious traffic from reaching a website or interfering with web API communications, limiting the impact of the attack while allowing normal traffic to get through for business as usual.

DDoS mitigation services

In a constantly evolving attack landscape, DDoS protection through a mitigation provider that takes a defense-in-depth approach can keep organizations and end users safe. A DDoS mitigation service will detect and block DDoS attacks as quickly as possible, ideally in zero or a few seconds from the time that the attack traffic reaches the mitigation provider’s scrubbing centers. Because attack vectors keep changing and attack sizes keep getting bigger, to achieve the best DDoS protection, a provider must continually invest in defense capacity. To keep up with large, complex attacks, the right technologies are needed to detect malicious traffic and begin robust defensive countermeasures to mitigate attacks quickly.

DDoS mitigation providers filter out attack traffic to prevent it from reaching the intended targeted asset. Attack traffic is blocked by a CDN-based web protection service, a DDoS scrubbing service, or a cloud-based DNS service.

• CDN-based DDoS defenses. A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN to specifically accelerate traffic using HTTP and HTTPS protocols, all DDoS attacks targeting that URL can then be dropped at the network edge. This means that Layer 3 and Layer 4 DDoS attacks are instantly mitigated, as this type of traffic is not destined for web ports 80 and 443. As a cloud-based proxy, the network sits in front of a customer’s IT infrastructure and delivers traffic from end users to the websites and applications. Because these solutions operate in-line, web-facing assets are protected at all times without human interaction from network-layer DDoS attacks.
• DDoS cloud scrubbing. DDoS scrubbing can keep your online service or business up and running, even during an attack. A cloud-based scrubbing service can quickly mitigate attacks that target non-web assets, like network infrastructure, at scale. Unlike CDN-based mitigation, a DDoS scrubbing service can protect across all ports, protocols, and applications in the data center, including web- and IP-based services. Organizations direct their network traffic to the mitigation provider’s scrubbing infrastructure in one of two ways: via a Border Gateway Protocol (BGP) route advertisement change or DNS redirection (A record or CNAME). Traffic is monitored and inspected for malicious activity, and mitigation is applied when DDoS attacks are identified. Typically, this service can be available in both on-demand and always-on configurations, depending on an organization’s preferred security posture — although more organizations than ever before are moving to an always-on deployment model for the fastest defensive response.
• Web application firewalls. For application-layer–specific defenses, organizations should deploy a web application firewall (WAF) to combat advanced attacks, including certain types of DDoS attacks like http requests, HTTP GET, and HTTP POST floods, which aim to disrupt Layer 7 application processes of the OSI model.
• On-premises (on-prem) DDoS protection. On-prem or on-network DDoS protection involves physical and/or virtualized appliances that reside in a company’s data center and integrate with their edge routers to stop malicious DDoS attacks at the edge of their network. This is particularly helpful when cybercriminals utilize “low and slow” or “small and fast” attacks designed to avoid detection. Additionally, on-prem DDoS protection helps companies avoid operational costs related to rerouting traffic to a cloud scrubbing center when they are not targeted with volumetric attacks. On-prem DDoS protection also serves companies that require ultra-low latency with their network traffic. Examples of such use cases include companies that provide voice and video conferencing platforms, multimedia services, and gaming platforms, or other services that have near-real-time latency requirements. 
• Hybrid DDoS protection. A hybrid DDoS protection solution combines the capabilities and benefits of both on-premises as well as cloud DDoS protection. A hybrid DDoS solution protects a customer’s network infrastructure from the vast majority of small attacks with on-prem or on-network appliances but utilizes the scale and the capacity of a cloud scrubbing center as a backup for large volumetric attacks.
• Cloud Signaling. Cloud signaling is an industry term indicating that on-prem appliances automatically transfer attack footprint, signature, and other relevant information to the cloud scrubbing centers when such a redirection becomes necessary to optimally protect a customer’s network assets and infrastructure from a DDoS attack.

Benefits of a DDoS mitigation service

During mitigation, your DDoS protection provider will deploy a sequence of countermeasures aimed at stopping and diminishing the impact of a distributed denial-of-service attack. As modern attacks become more advanced, cloud-based DDoS mitigation protection helps to provide defense-in-depth security at scale, keeping back-end infrastructure and internet-facing services available and performing in an optimal manner.

Through DDoS attack protection services, organizations can:

• Reduce the attack surface and business risk associated with DDoS attacks
• Prevent business-impacting downtime
• Guard against web pages going offline
• Increase speed to respond to a DDoS event and optimize incident response resources
• Shorten the time to understand and investigate a service disruption
• Prevent loss of employee productivity
• More quickly deploy countermeasures to defend against a DDoS attack
• Prevent damage to brand reputation and bottom line
• Maintain application uptime and performance across digital estates
• Minimize costs associated with web security
• Defend against extortion, ransomware, and other new evolving threats

Akamai provides in-depth DDoS defense and mitigation services through a transparent mesh of dedicated edge, distributed DNS, and cloud scrubbing defenses. These purpose-built cloud services are designed to strengthen DDoS and network security postures while reducing attack surfaces, improving the quality of mitigation and reducing false positives while increasing resiliency against the largest and most complex attacks. Moreover, the solutions can be fine-tuned to the specific requirements of your web applications and internet-based services.

• Edge defense with App & API Protector. Akamai App & API Protector brings together web application firewall, bot mitigation, API security, and Layer 7 DDoS protection into a single solution. It quickly identifies vulnerabilities and mitigates threats across your entire web and API estates — even for the most complex distributed architectures. Recognized as the leading attack detection solution on the market, App & API Protector is easy to implement and use. It delivers automatic updates for security protections and provides holistic visibility into traffic and attacks.
• DNS defense with Edge DNS. Akamai’s authoritative DNS service, Edge DNS, also filters traffic at the edge. Unlike other DNS solutions, Akamai specifically architected Edge DNS for availability and resiliency against DDoS attacks. Edge DNS delivers superior performance, with architectural redundancies at multiple levels, including nameservers, points of presence, networks, and even segmented IP anycast clouds.
• Comprehensive DDoS protection with Prolexic. Akamai Prolexic comes in three options — on-prem, cloud, and hybrid — and offers comprehensive DDoS protection to a customer’s data centers and hybrid infrastructures, across all ports and protocols. Prolexic cloud DDoS protection — whether as a stand-alone solution or as a hybrid backup to Prolexic On-Prem — is powered by more than 36 cloud scrubbing centers in 32 global metropolitan centers, offering more than 20 Tbps of dedicated DDoS defense. This capacity is designed to keep internet-facing assets available — a cornerstone of any information security program. As a fully managed service, Prolexic can build both positive and negative security models. The service combines automated defenses with expert mitigation from Akamai’s global team of 225+ frontline SOCC responders. Prolexic also offers an industry-leading zero-second mitigation SLA via proactive defensive controls to keep data center infrastructure and internet-based services protected and highly available.

• What Is DoS Protection?
• What Is an ICMP Flood Attack?
• What Is a Memcached DDoS Attack?
• What Are SYN Flood DDoS Attacks?
• What Is a Slowloris DDoS Attack?
• What Is a UDP Flood DDoS Attack?
• What Is an Application-Layer DDoS Attack?
• What Is a DNS Amplification Attack?
• What Is a SSDP DDoS Attack?
• What Is a CLDAP Reflection DDoS attack?