
DDoS Attack

Updated on Apr 12, 2024

What Is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack is a malicious tactic that floods one or more targets with an overwhelming volume of Internet traffic, exhausting the target's network resources. As a result, the target system can no longer connect to networks or deliver its usual services. DDoS attacks are typically classified into three types by the layer they target: network-layer attacks, transport-layer attacks, and application-layer attacks. Attackers often combine these methods, and the growing complexity of attacks keeps raising the level of threat. The consequences for a targeted organization can be severe: substantial economic and brand damage, along with the potential theft of critical service data. For this reason, DDoS defense systems are deployed widely across industries to detect and mitigate the effects of such attacks on normal service operations.

DDoS Attack Types

Based on the targeted network layers, DDoS attacks can be categorized into three types: network-layer attacks, transport-layer attacks, and application-layer attacks.

Network-Layer Attacks

The network layer is responsible for routing and forwarding data packets between networks. DDoS attacks at this layer aim to exhaust network bandwidth. Typical subtypes include ICMP flood, ARP flood, and IP fragmentation attacks.

- ICMP Flood Attack

The Internet Control Message Protocol (ICMP) is part of the TCP/IP protocol suite and carries control messages between IP hosts and routers. Because every host must process, and often answer, these messages, ICMP is easy to abuse. By flooding the target system or network with ICMP packets, attackers force the target host to spend significant CPU time handling and replying to them, until device resources are drained and the device can no longer serve legitimate users.

- ARP Flood Attack

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses. An ARP request is broadcast, so every device on the same network segment receives it. Attackers exploit this by flooding the segment with a high volume of ARP requests, so that unnecessary broadcast traffic saturates limited network resources and congests the network. ARP also has no authentication mechanism, so hosts cache any ARP reply they receive in their ARP table. That weakness enables ARP spoofing, in which attackers send forged replies to manipulate the associations between IP and MAC addresses.

- IP Fragmentation Attack

IP fragmentation is an Internet Protocol (IP) process that splits a packet into smaller pieces (fragments) so they can cross a link whose maximum transmission unit (MTU) is smaller than the original packet. The receiving host reassembles the fragments. Fragmentation is routine on networks, but it can also be used in DDoS attacks: an attacker sends deliberately fragmented packets to the target system or network, which must hold and reassemble them. Reassembly consumes substantial memory and CPU, leading to resource exhaustion.

Transport-Layer Attacks

The transport layer manages data transfer between hosts, providing error checking and flow control. DDoS attacks at this layer aim to overwhelm target servers or network devices. Typical subtypes include SYN flood, ACK flood, and UDP flood attacks.

- SYN Flood Attack

The SYN flood, a classic DDoS attack, abuses the TCP three-way handshake. Attackers flood the server with TCP SYN packets from many source IP addresses or ports without completing the handshake, leaving the server with a large number of half-open connections. Once the resources reserved for those connections are depleted, the server cannot function normally.

- ACK Flood Attack

In an ACK flood attack, the attacker uses a botnet to flood the target with a large number of forged ACK packets, some carrying oversized payloads, causing link congestion. Alternatively, the attacker sends packets with constantly changing source IP addresses and ports at an extremely high packet rate to overload the forwarding device. Either way, the network breaks down or server performance degrades, and the target server can no longer deliver normal service.

- UDP Flood Attack

UDP flood attacks are commonly used for high-bandwidth DDoS attacks. Attackers use the stateless UDP protocol to bombard ports on the target host with UDP datagrams. When the receiving host finds no application listening on a port, it responds with an ICMP Destination Unreachable packet, so every datagram costs the host both processing and a reply. If the target is overwhelmed by this traffic, it becomes unresponsive and authorized users can no longer reach the system.
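The three transport-layer floods above leave different fingerprints on the receiving side: a SYN flood piles up half-open connections, an ACK flood delivers ACKs that match no connection, and a UDP flood hits ports with no listener. The Python below is an added example, not code from the original article: it counts those indicators over a constructed set of packet summaries and labels the window; the server address, the listening-port set and the thresholds are assumptions.

```python
from collections import defaultdict

SERVER = "198.51.100.10"   # assumption: address of the protected host
LISTENING_UDP = {53}       # assumption: its only UDP listener is DNS

def constructed_sample():
    """Constructed packet summaries, not a capture: '<epoch> <proto> <src:port> -> <dst:port> <flags>'."""
    t, lines = 1700000000.0, []
    for i in range(3):                       # 3 clients that finish the three-way handshake
        c = f"192.0.2.{i + 1}:5000{i}"
        lines += [f"{t} TCP {c} -> {SERVER}:443 S", f"{t + .01} TCP {SERVER}:443 -> {c} SA",
                  f"{t + .02} TCP {c} -> {SERVER}:443 A"]
    for i in range(40):                      # 40 spoofed sources: SYN sent, final ACK never comes
        lines.append(f"{t + .1} TCP 203.0.113.{i + 1}:40000 -> {SERVER}:443 S")
    for i in range(30):                      # 30 ACKs that belong to no handshake in progress
        lines.append(f"{t + .2} TCP 203.0.113.{i + 1}:41000 -> {SERVER}:80 A")
    for i in range(25):                      # 25 UDP datagrams aimed at a port with no listener
        lines.append(f"{t + .3} UDP 203.0.113.{i + 1}:1234 -> {SERVER}:9 -")
    return lines

def analyse(lines, server=SERVER):
    """Count the indicator behind each flood type for one window of traffic."""
    half_open, stats = set(), defaultdict(int)
    for line in lines:
        _, proto, src, _, dst, flags = line.split()
        dhost, _, dport = dst.rpartition(":")
        if dhost != server:                  # skip the server's own replies (SYN-ACK etc.)
            continue
        if proto == "UDP":
            if int(dport) not in LISTENING_UDP:
                stats["udp_to_closed_port"] += 1   # each one costs an ICMP unreachable reply
        elif flags == "S":
            half_open.add(src)               # SYN received, handshake not yet complete
        elif flags == "A" and src in half_open:
            half_open.discard(src)
            stats["completed"] += 1
        elif flags == "A":
            stats["orphan_ack"] += 1         # ACK that matches no connection
    return dict(stats, half_open=len(half_open))

def classify(stats, threshold=20):
    """Thresholds are assumptions to tune per site; the ratio test separates a flood from busy but healthy traffic."""
    labels = set()
    if stats.get("half_open", 0) >= threshold and stats["half_open"] > 5 * stats.get("completed", 0):
        labels.add("syn_flood")
    if stats.get("orphan_ack", 0) >= threshold:
        labels.add("ack_flood")
    if stats.get("udp_to_closed_port", 0) >= threshold:
        labels.add("udp_flood")
    return labels
```

A real deployment would feed `analyse` one fixed-length window at a time from a flow exporter or packet capture and alert when `classify` returns a non-empty set.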

Application-Layer Attacks

The application layer provides network application services such as email, web browsing, and file transfer. DDoS attacks at this layer seek to deny legitimate users access to applications. Common subtypes include DNS flood, HTTP flood, and CC attacks.

- DNS Flood Attack

The attacker directs a large number of zombie devices to send domain name queries at the target, disrupting DNS resolution. Websites, APIs, or web applications that depend on it can then no longer handle legitimate traffic, causing temporary interruptions or complete unavailability and preventing legitimate users from reaching specific resources.

- HTTP Flood Attack

HTTP GET attack: many devices coordinate to request images, files, or other assets from a target server. The flood of requests overwhelms the server and denies service to legitimate clients.

HTTP POST attack: attackers exploit the asymmetry between sending a POST request, which is cheap, and processing it, which may involve parsing form data and running database commands. They flood the targeted server with POST requests until its capacity is saturated, resulting in denial of service.

- CC Attack

CC (Challenge Collapsar) attacks primarily target web pages, that is, the server providing web page access. Attackers send a large number of seemingly valid requests to the victim server through proxy servers. The sustained influx keeps CPU usage at 100% for an extended period, so connections are never completed and the system eventually breaks down, ending normal access.
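Because each HTTP flood or CC request looks valid on its own, a common defense is to bound the request rate any single client can sustain while still allowing the short burst a real page load produces. The Python below is an added example, not from the original article: it applies a per-client token bucket to constructed request tuples; the rate and burst values are assumptions to tune per site.

```python
class ClientLimiter:
    """Token bucket per client: `burst` tokens absorb one page load's worth of asset requests,
    `rate` tokens per second caps what any client may sustain (both values are assumptions)."""

    def __init__(self, rate=2.0, burst=20):
        self.rate, self.burst = rate, burst
        self.buckets = {}                     # client -> (tokens, last_refill_epoch)

    def allow(self, client, now):
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last seen
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            return True
        self.buckets[client] = (tokens, now)                         # bucket empty: deny
        return False

def replay(limiter, requests):
    """Feed (epoch, client, path) tuples through the limiter; return allowed/denied per client."""
    result = {}
    for ts, client, _path in requests:
        key = "allowed" if limiter.allow(client, ts) else "denied"
        result.setdefault(client, {"allowed": 0, "denied": 0})[key] += 1
    return result

def constructed_requests():
    """Constructed access-log tuples, not real traffic."""
    t, reqs = 1700000000.0, []
    for page in (0, 30):                      # legitimate client: 15 assets per page load, two loads
        for i in range(15):
            reqs.append((t + page + i * 0.03, "192.0.2.10", f"/asset{i}.js"))
    for i in range(600):                      # proxy-fronted source: 10 valid-looking requests/s for 60 s
        reqs.append((t + i * 0.1, "203.0.113.7", "/search?q=x"))
    return sorted(reqs)
```

With the default settings the legitimate client's two bursts pass untouched, while the sustained source is cut to roughly the refill rate (about 2 requests per second) after its initial burst allowance is spent.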

DDoS Attack Landscape

According to the Global DDoS Attack Status and Trend Analysis in 2022, the current DDoS attack landscape has the following characteristics:

1. Volumetric attack traffic now ramps up within seconds, reaching unprecedented speeds and posing a significant challenge to the response time of defense systems.

Terabit-scale attacks are characterized by rapid flooding, the distinct hallmark of volumetric attacks. In 2021, peak attack traffic climbed to 800 Gbps to 1 Tbps within 20 seconds; in 2022, that time was halved to just 10 seconds.


2. Both network-layer and application-layer attacks persistently rely on the "fast flooding" tactic, and attack complexity keeps evolving.

Specifically, 57.40% of network-layer attacks and 40.49% of application-layer attacks lasted no more than 5 minutes. In 2022, SYN flood, ACK flood, UDP flood, UDP reflection, and TCP reflection attacks were the top 5 network-layer attack types. Over the past three years, the proportions of ACK flood and UDP flood attacks have risen consistently.


In 2022, as TLS adoption for securing HTTP traffic gradually increased, the proportion of HTTP flood attacks decreased compared with previous years. TLS-layer attacks remained active, however, and the proportion of TLS abnormal session attacks rose further.


3. Network-layer CC attacks keep evolving and present a growing threat, challenging the automation capabilities of defense systems.

In network-layer CC attacks, threat actors blend forged-source flood techniques with session-layer attack methods. These attacks are frequently aimed at HTTP and HTTPS ports because of their pronounced impact. Moreover, threat actors combine high-rate and low-rate streams, which significantly complicates defense.

From 2021 to 2022, network-layer CC attacks diversified into numerous variants, establishing themselves as some of the most challenging attacks to defend against on the internet.

4. Media and Internet, government and public utilities, education, finance, and healthcare are the top 5 industries targeted by attacks.

In 2022, the share of attacks against the education, healthcare, and government/public utilities sectors rose by 56.6 times, 8.6 times, and 3.6 times respectively compared with 2021. The Industrial Internet also emerged as a new target, with an 18-fold increase in attacks over 2021.
