Attack Types

Introduction

Different types of DDoS attacks target various network layers and services. This page explains the most common attack types, the legitimate uses of the protocols they abuse, and how attackers exploit them.

DDoS attacks abuse different protocols to overwhelm a server and cause disruption. Below, we break down the most common attack types, the legitimate use of the protocols they abuse, their default ports, the OSI layer they affect, and why attackers commonly use them.

Layer 3

Protocols on layer 3 do not use ports.

ICMP

  • Explanation: ICMP (Internet Control Message Protocol) is used for network diagnostics (ping and traceroute).

  • Attack Method: Attackers flood the victim with ICMP echo requests (pings), overwhelming its bandwidth.

  • Why Attackers Use It: ICMP is lightweight and has a large amplification factor, so a flood quickly consumes a lot of bandwidth.

GRE

  • Explanation: GRE (Generic Routing Encapsulation) is used for tunneling network traffic between locations (e.g. remote DDoS protection).

  • Attack Method: Attackers flood a server with GRE traffic.

  • Why Attackers Use It: By default, many firewalls do not inspect or filter GRE traffic, making the flood harder to notice.

Layer 4 - TCP

The following TCP attacks are generic, hence no default port is specified; they can target any port.

These attacks are typically aimed at an open TCP port to maximize their effectiveness.

SYN

  • Explanation: TCP establishes reliable connections via a three-way handshake (SYN, SYN-ACK, ACK).

  • Attack Method: Attackers send a massive number of SYN requests but never complete the handshake, exhausting server resources.

  • Why Attackers Use It: SYN packets are small, expected by every TCP service and easy to generate, making this attack efficient.
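To show what the incomplete handshake looks like from the server side, here is an added example (not code from this page or its author) that tracks handshake state per connection over a constructed packet stream and reports servers with an abnormal half-open backlog; the addresses, ports and threshold are constructed values.

```python
# Added example, not from the original page: a minimal half-open connection
# tracker that flags a SYN flood in a constructed stream of TCP flag events.
from collections import defaultdict

SERVER = "203.0.113.5"  # constructed victim address

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, flags).
# Three clients complete the handshake; twenty spoofed sources send a SYN,
# receive the SYN-ACK and never send the final ACK.
SAMPLE_PACKETS = []
for i, ip in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
    SAMPLE_PACKETS += [
        (ip, 40000 + i, SERVER, 443, "S"),    # client SYN
        (SERVER, 443, ip, 40000 + i, "SA"),   # server SYN-ACK
        (ip, 40000 + i, SERVER, 443, "A"),    # client ACK, connection open
    ]
for i in range(20):
    src = f"192.0.2.{i + 1}"
    SAMPLE_PACKETS.append((src, 50000 + i, SERVER, 443, "S"))
    SAMPLE_PACKETS.append((SERVER, 443, src, 50000 + i, "SA"))  # no ACK follows

def half_open_connections(packets):
    """Return {(server_ip, port): connections still waiting for the final ACK}."""
    state = {}  # keyed from the client's side: (client, cport, server, sport)
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "SA":
            key = (dst, dport, src, sport)  # reply travels server -> client
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "open"
    backlog = defaultdict(int)
    for (_, _, server, port), st in state.items():
        if st != "open":
            backlog[(server, port)] += 1
    return dict(backlog)

def syn_flood_suspects(packets, threshold=10):
    """Servers whose half-open backlog exceeds the threshold (constructed value)."""
    return {k: v for k, v in half_open_connections(packets).items() if v > threshold}

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_PACKETS))  # {('203.0.113.5', 443): 20}
```

In production the same count is read from the kernel's listen backlog (for example the SYN_RECV state in a connection table) rather than from raw packets, but the logic is the same: many connections stuck before the final ACK.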

ACK

  • Explanation: ACK packets acknowledge received data on an established TCP connection.

  • Attack Method: Attackers flood the target with ACK packets, forcing the server to process each one and exhausting CPU resources.

  • Why Attackers Use It: Many firewalls are not optimized to handle high-volume ACK floods without additional configuration.

TCP Amplification

  • Explanation: Some TCP services respond with larger packets than they receive.

  • Attack Method: Attackers send small TCP requests that trigger large responses, amplifying bandwidth usage.

  • Why Attackers Use It: It multiplies attack power with minimal effort.

TCP Reflection

  • Explanation: TCP reflection uses spoofed source IPs to make third-party servers respond to the victim instead of the attacker.

  • Attack Method: Attackers send crafted requests to multiple servers, which then reflect responses to the victim.

  • Why Attackers Use It: Attackers amplify their impact by using third-party servers.

TCP Fragmentation

  • Explanation: TCP fragmentation allows large packets to be broken into smaller fragments for transport.

  • Attack Method: Attackers send fragmented TCP packets, consuming CPU resources during reassembly.

  • Why Attackers Use It: It overloads the server's packet reassembly process.

Layer 4 - UDP

A default port does not mean that the protocol can't be used on any other port; these are simply the defaults.

DNS Amplification

  • Explanation: DNS (Domain Name System) translates domain names to IP addresses.

  • Default Port: 53

  • Attack Method: Attackers send small spoofed DNS queries to open resolvers, which return large responses to the victim.

  • Why Attackers Use It: Huge amplification ratio (small request, large response that gets sent to the victim).

NTP Amplification

  • Explanation: NTP (Network Time Protocol) synchronizes clocks between servers.

  • Default Port: 123

  • Attack Method: Attackers abuse monlist, an NTP command that returns a large list of past connections.

  • Why Attackers Use It: Attackers can amplify their traffic by 200x or more.

SNMP Amplification

  • Explanation: SNMP (Simple Network Management Protocol) is used for monitoring network devices.

  • Default Port: 161

  • Attack Method: Attackers send spoofed SNMP requests, causing large responses to be sent to the victim.

  • Why Attackers Use It: Commonly exposed on poorly secured networks.

RakNet

  • Explanation: RakNet is a UDP-based networking framework used in Minecraft: Bedrock Edition and many other games.

  • Default Port: Depends on the game; 19132 for Minecraft: Bedrock Edition.

  • Attack Method: Attackers flood the server with RakNet requests, overloading the game server.

  • Why Attackers Use It: Many servers don't have built-in DDoS protection for RakNet traffic.

UDP Amplification

  • Explanation: UDP (User Datagram Protocol) is a connectionless protocol used for real-time applications.

  • Default Port: Varies by amplification service.

  • Attack Method: Attackers send spoofed UDP requests to servers that respond with much larger replies.

  • Why Attackers Use It: Massive amplification with minimal traffic.

UDP Fragmentation

  • Explanation: Similar to TCP fragmentation, UDP packets can be split and reassembled.

  • Default Port: Any UDP port.

  • Attack Method: Attackers send fragmented UDP packets, forcing the server to waste CPU power reassembling them.

  • Why Attackers Use It: It overwhelms CPU resources instead of bandwidth.
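The DNS, NTP and SNMP entries above share one pattern: replies from a well-known UDP port arrive at a host that never sent a request, and each reply is far larger than the query it answers. As an added example (not code from this page or its author), the following Python finds such unsolicited replies in constructed flow records, grouped by service, and computes the response-to-request byte ratio for exchanges where both directions were seen; all addresses and byte counts are constructed.

```python
# Added example, not from the original page: find reflected UDP amplification
# traffic in constructed flow records and measure the observed amplification.
from collections import defaultdict

# Source ports of the amplification services covered on this page.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}
VICTIM = "203.0.113.5"  # constructed address of the protected host

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, bytes).
# Byte counts are illustrative only. The first pair is a real DNS lookup by the
# host; the rest are replies from servers the host never queried.
SAMPLE_FLOWS = [
    (VICTIM, 51000, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, VICTIM, 51000, 240),
    ("192.0.2.10", 53, VICTIM, 40001, 3000),
    ("192.0.2.11", 123, VICTIM, 40001, 4500),
    ("192.0.2.12", 161, VICTIM, 40001, 2800),
    ("192.0.2.13", 53, VICTIM, 40001, 3100),
]

def unsolicited_amplifier_traffic(flows):
    """Return {victim: {service: bytes}} for replies from amplification ports
    that no outbound request from the victim explains (i.e. reflected traffic)."""
    requested = {(src, dst, dport) for src, _, dst, dport, _ in flows}
    suspect = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, _, nbytes in flows:
        if sport in AMPLIFIER_PORTS and (dst, src, sport) not in requested:
            suspect[dst][AMPLIFIER_PORTS[sport]] += nbytes
    return {victim: dict(per_service) for victim, per_service in suspect.items()}

def observed_amplification(flows):
    """Response-to-request byte ratio per (server, port) for exchanges where
    both directions were seen; a high ratio means the service is usable as an
    amplifier and should be rate-limited or closed to the Internet."""
    requests = {}
    for src, sport, dst, dport, nbytes in flows:
        if dport in AMPLIFIER_PORTS:
            requests[(dst, dport, src, sport)] = nbytes
    ratios = {}
    for src, sport, dst, dport, nbytes in flows:
        if (src, sport, dst, dport) in requests:
            ratios[(src, sport)] = nbytes / requests[(src, sport, dst, dport)]
    return ratios

if __name__ == "__main__":
    print(unsolicited_amplifier_traffic(SAMPLE_FLOWS))
    print(observed_amplification(SAMPLE_FLOWS))  # {('198.51.100.53', 53): 4.0}
```

The legitimate resolver reply is not flagged because the matching outbound query was seen; on a real network the same check is run over NetFlow/sFlow records, and ingress filtering (dropping source ports 53/123/161 from unknown hosts) is the usual mitigation.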

Layer 7

HTTP & HTTPS

  • Explanation: HTTP(S) is used for website communication.

  • Default Port: 80 (HTTP), 443 (HTTPS)

  • Attack Method: Attackers send floods of bogus HTTP requests, overwhelming the server's processing power.

  • Why Attackers Use It: Harder to notice and block without the right knowledge and tooling, because the traffic looks like real users.
