Types of DDoS Attacks

Over the past two decades, many businesses and governments have grown increasingly concerned about the spread of different types of DDoS attacks. First reported in 1996, distributed denial-of-service (DDoS) attacks are a range of devastating and ever-evolving cyber threats that disrupt electronic networks by flooding them with traffic they can’t handle.

DDoS attacks can be used by hacktivists to demonstrate their protest against Internet censorship and other controversial initiatives. It also opens up various avenues for hackers to pursue nefarious goals. The latest twist in the DDoS epidemic is “Ransom DDoS,” which is a platform that enables hackers to extort money for organizations in return for stopping a large-scale incursion.

DDoS is a complex phenomenon that can make it difficult to defeat because of its heterogeneous nature and many tactics.

There are three fundamental categories of DDoS attacks that make up the core of this ecosystem:

Volumetric DDoS Attack

Volumetric attacks constitute the most common type of DDoS attack. Although they produce a large amount of traffic, sometimes exceeding 100 Gbps, the hackers don’t have to generate much of it. This makes volumetric attacks one of the easiest kinds of DDoS attacks, as you can use a small amount of attack traffic via a spoofed IP address to generate gigabits.

Mirror-based volumetric attacks are used to target services. They send legitimate requests using spoofed IP addresses to a DNS and NTP server. When DNS servers or NTP servers respond, they reply to legitimate requests. This is often the spoofed IP address. In such an instance, the attack targets the spoofed URL address, which is then bombarded in the amplified data stream.

Protocol-Based DDoS Attack

Protocol attacks are designed to exploit a weakness in Layer 3 and Layer 4 of the OSI layers. TCP Syn Flood is the most well-known protocol attack. This involves sending a series of TCP SYN commands to a target, which can overwhelm it and render it unresponsive. Apart from being an attack on applications, the recent Dyn outage also included TCP Syn flooding port 53 of Dyn’s servers. Ultimately, protocol attacks are aimed at exhausting server resources or firewall resources.

Application-Based DDoS Attack

DDoS attacks against applications are the most difficult to detect and, in some cases, even mitigate. Application layer attacks are the most sophisticated, stealthiest attacks because they can generate traffic at a low rate with only one attacker machine. These attacks are difficult to detect using traditional flow-based monitoring systems.

Hackers who use application layer attacks have deep knowledge about the protocols and applications involved. Attack traffic targeting application layers is often legitimate. It involves activating a back-end process that hogs resources and makes them unavailable, making such attacks more difficult to prevent.

Recently, NS1, a cloud-based DNS service provider, suffered a DDoS attack against their anycast DNS infrastructure. Some of the most well-known websites, such as Yelp, were affected by the attack. NS1 confirmed the attack and said it was a combination of volumetric and application layer attacks that included malformed packet attacks and malicious direct DNS queries. The attackers attacked NS1’s infrastructure and their hosting provider, causing their website to be down.

Aside from these three categories mentioned above, DDoS attacks are classified into dozens of sub-categories that fall under any of the three main categories and show some unique characteristics.


Here are some more examples of modern types of DDoS attacks:

SYN Flood DDoS Attack

This attack exploits TCP’s three-way handshake and is used to establish any connection between clients, hosts, and servers using TCP protocol. A client normally sends a SYN (synchronize) message to the host to request a connection.

A SYN flood attack involves sending a multitude of messages from a spoofed address. The result is that the receiving server can’t process or store as many SYN files and denies service to clients.

LAND DDoS Attack

To carry out a Local Area Network Denial Attack (LAND), a threat actor sends a fabricated SYN mail in which the destination and source IP addresses are the same. When the target server attempts to respond to this message, it creates recurrent replies to itself. This causes an error scenario that can eventually lead to the target host being unable to respond.

SYN-ACK Flood DDoS Attack

This attack vector exploits the TCP communication stage, where the server generates a SYN-ACK packet to acknowledge the client’s request. Crooks flood the RAM and CPU of the target server with a slew of rogue SYNACK packets to execute these DDoS attacks.

ACK & PUSH ACK Flood DDoS Attack

Once the TCP three-way handshake has established a connection, ACK and PUSH ACK packets can be sent back to back until the session is over. A target server that undergoes these DDoS attacks cannot identify where the falsified packets originated and thus wastes its processing resources trying to determine how it should handle them.

Fragmented ACK Flood Attack

This type of DDoS attack is a knockoff of the ACK & PUSH ACK Flood technique. They’re simple DDoS attacks that deluge a target computer network with a limited number of fragmented ACK packets. Each ACK packet has a maximum size of 1500 bytes. It is a common problem for routers and other network equipment to try to reassemble these fragmented packets. Intrusion prevention systems (IPS) can detect fragmented packets and block them from reaching their firewalls.

Spoofed Session Flood (Fake Session Attack)

Cybercriminals can use bogus SYN packets to bypass network protection tools. They also submit multiple ACK packets and at least one RST or FIN packet. This allows criminals to bypass defences that focus on incoming traffic and not return traffic analysis.

UDP Flood Attack

These DDoS attacks exploit multiple User Datagram Protocol (UDP) packets. UDP connections don’t have a handshaking mechanism like TCP, and so the options for IP address verification are limited. The volume of dummy traffic generated by this exploitation exceeds the maximum server capacity to process and respond to requests.

DNS Flood Attack

This is a variant on UDP Flood, and it’s one that specifically targets DNS servers. This malefactor creates fake DNS request packets that look legitimate and appear to be coming from many different IP addresses. DNS Flood is one the most difficult denial of service DDoS raids to detect and recover from.

VoIP Flood Attack

This DDoS attack is one of the most prevalent types of DDoS attacks, and it targets a Voice over Internet Protocol(VoIP) server. A multitude of fraudulent VoIP requests is sent from many IP addresses to drain the resources of the target server and knock it down.

NTP Flood Attack

Network Time Protocol (NTP), a networking protocol that has been around since the beginning and is responsible for clock synchronization between electronic devices, is the key to another DDoS attack vector. The goal is to overload the target network with UDP packets by using publicly accessible NTP Servers.

CHARGEN Flood Attack

Similar to NTP, the Character Generator Protocol, or CHARGEN, is an older version of NTP. It was developed in the 1980s. Despite this, it’s still being used on certain connected devices like printers and photocopiers. It involves sending small packets containing a victim server’s fabricated IP to devices with the CHARGEN protocol enabled. The Internet-facing devices send UDP flood packets to the victim server in response. This floods the server with redundant data.

SSDP Flood Attack

By executing Simple Service Discovery Protocol (SSDP) reflection-based DDoS attacks on networked devices running Universal Plug and Play services (UPnP), malefactors can exploit these devices. Small UDP packets, which contain fake IP addresses, are sent to multiple UPnP-capable devices by the attacker. The server becomes overwhelmed by these requests until it is forced to shut down.

HTTP Flood Attack

In these types of DDoS attacks, an attacker sends ostensibly legitimate GET/POST requests to a server or web app, siphoning off most or all of the resources. This technique involves botnets made up of “zombie computers” that have been previously infected by malware.

Are you prepared for these types of DDoS attacks? Get advanced DDoS protection for your website without switching hosts now.