
Types of Distributed Denial of Service (DDoS) Attacks

  • Samaneh Mahdavifar
  • published date: 2021-04-19 15:34:56

The goal of Distributed Denial of Service (DDoS) attacks is to disrupt the normal traffic of a target network/server by overloading the target with a large volume of malicious traffic. In this blog, we provide descriptions of a wide variety of DDoS attacks categorized into two broad groups of reflection-based and exploitation-based attacks.

A Distributed Denial of Service (DDoS) attack is one of the most prevalent network attacks: it exhausts the available resources and bandwidth of a target system with malicious traffic. A DDoS attack is usually executed by bots, infected devices controlled by a botnet owner (the botmaster), who commands the compromised nodes to carry out malicious activity. The goal is to interrupt the legitimate services running on the victim machine. Several taxonomies exist for classifying DDoS attacks; a popular one divides them into reflection-based and exploitation-based attacks, both of which can be carried out over TCP or UDP through application-layer protocols.

In reflection-based attacks, the attacker sends a large number of packets, spoofed with the target's IP address, to third parties such as reflector servers or amplifiers, which then overwhelm the victim with their responses. Using intermediaries also conceals the attacker's identity. Each reflector sends its response packets to the victim, so the victim's computational and network resources are overloaded and it can no longer serve legitimate users. The most popular reflection-based attacks are as follows:

Microsoft SQL (MSSQL)

The attacker abuses the Microsoft SQL Server Resolution Protocol (MC-SQLR), which listens on UDP port 1434. Microsoft SQL Server responds to the spoofed IP of the victim with an amplification factor of 25.

Simple Service Discovery Protocol (SSDP)

SSDP is an IP-based protocol used to discover network services, including Universal Plug and Play (UPnP) devices. The attacker sends a SOAP request, spoofed with the victim's source IP, to a UPnP device exposed on the Internet. Consequently, the device sends an amplified response to the victim.

Character Generator (CharGen)

CharGen is an old protocol designed for debugging, testing, and measurement purposes. An attacker can send small spoofed packets to Internet-connected devices that run CharGen by default, such as printers and copiers. The response packets then arrive at the target as a UDP flood from port 19, exhausting its resources.

Network Time Protocol (NTP)

NTP is a protocol used to synchronize the clocks of the computer systems within a network. To exploit NTP servers, an attacker sends monlist requests to an NTP server, which responds with the last 600 source IP addresses that connected to it. The small initial request is thus multiplied into a large response that floods the victim machine.

Trivial File Transfer Protocol (TFTP)

TFTP is a simple file-transfer protocol that generally runs on top of UDP. The attacker abuses a flaw in the handling of Read Requests (RRQ), which ask to download a file from a TFTP server. The request triggers a large response together with retransmissions and error codes, which results in an amplified response at the target.

Domain Name System (DNS)

DNS is a hierarchical naming protocol that translates domain names into the Internet Protocol (IP) addresses needed to uniquely identify computers and services on the Internet. In a DNS amplification attack, the attacker sends DNS name lookup queries to open DNS resolvers with the source IP spoofed to the victim's address, so every DNS response is delivered to the victim. The attack is usually conducted over UDP and exploits the fact that a DNS response can be much larger than the query that produced it.

Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol designed to interact with directory services such as Microsoft's Active Directory and is mainly used to authenticate clients or to store information about users, groups, and applications. The attacker sends requests spoofed with the victim's IP to LDAP servers, which send amplified replies to the victim. This attack can reach amplification factors of roughly 55 over UDP and 70 over TCP.

Network Basic Input/Output System (NetBIOS)

NetBIOS enables communication between applications running on different computers over a local area network (LAN). An attacker can forge the source IP and send a broadcast query that asks for the names of the other computers on the network; as a result, all of those computers flood the victim with their responses. The amplification factor of the NetBIOS attack is 2 to 4.

Simple Network Management Protocol (SNMP)

SNMP is a protocol for collecting and organizing information about devices on IP networks. The attacker first identifies a range of vulnerable devices by port scanning and then sends spoofed SNMP requests, such as GetBulkRequest, to the vulnerable SNMP servers. The server responds with an amplification factor between 3 and 7.

Portmap

Portmap, also known as rpcbind or portmapper, is a service that maps Open Network Computing Remote Procedure Call (ONC RPC) program numbers to network port numbers. Although portmapper listens on port 111 over both TCP and UDP, the attacker usually uses the UDP port to send IP-spoofed requests to the server. The small requests forwarded to portmapper are amplified by a factor of 7 to 28.
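The reflection attacks above share one network-level signature a defender can look for: the victim receives UDP responses from a reflector service port (NTP, DNS, SSDP, and so on) that it never sent a request for, from many distinct reflectors at once. The following is an added example, not code from the original post or its author, that applies this check to simplified NetFlow-style records; the record layout, the thresholds, and all sample flows are constructed for illustration.

```python
"""Heuristic detector for reflection/amplification traffic in flow records.

Each flow is a unidirectional record with src/dst IP, protocol, ports and
byte count, roughly what a NetFlow/IPFIX export provides. The sample flows
below are constructed for this example.
"""
from collections import defaultdict

# UDP service ports of the reflector protocols discussed in the post.
# Caveat: a TFTP server answers from a fresh ephemeral port (RFC 1350),
# so matching on source port 69 will miss TFTP reflection.
REFLECTOR_PORTS = {
    1434: "MSSQL (MC-SQLR)",
    1900: "SSDP",
    19: "CharGen",
    123: "NTP",
    69: "TFTP",
    53: "DNS",
    389: "LDAP",
    137: "NetBIOS name service",
    161: "SNMP",
    111: "Portmap",
}


def detect_reflection(flows, min_reflectors=3, min_bytes=50_000):
    """Return {(victim_ip, service): (distinct_reflectors, total_bytes)}.

    A host is flagged when it receives UDP traffic *from* a reflector port
    that it never solicited, from at least `min_reflectors` distinct hosts
    and totalling at least `min_bytes`. Thresholds are assumptions.
    """
    # Requests the monitored hosts genuinely sent: (client, server, dport).
    solicited = {(f["src"], f["dst"], f["dport"])
                 for f in flows if f["proto"] == "udp"}

    per_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        # A real response matches a request from the receiver; a reflected
        # one does not, because the attacker spoofed the request instead.
        if (f["dst"], f["src"], f["sport"]) in solicited:
            continue
        key = (f["dst"], REFLECTOR_PORTS[f["sport"]])
        per_victim[key][0].add(f["src"])
        per_victim[key][1] += f["bytes"]

    return {k: (len(v[0]), v[1]) for k, v in per_victim.items()
            if len(v[0]) >= min_reflectors and v[1] >= min_bytes}


# Constructed sample: five NTP reflectors answer 203.0.113.10, which never
# sent them anything; 203.0.113.20 does a normal DNS lookup and also gets one
# stray SSDP reply that stays under the reflector-count threshold.
SAMPLE_FLOWS = [
    {"src": f"198.51.100.{i}", "dst": "203.0.113.10", "proto": "udp",
     "sport": 123, "dport": 40000 + i, "bytes": 40_000}
    for i in range(1, 6)
] + [
    {"src": "203.0.113.20", "dst": "198.51.100.53", "proto": "udp",
     "sport": 51000, "dport": 53, "bytes": 70},
    {"src": "198.51.100.53", "dst": "203.0.113.20", "proto": "udp",
     "sport": 53, "dport": 51000, "bytes": 180},
    {"src": "198.51.100.99", "dst": "203.0.113.20", "proto": "udp",
     "sport": 1900, "dport": 60000, "bytes": 400},
]

if __name__ == "__main__":
    for (victim, service), (n, total) in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: unsolicited {service} responses from {n} hosts, {total} bytes")
```

The "unsolicited response" test is what separates reflection from an ordinary burst of DNS or NTP replies: a legitimate client always has the outbound request on record, whereas a spoofed one leaves the victim with responses and no matching requests. In practice the flow export must cover both directions for this to hold.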

Exploitation-based attacks abuse a weakness or vulnerability in a protocol itself, such as TCP's need to wait for the final ACK of the handshake, which the Synchronization (SYN) flood exploits. As with reflection attacks, the goal is to interrupt the legitimate services running on the victim machine. TCP-based exploitation attacks include the SYN flood, whereas UDP-based attacks include the UDP flood and UDP-Lag.

Synchronization (SYN) Flood

The SYN flood is the most common type of DDoS attack; it exploits the TCP three-way handshake to consume server resources. The attacker sends spoofed SYN requests to the target server. The server replies to each with an acknowledgment (SYN-ACK) and keeps the half-open connection waiting for a response from a client that does not exist. These half-open connections tie up the server's resources and lead to crashes or malfunction.

UDP Flood

In a UDP flood, UDP packets are generated in bulk and sent to random ports on the target host. For each packet the server checks whether an application is listening on that port and, finding none, replies with an Internet Control Message Protocol (ICMP) destination unreachable packet. As a result, the network bandwidth is exhausted and is no longer available to legitimate users.
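Both exploitation floods described above leave a measurable trace on the server side: a SYN flood accumulates handshakes that stop at SYN-ACK, and a UDP flood makes the server emit ICMP port-unreachable messages at a rate no normal client would trigger. The following added example, not code from the original post or its author, tracks both symptoms over a stream of packet summaries; the record format, thresholds and the sample packets are constructed for illustration.

```python
"""Server-side symptom counters for SYN floods and UDP floods.

Each packet summary is a dict with ts, src, dst, proto and, for TCP, the
flags as a short string ("S", "SA", "A"); ICMP packets carry type/code.
All sample packets below are constructed for this example.
"""
from collections import Counter


def half_open_connections(packets):
    """Per-server count of TCP handshakes that reached SYN-ACK but never
    received the client's final ACK, the condition a SYN flood creates."""
    state = {}  # (client, server, sport, dport) -> handshake stage
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if p["flags"] == "S":
            state[(p["src"], p["dst"], p["sport"], p["dport"])] = "syn"
        elif p["flags"] == "SA":
            # The SYN-ACK travels server->client, so swap to the client's key.
            key = (p["dst"], p["src"], p["dport"], p["sport"])
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p["flags"] == "A":
            key = (p["src"], p["dst"], p["sport"], p["dport"])
            if state.get(key) == "synack":
                state[key] = "established"
    half_open = Counter()
    for (_, server, _, _), stage in state.items():
        if stage == "synack":
            half_open[server] += 1
    return half_open


def icmp_unreachable_peak(packets, window=1.0):
    """Per-source peak number of ICMP port-unreachable (type 3, code 3)
    messages within any `window`-second bucket. A server answering a UDP
    flood to closed ports is the usual emitter."""
    buckets = Counter()
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 3:
            buckets[(p["src"], int(p["ts"] // window))] += 1
    peak = Counter()
    for (src, _), n in buckets.items():
        peak[src] = max(peak[src], n)
    return peak


def flood_alerts(packets, syn_threshold=100, icmp_threshold=50):
    """Combine both counters into a list of (server, symptom) alerts."""
    alerts = []
    for server, n in half_open_connections(packets).items():
        if n >= syn_threshold:
            alerts.append((server, f"{n} half-open connections"))
    for server, n in icmp_unreachable_peak(packets).items():
        if n >= icmp_threshold:
            alerts.append((server, f"{n} ICMP port-unreachable/s"))
    return alerts


SERVER = "203.0.113.5"
SAMPLE_PACKETS = []
# 200 spoofed SYNs from distinct sources; the server answers, nobody ACKs.
for i in range(200):
    src, sport = f"198.51.100.{i % 250 + 1}", 10000 + i
    SAMPLE_PACKETS.append({"ts": 0.001 * i, "src": src, "dst": SERVER,
                           "proto": "tcp", "sport": sport, "dport": 443, "flags": "S"})
    SAMPLE_PACKETS.append({"ts": 0.001 * i + 0.0005, "src": SERVER, "dst": src,
                           "proto": "tcp", "sport": 443, "dport": sport, "flags": "SA"})
# One legitimate client completes its handshake.
for flags, a, b, pa, pb in (("S", "192.0.2.10", SERVER, 55000, 443),
                            ("SA", SERVER, "192.0.2.10", 443, 55000),
                            ("A", "192.0.2.10", SERVER, 55000, 443)):
    SAMPLE_PACKETS.append({"ts": 0.3, "src": a, "dst": b, "proto": "tcp",
                           "sport": pa, "dport": pb, "flags": flags})
# 150 UDP packets to random-looking closed ports within half a second, each
# answered by an ICMP port-unreachable from the server.
for i in range(150):
    SAMPLE_PACKETS.append({"ts": 1.0 + 0.003 * i, "src": "198.51.100.7", "dst": SERVER,
                           "proto": "udp", "sport": 40000, "dport": 20000 + 7 * i})
    SAMPLE_PACKETS.append({"ts": 1.0 + 0.003 * i + 0.0001, "src": SERVER,
                           "dst": "198.51.100.7", "proto": "icmp", "type": 3, "code": 3})

if __name__ == "__main__":
    for server, symptom in flood_alerts(SAMPLE_PACKETS):
        print(f"{server}: {symptom}")
```

The half-open counter is the same quantity a kernel's SYN backlog tracks, which is why SYN-cookie style mitigations target exactly this stage; the ICMP counter, in turn, is worth rate-limiting on the server itself, since the unreachable replies consume bandwidth the attacker did not have to spend.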

UDP-Lag

The UDP-lag attack aims to disrupt the connection between a client and a server. It is increasingly used by online gaming cheaters to interfere with other players' sessions. The attack can be carried out with either a hardware switch or a software program that hogs the bandwidth of the other users.

The DDoS attack types described above closely resemble one another, so telling them apart is a difficult classification task with complex decision boundaries. Deep learning models are composed of multiple processing layers that learn representations of the data at several levels of abstraction, which makes them suitable for complex problems such as DDoS attack classification.

#Distributed Denial of Service attack #DDoS attack #Botnet #Bots #TCP protocol #UDP protocol #Reflection-based attacks #Exploitation-based attacks #Amplifiers #Reflectors #DDoS attack classification