Types of DDOS Attacks

We have outlined a list of the most common types of DDOS attacks that are seen across the internet.  They are broken down by which layer of the OSI model are being targeted.

Layer 7 Attacks


There is a DDOS toolkit called “itsoknoproblembro.”  This tool is used to launch the BroBot attack, which compromises the web servers and uses them as hosts for additional attacks.  It’s considered a blended attack as it uses a variety of signatures across many protocols like SYN, UDP, ICMP, SSL, in conjunction with DNS.

DNS ANY Query:

The DNS server is used as the middle-man in this type of attack, rather than the actual target.  The target is usually the web server.

An address or multiple addresses are forged in order to send a small amount of inbound traffic, which then sends a large volume of traffic at another resource.  This is a reflection and amplification attack.  Typically, publicly accessible and properly configured open DNS servers are used to send a massive amount of response traffic.  The ANY query is similar to requesting that all DNS zone information be sent.  Therefore, organizations with many hosts, usually in the thousands are targeted, so the attacker is able to orchestrate a large amount of traffic from a small request.

DNS Reflection Attack:

This is part of the DrDOS family (Distributed reflection Denial of Service), which includes the DNS ANY attack. However, a reflection attack does not require amplification to cause harm. Reflection will disguise the attackers address and if all compromised machines attack the same target, only a few are needed to cause enough harm. 

Filtering request sources can be used for mitigation, however, DNS AXFR (zone transfers) can be abused to orchestrate a reflected attack.

Dynamic HTTP Flood:

This attack is designed to target mitigation services to try and get around them.  It uses randomized URLs and alters the UserAgent string in order to trick the web server caches.  The HTTP Flood leverages static URLs which can work well for simulating denial of service caused by events with heavy load.

Dynamic HTTPS Flood:

This attack is a Dynamic HTTP Flood with SSL.

Extreme Bot Attack:

This attack is designed to bypass signature based mitigation systems.  Multiple items are varied in the attack, like the user agent, source address, etc…

HTTP Flood:

This is a flood attack, as it launches a massive number of sudden connections, attempting to overload a server and mitigation devices. This causes those devices to degrade and have trouble reacting quickly enough, therefore, causing failure because it’s using valid URLs.

A way to stop this is to use dynamic HTTP Flood with random URLs and user agent strings, which avoids caching on the web server


Even though this attack uses HTTP, it’s actually the opposite of a HTTP POST attack. Normal URLs are used to fetch images or documents, or in the attacker’s preference, information stored in a database. As part of the GET command, the idea is to grab large items that use up CPU and network resources such as images or marketing docs.

Often times these attacks are volume based and scripted to GET invalid or computed URLs to overload server resources.

HTTPS Flood:

This attack is an HTTP flood with SSL involved.

Similarly, you can use a dynamic HTTPS Flood with random URLs and UA strings to stop the web server from caching.

HULK (HTTP Unbearable Load King):

This attack is designed with exhaustion in mind rather than trying to sneak under the radar.  The connection attempts being sent are unique, and then fills the connection slots quickly to take down the server.

PHP Hash Collision:

This specific attack involves PHP, however, hash collision is used in other forms such as Java, ASP.net, Ruby, and Python.

They happen when the web language stores POST data in a hash while it figures out which array data structure the entry belongs to. If it sends multiple inbound requests that hash to the same value (or could be stored in the same array) then the language may occupy all of the CPU to compute the hash tables correctly, even when the hashes are only sent in one HTTP connection.

RUDY (R U Dead Yet?):

Similar to Slowloris, this attack tries to exhaust the resources on a target machine. It detects HTTP POST based forms on a web site and then slowly fills in data on the form to keep an open connection with the web server. This is repeated continuously until all the connection slots are consumed at the target.  When this occurs, all external communication to that server becomes unavailable.


A Slowloris attack takes advantage of the web server by opening repeated connections. It then proceeds to send partial requests on each connection in order to use up the available connection slots in the web server software.  By doing this, it’s preventing any further requests from being processed.

SSL Exhaustion:

All SSL exhaustion attacks attempt to consume SSL connection slots, with a large CPU and memory exhaustion.

SSL Hit and Run:

This form of attack is flood related.  The process of SSL data decryption has a high cost in CPU time. The hit and run method connects and starts the SSL handshake but then disconnects and reconnects repeatedly, often before the handshake has completed.

SSL Regeneration:

Also called the SSL Handshake Attack, this one is flood related. During an SSL session, when data is sent, it needs to be decrypted by the target system.  This could include a web server or an SSL termination device like an ELB, which costs CPU time.  However, no data actually needs to be sent, the attacker can simply request an SSL handshake multiple times.  This makes it very inexpensive for the attacker to send, but costly for the target to process.

THC-SSL Attack:

The SSL encryption process is very computational heavy and is thus abused with this attack.  A couple things are done in this attack.  A bunch of SSL connections are first made to a server and then proceeds to leverage the renegotiation function to compute the hashes again on the connection a ton of times in one single connection.  The whole point of this is that it makes the SSL offload portion, which is typically the web server, become CPU bound and incapable of responding to any new connections.   

Tor’s Hammer:

Similar to RUDY, Tor’s Hammer is a resource exhaustion tool, which is HTTP POST based. However, the Tor network is used to make the source addresses anonymous by encrypting and sending the packets through many different relays between the source and the target.

Tsunami SYN Flood:

This attack is a TCP SYN Flood with packets that have trashy data so it becomes a volumetric attack as opposed to a pure packets per second TCP SYN Flood.

Layer 3 Attacks

GRE Attack:

GRE stands for Generic Routing Encapsulation.  It’s a technique to tunnel one protocol inside another.  More specifically, it’s frequently used to carry private IP subnets across the Internet to another site. Its essentially a precursor to your typical VPN technologies. It can also be used to carry non-IP protocols between two sites, routing protocols used privately in a WAN, or to carry IPv4 across IPv6 networks and vice versa.

Since it’s not part of the TCP or UDP family, access control lists frequently forget that they should probably be blocking IP protocol 47.

If you remember the IoT attacks against the Krebs site, this was the protocol used.


This type of attack uses the DNS server to look up domains at high speed, but it looks up domains that are non-existent so the server returns NXDOMAIN results. The volume of the requests also causes harm by overloading the DNS server cache so it can’t respond to legitimate clients.

This is classified as a layer 3 attack because it uses UDP.  Since there is no handshake involved with UDP, it makes it easier to spoof the sending address.

DNS Query Flood:

The attack traffic looks normal and expected in this type of attack.  It is volumetric and uses a DNS server to look up domain entries.  In order to fill the outgoing bandwidth, it sends requests using external DNS or DNSSEC in order to create larger responses. 

This does not involve much sophistication as the attacker can simply send normal DNS requests at high volume from multiple sources.  This also uses UDP so the sending address is easily faked.

ICMP Flood / Ping Attack:

If you’ve used ICMP, then you know it’s typically used for diagnostic functions.  In an ICMP Flood, attackers will send many packets to try and overload a system. In a normal situation, ICMP echo packets are sent to spur an ICMP reply.  However, in this case, a man-in-the-middle attack occurs because the source address is forged. This form of Echo attack targeting a LAN broadcast address has also been called a Smurf attack.

Even though this Echo could be mitigated by using ACLs on a router or firewall, this process in itself would increase the CPU of that device, causing it to crash (though many devices have ICMP rate limiting controls).

It’s important to note that ICMP has other message types aside from just ECHO that can be used in attacks.

Reflection Attack:

The whole point of this type of attack is to trick the target into providing the answer to its own challenge.  The hacker attacks a challenge-response authentication system that uses the same protocol in both directions.  In other words, that same protocol is used by both sides to authenticate the other side.

Layer 4 Attacks

Fragment TCP Attack:

This attack is at layer 4 but impacts layer 7.

This type of attack is well known and has been occurring for many years.  The attacker segments a large IP packet into a bunch of smaller ones, which allows the packets to bypass router and firewall filters.  When the smaller fragments are overlapped, the attacker can get around intrusion detection systems so the exploit will only take effect when the target machine reassembles the packet. 

The Teardrop Attack is a great example of this.  At higher volumes, sometimes fragments of 1 or 2 bytes may be used to exhaust tables in network devices.  This is either done through forged source addresses or through incomplete fragments.

Fragment UDP Attack:

This attack is at layer 4 but impacts layer 7.  It’s similar to the Fragment TCP Attack, but uses UDP for transport

ACK Flood (Acknowledgement Flood):

The TCP three way handshake is abused with this type of attack.  The attacker will repeatedly send the last part of the handshake in order to overload the CPU resources of the target resource.  This works because the target uses the connection table to do a lookup and validate the ACK, and if it’s not valid, it sends an RST response (ReSeT) to tell all points to drop the connection.   

There are two major problems that this type of attack causes.  CPU resources are taken up as well as the use of outbound bandwidth.

PSH+ACK Flood:

In the TCP header, there are bits of information called PSH and ACK.  These can be set to a value of ‘1’ which tells the target system to discard the TCP buffer contents and return an acknowledgement.

Even though SYN Floods tend to be more popular, these attacks are often used in combination with other attacks containing forged source addresses.

RST Flood:

In a TCP conversation, one party is told through a TCP RST packet to drop the connection.

A RST Flood uses this process maliciously by sending forged source address packets, causing a device to drop legitimate connections.

SYN Flood:

In a SYN Flood attack, the TCP three-way handshake is abused by repeatedly sending the first piece of the handshake.  This is done in an attempt to consume CPU and memory resources at the target.

This occurs because the target assumes it’s receiving a legitimate inbound connection, so it creates an entry in the connection table and sends a SYN/ACK, and then waits for the final ACK to come in.

In summary, there are 3 main issues with the SYN Flood – the entry in the connection table causes consumption of memory, use of outbound bandwidth with the SYN/ACK, and the exhaustion of space in the connection table for these ‘partially-open’ connections, which then blocks all additional connection attempts.

TCP Connection Flood:

This purpose of this attack is to exhaust the connection table of the target device.  The attacker will hold the connections open as long as they can before the final ACK of the TCP handshake is sent, and continue keeping it open while sending very minimal information. 

It’s similar to a SYN Flood, but there are ways to mitigate those attacks by proxying an answer to incoming SYNs.

UDP Flood:

This volumetric attack is simpler to launch than your typical TCP Connection Flood since there is no handshake, or verifying of the source address.  The UDP protocol is connectionless. Amplification also plays a role rather than just the single source.

UDP Garbage Flood:

This is similar to a UDP Flood, however, it sends a maximum size of 1500 byte packets.  The payload also isn’t tied to the UDP port number destination but it contains garbage data just to fill the incoming Internet access link of the target. It’s not the most sophisticated of attacks, however it does it the job.

© Copyright 2008 by DDos Providers