Volumetric attacks, which are believed to comprise more than 50 percent of attacks launched, are focused on filling up a victim’s network bandwidth. Among the most common volumetric attacks are User Datagram Protocol (UDP)flood attacks, where an attacker sends a large number of UDP packets to random ports on a remote host. UDP floods accounted for approximately 75 percent of DDoS attacks in the last quarter of 2015, according to the Versign DDoS Trends Report. A common form of UDP flood attack relies on reflection and amplification. UDP is a connectionless protocol (that is, it doesn’t require that the two ends of a conversation establish a connection before exchanging data). An attacker can therefore forge UDP packets with fake source addresses, and use those packets to generate reply traffic. By setting the source of the UDP packets to be the IP address of the intended victim, and then sending those packets to various servers for UDP-based applications, the attacker will cause the servers to send reply traffic to the forged source IP address–the victim. This reply traffic is the “reflection” part of the attack. It’s a lot like calling every pizza place in your county, and ordering a lot of pizzas to be delivered to someone you really don’t like. The “amplification” part comes in when you understand that many UDP services generate replies that are much larger than the initial request size. For instance, the Domain Name Service (DNS) has a bandwidth amplification factor of 28 to 54 (the reply to a DNS request can be between 28 and 54 times larger than the request). The Network Time Protocol (NTP) has a bandwidth amplification factor of 556. By combining reflection (the server sends reply traffic to a spoofed source address) with amplification (the reply traffic is a lot larger than the initial request), attackers can do a lot of damage to a victim with very little effort on their part. A number of UDP-based applications and services can be used to generate amplification and reflection attacks, including DNS, NTP, Simple Service Discovery Protocol (SSDP), and Simple Network Management Protocol (SNMP).
Protocol attacks (sometimes also called state-exhaustion attacks) target a weakness in how a protocol operates. A well-known protocol attack is the SYN flood, which targets the three-way handshake mechanism in TCP. When a server receives a SYN packet, this is a signal to the server that another machine wants to open a TCP connection. The server will allocate some of its resources to this half-open connection, and send a SYN ACK packet back to the initiating machine. Under normal circumstances, the initiator will then send an ACK packet to the server, the three-way handshake is complete, and the machines will then exchange data. In a SYN flood attack, an attacker sends a rapid succession of TCP SYN requests–typically from spoofed source IP addresses–to open a connection to a network server. The server sends SYN ACK packets back to the source addresses, which never reply with an ACK. The server keeps the half-open TCP connections around, using up resources, until the server is no longer able to accept any new connections.
Application attacks target weaknesses in how an application works. One well-known application attack is Slowloris, which targets web servers. In a Slowloris attack, the attacker sends HTTP requests to a web server without ever completing the requests. Periodically (and slowly–hence the name), the attacker will send additional headers, thus keeping the request “alive” but not finished. Similar to a SYN flood, this forces the web server to maintain open connections for these partially completed HTTP requests, eventually preventing it from accepting any new connections.