Because there are literally dozens of different types of DDoS attacks, it’s hard to categorize them simply or definitively. The three categories recognized industry-wide are volumetric, protocol, and application layer, but they overlap: many protocol attacks, for example, are also volumetric.
More important than categorizing attacks perfectly is understanding the variety of methods attackers use to carry out DDoS attacks. Attackers will target any vulnerable part of your infrastructure, from the network all the way to the application and its supporting services.
Volumetric Attacks
Volumetric attacks, often called floods, are the most common type of DDoS attack. They typically send a large amount of traffic to the targeted victim’s network with the intention of consuming so much bandwidth that legitimate users are denied access. As we have already seen, attackers often use botnets to increase the volume of traffic that hits the target network or server. This has let attackers launch massive DDoS attacks, ranging from hundreds of gigabits per second to terabits per second, well beyond the capacity most organizations can absorb on their own networks.
Protocol Attacks
Instead of targeting higher-level resources such as a web server, protocol attacks (sometimes called “computational” or “network” attacks) deny service by exploiting either weaknesses in, or the normal behaviour of, protocols, typically OSI layer 3 and layer 4 protocols such as ICMP (Internet Control Message Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and others. The goal is to exhaust the computational capacity of the network or of intermediate resources (such as firewalls), resulting in a denial of service. Because protocol attacks operate at the packet level, they are typically measured in packets per second.
Application Layer Attacks
Application layer attacks (also known as OSI layer 7 attacks) target web servers, web application platforms, and specific web-based applications rather than the network itself. The attacker’s goal is to crash the server, making a website or application inaccessible to users. These attacks can target known application vulnerabilities or the underlying business logic of an application, or abuse higher-layer protocols like HTTP/HTTPS (Hypertext Transfer Protocol/Secure) and SNMP (Simple Network Management Protocol). They often use less bandwidth than other types of attacks and therefore don’t always show up as a sudden increase in traffic, which makes them harder to detect. Application layer attacks are measured in requests per second.
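As an added illustration (not from the original article), the following Python snippet applies the three measures described above, bits per second for volumetric attacks, packets per second for protocol attacks and requests per second for application layer attacks, to constructed one-second traffic samples and reports which categories each sample falls into. The baseline rates, the 5x anomaly threshold and the sample values are assumptions made for this example; they are not figures from the article.

```python
"""Flag one-second traffic samples against the three DDoS categories:
volumetric (bits/s), protocol (packets/s) and application layer (requests/s).
All numbers below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Sample:
    """One-second aggregate from a (hypothetical) network tap plus web server log."""
    second: int
    bytes_: int       # bytes seen on the wire
    packets: int      # layer 3/4 packets seen
    requests: int     # HTTP requests handled by the application


# Assumed normal rates for this site, and the multiple above normal
# that is treated as anomalous (both chosen for the example).
BASELINE = {"bps": 80_000_000, "pps": 10_000, "rps": 500}
FACTOR = 5


def rates(s: Sample) -> dict:
    """Convert a sample into the unit each attack category is measured in."""
    return {"bps": s.bytes_ * 8, "pps": s.packets, "rps": s.requests}


def classify(s: Sample) -> list:
    """Return every category whose metric exceeds FACTOR x baseline.
    Categories overlap, so a flood can be both volumetric and protocol."""
    r = rates(s)
    hits = []
    if r["bps"] > FACTOR * BASELINE["bps"]:
        hits.append("volumetric")
    if r["pps"] > FACTOR * BASELINE["pps"]:
        hits.append("protocol")
    if r["rps"] > FACTOR * BASELINE["rps"]:
        hits.append("application")
    return hits


# Constructed samples: normal traffic, a large flood, a small-packet
# burst, and an application layer spike with ordinary bandwidth.
SAMPLES = [
    Sample(0, 10_000_000, 9_800, 480),
    Sample(1, 1_250_000_000, 900_000, 500),
    Sample(2, 8_000_000, 120_000, 450),
    Sample(3, 12_000_000, 11_000, 9_000),
]


def report(samples) -> dict:
    """Map each sample's second to the categories flagged for it."""
    return {s.second: classify(s) for s in samples}
```

Note that the last sample is flagged only by requests per second while its bandwidth and packet rate look normal, which is exactly why bandwidth graphs alone miss application layer attacks.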
Who is Attacking and Why?
DDoS attacks are launched by different types of attackers, each with their own motivations. Here are just a few:
- Hacktivists trying to make a social or political statement by shutting down a site or large portions of the Internet
- A disgruntled employee or unhappy customer attempting to negatively impact a company’s revenue or damage its reputation by shutting down the website
- Unscrupulous competitors trying to sabotage a site by shutting it down
- Malicious actors who combine DDoS attacks with ransomware threats for extortion purposes
- Sophisticated attackers (often nation-states) using DDoS attacks as a distraction from more targeted and devastating attacks designed to disrupt critical infrastructure, plant malware, or steal proprietary, personal, or customer information
- Professional “hackers for hire” who are entirely self-motivated and can make moderate to substantial amounts of money hacking for a living, despite the risks involved
- “Script kiddies” who lack technical skills, so they use ready-made code and existing scripts to launch attacks