Distributed denial of service (DDoS) attacks are now one of the biggest cybersecurity threats for any business – big or small. In fact, many cybercriminals are now targeting smaller businesses with DDoS attacks, because they know that these websites tend to be more vulnerable than those of bigger enterprises and multinational companies.
The thing is, there is no one-size-fits-all security method that can perfectly protect a website/system from a DDoS attack. Even the largest websites with huge bandwidth and the best infrastructure can be brought down with a DDoS attack.
Why? A key reason is that a DDoS attack can come at any time and hit any part of the website, making it very difficult to detect. Also concerning is that the number of DDoS attacks has been rising rapidly in recent years, and that an attack can lead to massive financial loss and long-term, even permanent, damage to reputation.
It’s important to note that we can’t completely prevent DDoS attacks from happening, so the right approach is to have a mitigation/response plan that fits your site’s infrastructure and needs. Here, we will discuss the different types of DDoS attacks, the different mitigation techniques we can use, and how these techniques compare.
Without further ado, let us begin.
Different Types of DDoS Attacks
Before we can discuss the different types of DDoS attacks, we have to first understand the concept of both DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.
A DoS attack refers to any cybersecurity attack with the objective of shutting down a network or system so it is inaccessible to its users, hence the name denial of service. When the attack is done by a single computer, it is a DoS attack, but when it is distributed among different devices, it is called a DDoS attack.
To attempt a DDoS attack, the attacker typically first infects computers with malware and turns them into zombie devices. The collection of these zombie devices is called a botnet, which can involve hundreds or even thousands of zombie computers at one time.
A DDoS attack utilizes the botnet to deny the service of the target network with various methods, including but not limited to:
- Exploiting a known vulnerability in the target web application or network
- Saturating the system’s resources (bandwidth, disk space, memory, etc.), for example by spamming a port to overwhelm the network/system
- Using a spoofed origin address (a fake source IP) to fool the target network, for example by causing the target server to repeatedly send ping responses to this fake IP address.
While there are various techniques and methods the attacker can use in a DDoS attack, in general, we can divide DDoS attacks into four basic types:
1. Volumetric DDoS
The most traditional, or basic, form of DDoS attack, in which the botnet sends a high volume of requests and/or traffic to saturate the network’s bandwidth. There are various subtypes of volumetric DDoS attacks, including SYN floods, TCP/UDP floods, and others.
2. Vulnerability-Exploiting DDoS
A vulnerability-based DDoS attack exploits a known vulnerability in the target system, for example a vulnerability in a web application. Since most vulnerability-based attacks exploit protocol vulnerabilities, they are also often called protocol-based DDoS. For example, the attacker may send a malformed packet that can’t be processed properly, crashing the target network. While vulnerability-based DDoS can be very hard to detect and prevent, it also relies on finding known vulnerabilities, so such attacks are relatively rare.
3. Amplified-Flooding DDoS
This type is currently very popular among cyber attackers due to its effectiveness. In an amplified-flooding DDoS, the basic principle is to send a request to a network (one that is not the target) while using the target’s address as the response address. That network then sends an amplified reply to the target system. NTP floods, CHARGEN floods, SNMP floods, and others are examples of this attack type.
4. Resource-Consumption DDoS
This is often considered the most dangerous type of DDoS, and it is very difficult to defend against. However, it requires the attacker to perform preliminary research to really understand the target network, so it is also difficult to execute and very rare. This type of DDoS attack is performed by creating (or using) custom software that interacts directly with the target system to cause a slowdown or completely crash the system.
Since the nature and behaviors of these different types of DDoS attacks are very different from each other, it is very difficult to prevent all of them. This is why a proper DDoS mitigation plan is required, and below, we will discuss different mitigation techniques we can use.
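The amplified-flooding type above works because the reflecting servers answer to an address that never asked them anything. From the defender’s side, that is also the signal: UDP replies from well-known reflector services arriving at a host that sent no matching request. The script below is an added example, not code from the article; it keeps a table of outbound requests seen at the network border and flags destinations that receive large numbers of unsolicited replies. The reflector port list, the 50-packet threshold, and the flow records are all constructed for the example.

```python
from collections import defaultdict

# Assumed set of reflector services worth watching (port -> name); extend for your environment
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}


def sample_flows():
    """Constructed flow records, one tuple per UDP packet seen at the border:
    (epoch_seconds, direction, src_ip, src_port, dst_ip, dst_port, bytes)."""
    flows = []
    # A legitimate NTP exchange: our host asks, the server answers once.
    flows.append((1700000000, "out", "192.0.2.10", 40000, "198.51.100.5", 123, 48))
    flows.append((1700000000, "in", "198.51.100.5", 123, "192.0.2.10", 40000, 48))
    # A reflected flood: 300 NTP "responses" from servers we never queried,
    # each far larger than a request, spread over three seconds.
    for i in range(300):
        flows.append((1700000000 + i // 100, "in", f"203.0.113.{i % 200}", 123,
                      "192.0.2.20", 12345, 468))
    return flows


def detect_reflection(flows, unsolicited_threshold=50):
    """Return {victim_ip: summary} for hosts receiving >= threshold unsolicited
    replies from reflector ports. A reply is 'solicited' only if we saw the
    matching outbound request (same 4-tuple, reversed) earlier in the stream."""
    pending = set()  # (our_ip, our_port, server_ip, server_port) of requests we sent
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0, "services": set(),
                                       "first_seen": None, "last_seen": None})
    for ts, direction, src, sport, dst, dport, size in flows:
        if direction == "out" and dport in REFLECTOR_PORTS:
            pending.add((src, sport, dst, dport))
        elif direction == "in" and sport in REFLECTOR_PORTS:
            key = (dst, dport, src, sport)
            if key in pending:
                pending.discard(key)  # the answer to a question we asked
                continue
            v = unsolicited[dst]
            v["packets"] += 1
            v["bytes"] += size
            v["services"].add(REFLECTOR_PORTS[sport])
            v["first_seen"] = ts if v["first_seen"] is None else v["first_seen"]
            v["last_seen"] = ts
    return {
        victim: {"packets": v["packets"], "bytes": v["bytes"],
                 "services": sorted(v["services"]),
                 "first_seen": v["first_seen"], "last_seen": v["last_seen"]}
        for victim, v in unsolicited.items() if v["packets"] >= unsolicited_threshold
    }


if __name__ == "__main__":
    for victim, info in detect_reflection(sample_flows()).items():
        print(f"{victim}: {info['packets']} unsolicited {','.join(info['services'])} "
              f"replies, {info['bytes']} bytes")
```

In production the `pending` set needs an expiry (requests that are never answered would otherwise accumulate), and the per-victim counters should be windowed so the threshold means “per N seconds” rather than “ever”.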
3 Stages of DDoS Mitigation
While there are various DDoS mitigation techniques we can use, all of them are typically built on three key stages: detecting the attack, responding to it, and learning from it.
The first stage is detection: you can’t mitigate a DDoS attack if you can’t detect the signs of an incoming one. The thing is, it can be difficult to differentiate between a high volume of legitimate traffic and an actual attack. There are instances where spikes in traffic volume are normal, for example during a limited sale or the launch of a new product. How well the mitigation technique can differentiate between legitimate traffic and an actual attack is very important.
Furthermore, depending on the type of DDoS attack, different detection methods might be required.
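A flash crowd and an HTTP flood can have the same request rate, so volume alone does not separate them. The example below is added here and is not from the article; it profiles a window of constructed web-server log lines and looks at how the traffic is spread across sources, user agents, and paths. A launch-day crowd is many distinct visitors with a normal mix of browsers and pages; a flood tends to be concentrated in a handful of sources or to be uniform in a way real visitors never are. The log format, the baseline of 10 requests per second, and the thresholds are assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample logs, not taken from the article. One request per line:
# "<epoch_seconds> <src_ip> <method> <path> <user_agent>"
BROWSERS = ["Mozilla/5.0-Chrome", "Mozilla/5.0-Firefox", "Mozilla/5.0-Safari",
            "Mozilla/5.0-Edge", "Mozilla/5.0-Mobile"]
PAGES = ["/launch", "/cart", "/product"]


def flash_crowd_log(n=1000):
    """Product launch: many distinct visitors, mixed browsers, a few popular pages."""
    return [f"{1700000000 + i // 100} 198.51.100.{i % 250} GET {PAGES[i % 3]} {BROWSERS[i % 5]}"
            for i in range(n)]


def flood_log(n=1000):
    """HTTP flood: five sources, one tool user-agent, one expensive endpoint."""
    return [f"{1700000000 + i // 100} 203.0.113.{10 + i % 5} GET /search?q={i} python-requests/2.31"
            for i in range(n)]


def profile(lines):
    """Per-window features: rate, and how concentrated sources/agents/paths are."""
    if not lines:
        raise ValueError("empty window")
    srcs, agents, paths = Counter(), Counter(), Counter()
    stamps = []
    for line in lines:
        ts, src, _method, path, agent = line.split(" ", 4)
        stamps.append(int(ts))
        srcs[src] += 1
        agents[agent] += 1
        paths[path.split("?", 1)[0]] += 1  # ignore the query string
    total = len(lines)
    window = max(stamps) - min(stamps) + 1  # seconds covered by the log
    top10 = sum(c for _, c in srcs.most_common(10)) / total
    entropy = -sum((c / total) * math.log2(c / total) for c in srcs.values())
    max_entropy = math.log2(len(srcs)) if len(srcs) > 1 else 1.0
    return {
        "rps": total / window,
        "distinct_sources": len(srcs),
        "top10_source_share": top10,
        "source_entropy": entropy / max_entropy,  # 1.0 = perfectly spread out
        "top_agent_share": agents.most_common(1)[0][1] / total,
        "top_path_share": paths.most_common(1)[0][1] / total,
    }


def classify(lines, baseline_rps=10.0, spike_factor=5.0):
    """Return (verdict, features). Verdicts: normal, flash_crowd, suspected_ddos."""
    p = profile(lines)
    if p["rps"] < baseline_rps * spike_factor:
        return "normal", p
    # Few sources carrying most of the load, or a very uneven source distribution
    concentrated = p["top10_source_share"] > 0.5 or p["source_entropy"] < 0.5
    # Everyone using the same tool and hammering the same endpoint
    uniform = p["top_agent_share"] > 0.9 and p["top_path_share"] > 0.9
    if concentrated or uniform:
        return "suspected_ddos", p
    return "flash_crowd", p


if __name__ == "__main__":
    for name, log in [("launch", flash_crowd_log()), ("flood", flood_log())]:
        verdict, feats = classify(log)
        print(name, verdict, {k: round(v, 3) for k, v in feats.items()})
```

The uniformity check is there because, as the article notes later, IP rotation makes source-based signals weak on their own; a rotating botnet still tends to give itself away by what it requests and how.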
In the second stage, response, the DDoS protection solution responds to the detected attack with various techniques (which we will discuss below). Commonly this involves managing (limiting the activity of) the malicious bot traffic attempting the DDoS attack while absorbing the rest, the legitimate traffic.
There are various methods we can use to respond to incoming DDoS attacks:
- Routing: breaking the remaining attack traffic into manageable sizes to prevent denial of service. This is a very important aspect of any DDoS mitigation technique: DDoS traffic will keep coming even after you’ve responded to the initial attack, so routing this remaining traffic is very important.
- Sinkholing: this response method relies on a database of malicious IP addresses and diverts traffic from these blacklisted IP addresses. IP-based detection and response are now largely ineffective, since today’s hackers and malicious bots can rotate through a massive number of IP addresses. However, this method still has its uses in certain cases.
- Blackholing: also called null-routing, and as the name suggests, this method directs all incoming traffic to a fake (non-existent) IP address. However, in cases of false positives, you’d also redirect your legitimate traffic to this address.
- Scrubbing: another method for responding to malicious DDoS traffic involves a ‘scrubbing center’ where the DDoS mitigation solution analyzes this traffic, blocks the malicious traffic, and lets the ‘clean’ traffic pass back to the network. The main issue with this approach is that it sacrifices page speed, which affects your site’s user experience (UX). We will discuss scrubbing again further below.
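The trade-off between the sinkholing, blackholing, and scrubbing responses listed above is easiest to see on the same traffic. The simulation below is an added example and not code from the article: it constructs a mix of legitimate visitors and a few flooding sources, applies each response, and scores what fraction of legitimate and attack requests reached the service. The blocklist (which covers only one of the three bots), the token-bucket parameters used for the scrubbing step, and the traffic itself are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Request:
    t: float
    src: str
    dst: str
    legit: bool  # ground truth, used only to score each response method


def sample_traffic():
    """Constructed traffic: 20 visitors at 2 req/s for 5 s, 3 bots at 100 req/s for 5 s."""
    reqs = []
    for s in range(20):
        for k in range(10):
            reqs.append(Request(t=k * 0.5, src=f"198.51.100.{s}", dst="192.0.2.10", legit=True))
    for b in range(3):
        for k in range(500):
            reqs.append(Request(t=k * 0.01, src=f"203.0.113.{b}", dst="192.0.2.10", legit=False))
    return sorted(reqs, key=lambda r: r.t)  # stable: order within a timestamp is preserved


BLOCKLIST = {"203.0.113.0"}  # assumed: only one bot source is already known to be bad


def sinkhole(reqs, blocklist=BLOCKLIST):
    """Divert traffic from known-bad sources; everything else passes untouched."""
    return [r for r in reqs if r.src not in blocklist]


def blackhole(reqs, victim="192.0.2.10"):
    """Null-route everything addressed to the attacked host, legitimate or not."""
    return [r for r in reqs if r.dst != victim]


class TokenBucket:
    """Allow `rate` requests/s with bursts up to `burst`; a standard per-source limiter."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def scrub(reqs, rate=2.0, burst=5):
    """Scrubbing step: per-source rate limit, so bounded visitors pass and floods are clipped."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return [r for r in reqs if buckets[r.src].allow(r.t)]


def score(passed, all_reqs):
    """Fraction of legitimate and of attack requests that reached the service."""
    legit_total = sum(r.legit for r in all_reqs)
    bad_total = len(all_reqs) - legit_total
    legit_passed = sum(r.legit for r in passed)
    bad_passed = len(passed) - legit_passed
    return {"legit_passed": legit_passed / legit_total, "attack_passed": bad_passed / bad_total}


if __name__ == "__main__":
    traffic = sample_traffic()
    for name, fn in [("sinkhole", sinkhole), ("blackhole", blackhole), ("scrub", scrub)]:
        print(name, score(fn(traffic), traffic))
```

Sinkholing only helps against the source it already knows about, blackholing drops the attack and every real visitor with it, and scrubbing keeps the visitors while clipping each flooding source to its token budget; that last property is what the extra latency of a scrubbing step buys.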
In the third stage, the DDoS mitigation solution looks for patterns in the attack traffic and uses this information to prevent future attacks. For example, the solution might detect repeat attacks from certain IP blocks, geographic locations, certain browsers/OSes, and so on.
For sophisticated application-layer DDoS attacks, a bot mitigation solution with AI and machine learning technology is required to automatically analyze the attack and use the insights gathered from it to identify future attack vectors, allowing the mitigation solution to defend your system better in future attacks.
Different DDoS Mitigation Techniques
Although there are various DDoS mitigation techniques available, we can generally categorize them into just three main DDoS mitigation techniques: Clean-pipe (or scrubbing), CDN dilution, and TCP/UDP Anti-DDoS Proxy.
1. Clean Pipe
Clean pipe, or the scrubbing technique, is the most common DDoS mitigation technique of the three. As we’ve briefly discussed above, all incoming traffic must pass through a cleaning pipe called a ‘scrubbing center’ where the incoming traffic is analyzed, malicious traffic is identified and blocked, and legitimate traffic is then allowed on to the network.
The clean pipe method was invented because black-holing and complete blacklisting are no longer effective due to high false positives. However, implementing clean pipe can be extremely difficult due to several complexities:
- A BGP (Border Gateway Protocol) router
- An ASN (Autonomous System Number) and internet-routable prefixes
- Network hardware capable of terminating a GRE tunnel
Despite its popularity, the clean pipe method is not a perfect technique, and it has several key limitations:
- Lead time: this method takes time to analyze incoming traffic and reroute it to a scrubbing center, and the time from the re-route until the mitigation finally kicks in can be quite significant. During this lead time the system is unprotected and exposed to the attacker.
- Slower page speed: as above, since analyzing the incoming traffic takes time, this can translate into slower page loads, which may hinder your user experience (UX).
- Limitations: the clean pipe method is not very effective in handling vulnerability-based DDoS attacks and application-flood attacks.
Also, with the clean pipe method, your IP prefix is not hidden. Attackers can identify your ISP and might be able to use that information to find loopholes and weaknesses in your infrastructure.
In general, the clean pipe method is more focused on defending against the volume of the traffic than on identifying the signature and behavior of the attack. So, clean pipe and similar techniques tend to be more vulnerable to layer-7 attacks (slow DDoS, vulnerability-based attacks, etc.).
Clean pipe, however, is very versatile and supports almost all IP stack applications, but it lacks in-depth, comprehensive protection for a specific application. In short, it’s a jack of all trades, master of none.
2. CDN Dilution
CDN stands for Content Delivery Network and, as the name suggests, it is a method of using a distributed network to deliver web pages and content to users. The basic idea is that by using additional, distributed servers located closer to the user, the user can access the content faster.
A CDN is useful in DDoS mitigation for two reasons: the website is ‘placed’ on more than one server, so it is more difficult to take down with a DDoS attempt, and CDN technology translates into bigger bandwidth.
The CDN dilution technique basically uses the CDN as a reverse proxy for the web application: all requests are filtered by the CDN edge servers before they are sent on to the origin. This technique is great because it is context-aware, so it’s effective in defending web applications. However, the key limitation is that it is only applicable to web applications; we can’t use it for other IP stack applications.
3. Anti-DDoS Proxy
An anti-DDoS proxy works similarly to CDN dilution, but for UDP or TCP services. All requests are sent to the proxy, and the proxy then filters out malicious traffic based on certain signatures or behaviors. Unlike CDN dilution, however, TCP/UDP anti-DDoS proxies are configured on a per-application basis instead of a per-domain basis.
It is an always-on solution without any lead time and is also effective in mitigating low-and-slow vulnerability-based attacks. However, a major downside of this technique is that it changes the source IP, so the origin can’t see the real visitor’s IP.
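What “context-aware” means for CDN dilution, and why it does not apply to a plain TCP/UDP proxy, is clearer with a concrete edge filter. The code below is an added example, not the article’s or any CDN vendor’s code. It models one edge node that understands HTTP: it rejects requests for hosts it does not serve and methods the application never uses, answers repeat requests for cacheable pages itself, and forwards only cache misses to the origin, carrying the visitor’s address in the standard X-Forwarded-For header. A layer-4 proxy sees none of the Host, method, or path context and, as the article notes, presents its own source address to the origin. The served host name, method allowlist, cacheable path prefixes, and the request stream are all constructed for the example.

```python
from collections import Counter

SERVED_HOSTS = {"shop.example"}          # assumption: the domain this edge fronts
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumption: what the application actually uses
CACHEABLE_PREFIXES = ("/static/", "/product/")


def sample_requests():
    """Constructed request stream as a reverse proxy would see it (not real traffic)."""
    reqs = []
    for i in range(200):  # shoppers: valid Host, browsing 20 cacheable product pages
        reqs.append({"client_ip": f"198.51.100.{i % 50}", "host": "shop.example",
                     "method": "GET", "path": f"/product/{i % 20}"})
    for i in range(200):  # flood aimed at the bare IP: Host header is not a served domain
        reqs.append({"client_ip": f"203.0.113.{i % 5}", "host": "192.0.2.10",
                     "method": "GET", "path": f"/search?q={i}"})
    for i in range(50):   # methods no legitimate client of this app sends
        reqs.append({"client_ip": "203.0.113.9", "host": "shop.example",
                     "method": "TRACE", "path": "/"})
    return reqs


class EdgeNode:
    """A toy context-aware edge: validate, serve from cache, forward misses with client IP kept."""

    def __init__(self):
        self.cache = {}
        self.stats = Counter()
        self.forwarded = []  # what the origin actually receives

    def handle(self, req):
        if req["host"] not in SERVED_HOSTS:
            self.stats["rejected_host"] += 1
            return 421  # Misdirected Request: never reaches the origin
        if req["method"] not in ALLOWED_METHODS:
            self.stats["rejected_method"] += 1
            return 405
        cacheable = req["method"] == "GET" and req["path"].startswith(CACHEABLE_PREFIXES)
        key = (req["method"], req["host"], req["path"])
        if cacheable and key in self.cache:
            self.stats["cache_hit"] += 1
            return 200  # answered at the edge; this is the "dilution"
        # Cache miss or uncacheable: forward, preserving the visitor address for the origin
        origin_req = dict(req, headers={"X-Forwarded-For": req["client_ip"]})
        self.forwarded.append(origin_req)
        self.stats["origin"] += 1
        if cacheable:
            self.cache[key] = True
        return 200


def run(reqs):
    """Push a request stream through one edge node and return it for inspection."""
    edge = EdgeNode()
    for r in reqs:
        edge.handle(r)
    return edge


if __name__ == "__main__":
    edge = run(sample_requests())
    print(dict(edge.stats))
```

Of 450 requests, the origin in this run sees only the 20 distinct product pages; everything else is either rejected or served from the edge cache, which is the effect the CDN dilution section describes.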
| | Clean Pipe | DDoS Protection Proxy | CDN Dilution |
|---|---|---|---|
| Applicable for | Any application | TCP/UDP applications | Web applications only |
| Requirement | BGP router and /24 prefix support | Internet bandwidth | Internet bandwidth |
| Load balancing | Not supported | Supported | Supported |
| False positives | Relatively high | Medium | Low |
| L3/L4 DDoS protection | Not always on | Yes | Yes |
| L7 DDoS protection | Medium | Medium | High |
| Key disadvantage | Relatively high false positives | The origin server cannot see the real client IP, since it is replaced by the proxy’s source-NAT IP | Only applicable to web apps |
Above, we have discussed the different types of DDoS attacks and the three main DDoS mitigation techniques we can implement. It’s important to remember that you shouldn’t limit yourself to just one solution; you can combine different ones to create a more comprehensive DDoS mitigation strategy.
It’s best to first assess your system and figure out your needs, so you can decide on the right DDoS mitigation technique for you. If you want versatility, however, clean pipe solutions like DataDome are the best approach, since you can use them with all applications, including multi-cloud and multi-CDN systems.
Mike is passionate about all emerging technologies in the IT space and loves to write about all of them. He is a lifetime marketing and internet expert with over 10 years of experience in web technologies, SEO, online marketing, and cybersecurity.