Sign in Subscribe
DDoS

Common Types of DDoS Attacks & Protections

Abu Saleh Muhammad Zakaria

23 min read
Common Types of DDoS Attacks & Protections

Overview:

This article will help you to understand common types of DDoS (Distributed Denial of Service) attacks and their counter measures. Some basic information's for educational purpose. The followings are explained in brief :

  1. What is DDoS Attacks ?
  2. Types of DDoS Attacks
  3. Organizations suffered from DDoS attacks in recent years
  4. How Firewalls Help and their limitations.
  5. How to Protect Organization from DDoS Attacks ?

If you are interested, please read below.

What is DDoS ?

A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming it with a flood of traffic or data from multiple sources. In a DDoS attack, the attacker typically uses a network of compromised devices, often referred to as a "botnet," to flood the target with a massive volume of requests or traffic, making the target unavailable to legitimate users.

How DDoS works ?

A hacker must first gain control of a series of devices that are connected to the Internet In order to launch a successful DDoS attack. Without them, there cannot be a Distributed-DoS (DDoS) attack. In order to control these machines, the malicious actor must infect them with malware that allows him or her to access the devices remotely. In order for a DDoS attack to be successful, hundreds, if not thousands, of devices must be controllable by the malicious actor. Infected machines under the control of the malicious actor are individually referred to as "bots" also known as zombies sometimes, while a group of these machines is called a botnet. Once infected, the hacker can command the botnet to simultaneously send requests to a target machine, systematically causing it to overload. When the IP address of a victim is targeted by the botnet, each bot will respond by sending requests to the target, potentially causing the targeted server or network to overflow capacity, resulting in a denial-of-service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.

Different DDoS attack vectors target varying components of a network connection. In order to understand how different DDoS attacks work, it is necessary to know how a network connection is made. A network connection on the Internet is composed of many different components or “layers”. which we call as "OSI model", shown below, is a conceptual framework used to describe network connectivity in 7 distinct layers.

No alt text provided for this image

Sometimes an attack is referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side, and can be expensive for the target server to respond to as the server often must load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend as the traffic can be difficult to flag as malicious.

Types of DDoS Attacks?

DDoS attacks can be executed in a variety of ways, but the most common method involves flooding the targeted server with requests for information or data, causing it to become overloaded and crash. Attackers may use a variety of techniques to compromise computers and build a botnet, including malware infections, phishing attacks, and other social engineering tactics. Some of the types of DDoS attacks includes the following 39 types:

  1. Volumetric attacks: These attacks flood the target network with a massive amount of traffic, overwhelming its capacity to function properly. This can be achieved using botnets or amplification techniques, such as DNS amplification, which magnifies the amount of traffic being sent to the target.
  2. TCP SYN Floods: These attacks exploit the TCP/IP protocol to flood the target with a large number of TCP SYN packets, which are used to initiate a connection. By overwhelming the target with these packets, the network becomes unable to establish new connections, resulting in denial of service.
  3. UDP Floods: These attacks exploit the User Datagram Protocol (UDP) to flood the target with a large volume of UDP packets, which are typically used for low-latency connections, such as video streaming or online gaming. These attacks can be particularly effective against networks that rely heavily on UDP traffic.
  4. Application-layer attacks: These attacks exploit vulnerabilities in specific applications or services running on the target server, such as HTTP, DNS, or SMTP. By targeting the application layer, attackers can overwhelm the server's processing capacity and cause it to crash.
  5. Slowloris attacks: These attacks exploit a vulnerability in the way that web servers handle HTTP connections. By opening a large number of connections to the server and sending incomplete requests, the attacker can tie up the server's resources and prevent it from serving legitimate requests.
  6. Ping of Death attacks: These attacks exploit a vulnerability in the way that some systems handle large IP packets. By sending a packet that is larger than the maximum size allowed by the system, the attacker can cause the target to crash or become unresponsive.
  7. Zero Day (0day) DDoS: Zero Day (0day) DDoS refers to a type of DDoS attack that exploits vulnerabilities in software or systems that are unknown to the developers or vendors. These vulnerabilities are called "zero-day" vulnerabilities because there is no patch or fix available to address the vulnerability at the time of the attack. It can be devastating because they can bypass security measures and allow attackers to take advantage of unknown vulnerabilities before a patch or update is released. Attackers can use various methods, such as malware or botnets, to launch Zero Day DDoS attacks and overwhelm targeted systems with a high volume of malicious traffic.
  8. IP Null Attack : An IP Null Attack is a type of network-based Denial of Service (DoS) attack that involves sending IP packets with a null (empty) payload to a target system or network. The attack floods the target with a high volume of packets with no content, which can overwhelm the system's resources and cause it to become unavailable. IP Null Attacks are relatively simple to execute, and they do not require sophisticated tools or techniques. They can be launched by anyone with access to the internet and can be difficult to detect and block. Additionally, since the packets have no content, they may not trigger intrusion detection systems or other security measures.
  9. CharGEN Flood : CharGEN Flood is a type of Distributed Denial of Service (DDoS) attack that exploits a vulnerability in the Character Generator (CharGEN) protocol. The CharGEN protocol is a simple protocol used to generate random characters and is commonly used in testing and debugging network applications. In a CharGEN Flood attack, the attacker sends a high volume of CharGEN requests to a targeted server or network, overwhelming its resources and causing it to crash or become unavailable. The attack is carried out by exploiting the amplification factor of the protocol, where a small request can result in a large response, consuming more bandwidth and resources than the original request. CharGEN Flood attacks can be difficult to detect and mitigate because they use a legitimate protocol, and the traffic can appear similar to normal network traffic. Additionally, many systems and network devices have the CharGEN protocol enabled by default, making them vulnerable to these attacks.
  10. SNMP Flood : SNMP Flood is a type of Denial of Service (DoS) attack that targets devices using the Simple Network Management Protocol (SNMP). SNMP is a protocol used to manage and monitor network devices, such as routers, switches, and servers. In an SNMP Flood attack, the attacker sends a high volume of SNMP requests to a targeted device, overwhelming its resources and causing it to crash or become unavailable. The attack is carried out by exploiting the SNMP protocol's inherent vulnerabilities, such as weak authentication or authorization mechanisms. SNMP Flood attacks can be difficult to detect and mitigate because they use a legitimate protocol, and the traffic can appear similar to normal network traffic. Additionally
  11. NTP Flood : NTP Flood is a type of Distributed Denial of Service (DDoS) attack that exploits the Network Time Protocol (NTP). The NTP is a protocol used to synchronize the clocks of computers and network devices. In an NTP Flood attack, the attacker sends a high volume of NTP requests to a targeted server or network, overwhelming its resources and causing it to crash or become unavailable. The attack is carried out by exploiting the amplification factor of the protocol, where a small request can result in a large response, consuming more bandwidth and resources than the original request.
  12. SSDP Flood: SSDP Flood is a type of Distributed Denial of Service (DDoS) attack that exploits the Simple Service Discovery Protocol (SSDP). The SSDP is a protocol used by network devices to discover and communicate with each other. In an SSDP Flood attack, the attacker sends a high volume of SSDP requests to a targeted network, overwhelming its resources and causing it to crash or become unavailable. The attack is carried out by exploiting the amplification factor of the protocol, where a small request can result in a large response, consuming more bandwidth and resources than the original request.
  13. Amplified DDoS Attacks : Amplified DDoS attacks are a type of Distributed Denial of Service (DDoS) attack that exploit the amplification factor of certain network protocols to generate a high volume of traffic to overwhelm a targeted server or network. In an amplified DDoS attack, the attacker sends a small request to a vulnerable server or network device using a protocol that generates a larger response than the original request, such as DNS, NTP, SSDP, or SNMP. The attacker then spoofs the source IP address of the request to make it appear as if the request is coming from the targeted server or network, causing the amplified response to be sent to the targeted server or network instead. Because the amplified response is much larger than the original request, the attacker can generate a massive volume of traffic with relatively little effort, overwhelming the targeted server or network and causing it to become unavailable.
  14. Fragmented HTTP Flood : Fragmented HTTP Flood is a type of Distributed Denial of Service (DDoS) attack that targets web servers by sending a large number of fragmented HTTP requests. In this attack, the attacker sends a large number of HTTP requests, each containing a fragment of the actual request. When the web server receives these fragmented requests, it attempts to reassemble them into a complete request, consuming significant processing resources. The goal of the attack is to overwhelm the web server's ability to handle the volume of requests and consume its available resources, leading to slow response times or complete unavailability of the website.
  15. HTTP Flood : HTTP Flood is a type of Distributed Denial of Service (DDoS) attack that targets web servers by sending a high volume of HTTP requests from multiple sources. In this attack, the attacker floods the web server with a large number of HTTP requests, overwhelming the server's resources and causing it to become unavailable to legitimate users. The goal of the attack is to consume the server's available bandwidth and processing power, leading to slow response times or complete unavailability of the website. HTTP Flood attacks can be difficult to detect and mitigate because the traffic appears similar to legitimate web traffic. Defending against HTTP Flood attacks requires implementing security measures, including using firewalls and intrusion detection systems that can detect and block suspicious traffic, and implementing rate limiting policies.
  16. Single Session HTTP Flood : Single Session HTTP Flood is a type of Distributed Denial of Service (DDoS) attack that targets web servers by sending a high volume of HTTP requests from a single source. In this attack, the attacker sends a large number of HTTP requests using a single session or connection to the web server, overwhelming the server's resources and causing it to become unavailable to legitimate users. The goal of the attack is to consume the server's available bandwidth and processing power, leading to slow response times or complete unavailability of the website. Defending against Single Session HTTP Flood attacks requires implementing security measures, including using firewalls and intrusion detection systems that can detect and block suspicious traffic, and implementing rate limiting policies.
  17. Single Request HTTP Flood: Single Request HTTP Flood is a type of Denial of Service (DoS) attack that targets web servers by sending a high volume of HTTP requests from a single source, each containing a large amount of data. In this attack, the attacker sends a single HTTP request that contains a large amount of data, overwhelming the server's resources and causing it to become unavailable to legitimate users. The goal of the attack is to consume the server's available bandwidth and processing power, leading to slow response times or complete unavailability of the website. Defending against Single Request HTTP Flood attacks requires implementing security measures, including using firewalls and intrusion detection systems that can detect and block suspicious traffic, and implementing rate limiting policies.
  18. Recursive HTTP GET Flood: Recursive HTTP GET Flood is a type of Denial of Service (DoS) attack that targets web servers by sending a high volume of HTTP GET requests with an increasing depth level. In this attack, the attacker sends a large number of GET requests to a single web page, each request with an increasing depth level, causing the server to become overwhelmed with the number of requests and unable to respond to legitimate users. The goal of the attack is to consume the server's available bandwidth and processing power, leading to slow response times or complete unavailability of the website. Defending against Recursive HTTP GET Flood attacks requires implementing security measures, including using firewalls and intrusion detection systems that can detect and block suspicious traffic, and implementing rate limiting policies.
  19. Random Recursive GET Flood : Random Recursive GET Flood is a type of Denial of Service (DoS) attack that targets web servers by sending a high volume of HTTP GET requests with random parameters and paths, with an increasing depth level. In this attack, the attacker sends a large number of GET requests with random parameters and paths to a single web page, each request with an increasing depth level, causing the server to become overwhelmed with the number of requests and unable to respond to legitimate users. The goal of the attack is to consume the server's available bandwidth and processing power, leading to slow response times or complete unavailability of the website. Defending against Random Recursive GET Flood attacks requires implementing security measures, including using firewalls and intrusion detection systems that can detect and block suspicious traffic, and implementing rate limiting policies.
  20. Multi-Vector Attacks: Multi-vector attacks are a type of DoS attack that use multiple techniques and attack vectors to target a single system or network. These attacks are designed to increase the effectiveness of the attack and make it more difficult to defend against by using a combination of different attack methods such as DDoS, malware, phishing, and social engineering. The goal of multi-vector attacks is to exploit weaknesses in multiple areas of a target's security infrastructure and gain unauthorized access to sensitive information, disrupt critical services, or cause damage to the target's reputation. Defending against multi-vector attacks requires a multi-layered security approach that combines technical defenses with employee education and training to prevent social engineering attacks.
  21. SYN Flood : SYN Flood is a type of DDoS attack that targets the Transmission Control Protocol (TCP) by overwhelming the target system with a flood of TCP SYN requests. This causes the system to become unresponsive to legitimate traffic, disrupting its ability to provide services.
  22. SYN-ACK Flood :SYN-ACK Flood is a type of DDoS attack that targets the TCP protocol by flooding the target system with a high volume of SYN-ACK packets. This attack exploits the three-way handshake process in TCP to consume the target system's resources and cause it to become unresponsive to legitimate traffic.
  23. ACK & PUSH ACK Flood :ACK and PUSH-ACK Floods are types of DDoS attacks that target the TCP protocol. These attacks flood the target system with a high volume of ACK or PUSH-ACK packets, respectively, causing the system to become unresponsive to legitimate traffic. These attacks exploit vulnerabilities in the TCP protocol to consume the target system's resources and cause service disruption
  24. ACK Fragmentation Flood: ACK Fragmentation Flood is a type of DDoS attack that targets the TCP protocol by sending fragmented ACK packets to the target system. This attack exploits a vulnerability in the TCP protocol to consume the target system's resources and cause it to become unresponsive to legitimate traffic. The fragmented ACK packets are difficult for the target system to reassemble, leading to resource exhaustion and service disruption.
  25. RST/FIN Flood : RST/FIN Flood is a type of DDoS attack that targets the TCP protocol by flooding the target system with a high volume of RST or FIN packets, respectively. This attack exploits vulnerabilities in the TCP protocol to consume the target system's resources and cause it to become unresponsive to legitimate traffic. The flood of RST or FIN packets disrupts the communication between the target system and legitimate clients, causing service disruption.
  26. Synonymous IP Attack : Synonymous IP Attack is a type of DDoS attack that targets the DNS servers by flooding them with a high volume of requests for a non-existent domain. This attack exploits a vulnerability in the DNS protocol by sending the requests from multiple IP addresses, making it difficult for the DNS server to distinguish between legitimate and malicious traffic. The attack consumes the DNS server's resources and causes it to become unresponsive to legitimate traffic.
  27. Spoofed Session Flood : Spoofed Session Flood is a type of DDoS attack that targets the application layer of a system by flooding it with a high volume of spoofed session requests. This attack exploits vulnerabilities in the application's session management process by creating a large number of fake sessions, consuming the target system's resources and causing it to become unresponsive to legitimate traffic.
  28. Multiple SYN-ACK Spoofed Session Flood: Multiple SYN-ACK Spoofed Session Flood is a type of DDoS attack that combines multiple techniques to target the application layer of a system. This attack floods the target system with a high volume of SYN-ACK packets, along with spoofed session requests, exploiting vulnerabilities in the TCP and application layer protocols. The attack consumes the target system's resources and causes it to become unresponsive to legitimate traffic, disrupting its ability to provide services.
  29. Multiple ACK Spoofed Session Flood: Multiple ACK Spoofed Session Flood is a type of DDoS attack that targets the application layer of a system by flooding it with a high volume of spoofed ACK packets, along with session requests. This attack exploits vulnerabilities in the application's session management process by creating a large number of fake sessions and consuming the target system's resources. The attack causes the target system to become unresponsive to legitimate traffic, disrupting its ability to provide services.
  30. Session Attack: Session Attack is a type of DDoS attack that targets the application layer of a system by consuming its resources, disrupting its ability to provide services. This attack exploits vulnerabilities in the application's session management process by creating a large number of fake sessions, consuming the target system's resources and causing it to become unresponsive to legitimate traffic. The attack can also exploit other weaknesses in the application's session handling process, such as session ID prediction or session fixation.
  31. Misused Application Attack : Misused Application Attack is a type of DDoS attack that targets the application layer of a system by exploiting vulnerabilities in its software or configuration. This attack targets the application itself, rather than the network or infrastructure, by using techniques such as SQL injection, cross-site scripting (XSS), or other forms of malicious input. The attack can cause the application to consume excessive resources, resulting in service disruption or downtime.
  32. UDP Flood : UDP Flood is a type of DDoS attack that targets the transport layer of a system by flooding it with a high volume of UDP packets. This attack exploits vulnerabilities in the User Datagram Protocol (UDP) by overwhelming the target system's resources with a large number of requests, causing it to become unresponsive to legitimate traffic. The attack is often used to flood the target system with amplification attacks, such as DNS or NTP amplification.
  33. UDP Fragmentation Flood : UDP Fragmentation Flood is a type of DDoS attack that targets the transport layer of a system by flooding it with a high volume of fragmented UDP packets. This attack exploits vulnerabilities in the UDP protocol by sending a large number of fragmented packets, which consume the target system's resources and cause it to become unresponsive to legitimate traffic. The attack is designed to bypass network filtering and security mechanisms by fragmenting the packets into smaller sizes, making it difficult to identify and block the attack.
  34. DNS Flood : DNS Flood is a type of DDoS attack that targets the domain name system (DNS) infrastructure by overwhelming it with a high volume of DNS queries. This attack exploits vulnerabilities in the DNS servers, causing them to become unresponsive to legitimate traffic. The attack can be launched using various techniques, such as amplification attacks, which use vulnerable DNS servers to generate a massive volume of queries, or direct attacks, which target the DNS servers directly.
  35. VoIP Flood : VoIP Flood is a type of DDoS attack that targets Voice over Internet Protocol (VoIP) networks by flooding them with a high volume of SIP (Session Initiation Protocol) requests. This attack exploits vulnerabilities in the SIP protocol by overwhelming the target system's resources with a large number of requests, causing it to become unresponsive to legitimate traffic. The attack is designed to disrupt the VoIP communication, causing delays or dropped calls.
  36. Media Data Flood : Media Data Flood Attack is a type of DDoS attack that targets multimedia streaming servers by flooding them with a high volume of media data packets. This attack exploits vulnerabilities in the server's processing capabilities by overwhelming it with a large number of requests, causing it to become unresponsive to legitimate traffic. The attack is designed to disrupt the media streaming service, causing delays, buffering or dropped connections.
  37. Direct UDP Flood : Direct UDP Flood is a type of DDoS attack that targets the transport layer of a system by flooding it with a high volume of UDP packets directly. This attack exploits vulnerabilities in the UDP protocol by sending a large number of packets, which consume the target system's resources and cause it to become unresponsive to legitimate traffic. The attack is designed to bypass network filtering and security mechanisms, making it difficult to identify and block the attack.
  38. ICMP Flood : ICMP Flood is a type of DDoS attack that targets the network layer of a system by overwhelming it with a high volume of ICMP (Internet Control Message Protocol) packets. This attack exploits vulnerabilities in the ICMP protocol by sending a large number of packets, which consume the target system's resources and cause it to become unresponsive to legitimate traffic. The attack is designed to disrupt the network communication, causing network latency, packet loss, or complete network failure.
  39. ICMP Fragmentation Flood : ICMP Fragmentation Flood is a type of DDoS attack that targets the network layer of a system by flooding it with a high volume of fragmented ICMP (Internet Control Message Protocol) packets. This attack exploits vulnerabilities in the ICMP protocol by sending a large number of fragmented packets, which consume the target system's resources and cause it to become unresponsive to legitimate traffic. The attack is designed to disrupt the network communication, causing network latency, packet loss, or complete network failure

DDoS attacks can bring significant losses to organizations in various ways, including:

  1. Downtime: DDoS attacks can cause significant downtime, making the organization's services unavailable to its customers or users. This can lead to lost revenue, damage to reputation, and customer churn.
  2. Service degradation: Even if the organization manages to keep its services up during the DDoS attack, the sheer volume of traffic can cause service degradation and slow response times, leading to frustrated customers and lost revenue.
  3. Increased costs: Organizations may need to invest in additional infrastructure, bandwidth, or security measures to mitigate the effects of a DDoS attack. This can lead to increased operational costs and reduced profitability.
  4. Data breach: In some cases, attackers may use a DDoS attack as a distraction to carry out a data breach or other security breach on the targeted organization.

Overall, DDoS attacks can cause significant disruption and financial losses to organizations, making it important for businesses to have a robust security strategy to prevent and mitigate such attacks.

Organizations suffered from DDoS attacks in recent years :

DDoS attacks can be devastating for businesses, as they can cause significant downtime and lost revenue. There have been many organizations that have suffered from DDoS attacks in recent years, causing significant financial losses and reputational damage. Here are some examples:

  1. Dyn DNS (2016): In October 2016, a massive DDoS attack targeted the DNS provider Dyn, causing widespread disruption to major websites, including Twitter, Netflix, and Spotify. The attack was carried out using a botnet of compromised IoT devices, and it is estimated to have caused tens of millions of dollars in damages.
  2. GitHub (2018): In February 2018, GitHub, a popular code-sharing platform, was targeted by a DDoS attack that peaked at 1.35 terabits per second (Tbps), making it the largest DDoS attack ever recorded at the time. The attack lasted for several days and was carried out using a technique known as memcached amplification.
  3. KrebsOnSecurity (2016): In September 2016, the cybersecurity blog KrebsOnSecurity was targeted by a massive DDoS attack that peaked at 620 gigabits per second (Gbps), making it one of the largest attacks on record at the time. The attack was carried out using a botnet of compromised IoT devices, and it is estimated to have cost the website's owner, Brian Krebs, over $100,000 in mitigation fees.
  4. Sony PlayStation Network (2014): In December 2014, the Sony PlayStation Network was targeted by a DDoS attack that caused the network to go offline for several days, affecting millions of users around the world. The attack was carried out by a group calling itself the "Lizard Squad," and it is estimated to have cost Sony millions of dollars in damages and lost revenue.
  5. Estonia (2007): In April 2007, the government of Estonia was targeted by a massive DDoS attack that disrupted the country's banking, media, and government websites for several weeks. The attack was believed to have been carried out by Russian hackers, and it is estimated to have caused millions of dollars in damages.

These are just a few examples of the many organizations that have suffered from DDoS attacks in recent years. The threat of DDoS attacks continues to grow, and organizations must take proactive measures to protect themselves from this type of cyber attack.

How Firewalls Help and their limitations :

DDoS attacks can be complex and difficult to defend against, as they can come from multiple sources and use a variety of techniques. To mitigate the risk of DDoS attacks, organizations should implement a layered defense strategy that includes network monitoring, traffic filtering, and the use of DDoS mitigation services.

Firewalls can be an effective tool in protecting against DDoS attacks, but they are not a complete solution on their own. A firewall is a network security device that monitors and filters traffic between a network and the Internet. Firewalls can help to prevent DDoS attacks in several ways:

  1. Filtering traffic: Firewalls can be configured to filter traffic based on a range of criteria, such as IP addresses, protocols, and ports. By filtering out traffic from known malicious sources or blocking traffic on suspicious ports, firewalls can help to prevent DDoS attacks from reaching their target.
  2. Rate limiting: Firewalls can be configured to limit the rate of incoming traffic from certain sources, preventing the network from becoming overwhelmed by a sudden surge in traffic. This can help to prevent some types of DDoS attacks, such as TCP SYN floods.
  3. Load balancing: Some firewalls are capable of load balancing traffic across multiple servers, distributing the traffic evenly to prevent any one server from becoming overloaded. This can help to prevent DDoS attacks that target a single server or application.
  4. Intrusion prevention: Many firewalls include intrusion prevention features that can detect and block traffic patterns associated with DDoS attacks, such as malformed packets or traffic from known botnets.

As per my experience and research, some of the firewall organizations can choose are listed below :

  1. Fortinet FortiDDoSCheck Point DDoS Protector

Cisco ASA Palo Alto Networks Next-Generation FirewallJuniper Networks SRX Series Services GatewaysSonicWall Network Security ApplianceBarracuda CloudGen FirewallWatchGuard Technologies Firebox FirewallSophos XG FirewallHuawei USG Firewall

Common Mitigations Techniques :

The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic. For example, if a product release has a company’s website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known bad actors, efforts to alleviate an attack are probably necessary. The difficulty lies it telling apart the real customer and the attack traffic.

In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed single source attacks to complex and adaptive multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways, potentially distracting mitigation efforts on any one trajectory. An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification targeting layers 3/4, coupled with a HTTP flood, targeting layer 7, is an example of multi-vector DDoS.

Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter different trajectories. Generally speaking, the more complex the attack, the more likely the traffic will be difficult to separate from normal traffic - the goal of the attacker is to blend in as much as possible, making mitigation as inefficient as possible. Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit.

Black Hole Routing

In networking, black holes refer to places in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient. One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route or blackhole and dropped from the network. If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a blackhole as a defense.

Rate Limiting

Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively. Nevertheless, rate limiting is a useful component in an effective DDoS mitigation strategy.

Web Application Firewall

A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and a origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.

Anycast Network Diffusion

This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network. Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability.

The reliability of an Anycast Network to mitigate a DDoS attack is dependent on the size of the attack and the size and efficiency of the network.

How to Protect Organization from DDoS Attacks using 3rd Party Services ?

Firewalls have limitations in terms of the amount of traffic they can process and their ability to distinguish between legitimate and malicious traffic. To provide more comprehensive protection against DDoS attacks, organizations may need to implement additional security measures, such as content delivery networks (CDNs), DDoS mitigation services, or specialized hardware appliances designed to handle large volumes of traffic. Compared to traditional firewalls, Cloudflare offers several advantages in terms of DDoS protection, Cloudflare provides a suite of cloud-based services that are specifically designed to protect websites and online applications from DDoS attacks, such as :

  1. Scalability: Cloudflare's infrastructure is built to handle large volumes of traffic, making it more effective at mitigating large-scale DDoS attacks than traditional firewalls. This is especially important for organizations that rely heavily on their online presence and cannot afford to have their websites or applications taken offline by DDoS attacks.
  2. Proactive threat detection: Cloudflare uses machine learning algorithms and other advanced techniques to detect and block DDoS attacks in real-time, before they can cause significant damage. This means that organizations can respond quickly to attacks and minimize the impact on their operations.
  3. Intelligent traffic routing: Cloudflare's network routes traffic through multiple data centers around the world, automatically redirecting traffic to the closest server based on geographic location. This helps to reduce latency and improve website performance, even during DDoS attacks.
  4. Content delivery network (CDN): Cloudflare operates a global CDN that caches static content, reducing the load on origin servers and improving website performance. This can help to prevent DDoS attacks from overwhelming origin servers and causing downtime.
  5. Cost-effectiveness: Cloudflare's services are typically less expensive than purchasing and maintaining traditional hardware-based security solutions, making it an attractive option for organizations with limited IT budgets.

Overall, Cloudflare's cloud-based approach to DDoS protection offers several advantages over traditional firewalls, including scalability, proactive threat detection, intelligent traffic routing, CDN, and cost-effectiveness. While firewalls can help to mitigate certain types of DDoS attacks, they are generally not sufficient on their own to provide comprehensive protection against all types of DDoS attacks. Here are a few reasons why:

  1. Limited capacity: Firewalls have finite capacity and can only process a limited amount of traffic at a time. This means that they may become overwhelmed in the face of a large-scale DDoS attack that generates a high volume of traffic.
  2. Inability to distinguish between legitimate and malicious traffic: Firewalls typically rely on rules-based filtering to identify and block traffic from known malicious sources. However, this approach may not be effective against newer or more sophisticated DDoS attacks that are designed to evade detection.
  3. Limited visibility: Firewalls typically operate at the network layer and may not have visibility into application-layer traffic, where many DDoS attacks occur. This means that they may not be able to detect or mitigate attacks that target specific applications or services.
  4. False positives: Firewalls may also generate false positives, blocking legitimate traffic and causing disruptions to normal operations.

Conclusion :

To provide more comprehensive protection against DDoS attacks, organizations may need to implement additional security measures such as DDoS mitigation services, content delivery networks (CDNs), specialized hardware appliances, or cloud-based DDoS protection services like Cloudflare or Akamai Technologies. These solutions are specifically designed to handle large-scale DDoS attacks and can provide more robust protection than firewalls alone.