DDoS Attack Fundamentals
DDoS (Distributed Denial of Service) attacks aim to make a target service unavailable or even disappear from the internet. They are among the most powerful and difficult attacks to defend against.
DDoS attacks can be broadly categorized into three types:
- Brute Force Attacks: Overwhelm the target with massive traffic from across the internet, saturating the network entry point and overwhelming hardware defenses. Classic examples are ICMP Flood and UDP Flood, which are less common today.
- Low-and-Slow Attacks: Use subtle, hard-to-detect methods that can cripple a server with minimal packets. These attacks exploit protocol or software vulnerabilities, such as Slowloris or Hash Collision attacks, and require specific conditions.
- Hybrid Attacks: Combine the above, using protocol/system flaws alongside high traffic volume. Examples include SYN Flood and DNS Query Flood, which are currently mainstream attack methods.
Below, we detail several representative attack methods and defense strategies.
SYN Flood
SYN Flood is a classic DDoS technique dating back to 1999. It exploits a weakness in the TCP three-way handshake to incapacitate a server with relatively low cost and high anonymity.
The standard TCP handshake process:
- Client sends a SYN packet to the server.
- Server responds with a SYN-ACK packet.
- Client sends an ACK packet to complete the connection.
If the server does not receive the final ACK (Step 3), the connection stays in the SYN_RECV state: the server retransmits the SYN-ACK and keeps resources reserved for the pending connection. When the queue of half-open (SYN_RECV) connections fills up, the server stops accepting new connections.
SYN Flood works by sending a flood of SYN packets with spoofed, non-existent source IP addresses. The server waits for non-existent replies, exhausting its connection resources and denying service to legitimate users.
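An added illustration, not from the original article, of the standard stateless mitigation: SYN cookies. Instead of holding a SYN_RECV entry, the server encodes the half-open state in the sequence number of its SYN-ACK and recovers it from the client's ACK, so a spoofed SYN that never gets an ACK consumes no backlog. The bit layout, key, MSS table and addresses below are simplified assumptions, not the exact encoding of any real TCP stack.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-secret"  # constructed; a real stack uses a random, rotating key
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values the 3-bit field can represent (assumed table)
COUNTER_BITS, MAX_AGE = 5, 2         # coarse time counter width and how many ticks a cookie stays valid

def _mac(src_ip, sport, dst_ip, dport, counter):
    """24-bit keyed MAC over the 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHB", socket.inet_aton(src_ip), sport, socket.inet_aton(dst_ip), dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src_ip, sport, dst_ip, dport, mss, counter):
    """ISN placed in the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC.
    The server stores nothing; the client's ACK must bring this value back (+1)."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    counter &= (1 << COUNTER_BITS) - 1
    return (counter << 27) | (mss_idx << 24) | _mac(src_ip, sport, dst_ip, dport, counter)

def check_syn_cookie(src_ip, sport, dst_ip, dport, ack, now_counter):
    """Validate the third packet's ACK number; returns the negotiated MSS, or None if forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    if ((now_counter - counter) & ((1 << COUNTER_BITS) - 1)) > MAX_AGE:
        return None                        # too old: cookie from a previous time window
    if (cookie & 0xFFFFFF) != _mac(src_ip, sport, dst_ip, dport, counter):
        return None                        # MAC mismatch: ACK does not belong to a SYN-ACK we sent
    return MSS_TABLE[(cookie >> 24) & 0x7]

def simulate(n_silent, counter):
    """Constructed scenario: n SYNs from sources that never reply, then one real client completing the
    handshake. Returns (half-open entries held, MSS recovered for the real client)."""
    half_open = {}                           # with cookies this table is never written for a bare SYN
    for i in range(n_silent):
        make_syn_cookie("10.%d.%d.1" % (i // 256, i % 256), 1024 + i, "203.0.113.10", 80, 1460, counter)
    isn = make_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1460, counter)
    return len(half_open), check_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, isn + 1, counter + 1)

if __name__ == "__main__":
    print(simulate(1000, 7))   # (0, 1460)
```

The price of statelessness is that options not encoded in the cookie (window scaling, SACK) are lost, which is why real stacks enable cookies only once the backlog is under pressure.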
DNS Query Flood
DNS is a core internet service and a prime DDoS target. Attacking DNS can cripple business or regional network services indirectly.
While raw UDP floods are easier to filter, DNS Query Floods over UDP are more sophisticated. Attackers use botnets to send massive volumes of DNS queries to a target. To bypass ACLs, they randomize source IPs, ports, query IDs, and domain names. Random domains also reduce DNS cache hits, maximizing CPU consumption on the server.
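An added detection example, not part of the original text: on the authoritative side, a random-domain flood shows up as a burst of distinct, never-repeated names under one zone with mostly NXDOMAIN answers. Because the attacker randomizes source addresses, the check aggregates per queried zone rather than per client. The log layout, sample lines and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "time client qname qtype rcode" layout (not any real resolver's format).
SAMPLE_LOG = """\
10:00:01 198.51.100.7 k3j9x.example.com A NXDOMAIN
10:00:01 198.51.100.8 q8mz1.example.com A NXDOMAIN
10:00:01 198.51.100.9 p0ltd.example.com A NXDOMAIN
10:00:01 198.51.100.10 vv4ra.example.com A NXDOMAIN
10:00:02 198.51.100.11 z71bq.example.com A NXDOMAIN
10:00:02 198.51.100.12 hn6ye.example.com A NXDOMAIN
10:00:02 198.51.100.13 c2wq8.example.com A NXDOMAIN
10:00:02 192.0.2.5 www.example.com A NOERROR
10:00:01 192.0.2.5 www.example.org A NOERROR
10:00:01 192.0.2.6 www.example.org A NOERROR
10:00:02 192.0.2.7 mail.example.org MX NOERROR
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def zone_of(qname, depth=2):
    """Last `depth` labels; a real deployment keys on its own authoritative zones or the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])

def analyze(log_text):
    """Per-zone counters: total queries, distinct names, NXDOMAIN answers, distinct clients."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # ignore lines that do not fit the expected layout
        _, client, qname, _, rcode = m.groups()
        z = stats[zone_of(qname)]
        z["queries"] += 1
        z["names"].add(qname.lower())
        z["clients"].add(client)
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
    return stats

def flagged_zones(log_text, min_queries=5, min_unique_ratio=0.8, min_nx_ratio=0.8):
    """Zones whose traffic is mostly never-repeated names that do not exist: the random-domain signature."""
    out = []
    for zone, s in analyze(log_text).items():
        if s["queries"] < min_queries:
            continue                         # too little traffic to judge; thresholds are assumed values
        if len(s["names"]) / s["queries"] >= min_unique_ratio and s["nxdomain"] / s["queries"] >= min_nx_ratio:
            out.append(zone)
    return sorted(out)
```

A flagged zone is a candidate for rate limiting of NXDOMAIN responses or for serving it from a minimal negative-answer path, not for blocking clients, since the sources are spoofed.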
HTTP Flood
While SYN and DNS floods have become more manageable, HTTP Floods (Layer 7 attacks) remain a major challenge due to three factors: ease of launch, difficulty of filtering, and broad impact.
Unlike other attacks requiring root-controlled bots, HTTP Floods often leverage publicly available HTTP/SOCKS proxies. Attackers scan for these proxies and use them to send legitimate-looking HTTP requests to the target.
Because the requests mimic real user traffic, they are hard to distinguish from normal activity, and filtering them aggressively risks affecting real users. The attack also creates a cascade effect, straining not just the web frontend but also backend logic, databases, and logging servers.
HTTP Flood is often called CC (Challenge Collapsar) attack, named after a well-known security company's DDoS mitigation device. Such attacks remain a challenge for all hardware defense systems.
Slow Connection Attacks
In contrast to high-volume floods, slow connection attacks are characterized by low bandwidth. A classic example is Slowloris.
HTTP requires a request header to end with an empty line, i.e. the byte sequence \r\n\r\n. Slowloris opens a connection, sends an incomplete HTTP header, and then periodically sends small amounts of data to keep the connection alive without ever completing the request. By doing this with many connections, it exhausts the server's connection pool, denying service to legitimate users.
Variants include using POST with a large Content-Length but sending the body very slowly.
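An added example, not from the original, of the server-side guard that defeats Slowloris and its slow-POST variant: an absolute deadline for completing the request header counted from connection open (not from the last byte received), a header size cap, and a per-address limit on connections still waiting for a complete header. This is the logic that request-timeout modules such as Apache's mod_reqtimeout enforce; the class, constants and sample addresses are assumptions.

```python
from collections import defaultdict

HEADER_TIMEOUT = 20.0    # seconds a client gets to finish the request header, counted from connection open
MAX_HEADER_BYTES = 8192  # cap on header size, so a slow trickle cannot also be unbounded
MAX_CONNS_PER_IP = 20    # concurrent connections per client address still waiting for a complete header

class SlowHeaderGuard:
    """Tracks partially received request headers and decides whether to keep or drop each connection.
    Assumed values above; the time source is passed in so the logic is deterministic to test."""

    def __init__(self, header_timeout=HEADER_TIMEOUT, max_header=MAX_HEADER_BYTES, max_per_ip=MAX_CONNS_PER_IP):
        self.timeout, self.max_header, self.max_per_ip = header_timeout, max_header, max_per_ip
        self.conns = {}                    # conn_id -> {"ip", "opened", "buf"}
        self.per_ip = defaultdict(int)     # ip -> connections from that address still in the header phase

    def open(self, conn_id, ip, now):
        """Accept a new connection unless this address already holds too many unfinished requests."""
        if self.per_ip[ip] >= self.max_per_ip:
            return "reject"
        self.conns[conn_id] = {"ip": ip, "opened": now, "buf": b""}
        self.per_ip[ip] += 1
        return "accept"

    def _release(self, conn_id):
        self.per_ip[self.conns.pop(conn_id)["ip"]] -= 1

    def feed(self, conn_id, data, now):
        """Called for each received chunk; returns 'complete', 'keep' or 'drop'."""
        c = self.conns.get(conn_id)
        if c is None:
            return "drop"                  # already expired or never accepted
        c["buf"] += data
        if b"\r\n\r\n" in c["buf"]:
            self._release(conn_id)         # header finished: hand the request to the normal handler
            return "complete"
        # The deadline is absolute, measured from open: trickling a few bytes does not extend it.
        if len(c["buf"]) > self.max_header or now - c["opened"] > self.timeout:
            self._release(conn_id)
            return "drop"
        return "keep"

    def sweep(self, now):
        """Periodic timer: close connections that went silent without ever finishing the header."""
        expired = [cid for cid, c in self.conns.items() if now - c["opened"] > self.timeout]
        for cid in expired:
            self._release(cid)
        return expired
```

The same two ideas (absolute deadline plus a minimum data rate) apply to the request body for the slow-POST variant.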
Advanced DDoS Techniques
Hybrid Attacks
Sophisticated attackers combine multiple methods tailored to the target environment.
- Enhanced SYN Flood: Mix SYN-ACK packets into the flood, making each spoofed SYN appear to have a corresponding client ACK. This increases the load on mitigation devices performing reverse probes and SYN cookie processing.
- DNS Query Flood Tricks: When attacking authoritative DNS, use spoofed source IPs from real global ISP DNS addresses (not random ones), putting mitigation devices in a bind over IP blacklisting. Use a mix of random and fixed domain names to bypass whitelists. Attack both UDP and TCP ports.
- Optimized HTTP Flood: Use HTTP headers to bypass frontend caches and hit the web server directly. Target endpoints commonly accessed by mobile apps (e.g., Web APIs) to make bot detection harder.
- Enhanced Slow Attacks: Use stateless techniques where clients sniff TCP sequence/ack numbers to maintain connections without the OS kernel tracking TCP state, allowing a single machine to hold many connections.
Attack timing is also critical, such as during maintenance windows, staff commuting hours, or during a target's high-traffic events.
Attacks Leveraging P2P Networks
P2P networks contain vast amounts of users and bandwidth, which can be harnessed for powerful attacks.
A basic method involves posting fake popular resources (e.g., video torrents) to search engines, luring users to download and thus directing their traffic to the target. A more advanced technique deceives the resource management server itself: by reverse-engineering the protocol, attackers can forge popular resource information and distribute it via the central tracker, rapidly propagating the attack across the entire P2P network. Once launched, such an attack can be hard to stop even by the attacker, requiring official server updates and client restarts.
Conclusion
DDoS attack methods are diverse, evolving from simple floods to sophisticated application-layer slow attacks, hybrid techniques, and P2P network exploitation. Defenders must understand these principles deeply and adopt multi-layered, dynamic protection strategies. The arms race between attack and defense continues; maintaining technical vigilance and systematic defense is key to resilience in a changing threat landscape.