Protecting ourselves from DDoS attacks
23-01-2023, 13:22
What are DDoS attacks and why is it harder to defend from year to year
According to NETSCOUT's Active Threat Level Analysis System (ATLAS), our partner's threat intelligence platform, the first half of 2020, at the height of the pandemic, saw the largest number of attacks ever recorded: 4.83 million DDoS attacks, 15% more than in the same period of 2019. Between March and June alone the frequency of attacks rose by 25%.
At the same time, the number of single-vector attacks in the first half of 2020 fell by 43% compared with the same period of the previous year, while the number of complex multi-vector attacks (15 or more vectors) grew by 126% over the year and by 2851% since 2017.
Repelling DDoS attacks is therefore getting harder. The vast majority of attacks last an hour or less, and almost a quarter last under five minutes, so a company needs protection that detects and mitigates an attack almost instantly, before damage is done.
In this article we look at the categories of DDoS attacks and the danger each of them poses.
Categories of DDoS attacks and their danger
The complexity and type of a DDoS attack depend on which part of the network stack the attacker targets. A network connection is built of layers (per the OSI model), and a DDoS attack can be aimed at any of them:
L7 (application layer) is where user applications talk to the network, for example a browser fetching pages over HTTP.
L6 (presentation layer) handles how data is represented: character encoding and decoding (ASCII, EBCDIC) and compression; TLS encryption is commonly placed at this layer as well.
L5 (session layer) establishes, maintains and tears down sessions so that applications can keep a dialogue going over time (NetBIOS session service and RPC are the usual textbook examples).
L4 (transport layer) carries data end to end between sender and receiver; its main protocols are TCP, which guarantees delivery, and UDP, which does not.
L3 (network layer) is responsible for logical addressing and routing between networks; on the Internet this is IP (Internet Protocol).
L2 (data link layer) moves frames between directly connected nodes on a single link; switches operate at this layer (hubs are purely physical-layer repeaters).
L1 (physical layer) defines how bits are physically transmitted from one device to another over the medium: the electrical, radio or optical signalling of Ethernet, Wi-Fi, Bluetooth or IrDA.
Any of the seven layers can be attacked, but the usual targets are L3 and L4 (low-level attacks) and L5 and L7 (high-level attacks).
DDoS attacks are often mixed, but three categories can be distinguished:
application-level attacks;
protocol-level attacks;
volume attacks.
Let's look at each category with examples of attacks.
Application-level attacks
Application-level attacks are particularly destructive and hard to detect because they can mimic legitimate traffic. They aim to overload components of the application server infrastructure and take them out of service. At this layer the attacker uses resource-intensive calls and the interactions between application components, effectively provoking the system into attacking itself.
BGP hijacking targets the Border Gateway Protocol, which autonomous systems use to exchange routing information. By announcing routes for IP prefixes it does not own, the attacker diverts Internet traffic to an unintended destination. Strictly speaking this is a routing attack rather than a flood, but the effect on availability is the same: traffic to the victim never arrives.
The Slowloris attack (a session attack) opens as many simultaneous HTTP connections to the server as possible and keeps each one alive for as long as possible, for example by sending another partial request header line just before the server's timeout expires. The server's connection pool fills up, it slows down, and requests from real users are dropped.
A slow POST attack sends a correctly formed HTTP POST header with a large declared Content-Length, but then transmits the body at a very low rate, a few bytes at a time; when a connection is finally closed, a new one is opened in its place. Because the header is valid, the server accepts the request and waits for the rest of the body. Many such connections are opened in parallel, each tying up server resources.
A slow read attack is the same idea in the opposite direction: instead of sending the request slowly, the client reads the server's response very slowly, typically by advertising a tiny TCP receive window. The server has to keep the connection and its response buffers open until the client has drained them, which raises the load.
Low-and-slow attacks in general rely on a thin stream of very slow traffic. The attacker gradually exhausts the server's connection capacity, so that new connections from real users are refused. They need very little bandwidth and are hard to prevent, because the traffic looks like that of real, if sluggish, users.
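The three slow-connection techniques above (Slowloris, slow POST, slow read) share one observable: a connection that has been open for a long time while the request or response makes almost no progress. Below is an added example, not code from the article or from any of the vendors named in it, of detection logic that a reverse proxy or load balancer operator could run over its connection table. The Conn fields, the thresholds and the sample connection records are all constructed for this illustration; what matters is the per-client aggregation, since one genuinely slow mobile client looks the same as an attacker until you count how many such connections one IP is holding.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One open client connection as a reverse proxy could report it.
    The field names are assumptions made for this example."""
    client_ip: str
    age_s: float            # seconds since the TCP connection was accepted
    header_complete: bool   # has the request header block ended with CRLF CRLF?
    content_length: int     # declared Content-Length of the request body (0 if none)
    body_received: int      # request body bytes received so far
    response_sent: int      # response bytes the client has acknowledged so far
    response_total: int     # total response bytes the server wants to send (0 if none yet)


HEADER_TIMEOUT_S = 10.0     # real clients finish the header block in well under 10 s
MIN_BODY_RATE_BPS = 100.0   # a body arriving slower than this is not a real upload
MIN_READ_RATE_BPS = 100.0   # a response drained slower than this is a slow-read client


def classify(c: Conn) -> str:
    """Return 'slowloris', 'slow_post', 'slow_read' or 'ok' for one connection."""
    if not c.header_complete:
        # Slowloris: the header never ends; a partial header line keeps the socket alive
        return "slowloris" if c.age_s > HEADER_TIMEOUT_S else "ok"
    rate_divisor = c.age_s if c.age_s > 0 else 1.0
    if c.content_length and c.body_received < c.content_length:
        # Slow POST: valid header, huge Content-Length, body trickling in byte by byte
        return "slow_post" if c.body_received / rate_divisor < MIN_BODY_RATE_BPS else "ok"
    if c.response_total and c.response_sent < c.response_total:
        # Slow read: the client drains our response so slowly that buffers stay pinned
        return "slow_read" if c.response_sent / rate_divisor < MIN_READ_RATE_BPS else "ok"
    return "ok"


def suspicious_clients(conns, per_ip_limit: int = 20) -> dict:
    """Aggregate per client IP. A low-and-slow attacker shows many concurrent
    connections stuck in the same slow state; a single slow mobile client does not.
    Returns {ip: {state: count}} for IPs holding per_ip_limit or more slow connections."""
    by_ip = defaultdict(Counter)
    for c in conns:
        state = classify(c)
        if state != "ok":
            by_ip[c.client_ip][state] += 1
    return {ip: dict(cnt) for ip, cnt in by_ip.items() if sum(cnt.values()) >= per_ip_limit}


def build_sample() -> list:
    """Constructed connection table: one Slowloris client, one slow-POST client,
    one genuine large upload and one connection whose header is simply still arriving."""
    return (
        [Conn("203.0.113.7", 95.0, False, 0, 0, 0, 0) for _ in range(30)]
        + [Conn("198.51.100.2", 40.0, True, 5_000_000, 2_000_000, 0, 0)]   # 50 kB/s upload, fine
        + [Conn("203.0.113.9", 120.0, True, 1_000_000, 600, 0, 0) for _ in range(25)]  # 5 B/s body
        + [Conn("192.0.2.5", 3.0, False, 0, 0, 0, 0)]                        # 3 s old, still ok
    )


if __name__ == "__main__":
    for ip, states in suspicious_clients(build_sample()).items():
        print(ip, states)   # 203.0.113.7 {'slowloris': 30} and 203.0.113.9 {'slow_post': 25}
```

In production the same signals are enforced by the web server's own timeouts (header, body and send timeouts, plus a per-IP connection cap) rather than by a script; the value of counting per client is that it lets you keep those timeouts generous for legitimate users and still cut off a host that is holding dozens of stalled connections.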
A POST attack with a large payload (an XML bomb) exploits the Extensible Markup Language (XML). The attacker sends a small XML document whose entity definitions reference one another, so that when the server parses it the document expands to many times its size on the wire and fills the server's memory.
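The defence against expansion payloads is to measure the expansion before the real parser allocates it. The following added example (not from the article) is a pre-parse guard: it reads the internal entity declarations, computes how large the body would become after substitution without ever building that string, and rejects documents whose expansion ratio or absolute expanded size is absurd. The regex only handles the simple <!ENTITY name "value"> form that these payloads use, the thresholds are assumptions, and build_bomb constructs the sample payload.

```python
import re

# Only the simple internal-entity form <!ENTITY name "value"> is handled: that is the
# form entity-expansion payloads use. This is a pre-parse guard, not a DTD parser.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def expanded_size(doc: str, max_depth: int = 32) -> int:
    """Byte length of the document body after recursive entity substitution,
    computed without building the expanded string (which is exactly the
    allocation the attack is trying to provoke)."""
    defs = dict(ENTITY_DECL.findall(doc))
    memo: dict = {}

    def size_of(text: str, depth: int) -> int:
        if depth > max_depth:
            raise ValueError("entity nesting too deep (recursive definition?)")
        total, last = 0, 0
        for m in ENTITY_REF.finditer(text):
            total += m.start() - last
            name = m.group(1)
            if name in defs:
                if name not in memo:
                    memo[name] = size_of(defs[name], depth + 1)
                total += memo[name]
            else:
                total += len(m.group(0))  # predefined/unknown entity such as &amp; stays as-is
            last = m.end()
        return total + len(text) - last

    end_of_dtd = doc.find("]>")
    body = doc[end_of_dtd + 2:] if end_of_dtd != -1 else doc
    return size_of(body, 0)


def accept_xml(doc: str, max_ratio: float = 10.0, max_expanded: int = 1_000_000) -> bool:
    """Run before the real parser: a document that is small on the wire but
    huge after expansion is the signature of this attack, so reject it."""
    try:
        size = expanded_size(doc)
    except ValueError:
        return False
    return size <= max_expanded and size / max(len(doc), 1) <= max_ratio


def build_bomb(levels: int = 4, fanout: int = 10) -> str:
    """Constructed 'billion laughs' style payload: each entity references the
    previous one `fanout` times, so the body expands by fanout**levels."""
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        ref = f"&lol{i - 1};"
        ents.append(f'<!ENTITY lol{i} "{ref * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE bomb [\n' + "\n".join(ents)
            + f"\n]>\n<bomb>&lol{levels};</bomb>")


if __name__ == "__main__":
    bomb = build_bomb()
    print(len(bomb), "bytes on the wire ->", expanded_size(bomb), "bytes after expansion")
    print("accept:", accept_xml(bomb), accept_xml("<order><qty>1 &amp; 2</qty></order>"))
```

With four levels and a fan-out of ten the constructed document is under 400 bytes on the wire and over 30 kB after expansion; at the default ten levels of the real payload the ratio runs into the billions. Where you control the parser, the simpler fix is to disable DTD and entity resolution altogether (for example lxml's XMLParser(resolve_entities=False), or the defusedxml wrappers in Python), and keep a guard like this for parsers you cannot configure.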
Page-view imitation. This type of DDoS attack mimics the behaviour of real users on the application's pages. The result is a sharp rise in apparent visitors, and separating legitimate traffic from botnet traffic becomes much harder.
Protocol-level attacks
Protocol-level attacks consume server or network hardware resources (connection tables, firewall and load-balancer state). The attacker's goal is to make the server unable to process packets from real users by flooding it with malicious ones.
A SYN flood abuses the TCP three-way handshake (SYN, SYN-ACK, ACK). The attacker sends SYN requests; the server replies with SYN-ACK and allocates a half-open connection while it waits for the client's ACK, but the attacker's hosts never send it (often the SYN source addresses are spoofed, so the SYN-ACK goes to a host that never asked for it). Enough such requests fill the server's backlog of half-open connections, and new legitimate connections are refused or the server becomes unavailable.
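The standard mitigation for exactly this exhaustion is the SYN cookie: rather than allocating a half-open entry for every SYN, the server encodes a verifiable token in the initial sequence number of its SYN-ACK and allocates state only when an ACK comes back carrying that token plus one. The block below is an added, simplified illustration in the Linux-style 32-bit layout, not code from the article or any kernel; the secret key, the packet dictionaries and the spoofed flood in demo() are constructed for the example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)              # per-boot secret; a real stack rotates it
MSS_TABLE = (536, 1300, 1440, 1460)  # two cookie bits encode the client's MSS


def _mac(saddr, daddr, sport, dport, t, client_isn) -> int:
    """24-bit keyed MAC over the 4-tuple, the time counter and the client's ISN."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}|{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0xFFFFFF


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now_s) -> int:
    """Server ISN for the SYN-ACK: 5-bit time | 2-bit MSS index | 24-bit MAC (one bit spare)."""
    t = (now_s // 64) & 0x1F               # 64-second ticks, wraps every ~34 min
    m = 0
    for i, v in enumerate(MSS_TABLE):      # largest table MSS not above the client's
        if v <= mss:
            m = i
    return ((t << 27) | (m << 24) | _mac(saddr, daddr, sport, dport, t, client_isn)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, ack, now_s):
    """Validate the handshake-completing ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF        # the client acknowledges our ISN + 1
    t = cookie >> 27
    m = (cookie >> 24) & 0x3
    age_ticks = (((now_s // 64) & 0x1F) - t) & 0x1F
    if age_ticks > 1:                      # more than ~2 minutes old: reject
        return None
    if (cookie & 0xFFFFFF) != _mac(saddr, daddr, sport, dport, t, client_isn):
        return None
    return MSS_TABLE[m]


def handle_syn(pkt: dict, now_s: int) -> int:
    """Answer a SYN with a SYN-ACK whose ISN is the cookie. No table entry is created."""
    return make_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                       pkt["seq"], pkt["mss"], now_s)


def handle_ack(pkt: dict, now_s: int, established: dict) -> bool:
    """Allocate connection state only once the cookie in the ACK checks out."""
    mss = check_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                       pkt["seq"] - 1, pkt["ack"], now_s)   # the ACK's seq is client ISN + 1
    if mss is None:
        return False
    established[(pkt["src"], pkt["sport"])] = mss
    return True


def demo(n_spoofed: int = 10_000, now_s: int = 1_000_000) -> tuple:
    """Constructed flood of spoofed SYNs followed by one real client.
    Returns (entries tracked during the flood, entries after the real ACK)."""
    established = {}
    for i in range(n_spoofed):              # spoofed sources never complete the handshake
        syn = {"src": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "dst": "192.0.2.10",
               "sport": 1024 + i % 60000, "dport": 443, "seq": (i * 7919) & 0xFFFFFFFF, "mss": 1460}
        handle_syn(syn, now_s)
    during_flood = len(established)
    syn = {"src": "198.51.100.2", "dst": "192.0.2.10", "sport": 40000, "dport": 443,
           "seq": 12345, "mss": 1460}
    isn = handle_syn(syn, now_s)
    ack = {**syn, "seq": syn["seq"] + 1, "ack": (isn + 1) & 0xFFFFFFFF}
    handle_ack(ack, now_s + 5, established)
    return during_flood, len(established)   # (0, 1): nothing stored until a real ACK arrives
```

The cost of cookies is that TCP options not encoded in the 32 bits (window scaling, SACK) are lost unless the stack can recover them from the timestamp option, which is why Linux only falls back to cookies once the backlog is full (net.ipv4.tcp_syncookies=1) rather than using them for every connection.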
The fragmented packet attack (Teardrop) abuses IP fragment reassembly. The attacker sends many fragmented packets whose fragment offsets are manipulated so that the fragments overlap when the victim tries to reassemble them. On a system with a faulty reassembly implementation the overlap triggers an error and crashes the system.
A Smurf attack sends ICMP echo requests to a network's broadcast address with the source address forged to be the victim's. Every device on that network that answers the broadcast replies to the victim, so a single forged request is amplified into many responses that flood the victim's link.
Volume attacks
Volume attacks aim to exceed the bandwidth of the victim's link. Their power is measured in bits per second. The most effective defence is scrubbing the traffic upstream, for example at the telecom operator. Our service, Internet Umbrella, provides DDoS protection with a capacity of up to 5 Tbit/s for coarse scrubbing and up to 300 Gbit/s for fine scrubbing.
An HTTP flood overloads the server with a huge number of HTTP requests, for example for heavy site elements. The requests are chosen so that the responses are as large as possible, and the return channel from the server to its clients is saturated with HTTP response traffic.
An ICMP flood sends a large number of ICMP packets (typically echo requests) from many IP addresses. The server has to process and answer every one of them, and the stream of requests by itself saturates the inbound channel.
A UDP flood sends a large number of UDP packets from many addresses to random ports on the server. For each packet to a closed port the server checks for a listening application and replies with an ICMP Destination Unreachable message, and the sheer volume fills the entire link.
A DNS amplification attack sends many small DNS queries to open resolvers with the source address forged to be the victim's. The queries are chosen to produce large responses (historically ANY queries), which the resolvers send to the victim, multiplying the attacker's bandwidth many times over.
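Volume attacks are normally spotted in flow telemetry (NetFlow/sFlow from the edge routers) rather than on the server, and the two signals that matter for the floods above are asymmetry and rate: a reflection victim receives far more bytes from a service port than it ever sent to that service, and an ICMP flood shows up as packets per second far above anything a host legitimately answers. The example below is added here and is not code from the article or from NETSCOUT/Arbor; the Flow fields, the thresholds and the 60-second sample window are constructed for the illustration, and it generalises the DNS case to the other UDP services commonly used as reflectors.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One aggregated flow record (NetFlow/sFlow style). Field names are assumptions."""
    src: str
    dst: str
    proto: str      # "UDP", "TCP" or "ICMP"
    sport: int
    dport: int
    bytes: int
    packets: int


# UDP services commonly abused as reflectors, keyed by their well-known port
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """How many bytes reach the victim per byte the attacker sends."""
    return response_bytes / request_bytes


def reflection_victims(flows, min_ratio: float = 10.0, min_bytes: int = 1_000_000) -> dict:
    """Per (host, service): bytes received from the service port versus bytes the host
    itself sent to that service. A host that sent 140 bytes of DNS queries and received
    1.5 MB of DNS answers is the target of a reflection attack.
    Returns {(host, service): ratio} for the hosts that cross both thresholds."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.sport in REFLECTOR_PORTS:
            received[(f.dst, REFLECTOR_PORTS[f.sport])] += f.bytes
        if f.dport in REFLECTOR_PORTS:
            sent[(f.src, REFLECTOR_PORTS[f.dport])] += f.bytes
    victims = {}
    for key, recv in received.items():
        ratio = recv / max(sent.get(key, 0), 1)
        if recv >= min_bytes and ratio >= min_ratio:
            victims[key] = round(ratio, 1)
    return victims


def icmp_flood_victims(flows, window_s: float, pps_threshold: float = 10_000.0) -> dict:
    """Hosts receiving ICMP above pps_threshold packets per second over the window."""
    per_dst = defaultdict(int)
    for f in flows:
        if f.proto == "ICMP":
            per_dst[f.dst] += f.packets
    return {d: n / window_s for d, n in per_dst.items() if n / window_s >= pps_threshold}


def build_sample() -> list:
    """Constructed 60-second flow window: 192.0.2.10 is hit by DNS reflection and an ICMP
    flood; 192.0.2.20 is an ordinary client doing its own DNS lookups and a few pings."""
    victim, normal = "192.0.2.10", "192.0.2.20"
    flows = [Flow(f"203.0.113.{i % 250 + 1}", victim, "UDP", 53, 30000 + i, 3000, 1)
             for i in range(500)]                                # 500 x 3 kB answers
    flows += [Flow(victim, "198.51.100.53", "UDP", 40000 + i, 53, 70, 1) for i in range(2)]
    flows += [Flow(f"203.0.113.{i % 250 + 1}", victim, "ICMP", 0, 0, 84 * 400_000, 400_000)
              for i in range(2)]                                 # 800k echo requests
    flows += [Flow(normal, "198.51.100.53", "UDP", 50000 + i, 53, 60, 1) for i in range(100)]
    flows += [Flow("198.51.100.53", normal, "UDP", 53, 50000 + i, 150, 1) for i in range(100)]
    flows += [Flow("198.51.100.7", normal, "ICMP", 0, 0, 84 * 60, 60)]
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print("60 B query -> 3 kB answer, factor:", amplification_factor(60, 3000))
    print("reflection victims:", reflection_victims(sample))
    print("ICMP flood victims:", icmp_flood_victims(sample, window_s=60))
```

The ratio test is what separates a victim from a busy resolver client: the ordinary host in the sample receives 2.5 bytes of DNS for every byte it sends and is never flagged, while the victim receives more than ten thousand. Because the source addresses in a reflection attack are those of real resolvers, blocking by source is useless; the actionable response is to rate-limit or divert inbound traffic from the reflector port towards the flagged host, and to make sure your own resolvers are not open to the Internet.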
It becomes more difficult to defend yourself
In the first half of 2020 the average attack duration fell by 51% compared with the first half of 2019. Shorter attacks cost the attacker fewer resources and leave security specialists less time to respond to the incident.
At the same time, the number of multi-vector attacks (15 or more vectors) grew by 2851% compared with 2017. Three years earlier such attacks were considered statistical outliers among all incidents.
DDoS attacks have become shorter and more complex, leaving security teams less time and fewer resources to repel them. This is why advanced, automated DDoS protection needs to be deployed now rather than later.
For example, NETSCOUT, our partner and the vendor of the Arbor Networks DDoS protection solutions, supplies continuously updated threat intelligence on DDoS attacks from around the world. Thanks to the automatic delivery of these updates and the tuning of the protection by our SOC, we can quickly repel new threats from botnets and malware.
Sources:
https://www.netscout.com/blog
https://orangecyberdefense.com
Justinas Mazura, What is a DDoS attack?, https://cybernews.com/