DDoS Attacks: A Closer Look, Part 1

DDoS Attacks: A Closer Look, Part 1

abril 20, 2016 | NSFOCUS

Track:  Technical

Author: Martin Stone, Principal Sales Engineer, NSFOCUS

DDoS Attacks

If you’ve ever seen portrayals of DDoS attacks in TV and movies, they might seem like scary, mysterious attacks, launched by elite hackers, against which there is no protection. Nothing could be farther from the truth.  DDoS is one of the simplest and easiest ways to attack an online system, within reach of almost anyone with a little information and a little money. Fortunately, these attacks are also easy to defend against if you’re prepared and have the right equipment in place. Here are a few of the most popular DDoS attacks that have evolved over time and are still in use today:


Simple floods: Fill the pipe

The oldest and simplest form of DDoS attack is a flood: Simply send enough packets to the victim to saturate their network connection, so that legitimate traffic can’t get through. The packets themselves can be ICMP, UDP, TCP or a mixture.

In a simple flood, if the victim has 10 Gbit/s capacity and the attacker wants to saturate their pipe, the attacker needs to have at least 10 Gbit/s capacity as well in order to succeed. Therefore, a simple flood against a well-connected target would need to use a large collection of compromised systems (a botnet) in order to send enough packets to overwhelm the victim’s capacity. The more capacity the victim has, the more systems the attacker will need to execute the attack, and the more money the attacker will need to pay to the botnet operator. But, there’s a more efficient way.


Reflected/Amplified Floods: Trick others into filling the pipe

Instead of directly sending packets to the victim, an attacker can send forged requests to a large number of computers, using IP address spoofing to make it look like the requests are coming from the victim. When these computers reply to the forged address, the replies will flood the victim. Many protocols can be used for this approach; the only requirement is that they send a large response to a relatively small request.

The ratio of the size of the response to the size of the request is called the amplification factor. DNS, for example, can have an amplification factor of over 100, meaning that for every byte an attacker sends, a vulnerable DNS server could respond with a message over 100 bytes in length. With an amplification factor of 100, an attacker can overwhelm a 10 Gbit/s network using only 100 Mbit/s of their own network bandwidth — a big improvement in efficiency!

In the end, though, a reflected/amplified flood attack is still just a flood. The principle behind these attacks is to exhaust the victim’s resources. The resource that’s being exhausted in flood attacks is network capacity. But, there are other resources that are more limited and could more easily be exhausted.

In part 2 of this post we will discuss some of the more subtle and clever ways in which attackers deny service to legitimate users.


Martin Stone is a principal engineer with NSFOCUS IBD. With over 20 years’ experience in a wide range of technology disciplines from software development to network engineering. Martin has spent his career helping customers in every industry develop and deploy the right technology solutions for their needs.