Mitigate Protocol Attacks
Protocol DDoS attacks exploit specific weaknesses in network protocols to disrupt services. Common examples include:
SYN Flood: Attackers send a flood of SYN requests to a target server but do not complete the handshake, leaving connections half-open and consuming server resources.
ICMP Flood: Attackers overwhelm a target with ICMP Echo Request (ping) packets, drastically slowing down or halting the network.
Ping of Death: Attackers send malicious pings with packets that exceed the maximum allowable size, causing the target system to freeze or crash.
Fraggle Attack: Similar to a Smurf attack but uses UDP (User Datagram Protocol) instead of ICMP, sending UDP echo packets to broadcast addresses.
NTP Amplification: Exploits Network Time Protocol (NTP) servers by sending small requests that result in large responses to the target, amplifying the attack traffic.
DNS Amplification: Uses DNS servers to amplify the attack by sending DNS queries that result in large responses to the target.
Each of these attacks aims to exhaust the target’s server resources or bandwidth, rendering the service unstable or unavailable.
Types of L3/L4 DDoS Attacks
Now let's examine several of the most commonly used types of L3/L4 DDoS attacks. It's worth noting that these basic attacks are often not used in isolation but complement each other. Therefore, in practice, a combination of these attacks is usually deployed.
IP Fragmented Flood Attack: This attack abuses the IP fragmentation mechanism, in which packets are broken into smaller pieces by the sender to accommodate network transmission limits and then reassembled by the recipient. An attacker sends large amounts of fragmented packets, hoping to exhaust the target's ability to process and reassemble them.
DNS Amplification Attack: Although DNS itself belongs to the application layer (L7) of the OSI model, DNS amplification is actually an L3 DDoS attack. Attackers send a large number of queries to DNS servers so that the responses are delivered to the target system. These responses carry far more data than the queries, overwhelming the target's network layer equipment.
ICMP Flood Attack: Also known as a ping flood, this type of DDoS attack uses large volumes of bogus ICMP echo requests (pings) to which the target has to respond with echo replies, in an attempt to overwhelm both the incoming and outgoing channels of the network.
TCP Flood Attack: An attack that aims to flood the target with TCP connection requests, overwhelming the target's ability to handle legitimate connections. The attacker's goal is to exhaust the target system's resources, resulting in service disruptions.
SYN Flood Attack: An attack that exploits the TCP handshake process: an attacker rapidly initiates a succession of connection attempts to a server by sending SYN (synchronise) requests from spoofed sources. These connections are never finalized with ACK (acknowledge) requests, leaving the target with half-open connections, consuming its resources and eventually leading to service unavailability. Related attack types include the SYN-ACK flood and the ACK flood.
UDP Flood Attack: An attacker sends a massive number of UDP packets to random ports on the target server. Upon receiving these packets, the target system must check for an application listening on each port. After finding none, it then has to respond with an ICMP Destination Unreachable packet. This process consumes the target's resources and leads to network congestion.
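The attack descriptions in both lists above each name a traffic signature a defender can look for: SYN segments that never get a completing ACK, UDP packets fanning out across many ports answered by ICMP Destination Unreachable, a burst of echo requests, oversized fragments, unsolicited large replies from DNS or NTP service ports, and fragment groups whose final piece never arrives. The following is an added example (not code from the original page) that turns those signatures into simple detection rules and runs them over a constructed packet sample. The Pkt record, the detect() function, all thresholds, and the sample addresses are assumptions made for the illustration; a real deployment would feed it flow or packet summaries from a capture tool and tune the thresholds to the link's normal rates.

```python
# Added example: rule-based detection of the L3/L4 protocol attacks described
# above, run over constructed packet summaries. Hypothetical code, not from the
# original page; field names, thresholds and sample addresses are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_IPV4_DATAGRAM = 65535            # largest reassembled IPv4 datagram the header can express
AMPLIFIER_PORTS = {53: "dns", 123: "ntp"}   # services whose replies dwarf their queries


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    length: int                      # bytes carried after the IP header
    sport: int = 0
    dport: int = 0
    flags: str = ""                  # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: Optional[int] = None  # 8 = echo request, 3 = destination unreachable
    frag_id: int = 0
    frag_off: int = 0                # IP fragment offset in 8-byte units
    more_frags: bool = False


def detect(packets: List[Pkt], syn_threshold=50, port_threshold=100, icmp_threshold=100,
           frag_threshold=30, amp_ratio=10.0, amp_min_bytes=2000) -> List[Tuple[str, str, str]]:
    """Return (attack_kind, target, detail) findings for the traffic sample."""
    pending_syn = defaultdict(set)   # dst -> sources with an unanswered SYN
    completed = defaultdict(set)     # dst -> sources that sent the handshake's final ACK
    udp_ports = defaultdict(set)     # (src, dst) -> distinct destination ports hit
    unreachables = defaultdict(int)  # (victim, flooder) -> ICMP type 3 replies sent back
    echo_requests = defaultdict(int) # dst -> ICMP echo requests received
    amp_req = defaultdict(int)       # (client, service port) -> query bytes the client sent
    amp_resp = defaultdict(int)      # (client, service port) -> reply bytes the client received
    frag_groups = defaultdict(lambda: [0, False])  # (src, dst, id) -> [fragments seen, last seen]
    findings = []

    for p in packets:
        # Ping of Death: this fragment would land beyond the 65535-byte limit on reassembly
        if p.frag_off * 8 + p.length > MAX_IPV4_DATAGRAM:
            findings.append(("ping_of_death", p.dst, f"oversized fragment from {p.src}"))
        if p.more_frags or p.frag_off:
            g = frag_groups[(p.src, p.dst, p.frag_id)]
            g[0] += 1
            if not p.more_frags:
                g[1] = True          # final fragment arrived, so the group can be reassembled
        if p.proto == "tcp":
            if p.flags == "S":
                pending_syn[p.dst].add(p.src)
            elif p.flags == "A" and p.src in pending_syn[p.dst]:
                completed[p.dst].add(p.src)
        elif p.proto == "udp":
            udp_ports[(p.src, p.dst)].add(p.dport)
            if p.dport in AMPLIFIER_PORTS:
                amp_req[(p.src, p.dport)] += p.length
            if p.sport in AMPLIFIER_PORTS:
                amp_resp[(p.dst, p.sport)] += p.length
        elif p.proto == "icmp":
            if p.icmp_type == 8:
                echo_requests[p.dst] += 1
            elif p.icmp_type == 3:
                unreachables[(p.src, p.dst)] += 1

    for dst, srcs in pending_syn.items():          # SYN flood: many sources left half-open
        half_open = srcs - completed[dst]
        if len(half_open) >= syn_threshold:
            findings.append(("syn_flood", dst, f"{len(half_open)} half-open sources"))
    for (src, dst), ports in udp_ports.items():    # UDP flood: port fan-out or unreachable storm
        if len(ports) >= port_threshold or unreachables[(dst, src)] >= port_threshold:
            findings.append(("udp_flood", dst, f"{len(ports)} ports probed by {src}"))
    for dst, n in echo_requests.items():           # ICMP flood: echo request burst
        if n >= icmp_threshold:
            findings.append(("icmp_flood", dst, f"{n} echo requests"))
    for (client, port), resp_bytes in amp_resp.items():   # amplification: replies >> queries
        req_bytes = amp_req[(client, port)]
        if resp_bytes >= amp_min_bytes and resp_bytes > amp_ratio * max(req_bytes, 1):
            findings.append((f"{AMPLIFIER_PORTS[port]}_amplification", client,
                             f"{resp_bytes}B of replies for {req_bytes}B of queries"))
    incomplete = defaultdict(int)                  # fragment flood: groups that never complete
    for (_, dst, _), (_, done) in frag_groups.items():
        if not done:
            incomplete[dst] += 1
    for dst, n in incomplete.items():
        if n >= frag_threshold:
            findings.append(("ip_fragment_flood", dst, f"{n} never-completed fragment groups"))
    return findings


def sample_traffic() -> List[Pkt]:
    """Constructed sample: one victim (192.0.2.10) seeing every attack type plus normal traffic."""
    v = "192.0.2.10"
    pk = []
    for i in range(5):                             # five legitimate three-way handshakes
        c = f"198.51.100.{i}"
        pk += [Pkt(c, v, "tcp", 0, 40000 + i, 443, "S"), Pkt(v, c, "tcp", 0, 443, 40000 + i, "SA"),
               Pkt(c, v, "tcp", 0, 40000 + i, 443, "A")]
    pk += [Pkt(f"10.{i // 256}.{i % 256}.1", v, "tcp", 0, 1024 + i, 80, "S") for i in range(60)]
    for i in range(120):                           # UDP to random ports, victim answers unreachable
        pk += [Pkt("203.0.113.9", v, "udp", 20, 5000, 20000 + i * 7),
               Pkt(v, "203.0.113.9", "icmp", 28, icmp_type=3)]
    pk += [Pkt("203.0.113.9", v, "icmp", 56, icmp_type=8) for _ in range(200)]
    pk += [Pkt("198.51.100.53", v, "udp", 3000, 53, 33000) for _ in range(3)]   # unsolicited DNS replies
    pk.append(Pkt("203.0.113.9", v, "icmp", 100, icmp_type=8, frag_id=7777, frag_off=8190))
    pk += [Pkt("203.0.113.9", v, "udp", 1400, frag_id=i, more_frags=True) for i in range(40)]
    return pk


if __name__ == "__main__":
    for kind, target, detail in detect(sample_traffic()):
        print(f"{kind:22s} {target:12s} {detail}")
```

The rules deliberately key on relationships rather than raw volume: a SYN counts against a destination only while no ACK from the same source has followed, and a DNS or NTP reply counts as amplification only in proportion to the query bytes that client actually sent, which keeps a busy but legitimate resolver client from tripping the rule.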