Distributed Denial of Service (DDoS) attacks are unusual among cyberattacks in that they don’t require a vulnerability or the target to make an error in order to be successful. DDoS attacks are designed to take advantage of the fact that every system has a finite amount of resources.
This limit on the resources that a system has at its disposal creates bottlenecks. Certain stages in the process of receiving, processing, and storing data impose tighter limits on a system’s operations than others. Exceeding these limits causes the availability and performance of the system to be degraded for legitimate users.
DDoS attacks are designed specifically to push a system past its limits; however, not all DDoS attacks are performed in the same way, and they do not all target the same bottlenecks. The Open Systems Interconnection (OSI) model defines the layers of a computer’s communication stack, and understanding those layers helps in understanding the different types of DDoS attacks.
DDoS Attacks Target a Variety of Bottlenecks
The OSI model breaks the network stack into seven layers. These layers cover everything from bits flowing over the physical hardware (Layer 1) to how an application processes a request and sends a response (Layer 7). Each layer of the OSI model serves a particular purpose, and many of them have physical components, network protocols, or software that help them achieve it. DDoS attacks can be performed at several different layers of the OSI model.
Three examples of common types of DDoS attacks include ones that target bottlenecks in a system’s network bandwidth, TCP connection limits, and applications’ ability to process and respond to requests.
- Network Bandwidth
Every organization and every system within an organization has a finite amount of network bandwidth available to it. Network bandwidth can be constrained by several different factors, including:
- Physical limits: The capacity of the cables used to carry traffic to and from a system
- Contractual/Service limits: The maximum bandwidth provided by an organization’s Internet Service Provider (ISP) or cloud service provider (CSP)
- Infrastructural limits: The maximum throughput of the organization’s firewall, routers, and other hardware that the traffic must pass through
The simplest types of DDoS attacks target the bottlenecks in an organization’s network. By sending more data to a network or system than the network can handle, they limit the amount of legitimate traffic that can pass through. This decreases the availability and usability of the service for actual users.
- TCP Connections
The Transmission Control Protocol (TCP) is a network protocol designed to provide reliable communications. It is commonly used by protocols such as HTTP (web traffic), whose applications need to ensure that all of the data sent by one party has been received by the other.
TCP achieves its guarantees through a number of different mechanisms. One of the defining features of TCP is its connection setup handshake. Before any data can be sent over a TCP connection, the communicating parties perform a three-way handshake: the client sends a SYN packet, the server responds with a SYN/ACK, and the client confirms that the connection has been established with an ACK.
After receiving an initial SYN packet and responding with a SYN/ACK, most TCP implementations have the server hold the half-open connection for some time, waiting for the final ACK, before giving up on it. This allows the server to support clients on slow network connections.
However, DDoS attackers can also take advantage of this behaviour. Every computer can hold only a finite number of open or half-open TCP connections at a time. If an attacker can fill all of these slots with bogus requests (sending SYNs with no intention of sending the ACK or completing a connection), then the target has no connection slots left for legitimate users.
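The half-open connection pressure described above is visible in a server's own connection table. The following Python snippet is an added example, not code from the original article: it parses a snapshot in the column layout that `ss -tan` prints (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), measures how many entries for one listener are stuck in SYN-RECV, and flags the listener when those entries approach the backlog limit or dominate the table. Every address, port and count in the two snapshots is constructed.

```python
"""Spot SYN-flood symptoms in a TCP connection-table snapshot.

Added example, not from the original article. It assumes the column layout
printed by `ss -tan` (State, Recv-Q, Send-Q, Local Address:Port, Peer
Address:Port); every address, port and count below is constructed.
"""
from collections import Counter
from dataclasses import dataclass

HEADER = "State     Recv-Q Send-Q Local Address:Port Peer Address:Port"

# Constructed snapshot of a flooded HTTPS listener: a backlog of 16, three
# completed sessions, and twelve half-open (SYN-RECV) entries from twelve
# distinct peers, none of which ever sends the final ACK.
FLOODED_SNAPSHOT = "\n".join(
    [
        HEADER,
        "LISTEN    0      16     10.0.0.5:443       0.0.0.0:*",
        "ESTAB     0      0      10.0.0.5:443       198.51.100.7:51234",
        "ESTAB     0      0      10.0.0.5:443       198.51.100.8:40021",
        "ESTAB     0      0      10.0.0.5:443       198.51.100.9:40022",
    ]
    + [f"SYN-RECV  0      0      10.0.0.5:443       203.0.113.{i}:{1024 + i}"
       for i in range(10, 22)]
)

# Constructed snapshot of the same listener under normal load.
QUIET_SNAPSHOT = "\n".join(
    [
        HEADER,
        "LISTEN    0      16     10.0.0.5:443       0.0.0.0:*",
        "ESTAB     0      0      10.0.0.5:443       198.51.100.7:51234",
        "ESTAB     0      0      10.0.0.5:443       198.51.100.8:40021",
        "ESTAB     0      0      10.0.0.5:443       198.51.100.9:40022",
        "SYN-RECV  0      0      10.0.0.5:443       198.51.100.20:38844",
    ]
)


@dataclass
class Conn:
    state: str
    recv_q: int
    send_q: int
    local: str
    peer: str


def parse_ss(text):
    """Parse `ss -tan`-style output into Conn records, skipping the header line."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        conns.append(Conn(fields[0], int(fields[1]), int(fields[2]), fields[3], fields[4]))
    return conns


def listener_stats(conns, local):
    """Summarise half-open pressure on one listening socket.

    For a LISTEN entry, ss reports the accept-queue limit (the backlog) in the
    Send-Q column; that is the capacity the half-open count is measured against.
    """
    listener = next(c for c in conns if c.state == "LISTEN" and c.local == local)
    sessions = [c for c in conns if c.local == local and c.state != "LISTEN"]
    half_open = [c for c in sessions if c.state == "SYN-RECV"]
    sources = Counter(c.peer.rsplit(":", 1)[0] for c in half_open)
    return {
        "backlog": listener.send_q,
        "established": sum(c.state == "ESTAB" for c in sessions),
        "half_open": len(half_open),
        "half_open_ratio": len(half_open) / len(sessions) if sessions else 0.0,
        "half_open_sources": len(sources),
    }


def syn_flood_suspected(stats, backlog_fill=0.75, ratio=0.5):
    """Flag when half-open entries approach the backlog limit or dominate the table."""
    return (stats["half_open"] >= backlog_fill * stats["backlog"]
            or stats["half_open_ratio"] >= ratio)


if __name__ == "__main__":
    for name, snap in (("flooded", FLOODED_SNAPSHOT), ("quiet", QUIET_SNAPSHOT)):
        s = listener_stats(parse_ss(snap), "10.0.0.5:443")
        print(name, s, "-> SYN flood suspected" if syn_flood_suspected(s) else "-> normal")
```

The two thresholds are deliberately coarse: a busy listener always has a few SYN-RECV entries from slow clients, so what matters is the half-open count relative to the backlog and to completed sessions, not its absolute value. A single snapshot is a point-in-time check; in practice this is sampled repeatedly so the trend, not one reading, drives an alert.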
- Application-Layer Attacks
Not all DDoS attacks occur at the network level. Like the physical systems that they run on, applications have limits on the number of requests that they can process, whether legitimate or malicious.
These limits can arise from a variety of factors, including CPU capacity, available memory, or constraints within the application’s code itself. Whatever their cause, they can be exploited by a DDoS attacker who sends malicious or useless requests to consume the application’s resources.
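One common defence for the request-processing bottleneck described above is to give each client a budget of requests that refills at a fixed rate, so that no single client can consume the application's whole capacity. The Python snippet below is an added example, not code from the original article: a per-client token-bucket limiter replayed over a constructed request stream in which one client behaves normally and another floods the service. The choice of source IP as the client key, the bucket parameters and the request stream are all assumptions.

```python
"""Per-client token-bucket limiter for application requests.

Added example, not from the original article. The client key (source IP), the
bucket parameters and the request stream are constructed assumptions. Tokens
and time are kept as integers (milli-tokens, milliseconds) so the accounting
is exact and reproducible.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, capacity, refill_per_sec):
        self.capacity_m = capacity * 1000          # bucket size in milli-tokens
        self.refill_per_sec = refill_per_sec       # tokens/s == milli-tokens/ms
        self.tokens_m = self.capacity_m            # a new client starts with a full bucket
        self.last_ms = None

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if one is available."""
        if self.last_ms is not None:
            elapsed = max(0, now_ms - self.last_ms)  # ignore a clock that steps backwards
            self.tokens_m = min(self.capacity_m, self.tokens_m + elapsed * self.refill_per_sec)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


class RequestLimiter:
    """One bucket per client: a burst of `capacity` requests, then `refill_per_sec` sustained."""
    def __init__(self, capacity=10, refill_per_sec=2):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))

    def handle(self, client, now_ms):
        return self.buckets[client].allow(now_ms)


def run_stream(requests, limiter=None):
    """Replay (timestamp_ms, client) pairs in time order; return {client: (served, rejected)}."""
    limiter = limiter or RequestLimiter()
    outcome = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        outcome[client][0 if limiter.handle(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in outcome.items()}


def constructed_stream():
    """Constructed traffic: one client at 1 request/s and one flooding at 50 requests/s, both for 10 s."""
    legitimate = [(t * 1000, "198.51.100.7") for t in range(10)]
    flood = [(i * 20, "203.0.113.10") for i in range(500)]
    return legitimate + flood


if __name__ == "__main__":
    for client, (served, rejected) in run_stream(constructed_stream()).items():
        print(f"{client}: served={served} rejected={rejected}")
```

With the default parameters the legitimate client is never rejected, while the flooding client gets its initial burst of ten requests and is then held to the refill rate of two per second for the rest of the window. The limit is on per-client request volume, not request content, so it does nothing against a flood spread across many sources that each stay under the threshold; that gap is why the article's closing section argues for behavioural detection on top of simple rate controls.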
Achieving Comprehensive DDoS Protection
DDoS attacks come in many different shapes and sizes. An attack may target any of several layers of the OSI model, and attacks against different layers can look very different from one another. Attempts to exhaust network bandwidth involve numerous or massive packets sent to the destination. Attempts to use up a target’s available TCP connections result in a large number of half-open TCP connections. Attacks against the application layer involve realistic requests that are difficult to distinguish from legitimate traffic.
Protecting against such a wide range of DDoS attacks requires a DDoS protection solution capable of detecting and blocking even the stealthiest types of attacks. Choosing a market-leading solution, capable of detecting DDoS based on behavioral analysis rather than solely on the hallmarks of network-level attacks, is essential to ensuring the availability and usability of an organization’s online services for legitimate customers.