FAQs

What is a Syn Flood? (AT-1)

During a SYN flood, a victim server receives spoofed SYN requests at a high packet rate that contain fake source IP addresses. The SYN flood overwhelms the victim server by depleting its system resources (connection table memory) normally used to store and process these incoming packets, resulting in performance degradation or a complete server shutdown. A well-crafted SYN flood often fools deep-packet inspection filtering techniques.

Are SYN-Cookie defenses effective against Syn flood DDoS?

No, a SYN-Cookie defense is generally not a best practice for defending against DDoS floods. It can be used to defend against large-scale SYN floods, but this requires all servers to support this capability and requires a vast amount of resources to defend. Normal clients generate a SYN packet (64 bytes) to request a new session from a host server. As the TCP three-way communication handshake is created, the host will track and allocate each of the client's sessions until the session is closed. This quickly creates a burden that makes SYN-Cookie defenses difficult and costly to scale large enough to be effective.

What is a SYN-ACK Flood? (AT-2)

A SYN-ACK flood occurs when host servers generate SYN-ACK packets in response to incoming SYN requests from clients. During a SYN-ACK flood, the victim server receives spoofed SYN-ACK packets at a high packet rate. This flood exhausts a victim's server by depleting its system resources (memory, CPU, etc.) used to process these unexpected packets, resulting in performance degradation or a complete server shutdown.

What is an ACK and PUSH ACK Flood and how does it exhaust server resources? (AT3)

During normal traffic flow, once a TCP-SYN session is established between a host and a client, ACK or PUSH ACK packets are used to communicate information back and forth between the two until the session is closed. However, during an ACK DDoS flood, a victim receives spoofed ACK packets at a high packet rate that fail to belong to any session within the server's connection list. The ACK flood exhausts a victim's server by depleting its system resources (memory, CPU, etc.) used to match these incoming packets, resulting in performance degradation or a complete server shutdown.


How are Fragmented ACK attacks different from normal ACK floods? (AT4)

A variation of the ACK and PUSH ACK Flood, this attack uses 1500-byte packets to consume large amounts of bandwidth while generating a relatively moderate packet rate. Because routers do not reassemble fragmented packets at the IP level, these packets usually pass through routers, ACLs, firewalls, and IDS/IPS unimpeded. The packet content is usually randomized, irrelevant data. The attacker's goal is to consume all bandwidth of the victim's network. A Fragmented ACK attack will affect the performance of all servers in the victim's network.


What is an RST or FIN Flood? (AT5)

In order to close a TCP session between a client and a host, the two sides exchange RST or FIN packets to close the session using a three-way or four-way TCP communication handshake. During an RST or FIN flood, a victim server receives spoofed RST or FIN packets at a high rate that do not belong to any session within the server's connection tables. The RST or FIN flood exhausts a victim's server by depleting its system resources (memory, CPU, etc.) used to match these incoming packets, resulting in performance degradation or a

Can a firewall protect against a Synonymous IP DDoS attack? (AT6)

No, in most common cases a firewall cannot. Even a well-configured firewall that is correctly discarding these attack packets will not be able to protect against link saturation. Link saturation is the common goal of this type of DDoS attack.

How does a Synonymous IP DDoS attack work? (AT6)

A victim receives spoofed packets of any protocol at a high rate that have the victim's IP address specified as both the Source IP and the Destination IP. If a TCP Synonymous IP attack packet reaches a server, it will cause the server to send either a SYN-ACK or an ICMP "port closed" response to itself (assuming the attack uses SYN packets), depending on whether or not there is a service listening on that port. At that point, the session does not continue being created because no ACK is sent in reply to the SYN-ACK. Other TCP packets will not result in a response. UDP packets will either generate an ICMP "port closed" response (again, to itself), or no response if there is a service listening on that port. ICMP packets may generate a relevant ICMP response to itself (for example, a ping will trigger a response).

In cases where responses are generated, the resources required to create the response are wasted, possibly resulting in performance degradation or a complete server shutdown. Although the packet's Source and Destination IP are identical in a Synonymous IP attack, the payload is mostly irrelevant because the server responses, in cases where a response is generated, are primarily based on the Destination Port.
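The following is an added example, not code from the original FAQ: a stateful checker that walks a constructed packet trace and flags TCP packets that cannot belong to any tracked session (the signature of the SYN-ACK, ACK and RST/FIN floods described in AT2, AT3 and AT5) as well as packets whose source address equals the destination address (AT6). The victim address, the client address and the trace are all constructed for illustration.

```python
from collections import Counter

VICTIM = "203.0.113.10"   # hypothetical server address (documentation range)

def classify(packets):
    """Return a Counter keyed by (src_ip, reason) over a packet list.

    Each packet is (src_ip, src_port, dst_ip, dst_port, flags) with flags a
    set such as {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}.
    Sessions are keyed by the client-side 4-tuple. Teardown is simplified:
    a session is evicted on RST only (a real stack uses TIME_WAIT timers).
    """
    half_open, established = set(), set()
    anomalies = Counter()
    for src, sport, dst, dport, flags in packets:
        if src == dst:                                   # Synonymous IP (AT6)
            anomalies[(src, "src_equals_dst")] += 1
            continue
        if src == VICTIM:                                # server -> client
            key = (dst, dport, src, sport)
        else:                                            # client -> server
            key = (src, sport, dst, dport)
        if flags == {"SYN"} and src != VICTIM:
            half_open.add(key)                           # handshake step 1
        elif flags == {"SYN", "ACK"} and src == VICTIM:
            pass                                         # handshake step 2
        elif "ACK" in flags and src != VICTIM and key in half_open:
            half_open.discard(key)                       # handshake step 3
            established.add(key)
        elif key in established:
            if "RST" in flags:
                established.discard(key)
        else:
            # ACK/RST/FIN (or an unsolicited SYN-ACK) for a session the server
            # never tracked: the signature of the AT2, AT3 and AT5 floods
            reason = ("RST" if "RST" in flags else "FIN" if "FIN" in flags
                      else "ACK" if "ACK" in flags else "SYN")
            anomalies[(src, "orphan_" + reason)] += 1
    return anomalies

# Constructed trace: one legitimate handshake plus data, five orphan ACKs,
# one orphan RST and three packets whose source is the victim itself.
CLIENT = "198.51.100.7"
SAMPLE = [
    (CLIENT, 40000, VICTIM, 80, {"SYN"}),
    (VICTIM, 80, CLIENT, 40000, {"SYN", "ACK"}),
    (CLIENT, 40000, VICTIM, 80, {"ACK"}),
    (CLIENT, 40000, VICTIM, 80, {"ACK"}),
    (VICTIM, 80, CLIENT, 40000, {"ACK"}),
] + [("192.0.2.%d" % i, 1000 + i, VICTIM, 80, {"ACK"}) for i in range(5)] \
  + [("192.0.2.9", 5000, VICTIM, 80, {"RST"})] \
  + [(VICTIM, 6000, VICTIM, 80, {"SYN"})] * 3
```

A per-source count of orphan packets over a short window is what a rate-based rule would then compare against a baseline; the legitimate client above produces no anomaly at all.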

How do Fake Session DDoS attacks work? (AT7)

Fake session DDoS attackers generate a forged SYN packet, multiple ACK packets and then one or more FIN/RST packets. When sent together, these packets appear to be a valid TCP session when viewed from one direction. This attack fakes a complete TCP communication and is designed to fool new defense tools that only monitor incoming traffic to the network.

There are two variations of this attack: the first variation generates multiple forged SYNs, then multiple ACKs, followed by one or more FIN/RST packets, and the second variation skips the initial SYN, and starts by generating multiple ACKs, followed by one or more FIN/RST packets. The low TCP-SYN rate makes the attack harder to detect than a typical SYN Flood while achieving the same result: the depletion of the victim’s system resources.

How do Session Based DDoS Attacks work to exhaust resources and take down servers? (AT8)

During a session DDoS attack, a valid TCP-SYN session is generated between a bot and a victim. Once the session is established, the attacker manipulates the session in any number of ways to maximally deplete the victim's resources. This includes setting excessively small windows to make the session take longer, setting excessively high timeouts but not sending any data to hold the session open longer, or simply creating a lot of empty sessions preventing normal traffic from using those resources.

These attacks exhaust the victim’s server by depleting its system resources (memory, CPU, etc.) used to track session behavior, resulting in performance degradation or a complete server shutdown. Session Attacks are non-spoofed: the source IP is the actual public IP of the attacker bot, and the source IP range is equal to the number of bots used in the attack.

Is a Misused Application Attack considered a DDoS? (AT9)

Yes, certain DDoS attacks rely on a misused application and not a botnet to exhaust the system resources of a victim's server. During a misused application DDoS attack, the attacker redirects valid clients belonging to a high-traffic application, such as peer-to-peer services, to a victim server. The target victim is then overwhelmed with traffic from a group of misdirected computers trying to form a legitimate connection with its server. Once the traffic is misdirected towards the victim server, the attacker's computer becomes untraceable by dropping from the network. The overwhelming number of connection requests received by the victim's server depletes its system resources, resulting in performance degradation or a complete server shutdown.

What is an application DDoS, aka Layer 7 attack?

Layer 7 attacks are the most sophisticated type of DDoS and are the type against which most conventional DDoS defenses, whether volumetric-focused defenses or flow-based DDoS protection solutions, are extremely vulnerable. Application attacks target the top level of the OSI model. These attacks mimic legitimate traffic very well and, unlike traditional floods, generally produce very little inbound traffic.

The low level of attack traffic means these attacks are very difficult for most solutions to detect or stop. In simple terms, these attacks exhaust server resources by taking advantage of layer 7 processes that tie up server resources, using them in parallel and non-stop in order to degrade the server's ability to function.

To use the classic bartender analogy: if a flood is 150 people simultaneously asking a bartender for a draft beer, then an application attack is akin to a single person asking a bartender for 150 consecutive chocolate martinis.

One very common application layer attack is an HTTP Fragmentation attack. (AT10)

In this attack, the attacker (non-spoofed) establishes a valid HTTP connection with a web server. The attacker proceeds to fragment legitimate HTTP packets into tiny fragments, sending each fragment as slowly as the server timeout allows, holding up the HTTP connection for a long time without raising any alarms. For Apache and many other web servers designed with improper timeout mechanisms, this HTTP session time can be extended to a very long time period. By opening multiple extended sessions per bot, the attacker can silently stop a web service with just a handful of bots.
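The server-side counter to trickled request fragments is to stop waiting on the wall clock alone and instead require a minimum receive rate plus an absolute deadline while the request header is being read (this is the rule that Apache's mod_reqtimeout module enforces in production). The block below is an added example, not code from the original FAQ or from any web server: it models that rule over constructed fragment timelines, with the thresholds chosen for illustration.

```python
def header_read_verdict(fragments, max_seconds=20.0, min_bytes_per_sec=500.0,
                        grace_seconds=1.0, terminator=b"\r\n\r\n"):
    """fragments: list of (arrival_time_seconds, chunk_bytes) in arrival order.

    Returns ("ok", elapsed) once the end of the request header arrives,
    ("abort", elapsed) at the first fragment after which the absolute deadline
    has passed or the average receive rate (measured once a short grace
    period is over) has dropped below the floor, or ("pending", elapsed) if
    the trace ends with the header still incomplete but within both limits.
    """
    buf, start, elapsed = b"", None, 0.0
    for t, chunk in fragments:
        if start is None:
            start = t                       # clock starts at the first byte
        buf += chunk
        elapsed = t - start
        if elapsed > max_seconds:           # absolute deadline for the header
            return "abort", elapsed
        if elapsed > grace_seconds and len(buf) / elapsed < min_bytes_per_sec:
            return "abort", elapsed         # trickling below the rate floor
        if terminator in buf:               # blank line ends the header
            return "ok", elapsed
    return "pending", elapsed

# Constructed traces: a normal client finishes its header in a fraction of a
# second; the trickling client delivers one byte every eight seconds, so it is
# cut off at the second fragment instead of holding the worker for minutes.
LEGIT = [(0.0, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
         (0.2, b"User-Agent: demo\r\n\r\n")]
SLOW = [(0.0, b"G"), (8.0, b"E"), (16.0, b"T"), (24.0, b" / HTTP/1.1\r\n\r\n")]
```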

Excessive VERB? (AT11)

An attacker generates a large number of valid HTTP requests to a victim web server. The HTTP request is generally a GET request for a common web page or image, often a large one. Each bot can generate a large number of valid requests, so the attacker can use a relatively small number of bots to achieve a successful attack.

VERB Attacks are non-spoofed: the source IP is the actual public IP of the attacker bot and the source IP range is equal to the number of bots used in the attack. The most common form of VERB attack uses GET requests but the attacker can also use POST or other HTTP actions to cause the same impact on the victim. An Excessive VERB Attack typically does not generate significant bandwidth increase on the network but can render the victim unresponsive by consuming server resources.

Excessive VERB Single Session? (AT12)

A variation of the Excessive VERB Attack. This attack uses the feature of HTTP 1.1 to allow multiple requests within a single HTTP session. Thus, the attacker can limit the session rate of an HTTP attack and bypass session rate limitation defenses of many security systems. Excessive VERB Single Session Attack and Excessive VERB Attack have the same effect on a victim web server.

Multiple VERB Single Request? (AT13)

This attack is also a variation of the Excessive VERB Attack strategy. The attacking bot creates multiple HTTP requests, not by issuing them one after another during a single HTTP session, but by forming a single packet embedded with multiple requests. It is a refinement of the Excessive VERB attack, where the attacker can maintain high loads on the victim server with a low attack packet rate. This low rate makes the attacker nearly invisible to netflow anomaly detection techniques. Also, if the attacker selects the HTTP VERB carefully, these attacks will bypass some deep packet inspection techniques.

Recursive GET? (AT14)

Another refinement to the VERB attack is a Recursive GET attack. The attacker collects several pages or images and generates GET requests that “walk” through these pages or images. This method can be combined with any of the VERB attack methods to make this attack very difficult to detect because the requests appear to be legitimate.

Random Recursive GET? (T15)

This attack is a modified version of a Recursive GET but designed for forum sites or news sites where pages are indexed numerically, usually in a sequential manner. The attacking GET statements insert a random number within a valid range of page reference numbers, making each GET statement different from the previous one.
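Because the VERB family of attacks is non-spoofed, the web server's own access records are where they show up. The block below is an added example, not code from the original FAQ: per-source statistics over constructed access records that surface the three patterns described above, sheer request volume per source (AT11), many requests squeezed into very few keep-alive connections (AT12), and GET sequences that walk numeric page identifiers (AT14/AT15). The record format, thresholds and addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Matches numeric page references such as /news/123.html or ?page=123
PAGE_ID = re.compile(r"(?:id|page|p)=(\d+)|/(\d+)(?:\.html)?$")

def per_source_stats(lines):
    """Each line: '<epoch> <src_ip> <conn_id> <METHOD> <path>' (constructed)."""
    stats = defaultdict(lambda: {"n": 0, "conns": set(), "ids": set(),
                                 "first": None, "last": None})
    for line in lines:
        ts, src, conn, _method, path = line.split()
        s = stats[src]
        s["n"] += 1
        s["conns"].add(conn)
        s["first"] = float(ts) if s["first"] is None else s["first"]
        s["last"] = float(ts)
        m = PAGE_ID.search(path)
        if m:
            s["ids"].add(m.group(1) or m.group(2))
    return stats

def flag_sources(lines, max_rps=5.0, max_per_conn=20, min_ids=10):
    """Return {src_ip: [reasons]} for sources that match any pattern."""
    findings = {}
    for src, s in per_source_stats(lines).items():
        span = max(s["last"] - s["first"], 1.0)        # avoid divide-by-zero
        reasons = []
        if s["n"] / span > max_rps:                    # AT11: request volume
            reasons.append("excessive_verb")
        if s["n"] / len(s["conns"]) > max_per_conn:    # AT12: few sessions
            reasons.append("single_session")
        if len(s["ids"]) >= min_ids:                   # AT14/AT15: page walk
            reasons.append("recursive_get")
        if reasons:
            findings[src] = reasons
    return findings

# Constructed records: a normal visitor, a single-connection bot walking
# numbered news pages, and a bot hammering one large image over many connections.
SAMPLE = (
    ["%d 198.51.100.7 c%d GET /index.html" % (1000 + 10 * i, i) for i in range(4)]
    + ["%d 192.0.2.5 keep1 GET /news/%d.html" % (2000 + i, i) for i in range(30)]
    + ["%d 192.0.2.6 c%d GET /img/big.jpg" % (3000 + i // 10, i) for i in range(50)]
)
```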

Faulty Application? (AT16)

DDoS attackers take advantage of websites with poor designs or improper integration with databases. Using SQL-like injections, an attacker can generate requests that will lock up database queries. These attacks are highly specific and effective because they consume server resources (memory, CPU, etc.).

ICMP Flood? (AT23)

A victim server receives spoofed ICMP packets at a very high packet rate and with a very large source IP range. The victim server is overwhelmed by the large number of incoming ICMP packets. The attack consumes network resources and available bandwidth, exhausting the network until it shuts down. A full communication handshake is not used in the ICMP software stack to exchange data, making ICMP-based attacks difficult to detect. ICMP floods can overwhelm a network with packets containing randomized or fixed Source IP addresses. ICMP floods can target a specific server by using the victim’s information as the Destination port and IP within the packets.

ICMP Fragmentation? (AT24)

A victim server receives spoofed, large fragmented ICMP packets (1500 bytes) at a high incoming packet rate, and these packets cannot be reassembled. The large packet size expands the bandwidth of an ICMP attack. In addition, it causes the victim CPU to waste resources when it attempts to reassemble useless packets. This attack will often cause victim servers to overload and reboot.

Ping Flood? (AT25)

An application-specific adaptation of the ICMP Flood. During a Ping Flood, a victim server receives spoofed pings (ICMP echo requests) at a very high packet rate and from a very large source IP range. The victim server is overwhelmed by the large number of incoming Ping packets. The attack consumes network resources and available bandwidth, exhausting the network until it shuts down. The spoofed Source IP can be random or set as the address of the victim.
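The three ICMP entries above share a detection approach: look at each one-second window of ICMP traffic addressed to the victim and compare rate, source spread, fragment share and self-sourced packets against a baseline. The block below is an added example, not code from the original FAQ: it applies those rules to a constructed trace, with the victim address, the thresholds and the trace all chosen for illustration.

```python
from collections import defaultdict

VICTIM = "203.0.113.10"            # hypothetical victim address
ECHO_REQUEST = 8                   # ICMP type 8 = echo request (ping)

def icmp_window_report(records, pps_limit=1000, min_sources=200, frag_share=0.5):
    """records: constructed (epoch_seconds, src_ip, dst_ip, icmp_type, is_fragment).

    Groups packets addressed to VICTIM into one-second windows and returns
    {window_start: [reasons]} for windows that trip at least one rule.
    """
    windows = defaultdict(lambda: {"n": 0, "echo": 0, "srcs": set(),
                                   "frags": 0, "self": 0})
    for ts, src, dst, itype, frag in records:
        if dst != VICTIM:
            continue
        w = windows[int(ts)]
        w["n"] += 1
        w["echo"] += itype == ECHO_REQUEST
        w["srcs"].add(src)
        w["frags"] += bool(frag)
        w["self"] += src == VICTIM
    report = {}
    for start, w in sorted(windows.items()):
        reasons = []
        if w["n"] > pps_limit and len(w["srcs"]) >= min_sources:
            # AT23/AT25: rate far above baseline from a wide spoofed source range
            reasons.append("ping_flood" if w["echo"] == w["n"] else "icmp_flood")
        if w["frags"] / w["n"] >= frag_share:        # AT24: mostly fragments
            reasons.append("icmp_fragment_flood")
        if w["self"]:                                # source set to the victim
            reasons.append("source_is_victim")
        if reasons:
            report[start] = reasons
    return report

# Constructed trace: second 100 is a ping flood from 1500 spoofed sources,
# second 101 is normal, second 102 carries fragments sourced from the victim.
SAMPLE = (
    [(100.2, "10.%d.%d.1" % (i // 256, i % 256), VICTIM, ECHO_REQUEST, False)
     for i in range(1500)]
    + [(101.5, "198.51.100.%d" % i, VICTIM, ECHO_REQUEST, False) for i in range(1, 6)]
    + [(102.0, VICTIM, VICTIM, ECHO_REQUEST, True)] * 40
)
```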