Security Glossary: DDoS

Protocol DDoS Attacks

These attacks target weaknesses in protocols such as TCP/IP (network layer attacks) and HTTP (application layer attacks) or their implementations. Typically, they exploit scenarios in which a server receives a packet or a request from a client and expects further communication. The server allocates memory and other resources to maintain the session state and the communication channel; the attacker abuses this by intentionally slowing down or halting the communication, draining those resources while the server waits.

These protocol-based attacks can be particularly debilitating because they exploit the fundamental mechanisms by which the internet and web applications operate. In network layer attacks, techniques like SYN flood exploit the TCP handshake process. Attackers send a barrage of SYN requests to a server but do not complete the handshake with the ACK response. The server, awaiting the final step of the handshake, keeps these incomplete sessions open, consuming resources and eventually becoming unable to handle legitimate requests.

Application layer attacks, on the other hand, target the specific functions of web applications. For instance, Slowloris is a notorious attack in which the attacker opens a connection to the server and then sends HTTP headers slowly and never completes them. The server, expecting the headers to be completed, keeps each of these connections open. This gradually exhausts the server’s connection pool and other resources, leading to a denial of service for legitimate users.

These attacks are insidious because they require fewer resources from the attacker compared to the impact on the target server. A relatively small number of machines or even a single machine can initiate such attacks, making them a favored tactic among attackers due to their efficiency and effectiveness.

Examples of Protocol DDoS Attacks

Protocol DDoS attacks exploit specific weaknesses in network protocols to disrupt services. Common examples include:

  • SYN Flood: Attackers send a flood of SYN requests to a target server but do not complete the handshake, leaving connections half-open and consuming server resources.
  • ICMP Flood: Attackers overwhelm a target with ICMP Echo Request (ping) packets, drastically slowing down or halting the network.
  • Ping of Death: Attackers send malicious pings with packets that exceed the maximum allowable size, causing the target system to freeze or crash.
  • Fraggle Attack: Similar to a Smurf attack but uses UDP (User Datagram Protocol) instead of ICMP, sending UDP echo packets to broadcast addresses.
  • NTP Amplification: Exploits Network Time Protocol (NTP) servers by sending small requests that result in large responses to the target, amplifying the attack traffic.
  • DNS Amplification: Uses DNS servers to amplify the attack by sending DNS queries that result in large responses to the target.

Each of these attacks aims to exhaust the target’s server resources or bandwidth, rendering the service unstable or unavailable.

How to Mitigate Protocol Attacks

Defending against these protocol-based attacks requires a multi-layered approach. Implementing rate limiting, setting timeouts for incomplete sessions, and deploying Web Application Firewalls (WAFs) are effective strategies. Additionally, monitoring network traffic to detect anomalies and deploying intrusion prevention systems can help identify and mitigate these attacks. These defenses are critical in ensuring the reliability and availability of online services in the face of these sophisticated attack methods.

In practice, mitigating protocol DDoS attacks requires a combination of proactive and reactive measures to reduce both the risk and the impact of these attacks:

  • Comprehensive Monitoring: Continuously monitor network traffic to identify unusual spikes or patterns that may indicate an attack.
  • Robust Infrastructure: Implement a scalable and resilient infrastructure that can absorb increased traffic loads during an attack.
  • Multi-layered Security Strategy: Deploy various security measures, such as rate limiting, web application firewalls, and anti-DDoS technology.
  • Emergency Response Plan: Establish a clear and tested incident response plan that can be quickly enacted in the event of an attack.

These strategies enable businesses to effectively prevent DDoS attacks and maintain uninterrupted services.
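As an added illustration (not code from the glossary or from CDNetworks), the following Python model shows two of the mitigations named above working together: timing out incomplete sessions, so half-open handshakes or unfinished header exchanges stop holding server state, and capping the number of half-open sessions a single source may hold so one slow client cannot starve others. The event stream, IP addresses, and thresholds are constructed for the example.

```python
from collections import defaultdict

# Assumed thresholds (constructed for the example, not vendor defaults).
HALF_OPEN_TIMEOUT_S = 5.0   # drop an incomplete session idle this long
MAX_HALF_OPEN_PER_SRC = 3   # cap on simultaneous incomplete sessions per source


class IncompleteSessionGuard:
    """Tracks sessions that have started (SYN seen / headers begun) but not finished."""

    def __init__(self, timeout_s=HALF_OPEN_TIMEOUT_S, max_per_src=MAX_HALF_OPEN_PER_SRC):
        self.timeout_s = timeout_s
        self.max_per_src = max_per_src
        self.pending = {}                 # session_id -> (src_ip, opened_at)
        self.rejected = defaultdict(int)  # src_ip -> sessions refused by the per-source cap
        self.expired = 0                  # sessions reclaimed by the timeout

    def _expire(self, now):
        # Reclaim state for sessions the peer never completed.
        stale = [sid for sid, (_, t0) in self.pending.items() if now - t0 >= self.timeout_s]
        for sid in stale:
            del self.pending[sid]
        self.expired += len(stale)

    def half_open(self, src):
        return sum(1 for s, _ in self.pending.values() if s == src)

    def on_open(self, now, sid, src):
        """New SYN / first header bytes. Returns True if state was allocated."""
        self._expire(now)
        if self.half_open(src) >= self.max_per_src:
            self.rejected[src] += 1       # rate-limit: this source already holds its quota
            return False
        self.pending[sid] = (src, now)
        return True

    def on_complete(self, now, sid):
        """Handshake finished / headers complete: release the pending state."""
        self._expire(now)
        return self.pending.pop(sid, None) is not None


def replay(events, guard=None):
    """Feed (time, session_id, src_ip, 'open'|'done') events; return guard and accepted count."""
    guard = guard or IncompleteSessionGuard()
    accepted = 0
    for t, sid, src, ev in sorted(events):
        if ev == "open":
            if guard.on_open(t, sid, src):
                accepted += 1
        else:
            guard.on_complete(t, sid)
    return guard, accepted


# Constructed sample: two legitimate clients complete quickly; 198.51.100.7 opens
# sessions a1..a5 and never finishes them, then tries again after the timeout.
SAMPLE_EVENTS = [
    (0.0, "s1", "192.0.2.10", "open"), (0.2, "s1", "192.0.2.10", "done"),
    (1.0, "a1", "198.51.100.7", "open"), (1.1, "a2", "198.51.100.7", "open"),
    (1.2, "a3", "198.51.100.7", "open"), (1.3, "a4", "198.51.100.7", "open"),
    (1.4, "a5", "198.51.100.7", "open"),
    (1.5, "s3", "192.0.2.11", "open"), (1.6, "s3", "192.0.2.11", "done"),
    (7.0, "s2", "192.0.2.10", "open"), (7.1, "s2", "192.0.2.10", "done"),
    (7.5, "a6", "198.51.100.7", "open"),
]
```

Replaying `SAMPLE_EVENTS` accepts the legitimate sessions throughout, refuses the attacker's fourth and fifth half-open attempts, and reclaims the three stale sessions once the timeout elapses; a per-source `rejected` count like this is also a useful monitoring signal.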

Defense Against Protocol DDoS Attacks with CDNetworks

CDNetworks effectively defends against protocol DDoS attacks through its advanced DDoS protection services and globally distributed infrastructure. By combining network layer protection and application layer protection, CDNetworks can detect and mitigate large-scale DDoS attacks in real time. Its global scrubbing centers filter malicious traffic, ensuring that only clean traffic reaches the origin servers. Additionally, CDNetworks operates a globally distributed network with 2800 PoPs to spread traffic across multiple servers and locations, absorbing and dispersing the impact of large-scale attacks so that no single server or location is overwhelmed.

To further enhance defense, CDNetworks implements rate limiting and advanced filtering techniques to control the number of requests and block malicious packets associated with protocol DDoS attacks. Their elastic, scalable infrastructure can handle high volumes of traffic, ensuring uninterrupted access for legitimate users during an attack. Continuous traffic monitoring and threat intelligence allow CDNetworks to proactively adjust defense measures. Moreover, customized security policies and 24/7 support from an emergency response team ensure quick and effective responses to attacks.

By leveraging these capabilities, CDNetworks provides comprehensive protection against protocol DDoS attacks, ensuring the availability, performance, and security of their clients’ web applications and services.