Three types of DDoS attack and how to protect your network

Large organisations with a strong digital presence are requiring more flexible and effective ways to combat a Distributed Denial of Service (DDoS) attack. These threats can have a massive impact on enterprises, rendering online services and networks unavailable to users.

There are three main types of DDoS attacks: a volumetric attack, a protocol attack and an application layer attack. All three can lead to an interruption of digital platforms, servers and networks, making these digital spaces inaccessible to normal users. This can be very costly to large organisations and online platforms, such as e-commerce stores.

Launched from various IP addresses on the Botnet, DDoS attacks are becoming more complex in nature and can be difficult to detect and mitigate. The Botnet is a network of standard private computers, such as desktops or laptops, that has been infected with viruses and malware. A global network of infected devices can be virtually controlled without the computer owners even knowing about it.

The benefit for hackers is that it makes the IP addresses seem legitimate and confuses firewalls, allowing cybercriminals to take control of devices, applications and networks. Hackers are now using insecure Internet of Things (IoT) devices to launch DDoS attacks, but any web-enabled device can be part of the Botnet used for DDoS attacks, particularly volumetric-based ones.

SEACOM Business has partnered with NETSCOUT to bring DDoS protection to corporate customers in South Africa. Our DDoS Protect service is ideal for large enterprises that need to automatically detect and mitigate these cyber threats. Let’s unpack the three main types of DDoS attacks and what organisations can do to protect their networks.

Volumetric DDoS attacks

Volumetric DDoS attacks use up the bandwidth of the target site, preventing other users from gaining access. Measured in bits per second (Bps), this type of DDoS attack is designed to overwhelm a network’s capacity with high traffic volumes.

The attacks cause congestion with a very high bandwidth of up to 100 gigs per second or even more. When a system can’t handle this volume of requests, it becomes unresponsive. Legitimate traffic cannot pass through and normal operations are disabled.

The goal of volumetric attacks can be to disable a firewall or other device that monitors incoming and outgoing network traffic. Getting past a firewall can allow hackers to infiltrate a network, infect it with malware and steal data.

Attackers have learned how to monitor the results of their attacks, randomising how the attack takes place. This can be done, for instance, by sending requests from various IP addresses around the world and random intervals, hence why this type of denial of service attack is “distributed.”

One example of a volume-based DDoS attack is a User Datagram Protocol (UDP) flood. UDP packets are blocks of data transmitted on a network. The attacker floods ports on a remote host with these packets. The host responds to these packets by checking applications associated with these datagrams.

Since the packets are sent from a malicious device, no applications are found, so the host responds with a “Destination Unreachable '' packet. During a UDP flood, the host system gets inundated with IP packets and system resources get used up with the constant bombardment by the attacker.

Organisations need to use DDoS protection software that includes analysis tools and automated detection. Behavioural analysis will make it possible to detect abnormalities. SEACOM Business DDoS Protect is cloud-based and uses machine learning technologies to identify and respond to patterns in traffic volumes, blocking attacks at the edge of the network.

Application layer DDoS attacks

Volumetric attacks are often used in conjunction with application layer attacks. These are more sophisticated and more damaging, so volumetric attacks are used as a decoy, while cybercriminals target specific applications. The aim of an application layer attack is to crash the web server by sending seemingly legitimate requests.

Measured in requests per second (Rps), these attacks target vulnerabilities in applications, for example, online payment systems. They are considered to be the most dangerous type of attack because they are also difficult to detect and mitigate - the attacks on specific applications can easily go unnoticed.

Slowloris is an example of an application layer attack. During this type of attack, a connection is established with the target server. The attacker sends partial requests to the server, keeping these connections open for as long as possible while continuing to send more partial requests. Since requests are never completed, this eventually overwhelms a system and more requests are blocked. Legitimate requests can no longer be made, preventing regular users from accessing the application.

By sending partial packets, instead of corrupted ones, detection of an application layer attack is difficult. These types of attacks often go on for a long period of time, especially when targeting high-volume websites. Similar to volumetric attack mitigation, cybersecurity needs to include behavioural analysis of traffic and usage patterns to identify suspicious activity in applications.

Protocol DDoS attacks

Not all DDoS attacks use high traffic volumes. A protocol DDoS attack is an example of a low-volume attack that happens over time. This overwhelms servers and immediate communication equipment, like firewalls and load-balancers. Measured in packets per second (Pps), protocol attacks use up the processing capacity of a network’s infrastructure.

Attacks overwhelm websites and servers with fake requests, and in doing so they consume available resources. Networks generally operate on a first-in, first-out (FIFO) queue system. A request comes in, the computer processes it and then goes on to the next request in the queue. The length of the queue is limited, which means that when the queue becomes so large, there are not enough resources for the computer to deal with it.

In a normal IP network interaction, a request comes in and this is called a SYN. The system responds to the SYN, and the response is known as an ACK. Next, the requesting IP confirms the response (known as SYN-ACK). This confirmation is like saying “thank you, I got what I needed.”

A SYN flood is an example of a protocol attack. During a flood, hackers send SYN packets from fake IP addresses. The target network responds with an ACK, but never receives an SYN-ACK confirmation. The system has to wait and eventually it times out. This consumes the network resources with fake transactions and the queue of requests gets longer. Eventually, the system becomes overloaded and shuts down.

Mitigating a protocol DDoS attack requires endpoint protection and tools that can identify whether IP addresses correspond to their supposed origin. Preventing protocol attacks also includes having effective firewalls and network security infrastructure that can analyse and segment networks, applications and servers.

SEACOM DDoS Protect

Our DDoS Protect solution offers comprehensive coverage for all types of DDoS Attack. At SEACOM Business, we understand that not all attacks are the same and that some can be a combination of the different types. Cybercriminals are constantly changing their approach and there is a rise in “blended attacks'' that are more damaging and complex.

With DDoS Protect, a range of traditional and new types of attacks are detected and mitigated. Through automated data filtering and traffic monitoring, attacks are identified and blocked instantly. By partnering with NETSCOUT, SEACOM Business offers the most advanced protection against DDoS attacks, with both cloud-based and on-premises protection available. For more information or to get a quote for our DDoS Protect solution, email us at marketing@seacom.com or leave us a message.

SEACOM owns Africa’s most extensive network of information and communications technology (ICT) infrastructure, including subsea cables and secure internet connections. We offer a diverse range of flexible, scalable and high-quality solutions for businesses that meet world-class standards for connectivity.

SEACOM is privately owned and operated, making it agile and adaptable to the needs of the customer. This makes us the preferred ICT and internet connectivity partner for African businesses and peripheral service providers. We can guarantee high-speed, low-latency and secure internet connections to corporates and small enterprises.

For‌ ‌more‌ ‌information‌ ‌on‌ our internet and voice solutions, ‌follow‌ ‌us‌ ‌on‌ ‌‌LinkedIn‌,‌ ‌‌Facebook‌ ‌or‌ ‌‌Twitter.‌ ‌Keep‌ ‌an‌ ‌eye‌ ‌on‌ ‌our‌ ‌‌news‌ ‌section‌‌ ‌for‌ ‌insightful‌ ‌articles‌ and relevant news stories on African ICT, internet connectivity and our leading cloud and security solutions.

Need internet for your home? Our subsidiary, WonderNet, brings fast and cost-effective broadband internet to all Africans with a fibre-to-the-home offering.