Recognizing the Most Common DDoS Attack Vectors in an IT System

In 2018, we can expect that these attacks are only going to become more frequent and intense. Operations security (OPSEC) specialists in the know are putting this type of breach at or near the top of their priority lists.


Distributed denial-of-service (DDoS) attacks aren’t anything new; they’ve been around for decades. The public at large, however, has only become aware of them since the internet became mainstream in the mid-'90s.

Since then, DDoS incidents have gone ballistic, with attacks reaching a size and scale never before seen. 

[For the record: A DDoS hit is a type of DOS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, which essentially shuts down a system or website.]

It's possible that U.S. enterprises are way too cocky about whether they can handle a serious DDoS attack on their IT systems. A report released Nov. 7 by global content delivery network and cloud security provider CDNetworks has found that a whopping 88 percent of U.S. businesses claim confidence in their current DDoS mitigation structures, despite the fact that 69 percent of them suffered a DDoS attack in the last 12 months. Time will tell as to whether these companies can hold out.

Attacks Are Going to Become More Frequent, Intense

In 2018, we can expect that these attacks are only going to become more frequent and intense. Operations security (OPSEC) specialists in the know are quite aware of this and are putting this type of breach at or near the top of their priority lists.

The Mirai botnet, for example, which harnessed internet of things (IoT) devices, was responsible for seven of the 12 mega-DDoS attacks in the fourth quarter of 2016. And they’re only expected to grow larger; Deloitte predicts there will likely be hundreds of millions of gigabit-capable connections worldwide by 2020.

Not only does Deloitte see DDoS attacks scaling up to over 1T bps, but it expects to see attacks of this size occur at a rate of at least once per month.

Why are DDoS attacks so intimidating? The following data points, provided to eWEEK by Moshe Elias, an executive at Allot Communications, outline the most common DDoS attack vectors and their implications to help service providers anticipate them. 

TOS Flood

In a Type of Service (TOS) Flood, attackers falsify the TOS field of the IP packet, which is used for Explicit Congestion Notification (ECN) and Differentiated Services (DiffServ) flags. There are two known types of TOS attack scenarios:

  • The attacker spoofs the ECN flag, reducing the throughput of individual connections and causing a server to appear out of service or nonresponsive.
  • The attacker uses the DiffServ flags to increase the priority of attack traffic over legitimate traffic, intensifying the impact of the DDoS attack.

Victims of this attack will see their services slow down or become nonresponsive altogether due to reduced connection throughput.

SYN Flood

A SYN Flood is often generated by botnets and is designed to consume the resources of the victim’s server. By targeting the firewall or other perimeter defenses, the attacker can overwhelm their capacity limits to bring them down by disconnections, dropping of legitimate traffic packets or reboot.

SYN Floods exploit the Transmission Control Protocol (TCP) to wreak havoc, flooding multiple ports on the target system with SYN messages requesting to initiate connections. The attacker, of course, has no intention of responding, and the open connection will eventually time out and close—but not before the target system is overwhelmed with incomplete connections.

NTP Amplification

In Network Time Protocol (NTP) amplification, attackers use a spoofed IP address to send small NTP requests to many servers on the internet, resulting in a very high volume of responses that are reflected back to the victim. Since these response packets resemble real NTP traffic, it makes this type of attack difficult to detect. Victims experience unpredictable connectivity interruptions or even complete network shutdowns. 

UDP Fragmentation

User Datagram Protocol (UDP) Fragmentation attacks use large packets (over 1,500 bytes) to consume network bandwidth since they require fragmentation. Since the fragmented packets are forged, they can’t be reassembled and end up consuming significant resources on devices like firewalls, leaving the victim unprotected for long hours. When combined with other types of flood attacks, this may result in a drop of the victim’s legitimate traffic.

UDP Flood

In a UDP Flood, attackers send small, spoofed packets at a high rate to random ports on the victim’s system using a large range of source IPs. This consumes network bandwidth, affecting performance and user quality of experience, as the large number of incoming packets overwhelms the destination server. UDP attacks are difficult to detect and block because they don’t often match a consistent pattern, and are therefore effective in exhausting network resources until they go offline.

Ping Flood

In a Ping Flood, attackers send spoofed Internet Control Message Protocol (ICMP) echo requests, also known as “pings,” at a high rate from random source IP ranges (or by using the victim’s own IP address). Most devices on a network will, by default, respond to the ping. If numerous endpoints on the network receive and respond to these pings, the victim IP addresses will be flooded with traffic, rendering their devices/computers/servers unusable.

DNS Flood and Amplified DNS Flood

A Domain Name System (DNS) Flood sends spoofed requests at a very high packet rate and from a very wide range of source IP addresses. Since the requests appear to be valid, the victim’s DNS servers respond to all of them, consuming large amounts of bandwidth and other network resources. Eventually, it exhausts the DNS infrastructure until it goes down, taking the victim’s internet access and hosted sites offline.

Amplified DNS Flood attacks are DNS attacks on steroids. The attacker sends small requests with a spoofed IP address to open DNS resolvers on the internet, which reply with responses that are far larger than the request. The amplified responses flood the victim’s DNS servers, effectively taking them offline. This attack is most effectively detected by technologies based on anomalies in network behavior, rather than just packet inspection.

SSDP Reflected Amplification Attack

Simple Service Discovery Protocol (SSDP) is a network protocol that enables universal plug and play (UPnP) devices to send and receive information through UDP port 1900. SSDP is an attractive and vulnerable target for launching DDoS attacks because it’s open and unsecured. Attackers create bots out of infected machines to send UPnP “discovery” packets with spoofed IP addresses from the victim’s network. Vulnerable devices such as home routers, firewalls, printers and other devices create an effective reflected amplification of the DDoS attack.

LDAP Amplification and CLDAP Reflection Attacks

Lightweight Directory Access Protocol (LDAP) Amplification attacks exploit a vulnerability in Microsoft Active Directory, which millions of organizations use to verify username and password information for applications. The attacker sends small requests from a spoofed IP address to a vulnerable, publicly available LDAP server with an open TCP port 389 to produce amplified replies, which are reflected back to the victim. Attackers select queries that will yield the largest amount of replies, resulting in an effective amplification of the DDoS attack and causing the victim to experience protracted service interruption due to extreme network congestion.

Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection is another powerful hit-and-run attack that often results in service outages. Such attacks are used as a diversion for backdoor attacks that seek to obtain or compromise personally identifiable information in the LDAP database. By sending a CLDAP request to an LDAP server with a spoofed sender IP address, the server provides a bulked-up response to the target IP. The victim’s machine can’t process massive amounts of CLDAP data at the same time.

Fighting Back Against DDoS

As we’ve seen in the past year, massive DDoS attacks can cause immediate service interruption. They typically come without warning, as cyber-criminals leverage the element of surprise to avoid detection and inflict maximum damage. And as cyber-criminals continually hone their methods and change tactics, DDoS attacks in excess of 100G bps will become the norm, not the exception.

To fend against today’s DDoS threats, operators must implement effective solutions that can detect attacks and act fast enough to thwart them so there is little to no impact on the targets, especially when dealing with the hit-and-run variety. At the same time, service providers are in a unique position to fight DDoS from behind enemy lines with solutions that detect both inbound and outbound DDoS traffic originating from within their networks and negatively affecting the quality of experience of subscribers and their reputation.

Most importantly, defenses must be scalable to match the increasing volume and intensity of today’s and tomorrow’s attacks.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor of Features & Analysis at eWEEK, responsible in large part for the publication's coverage areas. In his 12 years and more than 3,900 stories at eWEEK, he...