www.imperva.com/learn/ddos/ddos-attacks/

DDoS Attacks

Distributed denial of service attack (DDoS) definition


A distributed denial of service (DDoS) attack is a malicious attempt to make an online service unavailable
to its users, usually by temporarily interrupting or suspending the services of its hosting server.

A DDoS attack is launched from numerous compromised devices, often distributed globally, in what is
referred to as a botnet. This is what distinguishes it from a plain denial of service (DoS) attack, which
floods the target from a single Internet-connected device (one network connection). That difference in the
number of sources is the main reason the two terms have separate, if similar, definitions.


“And that concludes our DDoS party: Escapist Magazine, Eve Online, Minecraft, League of
Legends + 8 phone requests.” Tweeted by LulzSec – June 14, 2011, 11:07PM

Broadly speaking, DoS and DDoS attacks can be divided into three types:

Volume Based Attacks


Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the
bandwidth of the attacked site, and magnitude is measured in bits per second (bps).

Protocol Attacks 

Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of
attack consumes actual server resources, or those of intermediate communication equipment such as
firewalls and load balancers, and is measured in packets per second (pps).

Application Layer Attacks 
Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD
vulnerabilities, and more. Composed of seemingly legitimate and innocent requests, these attacks aim to
exhaust or crash the web server, and their magnitude is measured in requests per second (rps).

Common DDoS attacks types


Some of the most commonly used DDoS attack types include:

UDP Flood

A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP)
packets. The goal of the attack is to flood random ports on a remote host. This causes the host to
repeatedly check for the application listening at that port, and (when no application is found) reply with an
ICMP ‘Destination Unreachable’ packet. This process saps host resources, which can ultimately lead to
inaccessibility.

ICMP (Ping) Flood

Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP
Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies.
This type of attack can consume both outgoing and incoming bandwidth, since the victim's servers will
often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.

SYN Flood

A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way
handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a
SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a
SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s
SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system
continues to wait for acknowledgement for each of the requests, binding resources until no new
connections can be made, and ultimately resulting in denial of service.
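To show what the per-SYN state costs and how SYN cookies remove it, here is an added example (not code from the Imperva article): a small Python simulation that replays a constructed packet trace first against a server with a classic half-open backlog and then against a stateless SYN-cookie check. The target address, the cookie secret and every packet in the trace are assumed values.

```python
"""SYN flood: backlog exhaustion in a stateful handshake versus SYN cookies.

Added example, not code from the Imperva article. The packet trace, the
target address and the cookie secret are all constructed for illustration.
"""
import hashlib
import hmac

SERVER_IP, SERVER_PORT = "192.0.2.10", 443      # assumed target
COOKIE_SECRET = b"assumed-per-server-secret"    # assumed; rotate in practice


def syn_cookie(src_ip, src_port, counter):
    """Initial sequence number that encodes the connection under a keyed hash.

    High 24 bits: truncated HMAC over the 4-tuple and a coarse time counter.
    Low 8 bits: the counter itself. (Real stacks also pack the client's MSS.)
    """
    msg = f"{src_ip}:{src_port}>{SERVER_IP}:{SERVER_PORT}|{counter & 0xFF}".encode()
    tag = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3]
    return (int.from_bytes(tag, "big") << 8) | (counter & 0xFF)


def cookie_valid(src_ip, src_port, ack_number, now_counter, max_age=2):
    """Check a client's ACK by recomputing the cookie; no stored state needed."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    counter = isn & 0xFF
    if (now_counter - counter) & 0xFF > max_age:
        return False                       # stale or replayed cookie
    expected = syn_cookie(src_ip, src_port, counter)
    return hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big"))


# Constructed trace: (timestamp_s, src_ip, src_port, flags, ack_number).
# One legitimate client completes its handshake before the flood, 300 spoofed
# sources each send one SYN and never answer, one attacker sends a forged ACK,
# and a second legitimate client arrives mid-flood.
TRACE = [(0.000, "10.0.0.5", 51000, "SYN", 0),
         (0.010, "10.0.0.5", 51000, "ACK", syn_cookie("10.0.0.5", 51000, 0) + 1)]
TRACE += [(0.020 + i * 0.001, f"198.51.100.{i % 254 + 1}", 40000 + i, "SYN", 0)
          for i in range(300)]
TRACE += [(0.350, "203.0.113.9", 60000, "ACK", 0xDEADBEEF),
          (0.400, "10.0.0.6", 51001, "SYN", 0),
          (0.410, "10.0.0.6", 51001, "ACK", syn_cookie("10.0.0.6", 51001, 0) + 1)]


def run_stateful(trace, backlog=128, syn_timeout=1.0):
    """Classic behaviour: every SYN holds a backlog slot until ACK or timeout."""
    half_open = {}                         # (src_ip, src_port) -> SYN arrival time
    stats = {"accepted": 0, "dropped": 0, "peak_half_open": 0, "completed": 0}
    for ts, src, sport, flags, _ack in trace:
        # Expire entries whose SYN-ACK was never answered.
        half_open = {k: t for k, t in half_open.items() if ts - t < syn_timeout}
        key = (src, sport)
        if flags == "SYN":
            if len(half_open) >= backlog:
                stats["dropped"] += 1      # backlog full: new clients refused
                continue
            half_open[key] = ts
            stats["accepted"] += 1
            stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
        elif flags == "ACK" and key in half_open:
            del half_open[key]
            stats["completed"] += 1
    return stats


def run_stateless(trace, counter_period=60.0):
    """SYN-cookie mode: nothing is stored per SYN, so the flood has nothing to fill."""
    stats = {"syn_seen": 0, "completed": 0, "rejected": 0}
    for ts, src, sport, flags, ack in trace:
        counter = int(ts // counter_period) & 0xFF
        if flags == "SYN":
            stats["syn_seen"] += 1         # reply with syn_cookie() as ISN, store nothing
        elif flags == "ACK":
            if cookie_valid(src, sport, ack, counter):
                stats["completed"] += 1    # allocate the connection only now
            else:
                stats["rejected"] += 1
    return stats


if __name__ == "__main__":
    print("stateful :", run_stateful(TRACE))
    print("cookies  :", run_stateless(TRACE))
```

The stateful run refuses the second legitimate client once 128 half-open entries exist, even though every spoofed SYN is still inside its timeout; the cookie run accepts both legitimate ACKs and rejects the forged one while keeping no per-SYN state at all. The cookie layout is deliberately simplified (no MSS encoding, an 8-bit counter), but the property it demonstrates is the real one: the server's only secret is the HMAC key, so an attacker who never sees the SYN-ACK cannot produce a valid ACK.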

Ping of Death

A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a
computer. The maximum length of an IP packet (including header) is 65,535 bytes. However, the data link
layer usually limits the maximum frame size, for example to 1,500 bytes on an Ethernet network. In this
case a large IP packet is split across multiple IP packets (known as fragments), and the recipient host
reassembles the fragments into the complete packet. In a Ping of Death scenario, the fragment offsets and
lengths are manipulated so that the recipient ends up with an IP packet larger than 65,535 bytes when
reassembled. This can overflow the memory buffers allocated for the packet, causing denial of service for
legitimate packets.
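The defence is to validate fragment metadata before any buffer is touched. As an added example (not code from the Imperva article), the following Python bounds-checks a fragment set the way a careful reassembler should, rejecting oversized, overlapping and gapped sets before allocation. The fragment tuples, the 1,480-byte fragment payload and the assumption of a 20-byte header without options are constructed for illustration.

```python
"""Bounds-check IP fragments before reassembly (the check Ping of Death abused).

Added example, not code from the Imperva article. Fragments are constructed
tuples (fragment_offset_in_8_byte_units, payload_length, more_fragments).
"""
IP_MAX_LEN = 65535          # maximum total length of an IPv4 datagram
IP_HEADER_LEN = 20          # assumed: no IP options
MAX_OFFSET_UNITS = 8191     # 13-bit fragment offset field


class FragmentError(ValueError):
    """Raised for any fragment set that must not be reassembled."""


def reassembled_length(fragments):
    """Return header + payload length of the reassembled datagram, or raise.

    Every bound is checked against the fragment metadata before a buffer for
    the payload would be allocated, so an oversized or overlapping set never
    reaches the copy that vulnerable stacks overflowed.
    """
    if not fragments:
        raise FragmentError("no fragments")
    ordered = sorted(fragments, key=lambda f: f[0])
    expected_start = 0
    for idx, (off_units, length, more) in enumerate(ordered):
        if not 0 <= off_units <= MAX_OFFSET_UNITS:
            raise FragmentError(f"offset {off_units} outside 13-bit field")
        if length <= 0:
            raise FragmentError("empty fragment")
        if more and length % 8:
            raise FragmentError("non-final fragment payload not a multiple of 8")
        start = off_units * 8
        if start != expected_start:
            raise FragmentError(f"gap or overlap at byte {start}")
        end = start + length
        if IP_HEADER_LEN + end > IP_MAX_LEN:
            raise FragmentError(f"reassembly would reach {IP_HEADER_LEN + end} > {IP_MAX_LEN}")
        is_last = idx == len(ordered) - 1
        if more == is_last:
            raise FragmentError("more-fragments flag inconsistent with position")
        expected_start = end
    return IP_HEADER_LEN + expected_start


def accepts(fragments):
    """True if the set passes all checks, False otherwise."""
    try:
        reassembled_length(fragments)
        return True
    except FragmentError:
        return False


def make_fragments(total_payload, mtu_payload=1480):
    """Split a payload into in-order fragments the way a sender on a 1,500-byte
    MTU link would (1,480 payload bytes per fragment, a multiple of 8)."""
    frags, off = [], 0
    while off < total_payload:
        length = min(mtu_payload, total_payload - off)
        frags.append((off // 8, length, off + length < total_payload))
        off += length
    return frags


if __name__ == "__main__":
    print(reassembled_length(make_fragments(1000)))        # ordinary datagram
    print(reassembled_length(make_fragments(65515)))       # largest legal one
    print(accepts(make_fragments(65628)))                   # Ping of Death shape
    print(accepts([(0, 1480, True), (100, 1480, False)]))   # gapped set
```

Note that the Ping of Death set is built from individually well-formed fragments: every offset fits the 13-bit field and every length fits an Ethernet frame. Only the sum is illegal, which is why the check has to be made on the reassembled length rather than on each fragment alone.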

Slowloris

Slowloris is a highly targeted attack that lets a single machine take down a web server without affecting
other services or ports on the target network. It does this by holding as many connections to the target
web server open for as long as possible: it opens connections but sends only a partial request, then keeps
sending further HTTP headers at intervals without ever completing the request. The targeted server keeps
each of these bogus connections open, which eventually exhausts its concurrent connection pool and
denies connections to legitimate clients.
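The practical countermeasure is a deadline on how long a connection may spend sending headers (the kind of limit Apache's mod_reqtimeout enforces). The Python below is an added example, not code from the Imperva article: it replays a constructed stream of connection events against a server with a fixed connection pool, once with no header deadline and once with a ten-second one. The client names, timings and pool size are assumed values; the request bytes imitate what the attack sends.

```python
"""Slowloris: partial HTTP requests holding connections, with and without a
header timeout.

Added example, not code from the Imperva article. The connection events, the
client names and the timings are constructed; the request bytes imitate what
the attack sends (a header line every few seconds, never the blank line).
"""
PARTIAL = b"GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: Mozilla/4.0\r\n"
KEEPALIVE = b"X-a: b\r\n"   # periodic bogus header that keeps the server waiting
FULL = b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n"

# Constructed events: (timestamp_s, connection_id, kind, data). Six slow
# clients open at t~0 and trickle a header every 9 s; three legitimate
# clients each send a complete request in one go.
EVENTS = []
for i in range(6):
    EVENTS.append((0.1 * i, f"slow{i}", "open", b""))
    EVENTS.append((0.1 * i, f"slow{i}", "data", PARTIAL))
for t in (9.0, 18.0):
    for i in range(6):
        EVENTS.append((t, f"slow{i}", "data", KEEPALIVE))
for t, name in ((5.0, "legit0"), (12.0, "legit1"), (20.0, "legit2")):
    EVENTS.append((t, name, "open", b""))
    EVENTS.append((t, name, "data", FULL))
EVENTS.sort(key=lambda e: e[0])          # stable sort keeps "open" before "data"


def simulate(events, max_conns=6, header_timeout=None):
    """Replay events against a server with a fixed connection pool.

    header_timeout=None models a server that waits indefinitely for the end
    of the request headers; a number models a deadline (seconds after accept)
    by which the blank line must have arrived or the connection is closed.
    """
    table = {}                           # conn_id -> {"opened": ts, "buf": bytes}
    stats = {"completed": 0, "refused": 0, "evicted": 0}
    for ts, cid, kind, data in events:
        if header_timeout is not None:
            stale = [k for k, c in table.items() if ts - c["opened"] >= header_timeout]
            for k in stale:
                del table[k]
                stats["evicted"] += 1
        if kind == "open":
            if len(table) >= max_conns:
                stats["refused"] += 1    # pool exhausted: client turned away
            else:
                table[cid] = {"opened": ts, "buf": b""}
            continue
        if cid not in table:
            continue                     # data on a refused or evicted connection
        table[cid]["buf"] += data
        if b"\r\n\r\n" in table[cid]["buf"]:
            stats["completed"] += 1      # headers finished: request can be served
            del table[cid]
    return stats


if __name__ == "__main__":
    print("no timeout :", simulate(EVENTS))
    print("10 s limit :", simulate(EVENTS, header_timeout=10.0))
```

Without a deadline the six slow connections hold the whole pool and every legitimate request is refused; with one, the slow connections are closed at their deadline and the later legitimate clients get through. A real server would pair the deadline with a minimum receive rate, since a Slowloris that trickles one byte per second would otherwise still satisfy a generous timeout.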

NTP Amplification

In NTP amplification attacks, the perpetrator exploits publicly accessible Network Time Protocol (NTP)
servers to overwhelm a targeted server with UDP traffic. The attacker sends queries whose source address
is spoofed to the victim's, so the servers' much larger replies are delivered to the victim. The attack is
classed as an amplification attack because the query-to-response size ratio in such scenarios is anywhere
between 1:20 and 1:200 or more. This means that any attacker who obtains a list of open NTP servers
(e.g., by using a tool like Metasploit or data from the Open NTP Project) can easily generate a
devastating high-bandwidth, high-volume DDoS attack.
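Because the reflectors are legitimate servers, the detection signal is the byte ratio rather than any malformed packet. The Python below is an added example, not code from the Imperva article; it also serves the UDP flood passage above, since the same per-pair byte accounting is what shows a real NTP client as 1:1. The flow records are constructed as an ISP or reflector-side collector would see them, and the request and reply sizes (a 234-byte query answered by 100 packets of 482 bytes) are assumed round figures chosen to land in the 1:200 range the text describes, not measurements.

```python
"""Spot reflection/amplification by comparing query and reply byte counts.

Added example, not code from the Imperva article. The flow records are
constructed; request and reply sizes are assumed figures, not measurements.
"""
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
# A real client asks one server and gets a same-sized answer; 40 open servers
# each receive five queries whose source is spoofed to the victim and reply
# to the victim.
FLOWS = [
    ("10.0.0.5", 45123, "203.0.113.1", NTP_PORT, "udp", 48, 1),
    ("203.0.113.1", NTP_PORT, "10.0.0.5", 45123, "udp", 48, 1),
]
VICTIM = "192.0.2.10"
for i in range(1, 41):
    reflector = f"198.51.100.{i}"
    FLOWS.append((VICTIM, 40000 + i, reflector, NTP_PORT, "udp", 234 * 5, 5))
    FLOWS.append((reflector, NTP_PORT, VICTIM, 40000 + i, "udp", 48200 * 5, 500))


def amplification_report(flows, min_ratio=20.0, min_reflectors=5):
    """Return {target: {...}} for hosts that look like reflection victims.

    A pair (target, reflector) is suspicious when the bytes the reflector sent
    back exceed what the target 'asked' by min_ratio; a target hit by at least
    min_reflectors such servers is reported.
    """
    req_bytes = defaultdict(int)     # (target, reflector) -> bytes of queries
    resp_bytes = defaultdict(int)    # (target, reflector) -> bytes of replies
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dport == NTP_PORT and sport != NTP_PORT:
            req_bytes[(src, dst)] += nbytes
        elif sport == NTP_PORT and dport != NTP_PORT:
            resp_bytes[(dst, src)] += nbytes
        # 123 <-> 123 peer traffic is symmetric and needs its own heuristic.
    per_target = defaultdict(lambda: {"reflectors": 0, "resp_bytes": 0, "ratios": []})
    for (target, reflector), got in resp_bytes.items():
        asked = req_bytes.get((target, reflector), 0)
        ratio = got / asked if asked else float("inf")   # unsolicited replies
        if ratio >= min_ratio:
            entry = per_target[target]
            entry["reflectors"] += 1
            entry["resp_bytes"] += got
            entry["ratios"].append(ratio)
    report = {}
    for target, entry in per_target.items():
        if entry["reflectors"] >= min_reflectors:
            ratios = sorted(entry["ratios"])
            report[target] = {
                "reflectors": entry["reflectors"],
                "resp_bytes": entry["resp_bytes"],
                "median_ratio": round(ratios[len(ratios) // 2], 1),
            }
    return report


if __name__ == "__main__":
    for target, info in amplification_report(FLOWS).items():
        print(target, info)
```

Seen from the victim's own edge the queries would be absent altogether (they were never sent from there), which is why the code treats unsolicited replies as an infinite ratio rather than dividing by zero; the reflector count is the second discriminator, since a single misbehaving server is an operational fault, not an attack.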

HTTP Flood

In an HTTP flood DDoS attack, the attacker exploits seemingly-legitimate HTTP GET or POST requests
to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection
techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The
attack is most effective when it forces the server or application to allocate the maximum resources
possible in response to every single request.

Imperva mitigates a massive HTTP flood: 690,000,000 DDoS requests from 180,000
botnet IPs.
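Since the requests are well-formed, the usual first line of defence is per-client rate limiting weighted by how much work each request costs the server. The Python below is an added example, not code from the Imperva article: it parses constructed access-log lines in the common log format and replays them through a cost-aware token bucket. The log lines, client addresses, bucket parameters and per-endpoint costs are all assumed values.

```python
"""Cost-aware per-client rate limiting replayed over web access logs.

Added example, not code from the Imperva article. The log lines are
constructed, the client addresses are documentation ranges, and the token
bucket parameters and per-endpoint costs are assumed values.
"""
import re
from datetime import datetime, timezone, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def request_cost(method, path):
    """Charge more for requests that make the server do real work (assumed costs)."""
    if method == "POST" or path.startswith("/search"):
        return 5.0          # database query, login attempt, form post
    return 1.0              # cached or static resource


class CostAwareLimiter:
    """Token bucket per client: capacity tokens, refilled at refill_per_sec."""

    def __init__(self, capacity=20.0, refill_per_sec=2.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.state = {}     # client -> (tokens, last_seen_epoch_seconds)

    def allow(self, client, ts, cost):
        tokens, last = self.state.get(client, (self.capacity, ts))
        tokens = min(self.capacity, tokens + (ts - last) * self.refill)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self.state[client] = (tokens, ts)
        return allowed


def replay(log_lines, limiter=None):
    """Return {client: {"allowed": n, "blocked": n}} for a list of log lines."""
    limiter = limiter or CostAwareLimiter()
    verdicts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue        # malformed line: skip rather than crash the pipeline
        ts = datetime.strptime(m["ts"], TS_FORMAT).timestamp()
        ok = limiter.allow(m["ip"], ts, request_cost(m["method"], m["path"]))
        counts = verdicts.setdefault(m["ip"], {"allowed": 0, "blocked": 0})
        counts["allowed" if ok else "blocked"] += 1
    return verdicts


def _line(ip, when, method, path):
    stamp = when.strftime(TS_FORMAT)
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512'


# Constructed log: one bot sends 30 POST /search in three seconds (10/s);
# one person loads five pages over ten seconds.
_T0 = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("203.0.113.7", _T0 + timedelta(seconds=i // 10), "POST", "/search")
              for i in range(30)]
SAMPLE_LOG += [_line("10.0.0.5", _T0 + timedelta(seconds=2 * i), "GET", "/index.html")
               for i in range(5)]


if __name__ == "__main__":
    for client, counts in replay(SAMPLE_LOG).items():
        print(client, counts)
```

With these parameters the bot gets four expensive searches through before its bucket is empty and is then held to the refill rate, while the browsing client is never touched. Against a distributed flood the per-IP bucket alone is not enough (180,000 sources each staying under the limit still adds up), which is why the behavioural and challenge-based techniques described later in the article are layered on top.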

Zero-day DDoS Attacks

The “Zero-day” definition encompasses all unknown or new attacks, exploiting vulnerabilities for which no
patch has yet been released. The term is well-known amongst the members of the hacker community,
where the practice of trading zero-day vulnerabilities has become a popular activity.

Motivation behind DDoS attacks
DDoS attacks are quickly becoming the most prevalent type of cyber threat, growing rapidly in the past
year in both number and volume according to recent market research. The trend is towards shorter attack
duration, but bigger packet-per-second attack volume.

Attackers are primarily motivated by:

Ideology – So called “hacktivists” use DDoS attacks as a means of targeting websites they
disagree with ideologically.
Business feuds – Businesses can use DDoS attacks to strategically take down competitor
websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
Boredom – Cyber vandals, a.k.a., “script-kiddies” use prewritten scripts to launch DDoS attacks.
The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline
rush.
Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks as a means of extorting
money from their targets.
Cyber warfare – Government authorized DDoS attacks can be used to both cripple opposition
websites and an enemy country’s infrastructure.

LOIC (Low Orbit Ion Cannon): an “entry-level” DoS attack tool used for cyber vandalism

Imperva solutions mitigate DDoS damage


Imperva seamlessly and comprehensively protects websites against all three types of DDoS attacks,
addressing each with a unique toolset and defense strategy:

Volume Based Attacks


Imperva counters these attacks by absorbing them with a global network of scrubbing centers that scale,
on demand, to counter multi-gigabit-per-second DDoS attacks.

Protocol Attacks
Imperva mitigates this type of attack by blocking “bad” traffic before it even reaches the site, leveraging
visitor identification technology that differentiates between legitimate website visitors (humans, search
engines etc.) and automated or malicious clients.

Application Layer Attacks


Imperva mitigates Application Layer attacks by monitoring visitor behavior, blocking known bad bots, and
challenging suspicious or unrecognized entities with JS test, Cookie challenge, and even CAPTCHAs.

Imperva mitigates a 250 Gbps DDoS attack, one of the Internet's largest.

In all these scenarios, Imperva applies its DDoS protection solutions outside of your network, meaning
that only filtered traffic reaches your hosts. Moreover, Imperva maintains an extensive DDoS threat
knowledge base, which includes new and emerging attack methods. This constantly-updated information
is aggregated across our entire network – identifying new threats as they emerge, detecting known
malicious users, and applying remedies in real-time across all Imperva-protected websites.

Copyright © 2023 Imperva. All rights reserved
