Distributed denial-of-service (DDoS) attacks have been troubling various organizations since the mid-1990s when this destructive phenomenon splashed onto the scene. The logic of this cybercrime vector seems simple at first sight: to deluge a computer network with a slew of traffic it cannot cope with.

At the same time, the DDoS ecosystem is mixed and spans dozens of different techniques. Furthermore, malicious actors’ motivation ranges from money-making schemes to political protests. The current trend is the so-called ransom DDoS, where criminals knock an enterprise network offline and instruct its proprietors to pay for stopping the attack.

Based on the targeted network components and the mechanisms at the core of different DDoS raids, security analysts single out the following three top-level categories:

● Application layer attacks cash in on disrupting the normal functioning of web applications rather than an entire IT network.

● Protocol attacks revolve around depleting all the resources of a web server or a firewall.

● Volumetric attacks are focused on overwhelming a network’s bandwidth with more traffic packets than it can process.


This is a generic hierarchy that only reflects the big picture without going into detail. There are numerous knockoffs that run the gamut of methods to achieve the nefarious goal. Let us delve into these common sub-types of DDoS attacks seen in the wild.

1. LAND Attack

LAND stands for Local Area Network Denial. To set this attack in motion, criminals send falsified SYN requests in which the source and destination IP addresses are the same. This message confuses the receiving server, which keeps responding to itself and undergoes a critical error.
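A defender-side check for the condition described above, as an added example that is not part of the original article: it parses an IPv4/TCP header and flags a SYN whose source and destination addresses match. The function names and the sample packets (documentation addresses, built in memory only) are constructed for illustration.

```python
import socket
import struct

TCP_PROTO, SYN = 6, 0x02

def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != TCP_PROTO or len(packet) < ihl + 14:
        return None                            # malformed, truncated or not TCP
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport, packet[ihl + 13]

def is_land_packet(packet: bytes) -> bool:
    """True for a TCP SYN whose source and destination IP addresses are identical."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, dst, _sport, _dport, flags = parsed
    return bool(flags & SYN) and src == dst

def sample_packet(src, dst, sport, dport, flags) -> bytes:
    """Constructed 40-byte IPv4+TCP header pair (checksums zero) used as test input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

# Constructed samples: documentation addresses, never sent on a network.
LAND_SYN = sample_packet("192.0.2.10", "192.0.2.10", 80, 80, SYN)
NORMAL_SYN = sample_packet("198.51.100.7", "192.0.2.10", 50123, 80, SYN)

if __name__ == "__main__":
    for name, pkt in (("LAND_SYN", LAND_SYN), ("NORMAL_SYN", NORMAL_SYN)):
        print(name, "drop" if is_land_packet(pkt) else "pass")
```

The same comparison is what an ingress filter applies: a packet arriving from outside with the protected host's own address as its source can be dropped before it reaches the TCP stack.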

2. SYN Flood

To execute a SYN flood attack, crooks exploit the TCP three-way handshake, a mechanism used to initiate a connection between a client and a server over the TCP protocol. Hackers submit numerous SYN (synchronize) messages from a spoofed IP address to the target. These fraudulent connection requests exhaust the receiving server’s capacity.
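The handshake abuse described above shows up as a growing pile of half-open connections, which the following added example (not code from the original article) tracks over a stream of observed TCP segments. The event tuple layout, the thresholds and both sample generators are assumptions constructed for the illustration.

```python
from collections import defaultdict

class HalfOpenTracker:
    """Tracks handshakes a server has answered but the client never completed."""

    def __init__(self, timeout_ms=5000, threshold=100):
        self.timeout_ms = timeout_ms      # how long a SYN may wait for the final ACK
        self.threshold = threshold        # half-open entries per service that alert
        self.pending = defaultdict(dict)  # (dst, dport) -> {(src, sport): syn_time}

    def observe(self, ts, src, sport, dst, dport, flags):
        """Feed one inbound segment; return True while the service looks flooded."""
        table = self.pending[(dst, dport)]
        if flags == "S":                              # step 1 of the handshake
            table.setdefault((src, sport), ts)
        elif flags in ("A", "R"):                     # step 3, or an abort
            table.pop((src, sport), None)
        expired = [k for k, t in table.items() if ts - t > self.timeout_ms]
        for k in expired:                             # the server gave up on these
            del table[k]
        return len(table) > self.threshold

def alert_times(events, **settings):
    """Replay time-ordered events and return the timestamps that raised an alert."""
    tracker = HalfOpenTracker(**settings)
    return [e[0] for e in events if tracker.observe(*e)]

def normal_clients(n):
    """Constructed sample: n clients that each finish the handshake after 50 ms."""
    events = []
    for i in range(n):
        client = (f"198.51.100.{i % 250 + 1}", 20000 + i)
        events.append((i * 10, *client, "192.0.2.10", 443, "S"))
        events.append((i * 10 + 50, *client, "192.0.2.10", 443, "A"))
    return sorted(events)

def syn_only_burst(n):
    """Constructed sample: n SYNs from varying sources that are never completed."""
    return [(i, f"203.0.113.{i % 250 + 1}", 1024 + i, "192.0.2.10", 443, "S")
            for i in range(n)]
```

Five hundred well-behaved clients never raise an alert because each entry is cleared by its final ACK, while the same number of unanswered SYNs crosses the threshold at the 101st.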

3. SYN-ACK Flood

This one disrupts the TCP interaction, where a web server sends a SYN-ACK packet to acknowledge a request from a client. The malicious packets come in quantities large enough to congest the server’s RAM and CPU power.

4. ACK & PUSH ACK Flood

As soon as the connection between a client and a host has been established, iterative rogue ACK & PUSH ACK messages come into play. When trying to work out how to deal with these packets, the server runs out of resources.

5. Fragmented ACK Flood

The attacker shells a server with fragmented ACK packets whose maximum allowed size is usually 1,500 bytes. An attempt to reassemble these messages drains the processing capabilities of the network gear such as routers. The problem is that it does not necessarily take a lot of such fractured packets to knock the equipment offline.

6. Spoofed Session Flood

This attack relies on a combo of several ACK packets, a fake SYN packet, and at least one RST (reset) or FIN (connection ending) packet. Such a technique can dupe protection systems that monitor incoming traffic and often ignore return traffic.

7. UDP Flood

In contrast to TCP, User Datagram Protocol (UDP) connections do not engage any sort of handshaking. Numerous fabricated UDP packets are sent to the target server until it becomes unresponsive.

8. VoIP Flood

A spinoff of UDP flood, this DDoS method zeroes in on Voice over Internet Protocol (VoIP) servers. It follows the classic principle of cramming up the server’s capacity with numerous counterfeit VoIP packets that appear to come from different IP addresses.

9. DNS Flood

The DNS flood is one of the toughest attacks to tackle. Criminals spawn plenty of dummy request packets bombarding a DNS server. To feign legitimacy, these entities pretend to emanate from many different IP addresses.

10. NTP Flood/Amplification

This attack involves the Network Time Protocol (NTP), a networking protocol used for clock syncing. Cybercriminals piggyback on easy-to-access NTP servers to flood their victim network with a slew of UDP packets.

11. SSDP Flood/Amplification

The Simple Service Discovery Protocol (SSDP) is a component of the Universal Plug and Play (UPnP) protocol framework. This DDoS attack is aimed at devices that use UPnP services. The adversary sends tiny UDP packets containing the prey server’s IP to many such connected entities. The server cannot handle the multitude of requests generated by these devices and goes offline.

12. CHARGEN Flood

Although the Character Generator Protocol (CHARGEN) may be thought of as obsolete, DDoS operators can prove this opinion wrong. Having been launched in the 1980s, it is still in use on some modern printers and photocopiers. To pull off this attack, criminals submit small packets carrying a target server’s IP address to connected equipment that supports CHARGEN. The devices react by sending multiple UDP packets back to the server, thereby exhausting its capacity.

13. SNMP Flood/Amplification

The Simple Network Management Protocol (SNMP), which amasses info related to connected devices, can be abused to disrupt a network’s operation. Malefactors inundate a router or a switch with a ton of packets that come from a spoofed IP address of a web server. As a result, the numerous devices that are tuned for such requests reply to that IP. The redundant traffic knocks down the server.
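The NTP, SSDP, CHARGEN and SNMP variants above share one observable trait on the victim side: UDP replies from those services arrive at a host that never sent a request. The added example below (not from the original article) totals such unsolicited replies from flow records; the record layout, the byte budget and the sample flows are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

# UDP source ports of the services named above.
REFLECTOR_PORTS = {19: "CHARGEN", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

def unsolicited_replies(flows, local_net):
    """Sum inbound UDP bytes per (local host, service) that answer no local query.

    flows: time-ordered (src_ip, src_port, dst_ip, dst_port, n_bytes) UDP records.
    """
    net = ipaddress.ip_network(local_net)
    asked = set()        # (local_ip, local_port, remote_ip, remote_port) queries sent
    totals = Counter()   # (local_ip, service) -> unsolicited bytes received
    for src, sport, dst, dport, n_bytes in flows:
        if ipaddress.ip_address(src) in net:
            asked.add((src, sport, dst, dport))            # our own request
        elif sport in REFLECTOR_PORTS and (dst, dport, src, sport) not in asked:
            totals[(dst, REFLECTOR_PORTS[sport])] += n_bytes
    return totals

def reflection_alerts(flows, local_net, min_bytes=10_000):
    """Return {(host, service): bytes} for hosts over the unsolicited-byte budget."""
    totals = unsolicited_replies(flows, local_net)
    return {key: n for key, n in totals.items() if n >= min_bytes}

def sample_flows():
    """Constructed flow records (documentation addresses), not captured traffic."""
    flows = [
        ("192.0.2.20", 40000, "198.51.100.1", 123, 76),    # host asks its NTP server
        ("198.51.100.1", 123, "192.0.2.20", 40000, 76),    # solicited reply, ignored
    ]
    for i in range(1, 41):                                  # replies nobody requested
        flows.append((f"203.0.113.{i}", 123, "192.0.2.10", 80, 468))
        flows.append((f"203.0.113.{i}", 1900, "192.0.2.10", 80, 310))
    return flows
```

Matching replies against recorded requests keeps a host's legitimate time synchronisation or device discovery out of the totals, so only traffic nobody asked for counts toward the alert.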

14. HTTP Flood

A perpetrator mimics regular POST or GET requests that shell a web application or a server and deteriorate its functioning. This DDoS attack often capitalizes on numerous virus-tainted computers to emulate legitimate traffic.

15. Single Session HTTP Flood

This incursion vector triggers a scenario where a single HTTP session spawns a number of requests by obfuscating them within one HTTP packet. The trick allows an offender to amplify the disruptive potential of the raid.

16. Recursive HTTP GET Flood

This attack is based on requesting a series of web pages from a server and analyzing the responses. Then, the criminal requests each website element recurrently to siphon off the server’s processing capacity.

17. Random Recursive GET Flood

Hackers use this method to hit websites that contain recursive pages. Blogs or online forums fit the mold of typical targets. During the attack, page numbers are randomly picked from a valid range to fake a legitimate user and send numerous GET requests that diminish the website’s performance.

18. Misused Application Attack

To run this one, malicious actors infect and harness client machines that run resource-heavy software such as P2P applications. The felons overload the target server by redirecting hefty amounts of Internet traffic from these computers to it. This attack is difficult to withstand because the requests stem from real clients.

19. ICMP Flood

This technique overwhelms a server with a huge quantity of falsified Internet Control Message Protocol (ICMP) pings. The target network generates a packet in response to every single echo request it has received. Once it reaches its reply limit, it can no longer handle legitimate requests.

20. IP Null Attack

IP Null attack involves numerous packets with IPv4 headers whose value is set to null. As some web servers are incapable of processing such invalid packets, they allocate too many resources trying to cope with this task and eventually deny service to legitimate clients.

21. Smurf Attack

This onslaught stands out from the rest because it relies on a malicious program called Smurf to deluge a vast multitude of devices with ICMP pings that contain the victim’s fabricated IP address. When attempting to sort out all the incoming requests, the server may crash.

22. Fraggle Attack

The Fraggle attack resembles the above-mentioned Smurf attack. The main difference, though, is that instead of leveraging ICMP pings the crooks use fraudulent UDP packets.

23. Slowloris

Slowloris is one of a kind because it needs exceptionally low bandwidth to execute. Even a single computer could be enough to pull it off. It comes down to opening numerous simultaneous connections to a target server and keeping them active for a long time. To maintain the continuous impact, the attacker submits fragmented queries and adds HTTP headers. This way, the dodgy requests that remain uncompleted over a certain period exhaust the server’s ability to keep concurrent connections alive and cause it to become unresponsive.
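Because each of these connections keeps receiving a few bytes, an idle timeout never fires; the check that catches them is a deadline on completing the request headers. The added example below (not from the original article) tracks that deadline per connection and counts stalled connections per client; the class, its limits and the replayed scenario are assumptions constructed for the illustration.

```python
from collections import Counter

class HeaderDeadlineMonitor:
    """Flags clients holding many connections whose request headers never finish."""

    def __init__(self, header_deadline=10.0, max_stalled_per_ip=20):
        self.header_deadline = header_deadline      # seconds allowed for full headers
        self.max_stalled_per_ip = max_stalled_per_ip
        self.conns = {}                             # conn_id -> [ip, opened_at, tail]

    def on_open(self, ts, conn_id, ip):
        self.conns[conn_id] = [ip, ts, b""]

    def on_data(self, conn_id, data):
        """Stop tracking a connection once the blank line ending the headers arrives."""
        conn = self.conns.get(conn_id)
        if conn is None:
            return
        window = conn[2] + data                     # terminator may span two reads
        if b"\r\n\r\n" in window:
            del self.conns[conn_id]
        else:
            conn[2] = window[-3:]

    def on_close(self, conn_id):
        self.conns.pop(conn_id, None)

    def offenders(self, now):
        """Return {ip: stalled_count} for clients over the per-IP limit at time now."""
        stalled = Counter(ip for ip, opened, _ in self.conns.values()
                          if now - opened > self.header_deadline)
        return {ip: n for ip, n in stalled.items() if n > self.max_stalled_per_ip}

def replay_sample():
    """Constructed scenario: one slow client, one normal client, checked at t=60 s."""
    mon = HeaderDeadlineMonitor()
    for c in range(30):                             # 30 connections, headers drip-fed
        mon.on_open(0.0, f"slow-{c}", "203.0.113.5")
        mon.on_data(f"slow-{c}", b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    for t in range(5, 60, 5):                       # another header line every 5 s
        for c in range(30):
            mon.on_data(f"slow-{c}", b"X-Pad: %d\r\n" % t)
    mon.on_open(58.0, "ok-1", "198.51.100.7")
    mon.on_data("ok-1", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r")
    mon.on_data("ok-1", b"\n")                      # terminator split across reads
    return mon.offenders(now=60.0)
```

Web servers and reverse proxies expose the same two controls as configuration: a time limit for receiving the complete request header and a cap on concurrent connections per client address.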

24. Ping of Death Attack

To carry out this one, malefactors bombard a network with anomalous echo request packets that are larger than 64 bytes (the maximum allowed size). The task of reassembling these non-standard items can be too difficult for some systems, which entails a denial of service down the line.

25. Low Orbit Ion Cannon (LOIC)

LOIC was originally intended to help security professionals perform network stress testing. However, cybercriminals added this open-source tool to their arsenal. An attacker misuses it to throw a huge number of TCP, HTTP, or UDP packets at a victim server and thereby disrupt its operation.

26. High Orbit Ion Cannon (HOIC)

Like the LOIC tool, this one was designed for benign purposes but later fell into the wrong hands. HOIC is much more powerful than LOIC. It generates a slew of HTTP POST and GET requests that wear out the server. It can impact a whopping 256 domains concurrently.

27. ReDoS

ReDoS (regular expression denial-of-service) targets a specific program by loading it with overly complex string search patterns. The algorithmic sophistication of these specially crafted tasks exhausts the system’s regular expression processing capacity, which may cause it to crash.
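The cost described above comes from patterns with nested quantifiers, which a backtracking engine can match in exponentially many ways before giving up. The added example below (not from the original article) puts such a pattern beside a rewrite that accepts the same strings in linear time, plus an input length cap; both patterns, the 256-character limit and the probe string are assumptions constructed for the illustration.

```python
import re
import time

# Both patterns accept words separated by single whitespace characters.
VULNERABLE = re.compile(r"^(\w+\s?)+$")         # nested quantifiers: ambiguous splits
HARDENED = re.compile(r"^\w+(?:\s\w+)*\s?$")    # same language, one way to match
MAX_LEN = 256                                   # assumed limit for this field

def is_valid(text: str) -> bool:
    """Length cap first, then the linear-time pattern."""
    return len(text) <= MAX_LEN and HARDENED.match(text) is not None

def seconds_to_reject(pattern, text: str) -> float:
    """Time one failed match attempt."""
    start = time.perf_counter()
    assert pattern.match(text) is None
    return time.perf_counter() - start

def compare(n: int = 22):
    """Return (vulnerable_seconds, hardened_seconds) for n word chars plus '!'."""
    probe = "a" * n + "!"                       # constructed non-matching input
    return seconds_to_reject(VULNERABLE, probe), seconds_to_reject(HARDENED, probe)

if __name__ == "__main__":
    slow, fast = compare()
    print(f"vulnerable: {slow:.3f}s  hardened: {fast:.6f}s")
```

Each extra character in the probe roughly doubles the time the first pattern needs, while the rewrite's time grows in proportion to the input length.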

28. Zero-Day DDoS

This attack cashes in on previously unknown flaws in a web server or a computer network. Vulnerabilities like that allow hackers to stay one step ahead of security professionals who simply cannot tackle the issue proactively.


Although DDoS is an incredibly old vector, it continues to wreak havoc. Moreover, it is dynamically evolving to keep up with the rest of the cybercrime world. Some of these incursions involve malware strains and botnets to inflate the attack surface. A growing number of threat actors are motivated by cyber-extortion. Open-source network stress testing tools such as HOIC and LOIC are increasingly misused in real-world onslaughts.

All in all, DDoS is a multi-pronged phenomenon, and organizations should take the threat seriously. Limited budgets prevent many organizations from getting solid protection. Although a reliable intrusion prevention system combined with a firewall should do the trick in most cases, it is definitely a good idea to have a plan B if things get out of hand.