The most common DDoS attacks
TCP SYN flood
A known and extensively used method for causing overloading is based upon the three-way handshake (SYN, SYN-ACK, ACK packet sequence) process during a TCP connection setup. The attacker sends a SYN packet and the victim replies with a SYN-ACK packet. The victim then expects an ACK packet, which never comes.
After some time, the “call” ends but until then the resources at the victim are occupied. If the victim receives many simultaneous calls of this kind, from e.g. a botnet, all resources at the victim will be used up, and legitimate attempts to establish a TCP connection will be rejected. This type of DDoS attack goes by the name of TCP SYN flood, and even today is widely used due to its simplicity.
ICMP flood
An ICMP flood attack is a flooding attack where a botnet is typically sending so many ICMP Echo Request (ping) packets to the victim that the victim’s internet connection is overwhelmed and legitimate traffic cannot get through. An ICMP flood attack may also overload the server receiving the ICMP packets, as it uses resources to handle the packets.
UDP flood
A UDP flood attack is a flooding attack where a botnet is typically sending so many UDP packets to the victim that the victim’s internet connection is overwhelmed and legitimate traffic cannot get through. An UDP flood attack may also overload the server receiving the UDP packets, as it uses resources to handle the packets.
Amplification attack
In a reflection amplification attack (also just called an amplification attack) a botnet sends attack traffic via open internet servers (ports) to amplify the attack. For example, open servers supporting the following UDP based protocols are used:
DNS
NTP
SNMP
SSDP
CharGen
A DNS amplification attack works, for example, in such a way that several bot machines are configured to make DNS requests with a false sender IP address directed at open DNS servers. The DNS servers will, as DNS servers always do, return the replies to the sender address. As the sender address of the requests is spoofed to be the address of the server that the attacker wants to overwhelm, the many DNS replies are sent to this server.
In other words, the open DNS servers are used as reflectors (relay machines) for the attack, but also as amplifiers, as a DNS reply typically takes up much more space than a DNS request.