5 types of Volumetric DDoS attacks

Volumetric Distributed Denial of Service (DDoS) attacks are designed to overwhelm a target’s network or server with massive amounts of traffic.

These attacks saturate the target’s bandwidth or processing capacity, making legitimate access impossible; the goal is simply to consume as much bandwidth as possible.

The attack typically uses botnets, comprising compromised devices, to generate an enormous volume of data packets, such as UDP or ICMP floods, targeting specific network resources.

Volumetric DDoS attacks exploit the limited resources of the target to create service unavailability, affecting both users and organizations.

Below we briefly discuss five types of volumetric DDoS attacks.

UDP Flood

A User Datagram Protocol (UDP) flood is a type of volumetric DDoS attack that overwhelms a target by sending a high volume of UDP packets to random ports. Since UDP is a connectionless protocol, it neither verifies the sender’s identity nor confirms packet delivery, which makes it easy to abuse.

Attackers send massive amounts of UDP traffic, forcing the target system to check each targeted port for a listening application, which consumes bandwidth and processing power. For example, a UDP flood can disrupt online gaming platforms that rely heavily on UDP traffic for real-time interactions.

ICMP Flood

An Internet Control Message Protocol (ICMP) flood, also known as a ping flood, involves sending an overwhelming number of ICMP Echo Request (ping) packets to a target. The target system becomes overwhelmed as it tries to process and respond to each packet, leading to service degradation or complete unavailability.

Attackers often spoof the source IP address to mask their identity, making it difficult to trace the origin of the attack. For instance, ICMP flood attacks have been used to target government websites, causing disruptions to public services and communications.

DNS Amplification Attack

A DNS amplification attack leverages misconfigured Domain Name System (DNS) servers to amplify the volume of attack traffic directed at a target. Attackers send small DNS queries to open DNS resolvers with the target’s IP address spoofed as the source. The resolvers respond with significantly larger DNS replies, flooding the victim with traffic and consuming its bandwidth.

An example of this attack occurred in 2013 when a DNS amplification attack targeting Spamhaus, an anti-spam organization, reached a peak of 300 Gbps, disrupting global internet traffic.

NTP Amplification Attack

A Network Time Protocol (NTP) amplification attack exploits vulnerable NTP servers to flood a target with traffic. Attackers send spoofed NTP requests carrying the victim’s IP address as the source, causing the server to send a disproportionately large response to the victim.

This technique significantly amplifies the attack’s power, making it a preferred method for volumetric DDoS attacks. An example is the 2014 NTP amplification attack that targeted gaming platforms and content delivery networks, generating traffic peaks of over 400 Gbps.

SYN Flood

A SYN flood attack abuses the handshake mechanism of the Transmission Control Protocol (TCP) to overwhelm a target system. Attackers send a large number of SYN (synchronize) requests to the target but never complete the three-way handshake with the final ACK (acknowledge). This leaves the target with many half-open connections, consuming resources and preventing legitimate connections.

An example of a SYN flood attack occurred in 2020 when attackers targeted a financial institution’s online services, causing significant disruptions to their operations.
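As an added example that is not part of the original article, the following Python sketch applies one defender-side heuristic per attack type described above (random-port UDP spraying, Echo Request rate, unsolicited replies from DNS/NTP ports, and SYNs never followed by an ACK) to constructed per-packet records; the record format, the threshold and all addresses are assumptions for illustration.

```python
# Source ports of the reflectors discussed above: open DNS resolvers and NTP servers.
AMP_PORTS = {53: "DNS amplification", 123: "NTP amplification"}
def classify(flows, victim, threshold=50):
    """Return the set of volumetric attack types observed against `victim`.
    Count-based heuristics; the threshold is illustrative, tune it to your baseline."""
    udp_ports, icmp, syn_srcs, ack_srcs = set(), 0, set(), set()
    queries, unsolicited = set(), {}
    for f in flows:
        if f["src"] == victim and f["proto"] == "udp":  # remember our own queries
            queries.add((f["dst"], f["sport"], f["dport"]))
        if f["dst"] != victim:
            continue
        if f["proto"] == "icmp" and f.get("type") == 8:  # Echo Request
            icmp += 1
        elif f["proto"] == "udp":
            if f["sport"] in AMP_PORTS:  # reply from a resolver / NTP server
                if (f["src"], f["dport"], f["sport"]) not in queries:  # we never asked
                    name = AMP_PORTS[f["sport"]]
                    unsolicited[name] = unsolicited.get(name, 0) + 1
            else:
                udp_ports.add(f["dport"])  # a UDP flood sprays random ports
        elif f["proto"] == "tcp":
            if f["flags"] == "S":
                syn_srcs.add(f["src"])
            elif "A" in f["flags"]:
                ack_srcs.add(f["src"])  # a real client completes the handshake
    found = {name for name, n in unsolicited.items() if n >= threshold}
    if len(udp_ports) >= threshold:
        found.add("UDP flood")
    if icmp >= threshold:
        found.add("ICMP flood")
    if len(syn_srcs - ack_srcs) >= threshold:  # half-open: SYN seen, ACK never
        found.add("SYN flood")
    return found

VICTIM = "203.0.113.10"
# Constructed sample traffic (not a real capture); addresses come from reserved test ranges.
SAMPLE = (
    [{"proto": "udp", "src": "198.51.100.7", "dst": VICTIM, "sport": 40000,
      "dport": 1024 + i} for i in range(200)]                        # UDP flood
    + [{"proto": "icmp", "src": f"198.51.100.{i}", "dst": VICTIM, "type": 8}
       for i in range(1, 80)]                                        # ping flood
    + [{"proto": "udp", "src": f"192.0.2.{i}", "dst": VICTIM, "sport": 53,
        "dport": 3074} for i in range(1, 70)]                        # DNS reflection
    + [{"proto": "tcp", "src": f"198.18.0.{i}", "dst": VICTIM, "sport": 5000,
        "dport": 443, "flags": "S"} for i in range(1, 150)]          # SYN flood
    + [{"proto": "udp", "src": VICTIM, "dst": "192.0.2.200", "sport": 55555, "dport": 53},
       {"proto": "udp", "src": "192.0.2.200", "dst": VICTIM, "sport": 53, "dport": 55555}]
)
```

The legitimate query/reply pair at the end is deliberately not flagged, because the reply matches a query the protected host sent itself.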

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about cybersecurity events and stories, cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.