Types of DDoS Attacks

Every DDoS attack exploits the same fundamental truth: making someone process something costs more than making them receive it.

The different attack types are just different ways of finding this asymmetry. Volumetric attacks find it in bandwidth. Protocol attacks find it in connection state. Application attacks find it in CPU cycles. Understanding where the asymmetry lives tells you how to defend against it.

Volumetric Attacks: Drowning the Pipe

Volumetric attacks are the simplest conceptually: send more data than the target's Internet connection can handle. If you have a 10 Gbps connection and I send you 100 Gbps, you're offline. It doesn't matter how powerful your servers are—the traffic never reaches them.

UDP floods are the workhorse of volumetric attacks. UDP requires no handshake, no connection establishment—attackers just spray packets at the target. The target's network equipment has to at least look at each packet before deciding to drop it, and that looking costs resources.

ICMP floods (ping floods) work similarly. The target receives ping requests and tries to respond, consuming bandwidth in both directions.

Volumetric attacks are measured in gigabits per second (Gbps) or terabits per second (Tbps). Modern attacks routinely exceed 1 Tbps. The only defense is having more bandwidth than the attacker—which is why volumetric mitigation requires upstream filtering by ISPs or specialized DDoS protection services with massive network capacity.

Protocol Attacks: Exhausting State

Protocol attacks don't need overwhelming bandwidth. They exploit the fact that network protocols require systems to remember things—to maintain state—and memory is finite.

SYN floods are the classic example. When you connect to a server via TCP, your computer sends a SYN packet, the server responds with SYN-ACK and allocates memory to track this half-open connection, then waits for your ACK to complete the handshake.

The attack: send millions of SYN packets with fake source IP addresses. The server allocates memory for each one, sends SYN-ACKs to addresses that don't exist (or don't care), and waits. The connections never complete. The server's connection table fills up. Legitimate users can't connect because there's no room for them.

Fragmented packet attacks exploit reassembly buffers. IP allows large packets to be split into fragments that get reassembled at the destination. Attackers send first fragments but never the rest. The target holds partial packets in memory waiting for fragments that never arrive, eventually exhausting buffer space.

Protocol attacks are measured in packets per second (pps). A stateful firewall might handle 10 Gbps of throughput but only 1 million pps of state tracking. Protocol attacks target that second number.

Application Layer Attacks: Legitimate-Looking Destruction

Application layer attacks are the most insidious because they look like real traffic. Every request is valid. The attack works because processing a request costs the server far more than sending it costs the attacker.

HTTP floods send legitimate web requests—but for the most expensive pages. Search queries that scan the entire database. Report generations that crunch numbers for minutes. Image processing that maxes out CPU. Each request is indistinguishable from a real user, but thousands per second from a botnet overwhelm the application.

Slowloris is beautifully evil. Web servers have a limited number of connection slots. Slowloris opens connections and keeps them alive indefinitely by sending HTTP headers very, very slowly—one byte every few seconds, just enough to prevent timeout. A single laptop running Slowloris can take down a web server by being exquisitely, maliciously patient.

Slow POST works similarly: start uploading a file, but transmit at a glacial pace. The server holds the connection open, waiting for data that trickles in byte by byte.

HTTPS floods target the SSL/TLS handshake, which is computationally expensive. Establishing encryption requires cryptographic operations that cost significant CPU. Floods of handshake requests exhaust server processing capacity even if no actual data ever flows.

Application attacks are measured in requests per second (rps). A 1 Gbps application attack might be more devastating than a 100 Gbps volumetric attack if it hits the right endpoints.

Amplification: The Force Multiplier

Amplification attacks are clever: they use legitimate services to multiply attack traffic.

The pattern: find a service where a small request generates a large response. Send that request with the victim's IP address spoofed as the source. The service sends its large response to the victim, not the attacker.

DNS amplification queries DNS servers for records with large responses (DNSSEC-signed domains work well). A 60-byte query might generate a 4,000-byte response—a 70x amplification.

NTP amplification abuses the monlist command on misconfigured NTP servers, which returns a list of recent clients. Responses can be 200x larger than requests.

Memcached amplification achieved amplification factors over 50,000:1 before widespread mitigation. A botnet with 10 Gbps of upload capacity could generate 500 Tbps of attack traffic.

Amplification is why botnets punch far above their weight. The attacker's bandwidth is just the seed; the amplification service provides the actual attack volume.

Reflection: Hiding the Source

Reflection attacks bounce traffic off legitimate services to obscure the attack origin. The victim sees traffic from DNS servers, NTP servers, game servers—not from the attacker's botnet.

Any UDP service can be a reflector because UDP doesn't verify source addresses. The attack looks like misbehaving legitimate services, not a coordinated assault. Logs show innocent IPs. Blocking the "attackers" means blocking legitimate infrastructure.

Reflection and amplification often combine: attackers reflect traffic off services that also amplify it, getting both source obfuscation and traffic multiplication.

Multi-Vector: All of the Above

Sophisticated attacks don't pick one technique—they use several simultaneously.

A multi-vector attack might combine a volumetric UDP flood to saturate bandwidth, a SYN flood to exhaust firewall state tables, and an HTTP flood to overwhelm application servers. Each vector requires different mitigation. Stopping the volumetric component doesn't help with the application layer attack.

This is increasingly common because single-vector attacks are increasingly easy to mitigate. Defenders have gotten good at any one thing; multi-vector attacks force them to be good at everything at once.

The Long Tail

Carpet bombing spreads attack traffic across many IP addresses instead of concentrating on one, trying to stay under per-IP detection thresholds while still overwhelming aggregate network capacity.

Pulse wave attacks come in bursts—attack for five minutes, stop, attack again. This complicates response by making attacks appear to resolve before mitigation is fully deployed.

Low and slow attacks stay under traffic thresholds entirely, using carefully crafted requests that consume disproportionate resources. They're hard to detect because nothing looks anomalous—except the server is struggling.

Ransom DDoS adds extortion: attackers demonstrate capability with a brief attack, then demand payment to not launch a sustained one. Paying encourages more attacks; not paying risks extended downtime.

IoT botnets like Mirai compromised hundreds of thousands of insecure cameras, DVRs, and routers—devices with default passwords that no one changes, no security updates, and no monitoring. This created attack capacity measured in terabits per second, from devices their owners don't even know are compromised.

The Asymmetry Principle

Every attack type exploits asymmetry somewhere in the stack:

• Volumetric: bandwidth is finite, attack bandwidth is borrowed from botnets or amplified from reflectors
• Protocol: state memory is finite, SYN packets are cheap to send
• Application: processing costs CPU, requests cost nothing
• Amplification: small queries generate large responses

Defense inverts the asymmetry: make attacks cost more than defense. Rate limiting makes repeated requests expensive. Anycast distributes load across geography. Scrubbing centers absorb volumetric attacks with superior bandwidth. SYN cookies eliminate state exhaustion. Application firewalls recognize attack patterns.

Understanding where the asymmetry lives in each attack type reveals where to place defenses—and why no single defense works against everything.