A Look Back at Seven Famous Documented DDoS Attack Methods
By luvtoowrite
New methods of creating chaos across networks are being discovered all the time. As old methods are mitigated and become obsolete, hackers and security experts work on finding new ways to keep us on our toes. Here we'll take a look back at seven of the most documented attack methods used during the evolution of DDoS.
Apache2 and Slash Attacks
In older versions of Apache, it was possible to overload the web server with a ton of HTTP headers, eventually causing the web server to crash. Particularly in versions prior to 1.2.5, it was also possible to overload the server by adding excessive redundant forward slashes to a URL, known as the “Back” or “Slash” attack. The overhead on the server involved in removing these slashes grew quadratically with the number of slashes in the URL: the security advisories put the cost at O(n^2). If the attacker sent enough requests containing redundant slashes, they could effectively crash the web service and severely degrade system performance.
ARP Poison (A.K.A ARP Spoofing)
ARP poison attacks require the attacker to have access to the target's LAN. The attacker deludes the hosts within the LAN with a false MAC address for hosts with known IP addresses: it monitors for ARP queries for those IPs and responds as soon as the ARP requests are received. The end result is that traffic for those IP addresses is sent to the attacker instead, who can then redirect the data to another network or to the LAN's gateway to spawn a DoS attack.
The Land Attack
Primarily affecting ancient versions of Windows and various flavors of Unix, land attacks work by sending a spoofed SYN packet with the same source IP address as the destination. The target machine is fooled into thinking that it's sending itself a message, which can cause some operating systems to crash.
SYN Flood
The SYN flood is one of the most common types of DDoS attacks. It occurs when the three-way handshake, the exchange between two hosts that establishes a TCP/IP connection, never completes. The target's resources eventually become exhausted attempting to respond to all of the connection requests, which the attacker in turn never acknowledges. The target is left with a queue of half-open TCP connections and is unable to accept any more.
Ping of Death
The DoS method known as the “ping of death” entails an attacker sending packets over 65,536 bytes in size to target hosts, likely in bulk or rapid succession, in anticipation that the host will be unable to process such requests and will therefore crash. This type of attack is very uncommon nowadays due to advances in network hardware.
Process Table
Similar to a SYN flood, a process table attack involves the rapid creation of incomplete connections to certain network services, forcing them to create a new process every time a TCP/IP connection is set up. The overabundance of processes results in severe degradation of host performance. A variation of the process table attack is sometimes known as the “SSH process table” attack, which uses a similar method of generating SSH connections without completing the login process.
The Smurf Attack
Also known as a broadcast attack, the smurf attack attempts to exhaust the bandwidth of a network by sending a large amount of ping traffic to an IP broadcast address, with the source spoofed so that the traffic appears to originate from the victim. Routing devices configured to deliver broadcast traffic send the traffic to the hosts on that network, which reply to the request and therefore multiply the traffic by the number of hosts responding.
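As an added example (not code from the original article), here is a small Python classifier that flags the header signatures of the Land attack, the Smurf broadcast trigger, an oversized ping-of-death reassembly and a SYN-flood half-open backlog described above, run over constructed packet summaries. The packet field names, the local subnet and the SYN threshold are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/24")]  # assumed local subnet; its broadcast address is the Smurf amplifier
# Constructed packet summaries; field names are assumptions, not a real tool's schema.
# "len" is the fragment's IP payload length, "frag_off" is in 8-byte units.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "flags": "S", "len": 40},              # Land: src == dst
    {"src": "10.0.0.20", "dst": "10.0.0.255", "proto": "icmp", "type": 8, "len": 64},            # Smurf trigger, spoofed victim source
    {"src": "198.51.100.7", "dst": "10.0.0.20", "proto": "icmp", "frag_off": 8185, "len": 100},  # oversized tail fragment
    {"src": "192.0.2.1", "dst": "10.0.0.20", "proto": "tcp", "flags": "S", "len": 40},
    {"src": "192.0.2.2", "dst": "10.0.0.20", "proto": "tcp", "flags": "S", "len": 40},
    {"src": "192.0.2.3", "dst": "10.0.0.20", "proto": "tcp", "flags": "S", "len": 40},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "flags": "S", "len": 40},             # legitimate client...
    {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "flags": "A", "len": 40},             # ...completes the handshake
    {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "icmp", "type": 8, "len": 64},              # ordinary unicast ping
]

def is_land(p):  # Land: a SYN whose source address equals its destination address
    return p["proto"] == "tcp" and "S" in p.get("flags", "") and p["src"] == p["dst"]

def is_smurf_trigger(p):  # Smurf: an ICMP echo request aimed at a broadcast address
    if p["proto"] != "icmp" or p.get("type") != 8:
        return False
    dst = ip_address(p["dst"])
    return dst == ip_address("255.255.255.255") or any(dst == n.broadcast_address for n in LOCAL_NETS)

def is_ping_of_death(p):  # the reassembled datagram would exceed the 65,535-byte IPv4 maximum
    return p.get("frag_off", 0) * 8 + p["len"] > 65535

def half_open_per_dst(packets, threshold):  # SYN flood: SYNs never followed by the client's ACK
    pending, completed = set(), set()
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key, flags = (p["src"], p["dst"]), p.get("flags", "")
        if flags == "S":
            pending.add(key)
        elif "A" in flags and key in pending:
            completed.add(key)
    backlog = Counter(dst for _, dst in pending - completed)
    return {dst: n for dst, n in backlog.items() if n >= threshold}

def classify(packets, syn_threshold=3):
    """Return (finding, address) pairs for every signature matched in the capture."""
    checks = [("land", is_land, "src"), ("smurf", is_smurf_trigger, "dst"), ("ping_of_death", is_ping_of_death, "src")]
    findings = [(name, p[field]) for p in packets for name, test, field in checks if test(p)]
    findings += [("syn_flood", dst) for dst in half_open_per_dst(packets, syn_threshold)]
    return findings
```

Real captures would feed the same functions from a pcap or flow export, with the SYN threshold set against the host's observed baseline rather than the toy value used here.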
For more information and protection against DDoS attacks please visit DoSArrest.com