Inside DDoS Forensics
Volumetric Attacks, such as the aforementioned DNS or NTP reflections or UDP (User Datagram Protocol) or SYN/ACK (Synchronize/Acknowledge) floods, consume all available bandwidth and target even the largest Internet carriers. “They're created to take them down,” says Ondrej Krehel, digital forensics lead and CEO of New York-based cybersecurity firm LIFARS. “It's a brute force.”
Layer 7 Attacks target web server resources or application protocols. “The attacker is not stealing the pipe but stealing the request,” Krehel explains, likening it to a banking system that locks you out after a number of attempts with incorrect passwords.
Protocol Attacks consume server resources via SYN floods, UDP or ICMP (Internet Control Message Protocol) fragments, a server-crashing “ping of death,” or the so-called “teardrop” attack, which sends seemingly overlapping data packets. In this scenario, initial communication is made but not completed. It's the equivalent of repeatedly calling the front desk, being put on hold and then hanging up. Meanwhile, the server fills up with incomplete requests, and the CPU gets bogged down or the server runs out of memory.
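The half-open-connection pattern described above is what a defender looks for in a SYN flood. The following is an added illustration, not code from the article or from LIFARS: it walks a constructed set of handshake events (as a passive sensor in front of the server might record them), counts flows that stalled after the SYN or SYN/ACK, and raises an alert for a service whose half-open count and ratio both exceed assumed thresholds.

```python
from collections import defaultdict

# Constructed sample of handshake events: (timestamp_s, client_ip, server_ip,
# server_port, stage). Stage is "SYN" (client opens), "SYNACK" (server replies)
# or "ACK" (client completes). The first two clients finish the handshake; the
# six 198.51.100.x sources never answer the SYN/ACK, leaving half-open flows.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", "192.0.2.10", 443, "SYN"),
    (0.01, "10.0.0.5", "192.0.2.10", 443, "SYNACK"),
    (0.02, "10.0.0.5", "192.0.2.10", 443, "ACK"),
    (0.10, "10.0.0.6", "192.0.2.10", 443, "SYN"),
    (0.11, "10.0.0.6", "192.0.2.10", 443, "SYNACK"),
    (0.12, "10.0.0.6", "192.0.2.10", 443, "ACK"),
]
for i in range(6):
    SAMPLE_EVENTS.append((0.20 + i * 0.02, f"198.51.100.{i}", "192.0.2.10", 443, "SYN"))
    SAMPLE_EVENTS.append((0.21 + i * 0.02, f"198.51.100.{i}", "192.0.2.10", 443, "SYNACK"))


def handshake_summary(events, now, timeout_s=1.0):
    """Per (server, port): completed handshakes vs. flows stuck before the final ACK.

    A flow counts as half-open only once it has waited longer than timeout_s
    (an assumed value) without its ACK, so in-flight legitimate handshakes are
    not mistaken for attack traffic.
    """
    state = {}  # (client, server, port) -> (last stage seen, timestamp)
    for ts, client, server, port, stage in sorted(events, key=lambda e: e[0]):
        key = (client, server, port)
        if stage == "SYN":
            state[key] = ("SYN", ts)
        elif stage in ("SYNACK", "ACK") and key in state:
            state[key] = ("DONE" if stage == "ACK" else "SYNACK", ts)
    summary = defaultdict(lambda: {"completed": 0, "half_open": 0})
    for (client, server, port), (stage, ts) in state.items():
        if stage == "DONE":
            summary[(server, port)]["completed"] += 1
        elif now - ts > timeout_s:
            summary[(server, port)]["half_open"] += 1
    return dict(summary)


def syn_flood_alerts(events, now, timeout_s=1.0, min_half_open=5, min_ratio=0.5):
    """Return (server, port, half_open, ratio) for services that look flooded.

    Both thresholds are assumed starting points; tune them to the service's
    normal connection rate and SYN-ACK retransmission timers.
    """
    alerts = []
    for (server, port), c in handshake_summary(events, now, timeout_s).items():
        total = c["completed"] + c["half_open"]
        ratio = c["half_open"] / total if total else 0.0
        if c["half_open"] >= min_half_open and ratio >= min_ratio:
            alerts.append((server, port, c["half_open"], ratio))
    return alerts
```

Run against the sample with `now=5.0`, the service on 192.0.2.10:443 shows 2 completed and 6 half-open flows (ratio 0.75) and is flagged; at `now=0.5` nothing has exceeded the timeout yet and no alert fires.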
“All three types of attacks can happen at the same or any time from seconds to minutes, or combined,” points out Krehel, whose firm comes up with customized mitigation strategies depending on what is happening.