Different types of DDoS attacks target different components of a network connection. To understand how they work, it helps to know how network connections are established. A network connection on the Internet is made up of many different components, or "layers". Like building a house from the ground up, each layer in the model serves a different purpose. While nearly all DDoS attacks involve flooding a target device or network with traffic, they can be broken down into three categories. An attacker can use one or more attack vectors, or cycle through attack vectors in response to countermeasures taken by the target.
Application layer attacks, sometimes referred to as Layer 7 DDoS attacks, aim to exhaust the target's resources to create a denial of service.
These attacks target the layer on the server where web pages are generated and delivered in response to HTTP requests. A single HTTP request is computationally cheap for the client to send, but it can be expensive for the target server to answer, since the server often loads multiple files and runs database queries to build the page. Layer 7 attacks are hard to defend against because malicious traffic is difficult to distinguish from legitimate traffic.
HTTP flood: This attack is similar to pressing the refresh button in a web browser over and over on many different computers at once: a flood of HTTP requests overwhelms the server, causing a denial of service. Attacks of this type range from simple to complex. Simpler implementations access a single URL from the same range of attacking IP addresses, referrers and user agents. Sophisticated versions may use a large number of attacking IP addresses and target random URLs with random referrers and user agents.
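The two signals the paragraph above describes, a burst of requests from one client and a client that only ever touches one URL with one user agent, are easy to pull out of ordinary web server logs. The following is an added example and not code from the original article: it parses constructed Nginx/Apache "combined"-format log lines, flags IPs whose request rate inside a short window exceeds a limit, and profiles how many distinct paths and user agents each IP used. The sample lines, the window size and the thresholds are all assumptions chosen for illustration.

```python
"""Sliding-window request-rate and header-diversity check over web access logs.

Added example, not part of the original article. Log lines, window size and
thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One regex for the "combined" log format:
#   ip ident user [time] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.7 fires eight identical requests in seven
# seconds; 198.51.100.20 is an ordinary visitor loading a page and its logo.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i:02d} +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"'
    for i in range(8)
] + [
    '198.51.100.20 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.20 - - [10/Oct/2023:13:55:39 +0000] "GET /logo.png HTTP/1.1" '
    '200 2048 "https://example.test/index.html" "Mozilla/5.0 (X11; Linux)"',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(lines):
    """Parse all lines, drop unparseable ones, and sort by timestamp."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])
    return records


def flag_flooders(lines, window_seconds=10, max_requests=5):
    """Map ip -> peak request count seen in any window, for IPs over max_requests."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for rec in parse_log(lines):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def header_profile(lines):
    """Map ip -> (requests, distinct paths, distinct user agents)."""
    count, paths, uas = defaultdict(int), defaultdict(set), defaultdict(set)
    for rec in parse_log(lines):
        count[rec["ip"]] += 1
        paths[rec["ip"]].add(rec["path"])
        uas[rec["ip"]].add(rec["ua"])
    return {ip: (count[ip], len(paths[ip]), len(uas[ip])) for ip in count}


if __name__ == "__main__":
    print("rate offenders:", flag_flooders(SAMPLE_LOG))
    for ip, (n, npaths, nuas) in header_profile(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests, {npaths} paths, {nuas} user agents")
```

A rate check alone is a blunt instrument (NAT gateways and crawlers also make many requests), which is why the profile is computed alongside it: a high rate combined with one path and one user agent is the signature of the simple flood, while the sophisticated variant with random URLs and user agents defeats this profile and needs behavioural or challenge-based filtering instead.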
Protocol attacks, also known as state-exhaustion attacks, cause service disruption by consuming excessive server resources and/or the resources of network equipment such as firewalls and load balancers. Protocol attacks exploit weaknesses in layers 3 and 4 of the protocol stack to render the target inaccessible.
A SYN flood is like a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes to get the package, and waits for confirmation before bringing the package to the front. The worker then receives more package requests that are never confirmed, until they cannot carry any more packages, become overwhelmed, and requests start going unanswered. This attack exploits the TCP handshake (the sequence of messages by which two computers initiate a network connection) by sending a large number of TCP "initial connection request" SYN packets to the target with spoofed source IP addresses. The target machine responds to each connection request and then waits for the final step of the handshake, which never occurs, exhausting the target's resources in the process.
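The resource being exhausted in the paragraph above is the table of half-open connections the server must remember between sending its SYN-ACK and receiving the final ACK. The following added example, not code from the original article, models that table in two ways: a plain backlog that stores every half-open connection and is filled by spoofed SYNs whose ACK never comes, and the SYN-cookie approach, where the server keeps no state and instead derives the sequence number it sends from the client's address and a secret, recomputing it when the final ACK arrives. The backlog size, the secret, the cookie construction and the simulated packets are simplifying assumptions; real kernels also fold a timestamp and MSS into the cookie and expire half-open entries on a timer.

```python
"""Half-open connection table versus SYN cookies: a toy model of the handshake.

Added example, not part of the original article. Backlog size, secret, cookie
construction and packet values are constructed assumptions.
"""
import hashlib
import hmac

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class StatefulListener:
    """Remembers every half-open connection; runs out of room under a flood."""

    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> ISN we sent in the SYN-ACK
        self.established = set()
        self.dropped = 0
        self._next_isn = 1000

    def on_syn(self, src_ip, src_port, client_isn):
        """Return our ISN for the SYN-ACK, or None if the backlog is full."""
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        self._next_isn = (self._next_isn + 1) & SEQ_MASK
        self.half_open[(src_ip, src_port)] = self._next_isn
        return self._next_isn

    def on_ack(self, src_ip, src_port, seq, ack):
        """Final ACK is valid only if we remember the SYN and ack == our ISN + 1."""
        our_isn = self.half_open.pop((src_ip, src_port), None)
        if our_isn is None or ack != (our_isn + 1) & SEQ_MASK:
            return False
        self.established.add((src_ip, src_port))
        return True


class SynCookieListener:
    """Stores nothing per SYN: the SYN-ACK sequence number is a keyed hash."""

    def __init__(self, secret=b"constructed-demo-secret"):
        self.secret = secret
        self.established = set()

    def _cookie(self, src_ip, src_port, client_isn):
        msg = f"{src_ip}|{src_port}|{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        # No state is stored; a spoofed SYN costs one hash and nothing else.
        return self._cookie(src_ip, src_port, client_isn)

    def on_ack(self, src_ip, src_port, seq, ack):
        # The client's seq in the final ACK is its ISN + 1, so its ISN is recoverable
        # and the cookie can be recomputed instead of looked up.
        client_isn = (seq - 1) & SEQ_MASK
        expected = (self._cookie(src_ip, src_port, client_isn) + 1) & SEQ_MASK
        if ack != expected:
            return False
        self.established.add((src_ip, src_port))
        return True


def simulate(listener, spoofed_syns):
    """Send spoofed SYNs that are never acknowledged, then attempt a real handshake."""
    for i in range(spoofed_syns):
        # Constructed spoofed sources: their SYN-ACKs go nowhere and no ACK returns.
        listener.on_syn(f"192.0.2.{i % 250 + 1}", 40000 + i, 1000 + i)
    client_isn = 7777
    server_isn = listener.on_syn("198.51.100.20", 51515, client_isn)
    if server_isn is None:
        return False  # SYN dropped: the legitimate client never sees a SYN-ACK
    return listener.on_ack("198.51.100.20", 51515,
                           (client_isn + 1) & SEQ_MASK, (server_isn + 1) & SEQ_MASK)


if __name__ == "__main__":
    print("stateful, 10 spoofed SYNs, legit client connects:", simulate(StatefulListener(backlog=4), 10))
    print("SYN cookies, 10 spoofed SYNs, legit client connects:", simulate(SynCookieListener(), 10))
```

The point of the comparison is where the cost lands: with a stored backlog the attacker pays one packet per entry the defender must hold, while with cookies the defender pays one hash per packet and holds nothing, so the flood degrades into a plain bandwidth problem rather than a state one. The trade-off, as in real implementations, is that options carried in the original SYN cannot be remembered unless they are squeezed into the cookie.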
Volumetric attacks attempt to cause congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to the target using some form of amplification or another means of generating massive traffic, such as requests from a botnet.
DNS amplification is like someone calling a restaurant and saying "I'll have one of everything, please call me back and repeat my whole order", where the callback number they give actually belongs to the victim. With very little effort, a long response is generated and sent to the victim. By making a request to an open DNS server with a spoofed source IP address (the victim's IP address), the attacker causes the server's response to be delivered to the target IP address.
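From the victim's side, the tell-tale feature of the traffic described above is that it consists of DNS responses to queries the victim never sent. The following added example, which is not code from the original article, works over constructed packet summaries as a monitor at the victim's network edge might record them, pairs every inbound DNS response with an earlier outbound query to the same resolver (matched on resolver address and DNS transaction id), and reports the responses nobody asked for, the bytes they carried and the resolvers they came from. It also computes the bandwidth amplification factor from a query size and a response size. The packet records, addresses and sizes are all made up for the example.

```python
"""Spotting reflected DNS traffic at the victim's network edge.

Added example, not part of the original article. Packet records, addresses
and sizes are constructed assumptions.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction src sport dst dport txid size")

VICTIM = "198.51.100.20"

# Constructed capture: one legitimate lookup to the site's own resolver,
# followed by three large responses from open resolvers the victim never queried.
SAMPLE_PACKETS = [
    Pkt("out", VICTIM, 41872, "192.0.2.53", 53, 0x1A2B, 60),
    Pkt("in", "192.0.2.53", 53, VICTIM, 41872, 0x1A2B, 120),
    Pkt("in", "203.0.113.10", 53, VICTIM, 80, 0x0001, 3000),
    Pkt("in", "203.0.113.11", 53, VICTIM, 80, 0x0002, 3000),
    Pkt("in", "203.0.113.12", 53, VICTIM, 80, 0x0003, 3000),
]


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth amplification factor: bytes delivered per byte the attacker sent."""
    return response_bytes / query_bytes


def reflection_report(packets):
    """Match inbound DNS responses to outbound queries and summarise the leftovers."""
    outstanding = set()   # (resolver, txid) pairs we are waiting on
    matched = 0
    unmatched = []
    for p in packets:  # capture order, so a query is seen before its response
        if p.direction == "out" and p.dport == 53:
            outstanding.add((p.dst, p.txid))
        elif p.direction == "in" and p.sport == 53:
            key = (p.src, p.txid)
            if key in outstanding:
                outstanding.discard(key)
                matched += 1
            else:
                unmatched.append(p)
    inbound_bytes = sum(p.size for p in packets if p.direction == "in" and p.sport == 53)
    unmatched_bytes = sum(p.size for p in unmatched)
    return {
        "matched": matched,
        "unmatched": len(unmatched),
        "unmatched_bytes": unmatched_bytes,
        "unmatched_share": unmatched_bytes / inbound_bytes if inbound_bytes else 0.0,
        "reflectors": sorted({p.src for p in unmatched}),
    }


if __name__ == "__main__":
    report = reflection_report(SAMPLE_PACKETS)
    print(report)
    print("amplification factor of the sample responses:",
          amplification_factor(60, 3000))
```

In a real deployment the matching key would also include the source port and a time bound, since transaction ids alone are only 16 bits; the share of unsolicited response bytes is the number to alarm on, because legitimate resolver traffic is almost entirely matched. The amplification factor explains why the attack is cheap for the sender: in the sample a 60-byte query yields a 3000-byte response, a factor of 50, and the attacker never receives any of it.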