🪖Understanding Cyber-Attacks | How Common Network Flood Attacks Work 💣

Ronald Bartels

Cyber-attacks targeting networks are becoming increasingly sophisticated, and businesses must understand how these attacks function to defend their infrastructure effectively. This article focuses on several common cyber-attacks, particularly Distributed Denial of Service (DDoS) attacks that overwhelm a target with excessive traffic, causing disruption or outages.

DNS Amplification is the most common type and is covered in a separate article; this article focuses on the other types of attacks.


1. UDP Fragment Flood

How It Works:

Attackers send fragmented UDP packets to the target network. Because the fragments never form complete datagrams, the target must hold them in reassembly buffers while waiting for the missing pieces, which ties up memory and CPU.

Impact:

  • Overwhelms routers and firewalls.

  • Can disrupt legitimate network traffic.

Mitigation:

  • Configure firewalls to drop malformed or fragmented packets.

  • Use DDoS mitigation tools to identify and block abnormal UDP traffic.


2. SYN Flood

How It Works:

Attackers exploit the TCP handshake process by sending a massive number of SYN (synchronise) requests to the target. The server allocates resources for each request but never receives an ACK (acknowledge) response, leaving the connections half-open and exhausting resources.

Impact:

  • Prevents legitimate users from connecting to the server.

Mitigation:

  • Use SYN cookies to authenticate connection requests.

  • Implement rate-limiting on SYN requests.
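As an added illustration of the SYN-cookie mitigation (not code from the article or from any kernel), the following simplified model shows how a server can answer a SYN without storing any state and still verify the final ACK of the handshake. The key, addresses, MSS table and tick size are constructed for the example; the 5/3/24-bit layout follows the classic scheme.

```python
import hashlib
import hmac
import struct

# All values below are constructed for the example; a kernel uses a random per-boot key.
SECRET = b"constructed-syn-cookie-key"
MSS_TABLE = [536, 1300, 1440, 1460]  # 3-bit MSS index, as in the classic scheme
TICK_SECONDS = 64                    # granularity of the 5-bit time counter
MAX_AGE_TICKS = 1                    # accept the current or the previous tick only
CLIENT = bytes([203, 0, 113, 5])     # constructed client address
SERVER = bytes([192, 0, 2, 10])      # constructed server address


def _hash24(saddr, daddr, sport, dport, count):
    """Keyed 24-bit hash binding the 4-tuple to the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, now):
    """Build the ISN for a SYN/ACK: 5 bits time | 3 bits MSS index | 24 bits hash.

    Nothing is stored server-side; the cookie itself is the connection state."""
    count = (now // TICK_SECONDS) & 0x1F
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            mss_idx = i            # round the offered MSS down to a table entry
    return (count << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, count)


def check_syn_cookie(saddr, daddr, sport, dport, ack_number, now):
    """Validate the handshake's final ACK; return the recovered MSS, or None if bogus/stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges ISN + 1
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = (now // TICK_SECONDS) & 0x1F
    if (current - count) & 0x1F > MAX_AGE_TICKS:
        return None                          # replayed or stale cookie
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, count):
        return None                          # wrong 4-tuple or forged ACK
    return MSS_TABLE[mss_idx]
```

Only the MSS survives in the cookie, so other options offered in the SYN are lost; that is why kernels typically enable cookies only once the SYN backlog is under pressure rather than for every connection.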


3. DNS Flood

How It Works:

A large volume of DNS queries is sent to a target DNS server. Unlike amplification attacks, the goal is not to use reflection but to overwhelm the server with requests, exhausting its resources.

Impact:

  • Disrupts DNS resolution, making websites inaccessible.

Mitigation:

  • Use DNS rate limiting.

  • Deploy redundant DNS servers in different locations.


4. UDP Flood

How It Works:

A high volume of UDP packets is sent to random ports on the target server. The server spends resources checking for applications listening on these ports and sending ICMP "Destination Unreachable" replies.

Impact:

  • Consumes bandwidth and CPU resources.

Mitigation:

  • Block unnecessary UDP traffic.

  • Use DDoS mitigation services to identify and drop illegitimate UDP packets.
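Added detection example, not from the article: a sliding-window tally of distinct destination ports per source, which separates a client that repeats one port from a flood spraying random ports. The sample datagrams, window and threshold are constructed.

```python
from collections import Counter, defaultdict, deque


class UdpPortSpreadDetector:
    """Per source IP, count distinct destination ports hit within a sliding window.

    A legitimate client talks to one or a few ports; a UDP flood sprays random ports,
    and every closed port costs the server an ICMP Destination Unreachable reply."""

    def __init__(self, window_seconds=1.0, port_threshold=50):
        self.window = window_seconds
        self.threshold = port_threshold
        self.events = defaultdict(deque)      # src_ip -> deque of (ts, dst_port)
        self.ports = defaultdict(Counter)     # src_ip -> {dst_port: hits in window}

    def observe(self, ts, src_ip, dst_port):
        """Record one inbound datagram; return True if src_ip now exceeds the threshold."""
        self.events[src_ip].append((ts, dst_port))
        self.ports[src_ip][dst_port] += 1
        self._expire(src_ip, ts)
        return len(self.ports[src_ip]) >= self.threshold

    def _expire(self, src_ip, now):
        """Drop events older than the window and release ports nothing hit any more."""
        q, seen = self.events[src_ip], self.ports[src_ip]
        while q and q[0][0] < now - self.window:
            _, port = q.popleft()
            seen[port] -= 1
            if seen[port] == 0:
                del seen[port]

    def distinct_ports(self, src_ip):
        return len(self.ports[src_ip])


def replay(detector, datagrams):
    """Feed (ts, src_ip, dst_port) triples; return the set of sources that tripped."""
    return {src for ts, src, port in datagrams if detector.observe(ts, src, port)}


# Constructed sample: a DNS client repeating port 53, and a flood spraying 60 ports in 0.6 s.
SAMPLE_DATAGRAMS = sorted(
    [(i * 0.001, "192.0.2.40", 53) for i in range(600)]
    + [(i * 0.01, "198.51.100.77", 1000 + i) for i in range(60)]
)
```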


5. NTP Amplification

How It Works:

Attackers exploit the Network Time Protocol (NTP) to send small requests with a spoofed source IP address (the victim’s address). NTP servers respond with a large amount of data, amplifying the attack.

Impact:

  • Multiplies the attack traffic, overwhelming the target.

Mitigation:

  • Disable unused NTP functions, such as the monlist command.

  • Ensure NTP servers are patched and configured securely.


6. Mirai (UDP) Flood

How It Works:

The Mirai botnet, consisting of compromised IoT devices, floods the target with UDP packets. These packets often target gaming services, VoIP, and other UDP-dependent services.

Impact:

  • Overwhelms bandwidth and disrupts services.

Mitigation:

  • Secure IoT devices with strong passwords and firmware updates.

  • Use network monitoring to detect unusual traffic spikes.


7. GRE Flood

How It Works:

Attackers send a large volume of GRE (Generic Routing Encapsulation) packets to overwhelm the target. GRE is often used in VPNs and network tunnelling, making these attacks particularly disruptive to businesses relying on such infrastructure.

Impact:

  • Disrupts network tunnels and VPNs.

Mitigation:

  • Filter GRE traffic at the network edge.

  • Use GRE-aware DDoS protection solutions.


8. Mirai (TCP) Flood

How It Works:

The Mirai botnet sends large volumes of TCP traffic, including SYN, ACK, or random flag combinations, to overwhelm the target’s resources.

Impact:

  • Exhausts CPU and memory on the target server.

Mitigation:

  • Deploy rate-limiting and connection tracking mechanisms.

  • Monitor for unusual traffic patterns.


9. ACK Flood

How It Works:

Attackers flood the target with TCP ACK packets, forcing the server to look up and process each acknowledgement and consuming resources.

Impact:

  • Can bypass traditional SYN flood protections since the packets appear legitimate.

Mitigation:

  • Implement deep packet inspection (DPI) to identify illegitimate ACK packets.

  • Use adaptive rate-limiting on TCP connections.


10. TCP Flood

How It Works:

Attackers send a high volume of generic TCP packets without completing the handshake or maintaining a valid session. This overwhelms the server’s capacity to handle legitimate traffic.

Impact:

  • Affects servers dependent on TCP traffic, such as web servers.

Mitigation:

  • Use TCP rate limiting and connection timeouts.

  • Deploy DDoS protection that identifies abnormal TCP behaviour.


11. Memcached Flood

How It Works:

Attackers exploit misconfigured Memcached servers, sending spoofed requests to generate amplified responses to the target.

Impact:

  • Amplifies traffic up to 51,000 times, overwhelming the target network.

Mitigation:

  • Secure Memcached servers by restricting access to trusted IPs.

  • Disable UDP support if not needed.


12. SSDP Flood

How It Works:

Attackers exploit the Simple Service Discovery Protocol (SSDP) used by Universal Plug and Play (UPnP) devices, sending spoofed requests to Internet-exposed devices, which respond with amplified traffic to the target.

Impact:

  • Overwhelms the target’s bandwidth and infrastructure.

Mitigation:

  • Disable UPnP on devices if not needed.

  • Use firewalls to restrict SSDP traffic.
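Added example serving the NTP, Memcached and SSDP sections above (not code from the article): a victim-side check over UDP flow records that pairs replies from reflector ports with the requests the protected hosts actually sent, so unsolicited or over-amplified responses stand out. The internal prefix, flow format, thresholds and sample flows are constructed.

```python
from collections import defaultdict

# Source ports of the reflector services discussed above, as seen from the victim.
REFLECTOR_PORTS = {123: "NTP", 11211: "Memcached", 1900: "SSDP"}
INTERNAL_PREFIX = "192.0.2."   # constructed: the address space being defended


def detect_reflection(flows, min_ratio=10.0, min_bytes=100_000):
    """Pair inbound UDP traffic from reflector ports with the requests we actually sent.

    A flow is a dict with src_ip, src_port, dst_ip, dst_port, proto and bytes.
    Alerts fire when a host receives far more from a service than it asked for."""
    inbound = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    outbound = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst_ip"].startswith(INTERNAL_PREFIX) and f["src_port"] in REFLECTOR_PORTS:
            key = (REFLECTOR_PORTS[f["src_port"]], f["dst_ip"])
            inbound[key]["bytes"] += f["bytes"]
            inbound[key]["reflectors"].add(f["src_ip"])
        elif f["src_ip"].startswith(INTERNAL_PREFIX) and f["dst_port"] in REFLECTOR_PORTS:
            outbound[(REFLECTOR_PORTS[f["dst_port"]], f["src_ip"])] += f["bytes"]
    alerts = []
    for (service, victim), agg in inbound.items():
        sent = outbound.get((service, victim), 0)
        ratio = agg["bytes"] / sent if sent else float("inf")   # unsolicited => infinite
        if agg["bytes"] >= min_bytes and ratio >= min_ratio:
            alerts.append({"service": service, "victim": victim, "in_bytes": agg["bytes"],
                           "out_bytes": sent, "ratio": ratio,
                           "reflectors": len(agg["reflectors"])})
    return sorted(alerts, key=lambda a: a["in_bytes"], reverse=True)


def _flow(src_ip, src_port, dst_ip, dst_port, nbytes, proto="udp"):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto, "bytes": nbytes}


# Constructed sample: a normal NTP exchange, a Memcached reflection against .20,
# a small SSDP reply below the byte floor, and an unrelated TCP flow.
SAMPLE_FLOWS = [
    _flow("192.0.2.10", 50123, "203.0.113.1", 123, 48),
    _flow("203.0.113.1", 123, "192.0.2.10", 50123, 48),
    _flow("203.0.113.50", 1900, "192.0.2.20", 40000, 3000),
    _flow("192.0.2.20", 443, "198.51.100.200", 51000, 9000, proto="tcp"),
] + [_flow(f"198.51.100.{i}", 11211, "192.0.2.20", 80, 200_000) for i in range(1, 6)]
```

The byte floor keeps a single stray reply from paging anyone; lowering it is what makes the small SSDP response in the sample show up as a second alert.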


13. TCP Flags Flood

How It Works:

Attackers send TCP packets with unusual flag combinations (e.g., SYN/FIN, NULL). The target server struggles to interpret these packets, consuming CPU and memory resources.

Impact:

  • Confuses packet inspection systems and disrupts legitimate traffic.

Mitigation:

  • Configure firewalls to drop abnormal TCP flag combinations.

  • Use intrusion detection systems (IDS) to identify and mitigate such attacks.
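Added example for this section and for the "random flag combinations" of the Mirai TCP flood above (not the article's own code): a classifier for the TCP flags byte plus a per-source tally, the kind of logic a firewall rule or IDS signature encodes. The sample packets and threshold are constructed.

```python
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_string(flags):
    """Render a flags byte as e.g. 'SYN/ACK'; an empty set renders as 'NULL'."""
    return "/".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "NULL"


def classify_flags(flags):
    """Return None for a combination a real TCP stack emits, else why it is abnormal."""
    flags &= 0x3F                                  # ignore the ECN bits
    if flags == 0:
        return "NULL: no flags set"
    if flags & SYN and flags & FIN:
        return "SYN+FIN: open and close in one segment"
    if flags & SYN and flags & RST:
        return "SYN+RST: contradictory flags"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "Xmas: FIN+PSH+URG together"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "FIN/PSH/URG without ACK: only SYN and RST may lack ACK"
    return None


def abnormal_flag_sources(packets, threshold):
    """Tally abnormal segments per source over (src_ip, flags) pairs; return offenders."""
    counts = Counter()
    for src_ip, flags in packets:
        if classify_flags(flags) is not None:
            counts[src_ip] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample: one legitimate client, one flag-flooding source, one stray FIN.
SAMPLE_PACKETS = (
    [("198.51.100.7", SYN | FIN)] * 3
    + [("198.51.100.7", 0)] * 2
    + [("192.0.2.10", SYN), ("192.0.2.10", ACK), ("192.0.2.10", PSH | ACK), ("192.0.2.10", FIN | ACK)]
    + [("203.0.113.9", FIN)]
)
```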


Wrap

Understanding the mechanisms of these attacks is crucial for building effective defences. While no single solution can prevent all attacks, a combination of strategies—including proper network configuration, security best practices, and specialised DDoS protection—can significantly reduce the risk and impact of such threats.

For businesses, partnering with a reliable DDoS mitigation provider and staying updated on emerging attack vectors is essential for maintaining robust network security.

