What is a Volumetric DDoS Attack?
Volumetric distributed denial of service (DDoS) attacks are distinct from the other two types of DDoS attacks—protocol DDoS attacks and application layer DDoS attacks—because they rely on brute force: they flood the target with data packets to consume bandwidth and resources. The other two attack types generally use considerably less bandwidth and are more focused on specific aspects of their targets, such as a particular protocol or service.
Hackers usually launch volumetric DDoS attacks using IoT botnets. These attacks are often used in concert with other DDoS attack types as cover for other hacking techniques such as penetration attempts, making web application security monitoring as difficult as possible. They can also be used to overwhelm and disable the victim's security infrastructure, clearing the way for other attacks to slip through.
Detecting Volumetric DDoS Attacks
A volumetric DDoS attack is usually easy to detect because it is obvious when incoming traffic jumps to gigabit or even terabit levels above normal. But once attackers notice mitigation tactics coming into play, they will often repeatedly modify their attack to make defense more difficult. Flow telemetry analysis using protocols such as NetFlow, JFlow, sFlow, or IPFIX is the main method used in web application security monitoring to identify the sources and nature of volumetric DDoS attack traffic.
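As an added example (not A10's code and not part of the original page), the following Python script shows the flow-telemetry check described above over constructed NetFlow-style records: it buckets bytes per destination per 10-second window, alerts when the bit rate exceeds a multiple of a known baseline, and reports the top contributing sources and the protocol mix so a change of vector mid-attack stays visible. The record layout, IP addresses, baseline and threshold factor are all assumptions.

```python
"""Flag volumetric DDoS candidates from flow telemetry (NetFlow/IPFIX-style records)."""
from collections import defaultdict

# Constructed sample flow records (not real telemetry):
# (timestamp_seconds, src_ip, dst_ip, protocol, bytes)
SAMPLE_FLOWS = [
    (0, "198.51.100.5", "203.0.113.10", "TCP", 600_000),
    (3, "198.51.100.6", "203.0.113.10", "TCP", 500_000),
    (7, "198.51.100.7", "203.0.113.10", "UDP", 400_000),     # window 0: ~1.2 Mbps, normal
    (12, "192.0.2.1", "203.0.113.10", "UDP", 20_000_000),
    (13, "192.0.2.2", "203.0.113.10", "UDP", 15_000_000),
    (14, "192.0.2.3", "203.0.113.10", "UDP", 10_000_000),
    (15, "192.0.2.1", "203.0.113.10", "ICMP", 5_000_000),    # window 10: 40 Mbps, flood
    (16, "198.51.100.5", "203.0.113.20", "TCP", 700_000),    # other host, normal
]


def aggregate_windows(flows, window_s=10):
    """Group flows into fixed-size windows per destination.
    Returns {(window_start, dst): {"bytes", "by_src", "by_proto"}}."""
    agg = defaultdict(lambda: {"bytes": 0, "by_src": defaultdict(int), "by_proto": defaultdict(int)})
    for ts, src, dst, proto, nbytes in flows:
        bucket = agg[(ts - ts % window_s, dst)]
        bucket["bytes"] += nbytes
        bucket["by_src"][src] += nbytes
        bucket["by_proto"][proto] += nbytes
    return agg


def detect_volumetric(flows, baseline_bps, factor=10.0, window_s=10, top_n=3):
    """Return alerts for every (window, destination) whose bit rate is at least
    factor x baseline_bps. Volume is judged per destination across all protocols,
    so an attacker switching from UDP to ICMP mid-attack still trips the threshold."""
    alerts = []
    for (start, dst), b in sorted(aggregate_windows(flows, window_s).items()):
        bps = b["bytes"] * 8 / window_s
        if bps >= factor * baseline_bps:
            top_src = sorted(b["by_src"].items(), key=lambda kv: -kv[1])[:top_n]
            proto_mix = {p: round(n / b["bytes"], 2) for p, n in b["by_proto"].items()}
            alerts.append({"window_start": start, "dst": dst, "bps": bps,
                           "top_sources": [s for s, _ in top_src], "proto_mix": proto_mix})
    return alerts


if __name__ == "__main__":
    # Assumed baseline of 1.2 Mbps for the protected host; alert at 10x that rate.
    for alert in detect_volumetric(SAMPLE_FLOWS, baseline_bps=1_200_000):
        print(alert)
```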
Examples of Volumetric DDoS Attacks
There are many versions of volumetric DDoS attacks, and many are launched using IoT botnets: groups of bots or drones built from suborned IoT devices such as IP cameras and consumer routers. Common volumetric DDoS attacks include SYN flood attacks, ICMP flood attacks, and UDP flood attacks.
Real-World Volumetric DDoS Attacks
The first known DDoS attack was a volumetric attack. In late 1996, New York City internet service provider Panix was hit with a SYN flood attack that took out its servers, and it took roughly 36 hours to regain control of the Panix domains.
In 2012, the international hacktivist collective called Anonymous launched an ambitious DDoS attack against the websites of Universal Music Group, the United States Department of Justice, the United States Copyright Office, the Federal Bureau of Investigation, the MPAA, Warner Music Group and the RIAA. The reason for the attack was the shutdown of Megaupload, a file sharing service, and the arrest of four workers. The attack involved a botnet of 5,635 computers running a hacking tool called the Low Orbit Ion Cannon.
One of the more recent and largest recorded examples of a DDoS attack was the 2.3 Tbps attack that hit AWS in 2020. This reflection amplification attack used CLDAP to flood AWS with unwanted traffic, and it took the AWS Shield team a few days to successfully mitigate it.
How A10 Can Help
A10 Networks Thunder® Threat Protection System (TPS®) provides network-wide protection against all types of DDoS attacks with high availability to ensure application performance. Designed for deployments at enterprise- and service provider-scale, A10’s DDoS protection solutions provide 10 to 100 times lower cost per subscriber compared to traditional network vendors and are available in both hardware and software form factors.
DDoS Attack Articles and Assets of Interest
- Defending Enterprise Network Security: a DDoS Attack Primer
- Threat Intelligence Report: DDoS Attacks Intensify in Q2 2020
- Five Most Famous DDoS Attacks and Then Some
- What You Need to Know About DDoS Weapons Used in DDoS Attacks
- Will Lassalle on 5G Security, DDoS Attacks and Gaming
- How to Defend HTTP/HTTPS Applications from DDoS Attacks (Webinar)
- Hybrid DDoS Cloud (Video)
The State of DDoS Weapons Report
In this report, we share a unique insight into DDoS attacks by providing details into relevant tools and weapons utilized, their global distribution and the vulnerabilities of exploited servers, to help you improve your organization’s security posture.
DDoS attacks continue to grow in frequency, intensity and sophistication. However, the delivery method of using infected botnets and vulnerable servers to perform crushing attacks at massive scale has not changed.