Table columns, given for each row below: Attack category; Attack variants; Description; DDoS condition; Side effects.
Attack category: Floods
Attack variants: UDP, ICMP, TCP and application floods; amplification floods through reflection attacks; fragment floods in which each fragment starts a new reassembly.
Description: There are several ways to deny service with a packet flood, depending on which resource in the target network is scarce or vulnerable: (1) bandwidth exhaustion, which fills buffer space at routers or at the target (many large packets); (2) CPU exhaustion, which saturates packet processing at routers or at the target (many small packets, or packets that require special processing, e.g. authentication); (3) application or OS memory exhaustion (packets that require the creation of new records). Amplification floods through reflection attacks create the same attack conditions but add indirection to the attack mechanism. The defining feature of floods is that the DoS effect lasts only while the flood is active, although some systems may keep the allocated memory forever or crash when memory or CPU is depleted. Packets can carry special features to pass firewalls, such as the TCP ACK flag set. TCP packets that hit a non-existent connection record cause a TCP RST to be sent to the source address, which for spoofed addresses will frequently elicit an ICMP host unreachable message back to the target.
DDoS condition: Bandwidth exhaustion; CPU exhaustion at router or end-point; memory exhaustion at end-point.
Side effects: Some old OSs will have problems dealing with spoofed packets. Some TCP packets may disrupt an existing connection if they happen to guess the source IP, ports and sequence numbers correctly, but this is difficult.
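The three flood conditions in the row above, and the RST/ICMP backscatter a spoofed flood produces, as an added illustration that is not part of the original table. The capacity thresholds, the victim address 198.51.100.10 and the traffic generated by make_flood are constructed for the example, not measurements from the paper; which resource is hit depends on byte rate, packet rate and new-record rate, and the effect disappears in windows where the flood is absent.

```python
"""Which resource a packet flood exhausts, decided from per-window rates.

Added illustration; the capacity numbers and the traffic below are constructed,
not measurements from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    proto: str       # "TCP", "UDP" or "ICMP"
    length: int      # bytes on the wire
    flags: str = ""  # TCP flags ("S", "A", "R") or ICMP type ("host-unreach")


# Assumed target capacities (hypothetical): a 10 Mbit/s link, a stack that
# processes 10k packets/s, and a backlog that admits 1k new connection records/s.
LINK_BYTES_PER_S = 10_000_000 // 8
PKTS_PER_S = 10_000
NEW_STATE_PER_S = 1_000


def classify_flood(pkts, target, window=1.0):
    """Per time window, report the rates seen at `target` and which of the three
    flood conditions (bandwidth, cpu, memory) they exceed. Windows with no
    traffic produce no entry: the effect is tied to the flood being active."""
    by_win = defaultdict(list)
    for p in pkts:
        if p.dst == target:
            by_win[int(p.ts // window)].append(p)
    findings = {}
    for w, ps in sorted(by_win.items()):
        byte_rate = sum(p.length for p in ps) / window
        pkt_rate = len(ps) / window
        # Only packets that create a new record count toward memory: here, TCP SYNs.
        new_state = sum(1 for p in ps if p.proto == "TCP" and p.flags == "S") / window
        conds = []
        if byte_rate > LINK_BYTES_PER_S:
            conds.append("bandwidth")   # many large packets
        if pkt_rate > PKTS_PER_S:
            conds.append("cpu")         # many small packets
        if new_state > NEW_STATE_PER_S:
            conds.append("memory")      # many new connection records
        findings[w] = {"bytes_per_s": byte_rate, "pkts_per_s": pkt_rate,
                       "new_state_per_s": new_state, "conditions": conds}
    return findings


def backscatter(pkts, target):
    """Count the side traffic a spoofed flood produces: RSTs the target sends to
    addresses that never opened a connection, and ICMP host unreachable messages
    that come back when those spoofed addresses do not exist."""
    rst_sent = sum(1 for p in pkts
                   if p.src == target and p.proto == "TCP" and p.flags == "R")
    unreach_in = sum(1 for p in pkts
                     if p.dst == target and p.proto == "ICMP" and p.flags == "host-unreach")
    return {"rst_sent": rst_sent, "icmp_unreach_received": unreach_in}


def make_flood(kind, target, n, t0=0.0):
    """Constructed sample traffic: n flood packets spread over one 1 s window,
    each from a different spoofed source in 10.0.0.0/8."""
    pkts = []
    for i in range(n):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        ts = t0 + i / n
        if kind == "large_udp":            # bandwidth exhaustion
            pkts.append(Pkt(ts, src, target, "UDP", 1400))
        elif kind == "tiny_ack":           # CPU exhaustion; ACK set to pass stateless filters
            pkts.append(Pkt(ts, src, target, "TCP", 40, "A"))
            pkts.append(Pkt(ts, target, src, "TCP", 40, "R"))  # no connection record -> RST
            if i % 3 == 0:                 # a third of the spoofed hosts do not exist
                pkts.append(Pkt(ts, "192.0.2.1", target, "ICMP", 56, "host-unreach"))
        elif kind == "syn":                # memory exhaustion: each SYN allocates a record
            pkts.append(Pkt(ts, src, target, "TCP", 60, "S"))
        else:
            raise ValueError(kind)
    return pkts


if __name__ == "__main__":
    victim = "198.51.100.10"
    for kind, n in (("large_udp", 2000), ("tiny_ack", 12000), ("syn", 5000)):
        flood = make_flood(kind, victim, n)
        print(kind, classify_flood(flood, victim)[0]["conditions"], backscatter(flood, victim))
```

The ACK flood is the case worth noticing in practice: the packets themselves stay under the byte and state thresholds, but each one costs the target a table lookup and an RST, and the ICMP errors that come back for non-existent spoofed sources add to the packet rate the target has to absorb.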
Attack category: Unexpected header values
Attack variants: Random IGMP and ICMP packets; TCP packets with random flags set; IP packets with random values in the TOS field or random options; application headers with random flags.
Description: Some operating systems or applications will crash when they receive unexpected values in IP, transport or application headers. The attacker does not have to know the nature of the vulnerability and can just blindly send random packets. One right packet is usually enough to crash the target, so this is not a DDoS attack.
DDoS condition: End-point vulnerability
Side effects: If there are many packets the attack could be classified as a flood, but it is primarily targeting a vulnerability.
Attack category: Invalid fragments
Attack variants: Teardrop, boink, bonk
Description: Create overlapping fragments, or fragments that result in too large a packet being assembled. Attacks can be performed with a few packets, so these are not DDoS attacks.
DDoS condition: End-point vulnerability
Attack category: Large packets
Attack variants: Ping of death; flooding specific applications with large payloads
Description: A large packet usually leads to a buffer overflow somewhere in the OS or in the application. One packet is enough, so these are not DDoS attacks.
DDoS condition: End-point vulnerability
Attack category: Congestion control exploits
Attack variants: TCP ECE and CWR floods; pulsing attacks; IGMP membership attacks; ICMP source quench floods
Description: These attacks target protocols that reduce a sending rate or suppress messages when some condition is met, e.g. there is congestion, or another entity is already sending the same type of message. Such suppression or rate reduction is normally performed to avoid congestion, but it can be exploited to deny service to the sender by convincing it that it should back off. Like regular floods, congestion control exploits create a DoS effect only while active.
DDoS condition: End-point deploys some congestion control
Attack category: Impersonation attacks
Attack variants: Winfreez; DNS and ARP cache poisoning attacks; smack attack
Description: The attacker spoofs another host's identity and either inserts its own IP/MAC address into the target's table so that packets go to the attacker's machine, inserts bogus addresses into the target's table, or kills existing connections with ICMP unreachable messages. The underlying condition for this attack is the "jumping to conclusions" feature of protocols that extract knowledge from messages that were not sent in reply to any query: information in unsolicited DNS and ARP replies is believed, and ICMP unreachable messages affect existing connections. An attacker who first gains access to the host by other means can also fake table data at will; we are not concerned with that type of attack here.
DDoS condition: End-point reduced connectivity
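The "jumping to conclusions" condition from the row above, shown for two of the listed vectors (unsolicited ARP replies and ICMP host unreachable messages) with a naive and a checking implementation side by side, as an added illustration that is not part of the original table. The ArpCache and TcpConnTable classes, the MAC addresses and the 192.0.2.x/198.51.100.x hosts are simplified constructions for the example; the checking variants only believe replies that answer a request the host actually sent and only act on an ICMP error whose quoted header matches a live connection, which an attacker who merely knows the two hosts cannot forge blindly.

```python
"""Two "jumping to conclusions" behaviours, each in a naive and a checking form.
Added illustration; the hosts, addresses and protocol details are simplified
and constructed."""


class ArpCache:
    """ARP table that either believes every reply (naive) or only replies that
    answer a request it actually sent (checking)."""

    def __init__(self, accept_unsolicited):
        self.accept_unsolicited = accept_unsolicited
        self.table = {}       # ip -> mac
        self.pending = set()  # ips we asked about and have not yet heard back on

    def request(self, ip):
        self.pending.add(ip)

    def on_reply(self, ip, mac):
        """Return True if the reply was installed in the table."""
        if not self.accept_unsolicited and ip not in self.pending:
            return False      # nobody asked: ignore the unsolicited reply
        self.pending.discard(ip)
        self.table[ip] = mac
        return True

    def next_hop(self, ip):
        return self.table.get(ip)


class TcpConnTable:
    """Established connections and how an ICMP host unreachable is applied.
    Naive: abort every connection to the unreachable host. Checking: act only
    when the header quoted in the ICMP payload matches a live 4-tuple."""

    def __init__(self, check_quoted_header):
        self.check_quoted_header = check_quoted_header
        self.conns = set()   # (local_ip, local_port, remote_ip, remote_port)

    def open(self, local_ip, local_port, remote_ip, remote_port):
        self.conns.add((local_ip, local_port, remote_ip, remote_port))

    def on_host_unreachable(self, quoted):
        """`quoted` is (src_ip, src_port, dst_ip, dst_port) of the packet the ICMP
        message claims to report on. Returns the set of connections aborted."""
        src_ip, src_port, dst_ip, dst_port = quoted
        if self.check_quoted_header:
            key = (src_ip, src_port, dst_ip, dst_port)
            victims = {key} if key in self.conns else set()
        else:
            victims = {c for c in self.conns if c[2] == dst_ip}
        self.conns -= victims
        return victims


def arp_poison_demo(accept_unsolicited):
    """Gateway 192.0.2.1 is really at 02:00:00:00:00:01; the attacker sends an
    unsolicited reply claiming it. Returns the MAC the host will now use."""
    cache = ArpCache(accept_unsolicited)
    cache.request("192.0.2.1")
    cache.on_reply("192.0.2.1", "02:00:00:00:00:01")  # genuine answer
    cache.on_reply("192.0.2.1", "02:00:00:00:00:66")  # unsolicited, from the attacker
    return cache.next_hop("192.0.2.1")


def icmp_reset_demo(check_quoted_header):
    """Client 192.0.2.10:40000 <-> server 198.51.100.5:443. The attacker, knowing
    only the two addresses, sends a host unreachable quoting a guessed port.
    Returns (connections aborted, connections still open)."""
    table = TcpConnTable(check_quoted_header)
    table.open("192.0.2.10", 40000, "198.51.100.5", 443)
    aborted = table.on_host_unreachable(("192.0.2.10", 12345, "198.51.100.5", 443))
    return len(aborted), len(table.conns)


if __name__ == "__main__":
    print("ARP  naive:", arp_poison_demo(True), " checking:", arp_poison_demo(False))
    print("ICMP naive:", icmp_reset_demo(False), " checking:", icmp_reset_demo(True))
```

Even the checking ICMP variant can be fooled by an attacker who can guess or sniff the client port, so real stacks go further and treat host unreachable on an established connection as a soft error rather than an abort; the page's point is the table-level one, that unsolicited information should not update state by itself.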
Attack category: Invalid input
Attack variants: Numerous attacks that send an invalid payload to an application or a protocol implementation, which either crashes or goes into an infinite loop. Buffer overflows fall into this category if they lead to DoS.
Description: The attacker sends either an overly long or a malformed (unexpected) application or protocol payload that leads the application to crash or freeze.
DDoS condition: End-point vulnerability