Volume-based attacks
Volume-based attacks are by far the most common type of DDoS attack.
According to Arbor Networks, 65% of DDoS attacks are volumetric in nature.
Volume-based attacks are characterized by an excessive amount of traffic (sometimes in excess of 100 Gbps). The traffic does not have to be generated from a single location or a single source.
The following is an example of such an attack:
- NTP Amplification: The NTP amplification attack is a volume-based DDoS attack in which an attacker exploits the functionality of publicly accessible Network Time Protocol (NTP) servers. One NTP command, called monlist, sends the requester a list of the last six hundred hosts that connected to the queried server, so a small query produces a very large response. Suppose the query:response ratio is 1:50. This means that an attacker can generate 50 Gbps of traffic using a 1 Gbps NIC, and the same thing is replicated across multiple sources, which can produce multiple terabits of traffic in a network.
In the following diagram, you can see that attackers send queries to public NTP servers with the spoofed IP of the victim. In response to each NTP query, the server sends a huge amount of data to the victim's IP, which chokes the victim's network and makes resources unavailable:
- Mitigation: Source IP verification should be activated to prevent spoofed packets from leaving the network.
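The two defender-side checks that follow are an added example, not code from the book: a BCP38-style source-address validation rule for the egress mitigation above, and a per-responder query:response byte ratio computed over flow records, which is how the amplification described above shows up in monitoring data. The prefix list and the flow records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption: prefixes this network is authorised to originate traffic from.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def egress_spoof_check(src_ip: str) -> bool:
    """Source IP verification at the edge: a packet may leave the network
    only if its source address belongs to one of our own prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in OUR_PREFIXES)


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("192.0.2.10", 40000, "203.0.113.5", 123, 48),    # small query to NTP server
    ("203.0.113.5", 123, "192.0.2.10", 40000, 3200),  # large monlist-style reply
    ("192.0.2.11", 40001, "203.0.113.5", 123, 48),
    ("203.0.113.5", 123, "192.0.2.11", 40001, 3360),
    ("192.0.2.12", 40002, "203.0.113.9", 123, 48),    # ordinary time query
    ("203.0.113.9", 123, "192.0.2.12", 40002, 48),    # ordinary time reply
]


def reflection_ratio(flows):
    """Per NTP responder (UDP/123): total response bytes / total query bytes."""
    queries = defaultdict(int)
    responses = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == 123:          # client -> server query
            queries[dst] += nbytes
        elif sport == 123:        # server -> client response
            responses[src] += nbytes
    return {server: responses[server] / queries[server]
            for server in queries if queries[server]}


def suspicious_reflectors(flows, threshold=10.0):
    """Responders whose reply volume is at least threshold x the query volume."""
    return sorted(s for s, r in reflection_ratio(flows).items() if r >= threshold)


if __name__ == "__main__":
    print(egress_spoof_check("192.0.2.10"), egress_spoof_check("203.0.113.77"))
    print(reflection_ratio(FLOWS))
    print(suspicious_reflectors(FLOWS))
```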
Other similar examples of volume-based attacks are:
- User Datagram Protocol (UDP) Floods
- ICMP floods
- Domain Name Servers (DNS) Amplification
- Character Generator (Chargen)