Introduction
Distributed Denial of Service (DDoS) attacks continue to evolve in sophistication and scale. In 2024, we've observed attacks exceeding 2 Tbps, with attackers employing increasingly complex multi-vector strategies. Understanding these attack vectors is crucial for building resilient infrastructure.
In this technical deep dive, we analyze the most common attack vectors, provide code examples for detection, and discuss effective mitigation strategies.
Attack Vector Distribution
Based on our analysis of thousands of attacks over the past year, here's the distribution of attack vectors we've observed:
1. Volumetric Attacks
Volumetric attacks aim to overwhelm network bandwidth with massive amounts of traffic. The most common types include UDP floods, ICMP floods, and amplification attacks.
UDP Flood Analysis
Here's a Python example for detecting UDP flood patterns in network traffic:
from collections import defaultdict
import time
class UDPFloodDetector:
def __init__(self, threshold=10000, window=1):
"""
Initialize UDP flood detector.
Args:
threshold: Packets per second threshold
window: Time window in seconds
"""
self.packet_counts = defaultdict(int)
self.threshold = threshold
self.window = window
self.last_reset = time.time()
def analyze_packet(self, src_ip, dst_port):
"""Analyze incoming UDP packet."""
current_time = time.time()
# Reset counts if window has passed
if current_time - self.last_reset > self.window:
self.packet_counts.clear()
self.last_reset = current_time
# Increment count for this source
key = f"{src_ip}:{dst_port}"
self.packet_counts[key] += 1
# Check threshold
if self.packet_counts[key] > self.threshold:
return self.trigger_alert(src_ip, dst_port)
return None
def trigger_alert(self, src_ip, dst_port):
"""Generate alert for potential UDP flood."""
return {
"type": "UDP_FLOOD",
"source_ip": src_ip,
"target_port": dst_port,
"packets_per_second": self.packet_counts[f"{src_ip}:{dst_port}"],
"action": "BLOCK_RECOMMENDED"
}Traffic Pattern During Attack
The following chart shows a typical traffic pattern during a DDoS attack compared to normal baseline traffic:
2. Protocol Attacks
Protocol attacks exploit weaknesses in network protocols. SYN floods are among the most common, exploiting the TCP handshake mechanism.
SYN Flood Detection
Here's a TypeScript implementation for rate limiting with SYN cookie protection:
interface ConnectionState {
synCount: number;
lastSeen: number;
blocked: boolean;
}
class SYNFloodProtection {
private connections: Map<string, ConnectionState> = new Map();
private readonly synThreshold = 100; // SYN packets per second
private readonly blockDuration = 300000; // 5 minutes
analyzeSYN(sourceIP: string): { allowed: boolean; reason?: string } {
const now = Date.now();
let state = this.connections.get(sourceIP);
if (!state) {
state = { synCount: 0, lastSeen: now, blocked: false };
this.connections.set(sourceIP, state);
}
// Check if currently blocked
if (state.blocked) {
if (now - state.lastSeen > this.blockDuration) {
state.blocked = false;
state.synCount = 0;
} else {
return { allowed: false, reason: 'IP temporarily blocked' };
}
}
// Reset counter if more than 1 second has passed
if (now - state.lastSeen > 1000) {
state.synCount = 0;
state.lastSeen = now;
}
state.synCount++;
// Check threshold
if (state.synCount > this.synThreshold) {
state.blocked = true;
return {
allowed: false,
reason: `SYN flood detected: ${state.synCount} SYN/s`
};
}
return { allowed: true };
}
}3. Application Layer Attacks
Application layer (Layer 7) attacks are particularly challenging because they mimic legitimate traffic. HTTP floods, slowloris, and API abuse are common vectors.
HTTP Flood Mitigation
Implementing intelligent rate limiting with request fingerprinting:
import crypto from 'crypto';
interface RequestFingerprint {
ip: string;
userAgent: string;
acceptLanguage: string;
path: string;
}
class HTTPFloodProtection {
private requestCounts: Map<string, number[]> = new Map();
private readonly windowMs = 60000; // 1 minute window
private readonly maxRequests = 100; // per window
private generateFingerprint(req: RequestFingerprint): string {
const data = `${req.ip}|${req.userAgent}|${req.acceptLanguage}`;
return crypto.createHash('sha256').update(data).digest('hex').slice(0, 16);
}
async checkRequest(req: RequestFingerprint): Promise<{
allowed: boolean;
remaining: number;
retryAfter?: number;
}> {
const fingerprint = this.generateFingerprint(req);
const now = Date.now();
let timestamps = this.requestCounts.get(fingerprint) || [];
// Remove expired timestamps
timestamps = timestamps.filter(t => now - t < this.windowMs);
if (timestamps.length >= this.maxRequests) {
const oldestRequest = Math.min(...timestamps);
const retryAfter = Math.ceil((oldestRequest + this.windowMs - now) / 1000);
return {
allowed: false,
remaining: 0,
retryAfter
};
}
timestamps.push(now);
this.requestCounts.set(fingerprint, timestamps);
return {
allowed: true,
remaining: this.maxRequests - timestamps.length
};
}
}Mitigation Strategies
Effective DDoS mitigation requires a multi-layered approach:
- 1.Edge Protection: Use CDN and edge networks to absorb volumetric attacks
- 2.Rate Limiting: Implement intelligent rate limiting at multiple layers
- 3.Behavioral Analysis: Use ML to distinguish legitimate users from attackers
- 4.Auto-scaling: Design infrastructure to scale during attacks
- 5.Incident Response: Have playbooks ready for different attack scenarios
Conclusion
Understanding DDoS attack vectors is the first step in building resilient infrastructure. By implementing the detection and mitigation strategies outlined in this article, organizations can significantly improve their security posture.
For comprehensive DDoS testing and hardening services, contact BlackNeuron to schedule an assessment of your infrastructure.