DDoS, the full name of Distributed Denial of Service, combines multiple devices as an attack platform to launch a denial of service attack on one or more targets, doubling the power of the attack. DDoS attacks can be traced back to 1996. This ancient attack method has evolved over the past two decades and is still in use today. DDoS attacks have always been favored by attackers because of their low cost, significant effects, and far-reaching impact. The current mainstream DDoS attack methods mainly include traditional attacks: ICMP Flood, UDP Flood, SYN Flood, HTTP Flood, etc.; reflection amplification attacks: NTP Flood, SSDP Flood, DNS
Flood, etc.; and targeted hybrid attacks based on the characteristics of the attack target. According to statistics, the most popular DDoS attack methods in 2018 include the newly emerged reflection amplification attack, SYN Flood and HTTP
Flood。
In terms of attack types, reflection amplification accounts for the largest proportion, about 55.8%. Memcached, as an emerging reflection amplification power since March 2018, has been rapidly exploited by the DDoS black industry, and its proportion in the overall market is also quite large. One reason why reflection amplification accounts for so much is the automatic platforming of DDoS black products, that is, a completely automatic process can complete all operations of the attack without manual intervention.
SYN Flood ranks second and has always been the main attack method of DDoS. With the platformization of DDoS black products, the carrier of SYN Flood has also changed, from massive broilers to chartered machines (mainly SYN Flood with forged source IP).
HTTP Flood is the main method of layer 7 attacks. Because a complete TCP connection needs to be established and the source IP cannot be forged, attacks are still mainly launched on the broiler side. However, after investigation, it was found that HTTP Flood has also begun to develop into proxy servers and charter machines.