
Network Security Essentials

Common Network Attacks


Network Attack Vectors and Defensive Strategies

DDoS Taxonomy

DDoS attacks are typically classified by the OSI layer they target. Identifying which layer is under stress is crucial, because each class calls for a different mitigation.

  • Volumetric Attacks: These focus on saturating the network bandwidth. Examples include UDP Floods and ICMP Floods. Mitigation often requires upstream scrubbing services (like Cloudflare or Akamai).
  • Protocol Attacks: These target server resources like connection tables in firewalls or load balancers. The SYN Flood is the classic example.
  • Application Layer Attacks: These target specific functions of an application, such as HTTP GET/POST Floods or Slowloris. They are harder to detect because they look like legitimate traffic.

The SYN Flood Mechanism

A SYN flood exploits the TCP three-way handshake: the attacker sends many SYN packets but never completes the handshake with the final ACK. This leaves the server holding many 'half-open' connections, eventually exhausting the SYN backlog so that new, legitimate connection attempts are dropped.
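As an added defender-side example (not part of the original lesson), the following Python replays a constructed set of TCP packet records toward one listener and counts half-open connections per client IP, which is the trace a SYN flood leaves behind. The server address, port and packet records are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed packet records: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Made up for this example; in practice they come from a packet capture or flow export.
SAMPLE_PACKETS = [
    # Legitimate client completes the three-way handshake.
    (0.00, "10.0.0.5", 40001, "192.0.2.10", 443, "S"),
    (0.01, "192.0.2.10", 443, "10.0.0.5", 40001, "SA"),
    (0.02, "10.0.0.5", 40001, "192.0.2.10", 443, "A"),
    # Flood source: many SYNs from different ports, never followed by an ACK.
    *[(0.10 + i * 0.001, "198.51.100.7", 50000 + i, "192.0.2.10", 443, "S") for i in range(20)],
    *[(0.11 + i * 0.001, "192.0.2.10", 443, "198.51.100.7", 50000 + i, "SA") for i in range(20)],
    # A second client whose handshake is still in flight (one half-open entry is normal).
    (0.50, "10.0.0.9", 40500, "192.0.2.10", 443, "S"),
    (0.51, "192.0.2.10", 443, "10.0.0.9", 40500, "SA"),
]


def half_open_by_source(packets, server_ip, server_port):
    """Replay packets toward one listener and count half-open connections per client IP.

    A connection is half-open once the client's SYN is seen and no client ACK (without
    SYN) or RST has closed the handshake. Server SYN-ACKs do not change that state.
    """
    pending = {}  # (client_ip, client_port) -> True while the handshake is incomplete
    for _t, src, sport, dst, dport, flags in packets:
        if dst != server_ip or dport != server_port:
            continue  # only client->server packets decide handshake completion
        key = (src, sport)
        if "S" in flags and "A" not in flags:
            pending[key] = True            # new SYN: half-open until the client ACKs
        elif "R" in flags or ("A" in flags and "S" not in flags):
            pending.pop(key, None)         # ACK completes, RST aborts
    counts = defaultdict(int)
    for client_ip, _port in pending:
        counts[client_ip] += 1
    return dict(counts)


def syn_flood_sources(counts, threshold):
    """Return client IPs whose half-open count meets the alert threshold, worst first."""
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])


if __name__ == "__main__":
    counts = half_open_by_source(SAMPLE_PACKETS, "192.0.2.10", 443)
    print("half-open per source:", counts)
    print("SYN flood suspects (>=10):", syn_flood_sources(counts, 10))
```

A flood with spoofed source addresses spreads its SYNs across many client IPs, so a per-source threshold alone will miss it; also compare the total pending count (`sum(counts.values())`) against the listener's backlog size.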


Amplification Attacks (DNS & NTP)

Amplification occurs when an attacker sends a small request with a spoofed source IP (the victim's IP) to a service that responds with a much larger payload, so the service's reply lands on the victim. DNS ANY queries and NTP monlist commands are notorious for this, providing amplification factors of up to 50x and 500x respectively.

Slowloris: The 'Low and Slow' Attack

Slowloris keeps HTTP connections open by sending partial headers and never finishing them. This is devastating to thread-per-connection web servers like older versions of Apache. Modern event-driven servers (Nginx, Node.js) are more resilient but still require configuration tuning.

Man-in-the-Middle (MitM)

In a MitM attack, the attacker intercepts communication between two nodes. ARP Poisoning is common on local networks, while BGP Hijacking can divert traffic on a global scale. TLS 1.3 and HSTS are the primary defenses against interception and protocol stripping.