SYN Flood Attack
The striking feature of SYN Flood attacks is that the attackers send a large number of TCP SYN request packets with forged source IP addresses. The server must then keep a very large list of half-open connections, consuming large amounts of resources, until it eventually runs out of resources and can no longer provide normal service.
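The half-open list described above is what a SYN flood exhausts. The following Python replay of a client-side packet trace through a simplified server backlog is an added illustration, not NSFOCUS code: the packet records are constructed sample data, `HALF_OPEN_LIMIT` is an assumed (deliberately tiny) backlog size, and `syn_flood_suspected` is an assumed heuristic. It shows how SYNs that never get their final ACK keep their slots occupied until a legitimate client's SYN is dropped.

```python
# Added illustration of half-open (SYN_RECV) backlog exhaustion; not NSFOCUS code.
# The packet traces are constructed sample data; HALF_OPEN_LIMIT is an assumed
# backlog size chosen small so the effect is visible.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since trace start
    src: str       # client IP (spoofed in a SYN flood)
    sport: int
    dst: str       # server IP
    dport: int
    flags: str     # "S" = SYN, "A" = ACK (the client's third handshake packet)


HALF_OPEN_LIMIT = 5


def track_half_open(packets, limit=HALF_OPEN_LIMIT):
    """Replay a client-side packet trace through a simplified server backlog.

    A SYN for a new 4-tuple occupies a half-open slot until the client's ACK
    completes the handshake. Spoofed SYNs never get that ACK, so their slots
    stay occupied and later SYNs (including legitimate ones) are dropped.
    """
    half_open = {}                # 4-tuple -> timestamp of the SYN
    completed = dropped = max_half_open = 0
    syn_sources = set()
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syn_sources.add(p.src)
            if key in half_open:
                continue          # SYN retransmission, slot already held
            if len(half_open) >= limit:
                dropped += 1      # backlog exhausted: this SYN is lost
                continue
            half_open[key] = p.ts
        elif p.flags == "A" and key in half_open:
            del half_open[key]    # handshake complete, slot released
            completed += 1
        max_half_open = max(max_half_open, len(half_open))
    return {"completed": completed, "dropped": dropped,
            "max_half_open": max_half_open,
            "distinct_syn_sources": len(syn_sources)}


def syn_flood_suspected(stats, limit=HALF_OPEN_LIMIT):
    """Assumed heuristic: the backlog filled up while few handshakes completed."""
    return (stats["max_half_open"] >= limit
            and stats["completed"] < stats["max_half_open"])


SERVER = "198.51.100.10"

# Constructed flood trace: six SYNs from distinct (spoofed) sources that never
# send the final ACK, followed by one legitimate client that does.
FLOOD_TRACE = [Packet(0.01 * i, f"203.0.113.{i}", 40000 + i, SERVER, 80, "S")
               for i in range(1, 7)]
FLOOD_TRACE += [Packet(0.10, "192.0.2.7", 51000, SERVER, 80, "S"),
                Packet(0.15, "192.0.2.7", 51000, SERVER, 80, "A")]

# Constructed normal trace: three clients completing handshakes one after another.
NORMAL_TRACE = []
for i, ip in enumerate(["192.0.2.7", "192.0.2.8", "192.0.2.9"]):
    NORMAL_TRACE += [Packet(1.0 + i, ip, 52000 + i, SERVER, 80, "S"),
                     Packet(1.1 + i, ip, 52000 + i, SERVER, 80, "A")]

if __name__ == "__main__":
    for name, trace in (("flood", FLOOD_TRACE), ("normal", NORMAL_TRACE)):
        stats = track_half_open(trace)
        print(name, stats, "suspected" if syn_flood_suspected(stats) else "ok")
```

In the flood trace the legitimate client's SYN is the seventh one to arrive and is dropped, and its later ACK matches no slot; a real stack behaves the same way once its backlog is full, which is why the ratio of completed handshakes to half-open entries is a useful signal.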
ACK Flood Attack
ACK Flood attacks use a large number of ACK packets to attack the victims; every TCP segment in the flood carries the ACK flag. When a host receives a packet with the ACK flag set, it must check whether the connection identified by the packet's four-tuple exists. If it does, the host checks whether the state the packet represents is legal, and only then passes the packet to the application layer. If the packet is found to be illegal during this inspection (for example, the packet's target port is not open on the machine), the host's operating system protocol stack responds with a RST packet telling the other side that the port does not exist. Thus the server has to take two actions for each packet: a table look-up and an ACK/RST response. With too much ACK Flood traffic, the server NIC stops responding because of the high interrupt frequency and overload. ACK Floods not only damage routers and other network devices but also have a huge impact on server applications.
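The two actions named above, the table look-up and the RST reply, are what the following Python model exercises; it is an added illustration, not NSFOCUS code. The established-connection table, the packet trace and the RST-per-second threshold are constructed or assumed values, and state validation for known connections is left out. It shows that an ACK flood is visible on the server as a burst of RST responses to four-tuples that match nothing.

```python
# Added illustration of what a host does with an inbound ACK segment and how the
# resulting RST rate reveals an ACK flood; not NSFOCUS code. The connection
# table, the packets and the threshold are constructed / assumed values.
from collections import Counter

SERVER = "198.51.100.10"

# Assumed established-connection table: one entry per (src, sport, dst, dport).
ESTABLISHED = {
    ("192.0.2.7", 51000, SERVER, 80),
    ("192.0.2.8", 51001, SERVER, 443),
}


def handle_ack(table, four_tuple):
    """Table look-up for one ACK segment.

    Known 4-tuple: the segment belongs to a connection and is passed up.
    Unknown 4-tuple: no such connection exists, so the stack answers with RST.
    (State checks on a known connection are omitted for brevity.)
    """
    return "deliver" if four_tuple in table else "rst"


def process_acks(table, packets, rst_per_sec_threshold=100):
    """packets: iterable of (ts, src, sport, dst, dport) ACK segments.

    Returns how many were delivered, how many were answered with RST, and the
    one-second buckets whose RST count exceeds the (assumed) threshold.
    """
    actions = Counter()
    rst_per_sec = Counter()
    for ts, src, sport, dst, dport in packets:
        action = handle_ack(table, (src, sport, dst, dport))
        actions[action] += 1
        if action == "rst":
            rst_per_sec[int(ts)] += 1
    alarms = sorted(sec for sec, n in rst_per_sec.items()
                    if n > rst_per_sec_threshold)
    return {"delivered": actions["deliver"], "rst": actions["rst"],
            "alarm_seconds": alarms}


def build_sample_acks():
    """Constructed trace: two legitimate ACKs, then 200 ACKs with varying
    sources and ports inside one second, none matching a connection."""
    pkts = [(0.10, "192.0.2.7", 51000, SERVER, 80),
            (0.20, "192.0.2.8", 51001, SERVER, 443)]
    pkts += [(1.0 + i / 1000, f"203.0.113.{i % 250 + 1}", 1024 + i, SERVER, 80)
             for i in range(200)]
    return pkts


if __name__ == "__main__":
    print(process_acks(ESTABLISHED, build_sample_acks()))
```

Counting RSTs rather than ACKs is deliberate: legitimate traffic also consists mostly of ACK segments, but it rarely produces RSTs, so a sustained RST rate on a server is a cleaner indicator than raw ACK volume.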
UDP Flood Attack/UDP DNS Query Flood
UDP Flood is an increasingly frequent traffic-based DoS/DDoS attack, for example using a large number of UDP packets to attack DNS servers, RADIUS authentication servers or streaming video servers. A UDP DNS Query Flood is essentially a hybrid UDP Flood: it is launched with the characteristics of DNS application queries, so it is also an application-based attack. Because of the mission-critical role of DNS servers, the impact of those servers breaking down is potentially devastating. A UDP DNS Query Flood sends a large number of domain name resolution requests to the attacked servers, and the resolution process places a heavy load on them. When the number of resolution requests per second exceeds a certain threshold, requests either time out or the resolution service stops altogether.
ICMP Flood Attack
ICMP Flood attacks (similar in character to the ACK Flood) are traffic-based attacks that use heavy traffic to put a high load on servers, which affects the servers' normal services. Currently many firewalls filter ICMP packets directly, so ICMP Floods are relatively infrequent.
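The "requests per second exceeding a certain number" condition for the UDP DNS Query Flood can be checked directly from a resolver's query log. The Python below is an added illustration, not NSFOCUS code: the log format (`<epoch> <client> <qname> <qtype>`), the log lines and the 100 QPS threshold are constructed or assumed, since the text gives no specific number. Besides the per-second count it reports how many distinct clients and names were involved, which helps distinguish one busy client from a distributed flood.

```python
# Added illustration of per-second query counting for UDP DNS Query Flood
# detection; not NSFOCUS code. The log format, the lines and the QPS threshold
# are constructed / assumed values.
import re
from collections import Counter, defaultdict

# Assumed log line shape: "<epoch seconds> <client IP> <query name> <query type>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def parse(lines):
    """Yield (ts, client, qname, qtype) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["client"], m["qname"], m["qtype"]


def dns_flood_seconds(lines, qps_threshold=100):
    """Bucket queries by whole second and report the seconds over the threshold,
    with the number of distinct clients and names seen in each."""
    per_sec = Counter()
    clients = defaultdict(set)
    names = defaultdict(set)
    for ts, client, qname, _ in parse(lines):
        sec = int(ts)
        per_sec[sec] += 1
        clients[sec].add(client)
        names[sec].add(qname)
    return {sec: {"queries": n, "clients": len(clients[sec]),
                  "names": len(names[sec])}
            for sec, n in sorted(per_sec.items()) if n > qps_threshold}


def build_sample_log():
    """Constructed log: three ordinary queries in second 100, then 150 queries
    from 50 different clients for 150 different names inside second 101."""
    lines = [f"100.{i} 192.0.2.{i + 1} www.example.com A" for i in range(3)]
    lines += [f"101.{i:03d} 203.0.113.{i % 50 + 1} host{i}.example.com A"
              for i in range(150)]
    return lines


if __name__ == "__main__":
    print(dns_flood_seconds(build_sample_log()))
```

A resolver-side counter like this is only the alarm; the mitigation the text implies is to keep the per-second resolution load under what the server can answer, for example by dropping or rate-limiting queries once the threshold is crossed.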
A Connection Flood is a typical and very effective attack that uses little traffic to impact large-bandwidth network services, and such attacks have become increasingly rampant. They use real IP addresses to initiate a large number of connections to the servers and then do not release them for a long time. This ties up server resources, leaving residual connections piling up in WAIT states, lowering efficiency and eventually exhausting resources; the final result is an inability to respond to connections initiated by other clients. One method is to send a large number of connection requests to the servers per second, which resembles a SYN Flood with fixed source IP addresses except that the source addresses are real. Generally these attacks can be prevented by limiting, on the firewall, the number of connections per second allowed from each source IP address. However, some tools have now adopted low-rate connection: they establish a connection to the server only every few seconds, keep each connection open for a long period without releasing it, and regularly send junk data packets to the server. In this way a single IP address can hold hundreds of connections to the server, while the number of connections the server can bear is limited, and denial of service is achieved.
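The paragraph contrasts a per-source connections-per-second limit, which stops the fast variant, with the low-rate variant that slips under it. The Python below is an added illustration, not NSFOCUS code, of both firewall-style checks side by side; the connection events and the two limits (20 new connections per second, 30 concurrent connections per source) are constructed or assumed. It shows that only a cap on concurrent connections per source catches the slow attacker.

```python
# Added illustration of two firewall checks for Connection Flood: a per-source
# new-connection rate limit (catches the fast variant) and a per-source cap on
# concurrent connections (also catches the low-rate variant). Not NSFOCUS code;
# the events and limits are constructed / assumed values.
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    src: str
    opened: float                   # seconds since trace start
    closed: Optional[float] = None  # None means the connection is still open


def sources_over_rate(conns, max_new_per_sec):
    """Sources that opened more than max_new_per_sec connections in any one second."""
    per_src_sec = Counter((c.src, int(c.opened)) for c in conns)
    return {src for (src, _), n in per_src_sec.items() if n > max_new_per_sec}


def sources_over_concurrency(conns, now, max_open_per_src):
    """Sources holding more than max_open_per_src connections open at time `now`."""
    open_per_src = Counter(c.src for c in conns
                           if c.opened <= now and (c.closed is None or c.closed > now))
    return {src for src, n in open_per_src.items() if n > max_open_per_src}


def build_sample_conns():
    """Constructed trace of three sources."""
    conns = []
    # fast attacker: 50 connections within half a second, never closed
    conns += [Conn("203.0.113.5", 0.01 * i) for i in range(50)]
    # low-rate attacker: one connection every 5 s for 5 minutes, never closed
    conns += [Conn("203.0.113.9", 5.0 * i) for i in range(60)]
    # legitimate client: two short-lived connections
    conns += [Conn("192.0.2.7", 10.0, closed=10.4),
              Conn("192.0.2.7", 200.0, closed=200.3)]
    return conns


if __name__ == "__main__":
    conns = build_sample_conns()
    print("over rate limit:      ", sources_over_rate(conns, 20))
    print("over concurrency cap: ", sources_over_concurrency(conns, now=300.0,
                                                             max_open_per_src=30))
```

The rate check flags only `203.0.113.5`; the slow attacker never exceeds one new connection per second, yet at five minutes it holds 60 open connections, so the concurrency check flags both attackers while the legitimate client, whose connections close within a fraction of a second, stays clear of both.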
The feature of an HTTP GET Flood attack is that it establishes normal TCP connections to the servers and constantly submits a large number of calls (such as queries and lists) that dramatically consume database resources. In general, the client resources and bandwidth consumed by submitting a GET or POST request are almost negligible, but to process such a request the server may have to search thousands of records to find a particular one, which costs enormous resources. Very few common database servers can support the simultaneous execution of hundreds of such query directives. A typical HTTP GET Flood attack (the CC attack) is one in which the attackers submit a large number of HTTP query directives to the host servers through multiple proxy agents, consuming the servers' resources within just a few minutes and causing denial of service. Such attacks are characterized by completely bypassing normal firewall protection and are easy to launch with proxy agents. The drawback for the attacker is that the effect is greatly reduced against static web pages, and some proxies expose the attacker's IP address.
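Two points in the paragraph translate into server-side detection: only the expensive dynamic requests matter (static pages barely cost anything), and requests arriving through several proxies may still be attributable to one origin when a proxy reports it. The Python below is an added illustration, not NSFOCUS code: the access-log format, the log lines, the list of trusted proxies, the set of "expensive" path prefixes and the threshold are all constructed or assumed. It counts expensive requests per origin, honouring `X-Forwarded-For` only when the peer is a proxy we trust, since the header is otherwise under the client's control.

```python
# Added illustration of spotting an HTTP GET Flood (CC attack) driven through
# several proxies; not NSFOCUS code. The log format, the lines, the proxy list,
# the expensive-path prefixes and the threshold are constructed / assumed.
import re
from collections import Counter

# Assumed log line shape:
#   <peer> - - [<epoch>] "<method> <path> <proto>" <status> <bytes> "<X-Forwarded-For or ->"
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>\d+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+) "(?P<xff>[^"]*)"$')

EXPENSIVE_PREFIXES = ("/search", "/list")          # assumed: paths that hit the database
TRUSTED_PROXIES = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}  # assumed


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def origin_of(rec, trusted_proxies):
    """Use the first X-Forwarded-For hop only when the peer is a trusted proxy;
    from anyone else the header is attacker-controlled and is ignored."""
    if rec["peer"] in trusted_proxies and rec["xff"] not in ("", "-"):
        return rec["xff"].split(",")[0].strip()
    return rec["peer"]


def expensive_requests_per_origin(lines, trusted_proxies=TRUSTED_PROXIES):
    """Count only requests to expensive paths, attributed to their origin."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(EXPENSIVE_PREFIXES):
            counts[origin_of(rec, trusted_proxies)] += 1
    return counts


def flagged_origins(lines, threshold=60, trusted_proxies=TRUSTED_PROXIES):
    """Origins that issued more expensive requests than the (assumed) threshold."""
    counts = expensive_requests_per_origin(lines, trusted_proxies)
    return {origin for origin, n in counts.items() if n > threshold}


def build_sample_log():
    """Constructed log: one origin sends 40 search queries through each of three
    proxies; a legitimate client fetches a static page and two list pages."""
    base = 1700000000
    lines = []
    for proxy in sorted(TRUSTED_PROXIES):
        lines += [f'{proxy} - - [{base + i}] "GET /search?q=item{i} HTTP/1.1" '
                  f'200 5120 "203.0.113.77"' for i in range(40)]
    lines += [f'192.0.2.7 - - [{base + i}] "GET /index.html HTTP/1.1" 200 2048 "-"'
              for i in range(5)]
    lines += [f'192.0.2.7 - - [{base + 10 + i}] "GET /list?page={i} HTTP/1.1" 200 8192 "-"'
              for i in range(2)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(expensive_requests_per_origin(log))
    print("flagged (proxies trusted):    ", flagged_origins(log))
    print("flagged (proxies not trusted):", flagged_origins(log, trusted_proxies=set()))
```

With the proxies trusted, the 120 search requests collapse onto the single origin `203.0.113.77` and it is flagged; counted per peer address instead, each proxy shows only 40 and nothing trips the threshold, which is exactly the blind spot the attacker relies on when spreading requests across proxy agents.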
NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without written permission of NSFOCUS, any individual or institution shall be prohibited to copy or quote any section herein in any way.
About NSFOCUS
NSFOCUS is a proven global leader in active perimeter network security for service providers, data centers, and corporations. It focuses on providing network security solutions including: carrier-grade Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System - all designed to help customers secure their networks and corporate-critical information. More detailed information is available at http://www.nsfocus.com.