DDoS Attack Trends
According to Latest Cyber Security Reports
What is LoDDoS?
LoDDoS is a DDoS and Load Test simulation platform offered as a service via cloud. The platform generates real DDoS attacks against services via real attack parameters. It also evaluates the resilience of internet-enabled web applications against high traffic.
This enables organizations to test the limits and the efficiency of their existing DDoS prevention systems prior to an actual DDoS attack. The tests which are defined on LoDDoS, are conducted with he attendance of an Operator as well as can be initiated with a single action, monitored live, stopped in a controlled manner, repeated as often as needed. Reports can be generated automatically and promptly by the end of each test thus results can be shared with third parties, if requested.
DDoS test sessions in LoDDoS platform can be monitored in real-time by all parties and can be paused at any time in case of an emergency. All tests can be repeated, and the results can be compared. Reports are generated instantly and can be saved for later evaluation.
A high number of requests targeted to web applications can be addressed with the help of LoDDoS’s Load Test feature, thus the limitations of these applications become visible. Load Test paves the way to analyze real situation that creates a considerable amount of load on applications before it occurs.


Why Perform DDos Tests?
In practice, DDoS tests are performed to assess the efficiency and the limits of the DDoS prevention products and services in place, to improve these systems and related precautions, as well as to measure and enhance the efficiency and the capabilities of an organization, within the assumption of a DDoS attack.
DDoS prevention solutions are not designed to work in a plug-and-play set-up.
Hence, prior to taking the necessary safety measures, an organization’s normal and abnormal network traffics, baselines and thresholds must be determined.
To identify these crucial elements properly, engineers should test the already-protected services against a real time DDOS attack and should also conduct some research on the current DDoS attack solutions within the market.
How To Perform DDos Tests?
As of now, most DDoS tests are being executed manually. The technical and administrative preparation stages of these tests take way too long than usual. Security and IT teams must work concurrently for a considerable amount of time to configure on premise traffic generator systems to conduct DDoS tests. Moreover, the operational aspect of this preliminary work also consumes additional load of time and cost, too.
Real-time monitoring of DDoS tests is usually not available during these manual tests, and it takes a significant amount of time to generate reports once the test phase is completed. Even if the test phase is done, predominantly these reports are not re-usable.
Supported DDoS Attack Types
The main purpose of supported DDoS attacks is to exhaust the network and system resources of the targeted destinations and to prevent these systems from being operational.
Principally, it is intended disable the resources by sending packets more that exceeds the current Internet bandwidth of the targeted systems.
TCP SYN Flood
Aim of TCP SYN Flood is to exploit TCP three-way handshake process by sending very high volume of SYN flagged TCP packets to the targeted server. Targeted server tries to respond these packets with SYN/ACK packets but gets overwhelmed by huge number of incoming requests and becomes unresponsive.
TCP SYN-ACK Flood
In TCP SYN-ACK Flood very high volume of SYN/ACK flagged TCP packets are sent to the target. Out-of-state sent SYN/ACK packets violate three-way handshake process. Responding to these requests uses very significant processing power, since these ACK packets do not belong to any of the sessions in targeted server's transmission list. This results in targeted server becoming unresponsive.
TCP ACK-FIN Flood
In TCP ACK-FIN Flood very high volume of ACK-FIN flagged TCP packets are sent to the target. Out-of-state sent ACK-FIN packets violate TCP connection termination process. Responding to these requests uses very significant processing power, since these ACK-FIN packets do not belong to any of the sessions in targeted server's transmission list. This results in targeted server becoming unresponsive.
TCP RST Flood
High volume of RST packets is sent to a TCP service serving on the target system to prevent the corresponding TCP service from serving.
TCP PUSH ACK Flood
In TCP RST Flood very high volume of RST flagged TCP packets are sent to the target server. Since these RST packets are not preceeded by a TCP handshake, targeted server goes through all of it's transmission list in order to response to incoming requests. This renders targeted server unresponsive as it requires very signification processing power.
TCP All Flags Flood
Also known as Xmas Flood, in TCP All Flags Flood very high volume of TCP packets are sent with all TCP flags (SYN-ACK-FIN-RST-PSH-URG) present in it's body. Targeted servers may response to this request differently, as a TCP packet with all flags present in it's body is considered illegal by TCP RFC. Generally, similar to other out-of-state TCP attacks, targeted servers respond to these requests with a RST packet and waste it's resources which results in server becoming unresponsive.
TCP No Flags Flood
Also known as TCP Null Flood, in TCP No Flags Flood very high volume of TCP packets with no TCP flags. Similar to the TCP All Flags Flood it's considered as illegal by TCP RFC, thus targeted server's may respond to this request differently. Generally, similar to other out-of-state TCP attacks, targeted servers respond to these requests with a RST packet and waste it's resources which results in server becoming unresponsive.
UDP Flood
Aim of UDP Flood is to saturate bandwidth and waste resources of the targeted server by sending very high volume of UDP packets. If UDP packets are sent to a port which listens for UDP packets, listening service gets overwhelmed by incoming packets and becomes unavailabile. If no service is listening for UDP packets at the targeted port, server tries to respond it with an ICMP (ping) packet which generates even more traffic resulting in server becoming unresponsive.
UDP Fragmented Flood
Similar to the UDP Flood, UDP Fragmented Flood aims to waste resources of the targeted server by sending very high volume of fragmented UDP packets of the maximum size in order to saturate the channel with as few packets as possible. Sent UDP packets are made of fragments of packets fabricated to waste targeted server's resources, resulting in making server unresponsive.
ICMP Flood
Aim of ICMP Flood is to disrupt a server's ability to use ICMP(Ping, Echo Request), by saturating it's bandwidth with very high volume of ICMP packets. ICMP protocol is used by various network components to communicate about network connectivity issues and impact of an ICMP Flood is not only limited to denial of the attacked service, but it's effects can be seen by applications that use different/higher layer network protocols.
SSL Negotiation Flood
SSL Negotiaton Flood aims to render a SSL/TLS service unresponsive by establishing too many SSL handshake with targeted server, as a SSL/TLS handshake is a lot more CPU intensive on the server side than on the client side. SSL Negotiaton Flood makes service unable to establish any new SSL connections.
HTTP(S) GET
Aim of HTTP(S) GET attack is to simulate very high number of real users requesting the resources of a web application by sending high number of HTTP(S) GET requests to the application. PDFs, Images, etc. large sized files can be targeted to increase the impact of this attack even further. Each request can imitate as if it's send by a real user to make it harder to distinguish from a legitimate request from an actual user. Application gets overwhelmed by incoming requests and unable to respond legitimate requests, becoming unavailable.
HTTP(S) POST
Aim of HTTP(S) POST attack is to simulate very high number of real users sending data to the web application by sending high number of HTTP(S) POST requests with customizable payload to the application. Each request can imitate as if it's send by a real user to make it harder to distinguish from a legitimate request from an actual user. Application gets overwhelmed by incoming requests and unable to respond legitimate requests, becoming unavailable.
Slowloris
Unlike many other attack vectors, aim of the Slowloris attack is to fill maximum concurrent connection pool of an application with minimal bandwidth usage by opening many connections to the server and keeping them open as long as possible. When targeted application's connection pool is full, targeted application denies new additional connection attemps from actual clients, and targeted application becomes unavailable.
DNS Query
In DNS Query Flood, very high number of DNS queries are sent to a DNS Server in order to saturate the bandwidth and waste resources of the DNS server. Preventing it from responding to actual DNS queries coming from real users.
DNS Random Query Flood
Similar to the DNS Query Flood, very hig number of DNS queries are sent to a DNS server in order to saturate the bandwidth and waste resources of the DNS server. Unlike DNS Query Flood, sent queries are random and requires additional processing by the DNS server, preventing the server from responding to actual DNS queries coming from real users.
Ping of Death
Ping of Death (PoD) attack sends modified and malformed ICMP packets to the targeted server. Sent ICMP packets are modified to make them larger than 63,535 bytes. Modified packets violate the RFC, and if the targeted server is an older server, there is possibility that target is vulnerable to this attack.
R-U-Dead-Yet
R.U.D.Y. is a popular low and slow attack tool that is designed to crash a web server by submitting long form fields. The attack is executed via a DoS tool which browses the target website and detects embedded web forms. Once the forms have been identified, R.U.D.Y. sends a legitimate HTTP POST request with an abnormally long ‘content-length’ header field and then t starts injecting the form with information, one byte-sized packet at a time.
Ssl Squeeze
SSL Squeeze attack aims to exploit computationally heavy SSL connection process by constantly opening and closing SSL connections. Impact of SSL Squeeze depends on ciphers used for SSL connections by server.
XSS Payload
XSS Attack attack aims to inject malicious code to the targeted server. This is achieved by crawling the target server, finding possible XSS vulnerabilities, and orchestrating the injection attack with a botnet to further improve it's impact.
All Volumetric
All Volumetric DDoS attack combines multiple Layer 3 and Layer 4 protocol DDoS attacks to provide a fast way to detect vulnerabilities on the targeted server.
IPSec VPN Load
IPSec attack aims to disrupt VPN connections by flooding the targeted VPN server with IPSec IKEv1 packets. A vulnerable VPN server could not be able to establish any new VPN connections as a result.
Test Volumes
# Bots | L3/4 Tests (Volumetric) Bandwidth Mbps (upto) | L7 Tests (Application) Running User (upto) |
---|---|---|
50 | 3.000 | 500.000 |
200 | 12.000 | 2.000.000 |
400 | 24.000 | 4.000.000 |
600 | 36.000 | 6.000.000 |
Security
Two-Factor Security
To conduct a DDoS test; both the operator (the Tester) and the client (the Target) should mutually approve the execution. Thereby, the scheduled test is guaranteed to be performed once the consent process is completed.
Emergency Stop Button
The tests being conducted can be paused with a click of an emergency button, if desired. In case of unexpected and extraordinary situations, tests can be stopped deliberately and resumed at any time.
Frequently Asked Questions
Here you can find solution to your questions or queries for LoDDoS.