DDoS Attack Trends

According to Latest Cyber Security Reports

DDoS Attacks

The number of DDoS attacks grew 150% on a global basis compared to the previous year. More than half of the attacks were aimed at organizations in EMEA

Attacks by Layers

In 2022, 78% of DDoS attacks targeted the application layer of the OSI model, 17% hit the network and transport layers, and 3% targeted DNS.

Primary Targets

End Users, Financial Services, Cloud Services, and Public Services are the targets that are subject to DDoS attacks respectively.

Complexity

DDoS attacks continue to increase in complexity. Attackers typically leverage multiple and dissimilar vectors to increase the impact and make attack mitigation harder.

What is LoDDoS?

LoDDoS is a DDoS and Load Test simulation platform offered as a service via cloud. The platform generates real DDoS attacks against services via real attack parameters. It also evaluates the resilience of internet-enabled web applications against high traffic.

This enables organizations to test the limits and the efficiency of their existing DDoS prevention systems prior to an actual DDoS attack. The tests which are defined on LoDDoS, are conducted with he attendance of an Operator as well as can be initiated with a single action, monitored live, stopped in a controlled manner, repeated as often as needed. Reports can be generated automatically and promptly by the end of each test thus results can be shared with third parties, if requested.

DDoS test sessions in LoDDoS platform can be monitored in real-time by all parties and can be paused at any time in case of an emergency. All tests can be repeated, and the results can be compared. Reports are generated instantly and can be saved for later evaluation.

A high number of requests targeted to web applications can be addressed with the help of LoDDoS’s Load Test feature, thus the limitations of these applications become visible. Load Test paves the way to analyze real situation that creates a considerable amount of load on applications before it occurs.

Datasheet
Request Info
drive02drive02

Why Perform DDos Tests?

In practice, DDoS tests are performed to assess the efficiency and the limits of the DDoS prevention products and services in place, to improve these systems and related precautions, as well as to measure and enhance the efficiency and the capabilities of an organization, within the assumption of a DDoS attack.

DDoS prevention solutions are not designed to work in a plug-and-play set-up.

Hence, prior to taking the necessary safety measures, an organization’s normal and abnormal network traffics, baselines and thresholds must be determined.

To identify these crucial elements properly, engineers should test the already-protected services against a real time DDOS attack and should also conduct some research on the current DDoS attack solutions within the market.

How To Perform DDos Tests?

As of now, most DDoS tests are being executed manually. The technical and administrative preparation stages of these tests take way too long than usual. Security and IT teams must work concurrently for a considerable amount of time to configure on premise traffic generator systems to conduct DDoS tests. Moreover, the operational aspect of this preliminary work also consumes additional load of time and cost, too.

Real-time monitoring of DDoS tests is usually not available during these manual tests, and it takes a significant amount of time to generate reports once the test phase is completed. Even if the test phase is done, predominantly these reports are not re-usable.

Supported DDoS Attack Types

The main purpose of supported DDoS attacks is to exhaust the network and system resources of the targeted destinations and to prevent these systems from being operational.

Principally, it is intended disable the resources by sending packets more that exceeds the current Internet bandwidth of the targeted systems.

TCP SYN Flood

Aim of TCP SYN Flood is to exploit TCP three-way handshake process by sending very high volume of SYN flagged TCP packets to the targeted server. Targeted server tries to respond these packets with SYN/ACK packets but gets overwhelmed by huge number of incoming requests and becomes unresponsive.

TCP SYN-ACK Flood

In TCP SYN-ACK Flood very high volume of SYN/ACK flagged TCP packets are sent to the target. Out-of-state sent SYN/ACK packets violate three-way handshake process. Responding to these requests uses very significant processing power, since these ACK packets do not belong to any of the sessions in targeted server's transmission list. This results in targeted server becoming unresponsive.

TCP ACK-FIN Flood

In TCP ACK-FIN Flood very high volume of ACK-FIN flagged TCP packets are sent to the target. Out-of-state sent ACK-FIN packets violate TCP connection termination process. Responding to these requests uses very significant processing power, since these ACK-FIN packets do not belong to any of the sessions in targeted server's transmission list. This results in targeted server becoming unresponsive.

TCP RST Flood

High volume of RST packets is sent to a TCP service serving on the target system to prevent the corresponding TCP service from serving.

TCP PUSH ACK Flood

In TCP RST Flood very high volume of RST flagged TCP packets are sent to the target server. Since these RST packets are not preceeded by a TCP handshake, targeted server goes through all of it's transmission list in order to response to incoming requests. This renders targeted server unresponsive as it requires very signification processing power.

TCP All Flags Flood

Also known as Xmas Flood, in TCP All Flags Flood very high volume of TCP packets are sent with all TCP flags (SYN-ACK-FIN-RST-PSH-URG) present in it's body. Targeted servers may response to this request differently, as a TCP packet with all flags present in it's body is considered illegal by TCP RFC. Generally, similar to other out-of-state TCP attacks, targeted servers respond to these requests with a RST packet and waste it's resources which results in server becoming unresponsive.

TCP No Flags Flood

Also known as TCP Null Flood, in TCP No Flags Flood very high volume of TCP packets with no TCP flags. Similar to the TCP All Flags Flood it's considered as illegal by TCP RFC, thus targeted server's may respond to this request differently. Generally, similar to other out-of-state TCP attacks, targeted servers respond to these requests with a RST packet and waste it's resources which results in server becoming unresponsive.

UDP Flood

Aim of UDP Flood is to saturate bandwidth and waste resources of the targeted server by sending very high volume of UDP packets. If UDP packets are sent to a port which listens for UDP packets, listening service gets overwhelmed by incoming packets and becomes unavailabile. If no service is listening for UDP packets at the targeted port, server tries to respond it with an ICMP (ping) packet which generates even more traffic resulting in server becoming unresponsive.

UDP Fragmented Flood

Similar to the UDP Flood, UDP Fragmented Flood aims to waste resources of the targeted server by sending very high volume of fragmented UDP packets of the maximum size in order to saturate the channel with as few packets as possible. Sent UDP packets are made of fragments of packets fabricated to waste targeted server's resources, resulting in making server unresponsive.

ICMP Flood

Aim of ICMP Flood is to disrupt a server's ability to use ICMP(Ping, Echo Request), by saturating it's bandwidth with very high volume of ICMP packets. ICMP protocol is used by various network components to communicate about network connectivity issues and impact of an ICMP Flood is not only limited to denial of the attacked service, but it's effects can be seen by applications that use different/higher layer network protocols.

SSL Negotiation Flood

SSL Negotiaton Flood aims to render a SSL/TLS service unresponsive by establishing too many SSL handshake with targeted server, as a SSL/TLS handshake is a lot more CPU intensive on the server side than on the client side. SSL Negotiaton Flood makes service unable to establish any new SSL connections.

HTTP(S) GET

Aim of HTTP(S) GET attack is to simulate very high number of real users requesting the resources of a web application by sending high number of HTTP(S) GET requests to the application. PDFs, Images, etc. large sized files can be targeted to increase the impact of this attack even further. Each request can imitate as if it's send by a real user to make it harder to distinguish from a legitimate request from an actual user. Application gets overwhelmed by incoming requests and unable to respond legitimate requests, becoming unavailable.

HTTP(S) POST

Aim of HTTP(S) POST attack is to simulate very high number of real users sending data to the web application by sending high number of HTTP(S) POST requests with customizable payload to the application. Each request can imitate as if it's send by a real user to make it harder to distinguish from a legitimate request from an actual user. Application gets overwhelmed by incoming requests and unable to respond legitimate requests, becoming unavailable.

Slowloris

Unlike many other attack vectors, aim of the Slowloris attack is to fill maximum concurrent connection pool of an application with minimal bandwidth usage by opening many connections to the server and keeping them open as long as possible. When targeted application's connection pool is full, targeted application denies new additional connection attemps from actual clients, and targeted application becomes unavailable.

DNS Query

In DNS Query Flood, very high number of DNS queries are sent to a DNS Server in order to saturate the bandwidth and waste resources of the DNS server. Preventing it from responding to actual DNS queries coming from real users.

DNS Random Query Flood

Similar to the DNS Query Flood, very hig number of DNS queries are sent to a DNS server in order to saturate the bandwidth and waste resources of the DNS server. Unlike DNS Query Flood, sent queries are random and requires additional processing by the DNS server, preventing the server from responding to actual DNS queries coming from real users.

Ping of Death

Ping of Death (PoD) attack sends modified and malformed ICMP packets to the targeted server. Sent ICMP packets are modified to make them larger than 63,535 bytes. Modified packets violate the RFC, and if the targeted server is an older server, there is possibility that target is vulnerable to this attack.

R-U-Dead-Yet

R.U.D.Y. is a popular low and slow attack tool that is designed to crash a web server by submitting long form fields. The attack is executed via a DoS tool which browses the target website and detects embedded web forms. Once the forms have been identified, R.U.D.Y. sends a legitimate HTTP POST request with an abnormally long ‘content-length’ header field and then t starts injecting the form with information, one byte-sized packet at a time.

Ssl Squeeze

SSL Squeeze attack aims to exploit computationally heavy SSL connection process by constantly opening and closing SSL connections. Impact of SSL Squeeze depends on ciphers used for SSL connections by server.

XSS Payload

XSS Attack attack aims to inject malicious code to the targeted server. This is achieved by crawling the target server, finding possible XSS vulnerabilities, and orchestrating the injection attack with a botnet to further improve it's impact.

All Volumetric

All Volumetric DDoS attack combines multiple Layer 3 and Layer 4 protocol DDoS attacks to provide a fast way to detect vulnerabilities on the targeted server.

IPSec VPN Load

IPSec attack aims to disrupt VPN connections by flooding the targeted VPN server with IPSec IKEv1 packets. A vulnerable VPN server could not be able to establish any new VPN connections as a result.

Test Volumes

# BotsL3/4 Tests (Volumetric) Bandwidth Mbps (upto)L7 Tests (Application) Running User (upto)
503.000 500.000
20012.0002.000.000
40024.0004.000.000
60036.000 6.000.000

Security

Two-Factor Security
Two-Factor Security

To conduct a DDoS test; both the operator (the Tester) and the client (the Target) should mutually approve the execution. Thereby, the scheduled test is guaranteed to be performed once the consent process is completed.

Emergency Stop Button
Emergency Stop Button

The tests being conducted can be paused with a click of an emergency button, if desired. In case of unexpected and extraordinary situations, tests can be stopped deliberately and resumed at any time.

Frequently Asked Questions

Here you can find solution to your questions or queries for LoDDoS.

What is LoDDoS?
LoDDoS is a DDoS and Load Test simulation platform offered as a service via cloud. The platform generates real DDoS attacks against services via real attack parameters. It also evaluates the resilience of internet-enabled web applications against high traffic.
How do you perform the attacks?
The bots are deployed on various locations around the world to perform a Distributed Denial of Service (DDoS) attack.
How do you determine the LoDDoS packages that fit our needs?
If you have already purchased a LoDDoS package via Offensify, our Sales Team will get in contact with you to guide you through by sharing with you the Scope Form to assess whether your purchase matches with the Scope of work. Once there is a mismatch, the Sales Team will advise you to purchase an extra package. If there is no mismatch, the Sales Team provide support to schedule the execution date of the test.If you would like to consult the Sales Team prior to purchasing the LoDDoS package, kindly get in touch via info@loddos-sec.com .
Can the DDoS attack duration be less than 1 hour?
Unfortunately, the minimum test duration should be for 1 hour.
How many bots can LoDDoS exceed up to?
LoDDoS can deploy and perform attacks via up to 600 bots.
What are the supported attack types?
Currently, LoDDoS supports various attack vectors within almost all OSI Layers. To name a few; ICMP Floods, TCP Floods, UDP Floods, IPSec VPN, DNS Floods, HTTP(S) GET/POST, SSL Negotiation, SSL Squeeze, Slowloris, RUDY, XSS Attack, etc.
Are there any technical requirements needed to access the LoDDoS platform?
In order to execute the test, there needs to be a VPN connection established between the target destination and LoDDoS platform.
Can we stop the attack immediately if there is something wrong during the test?
In case of an emergency, all Botnet can be shut down and the attack can be terminated with a push of a button.
What are the minimum and maximum bandwidths per bot?
There is no minimum bandwidth limit. However, depending on the attack type and target's network bandwidth, LoDDoS can generate up to 60Mbps traffic per bot.
Can LoDDoS exceed the maximum bandwith?
During a DDoS test there may be cases where Botnet total bandwidth exceeds the intended bandwidth for a short period of time, due to the nature of distributed Botnets.
Does LoDDoS have a trial feature/demo version for the interested customers prior to purchasing?
If requested, our Sales Team can schedule a LoDDoS presentation with one of the LoDDoS operators. For inquiries as such, please get in contact via info@loddos-sec.com.
Can we control the console within the scheduled test time?
Upon request, customers may operate the DDoS Test by themselves only under an operator supervision.
If we purchased a package, can we upgrade to other packages immediately?
Yes, you can coordinate with the Sales Team to upgrade your LoDDoS package.
Do you offer a discount for bulk purchases?
Yes, you can browse the bulk options within Offensify (Main Page>Bundle Offers) for the pre-bundled packages or you can reach out to the Sales Team via info@loddos-sec.com to retrieve a tailor-made bulk package for your request.
How many days we should notify you prior to schedule the test?
You should allow the Team at least a week to schedule and confirm the test once the purchase process is finalized.
In what density are the bots are distributed?
Currently, LoDDoS Botnet is distributed to 4 regions (APAC, Europe, North America, South America) and 16 countries in total.
Can we choose the regions of the bots to be included or excluded?
Botnet location preferences could be determined prior to the DDoS test. In cases where there are specific location requirements, please get in touch with the Sales Team to receive the confirmation.
Is it possible to use the purchased LoDDoS package sometime later?
The purchased LoDDoS packages must be consumed within one calendar year.
Does LoDDoS support simultaneous attacks?
Presently, LoDDoS can perform two Layer 3 or Layer 4 attacks simultaneously.
Do you have a sample report?
Yes, you can get in touch with the Sales Team to receive the Sample Report of LoDDoS.
How long does it take to generate a report?
LoDDoS can automatically generate a report once the execution is completed.
Do you have a detailed report option that contains the location of the bots?
The report that is generated via LoDDoS platform contains both the location and IP addresses of the bots for each attack performed during the DDoS test.
What are the payment options?
You can purchase LoDDoS via Offensify either by credit card or bank transfer. Please get in touch with the Sales Team to retrieve the Bank Account details. Kindly be informed that without receiving the transfer of the funds, tests will not be executed.
Can we purchase LoDDoS as a white label solution?
Unfortunately, there are additional requirements to be eligible to offer LoDDoS as a white label solution. Kindly reach out to the Sales Team via info@loddos-sec.com for further information.
What are the requirements to become a Reseller?
LoDDoS has a diverse and distributed B2B portfolio across the globe. Meaning, majority of LoDDoS customers are Resellers. Please get in touch with the Sales Team via info@loddos-sec.com for special discount rates.
What are the requirements to become a verified distributor for specific regions?
Please get in contact with the Sales Team via info@loddos-sec.com to be informed regarding the Criteria Set as well as the Terms&Conditions to become a verified distributor.