
I have been reading up on different types of DDoS attacks recently and came upon DDoS distribution by type in 2017, by Kaspersky Labs. They list 5 different DDoS types: SYN, TCP, UDP, HTTP, ICMP

In all other resources that I have come across so far, SYN DDoS and TCP DDoS attacks are used as complete synonyms, however Kaspersky Labs seems to differentiate between the two. When I search for TCP DDoS attack specifically, only information about SYN DDoS comes up.

I guess my question could be rephrased as: Is TCP DDoS attack always also a SYN attack? Or are there other ways to use TCP for DDoS purposes?

afaf12

2 Answers


In the article they mention "TCP DDoS attacks", but the summary also says (emphasis mine):

There was a considerable drop in the share of attacks over TCP (down to 18.2% from 26.6%) and ICMP (down to 7.3% from 8.2%). This caused a rise in the percentage of SYN floods and attacks over UDP and HTTP.

A DDoS attack on L4 (TCP SYN flood) is one type of attack using TCP, but others can involve the application layer (L7). The authors mention HTTP as a special case, but one could also flood SSH or mail services with (small) requests that require more processing on the server side. These are services that run over TCP.

Lekensteyn

There are a few other TCP-based DDoS attacks, but they aren't very common due to the fact that TCP is by design quite inefficient for performing (simple) DDoS attacks. Application layer attacks (exhausting CPU, database, disk, etc.) are often done based on TCP (for example by generating a lot of HTTP requests to a webserver), and there are a few known attacks which try to abuse the TCP protocol, for example by sending illegal combinations of TCP flags or incorrect fragmentation. The 'teardrop attack' was a well known example of that, which used overlapping fragments to crash devices receiving the packets when reassembling them.

But as I already said, TCP isn't very popular for DDoS attacks. Since TCP requires a three-way handshake (SYN, SYNACK, ACK) before you can send any commands, it requires more resources from the nodes performing the DDoS.

Also, TCP attacks cannot be done with spoofed IP addresses, because the TCP session would never reach the established state, since the SYNACK would be sent to the spoofed address. Many simple attacks rely on IP spoofing combined with protocols which send a large response given a small request (DNS, NTP, SNMP, LDAP) to generate a huge amount of traffic.

The third drawback of TCP is that it allows both ends to do flow control, thus throttling the sender when the receiver can't keep up, which is not something one would want when performing a DDoS.

Therefore, UDP attacks are much more common for all those attacks which generate tens of gigabits/sec of traffic.

Teun Vink
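The two answers above make the same distinction from different angles: a SYN flood works with spoofed sources because the server commits state (a half-open entry) before the handshake completes, while any attack that needs an established connection (HTTP, SSH, mail floods) cannot be spoofed, since the SYNACK goes to the forged address and no ACK ever returns. The following Python model is an added example, not code from either answer or from Kaspersky; the class names, the `SECRET`, and the 198.51.100.x / 203.0.113.x addresses are all constructed for illustration. It models only the pieces the argument needs: a bounded half-open table, the lost SYN-ACK for a spoofed source, and SYN cookies as the usual mitigation that removes the per-SYN state.

```python
"""
Toy model of a TCP listener under a spoofed SYN flood vs. a full-connection
attack.  Added example; hypothetical names throughout.  Real sequence numbers,
retransmission timers and RST handling are deliberately left out.
"""
import hmac
import hashlib
from dataclasses import dataclass, field

SECRET = b"per-boot-random-secret"  # constructed; a real stack rotates this


def syn_cookie(src: str) -> str:
    """Stateless cookie: the server can verify an ACK without remembering the SYN."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Listener:
    backlog: int
    use_syn_cookies: bool = False
    half_open: set = field(default_factory=set)     # SYN-RECEIVED entries
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, src: str):
        """Return the SYN-ACK to send (a cookie string), or None if the SYN was dropped."""
        if self.use_syn_cookies:
            return syn_cookie(src)            # no table entry is consumed
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1            # backlog full: new clients are refused here
            return None
        self.half_open.add(src)
        return "synack"

    def on_ack(self, src: str, cookie: str) -> bool:
        """Third handshake step. Returns True if the connection becomes ESTABLISHED."""
        if self.use_syn_cookies:
            ok = hmac.compare_digest(cookie, syn_cookie(src))
        else:
            ok = src in self.half_open
            self.half_open.discard(src)
        if ok:
            self.established.add(src)
        return ok


class Network:
    """Delivers SYN-ACKs only to hosts the sender actually controls."""

    def __init__(self, reachable: set):
        self.reachable = reachable

    def handshake(self, listener: Listener, src: str) -> bool:
        synack = listener.on_syn(src)
        if synack is None:
            return False                      # SYN dropped, backlog exhausted
        if src not in self.reachable:
            return False                      # SYN-ACK goes to the spoofed address; no ACK follows
        return listener.on_ack(src, synack)


def syn_flood_then_legit(backlog: int, flood: int, syn_cookies: bool) -> bool:
    """Spoofed SYN flood followed by one legitimate client; returns whether that client connects."""
    net = Network(reachable={"198.51.100.7"})          # constructed: only the legit client is real
    lst = Listener(backlog=backlog, use_syn_cookies=syn_cookies)
    for i in range(flood):
        net.handshake(lst, f"203.0.113.{i % 256}")     # constructed spoofed sources
    return net.handshake(lst, "198.51.100.7")


def spoofed_full_connection(backlog: int) -> bool:
    """An L7-style attack needs ESTABLISHED; with a spoofed source it never gets there."""
    net = Network(reachable=set())
    lst = Listener(backlog=backlog)
    return net.handshake(lst, "203.0.113.99")


if __name__ == "__main__":
    print("legit client after flood, no cookies:", syn_flood_then_legit(128, 200, False))
    print("legit client after flood, SYN cookies:", syn_flood_then_legit(128, 200, True))
    print("spoofed full connection established:", spoofed_full_connection(128))
```

Without SYN cookies, 200 spoofed SYNs fill a backlog of 128 and the legitimate client is refused; with cookies the flood costs the server nothing per packet and the client connects. The spoofed full-connection attempt never reaches ESTABLISHED, which is why application-layer floods need real (or compromised) source hosts and why the large-volume attacks the second answer describes move to UDP.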