Volumetric (volume-based) DDoS attacks are currently among the most common. Their purpose is to saturate the bandwidth of the link over which the service is delivered, making the site unreachable or extremely slow.

Regardless of the perimeter security equipment you have (firewalls, IPS, WAF, among others), an attack like this cannot be stopped at your own edge: by the time your equipment drops a packet, that packet has already consumed bandwidth on the link. Stopping it requires help from the ISP or from a provider further upstream on the Internet that is able to absorb the traffic volume, filter out the malicious part and forward only legitimate traffic to the destination.

While volumetric DDoS attacks are primarily aimed at causing congestion, they can also be a sign of an ulterior motive: covering for more sophisticated and targeted activity, such as intrusion attempts against exposed services. In such cases the attackers try to cause as much operational disruption and distraction as possible, monitoring the defenders' response and rapidly mutating the attack to evade static mitigation techniques. Attacks of this kind have been dubbed "Trojan Horse DDoS"; they may be intended to overwhelm or disable a firewall or intrusion prevention system so that the attackers can get into the network, install malware and ultimately steal data.

Now imagine that the link is symmetric at 10 Mbps, that average outbound usage is 7 Mbps and that average inbound usage is 1 Mbps. It is the inbound direction that a volumetric attack fills: the attacker only needs to push roughly 9 Mbps of extra traffic toward the link to saturate it, after which legitimate requests no longer get in, even though the outbound direction is untouched. Attackers rarely need to source that much traffic themselves. They generally use amplification techniques: small requests are sent with the victim's address spoofed as the source to open DNS resolvers, NTP servers and other publicly reachable services that answer with much larger responses, and those responses are delivered to the victim. These services generally run over UDP, which has no handshake to verify the source address and so makes the spoofing possible.

The best we can do to defend against these attacks is:

Use flow telemetry analysis (NetFlow, sFlow or IPFIX exported by the edge routers), complemented by behavioral analysis, to detect anomalies and DDoS attacks. By first establishing what normal traffic looks like (baseline inbound rate, usual protocols and ports), abnormal traffic becomes much easier to spot.

When a volumetric DDoS attack is detected, use BGP FlowSpec to automatically push network-based mitigation (rules that discard or rate-limit traffic matching the attack's protocol, ports and destination) to the edges of the network, ideally including the upstream provider's edge, so the traffic is dropped before it reaches the saturated link.
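The following is an added example, not code from the original article, that ties together the 10 Mbps scenario above and the two defensive steps: it computes an inbound baseline from flow records, raises an alert when inbound traffic approaches the link ceiling, identifies the protocol/source-port pair carrying most of the volume (UDP source port 123 in the constructed NTP-amplification sample) and emits a FlowSpec-style rule for it. The flow records are constructed inline, the prefix 203.0.113.0/24 and the 80% capacity threshold are assumptions, and the rule text follows an ExaBGP-like syntax that is only illustrative; check the syntax expected by your own router or controller before using it.

```python
"""Flow-telemetry detection of a volumetric (amplification) DDoS with a FlowSpec-style response.
Added example; records below are constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

LINK_CAPACITY_BPS = 10_000_000  # the 10 Mbps symmetric link from the text


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record reduced to the fields the detector needs."""
    ts: int        # epoch second the record was exported
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int     # 6 = TCP, 17 = UDP
    nbytes: int


def _constructed_flows():
    """Constructed sample: 10 quiet seconds, then 4 seconds of NTP amplification."""
    victim = "203.0.113.10"  # assumed protected host
    flows = []
    for ts in range(0, 14):
        # Normal inbound: 5 HTTPS response flows x 25,000 bytes = 1 Mbps
        for i in range(5):
            flows.append(Flow(ts, f"198.51.100.{i + 1}", 443, victim, 50000 + i, 6, 25_000))
        if ts >= 10:
            # Responses from 50 NTP reflectors that received requests spoofed as the victim:
            # 50 x 37,500 bytes = 15 Mbps, well above the 10 Mbps link
            for i in range(50):
                flows.append(Flow(ts, f"192.0.2.{i + 1}", 123, victim, 40000 + i, 17, 37_500))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def inbound_bps_per_second(flows, victim_prefix):
    """Inbound bits per second toward the protected prefix, keyed by second."""
    per_sec = defaultdict(int)
    for f in flows:
        if f.dst_ip.startswith(victim_prefix):
            per_sec[f.ts] += f.nbytes * 8
    return dict(per_sec)


def baseline_bps(per_sec, quiet_until):
    """Behavioral baseline: median inbound rate over a window known to be normal."""
    quiet = [bps for ts, bps in per_sec.items() if ts < quiet_until]
    return median(quiet) if quiet else 0


def top_contributor(flows, victim_prefix, ts):
    """(proto, src_port) pair carrying the largest share of inbound bytes in that second."""
    by_key, total = defaultdict(int), 0
    for f in flows:
        if f.ts == ts and f.dst_ip.startswith(victim_prefix):
            by_key[(f.proto, f.src_port)] += f.nbytes
            total += f.nbytes
    key = max(by_key, key=by_key.get)
    return key, by_key[key] / total


def detect(flows, victim_prefix, capacity_bps, quiet_until, k=3.0, fill=0.8):
    """Alert on seconds where inbound is both far above baseline (k x) and near the link ceiling."""
    per_sec = inbound_bps_per_second(flows, victim_prefix)
    base = baseline_bps(per_sec, quiet_until)
    threshold = max(k * base, fill * capacity_bps)  # both conditions must hold
    alerts = []
    for ts in sorted(per_sec):
        if ts >= quiet_until and per_sec[ts] > threshold:
            (proto, sport), share = top_contributor(flows, victim_prefix, ts)
            alerts.append({"ts": ts, "bps": per_sec[ts], "proto": proto,
                           "src_port": sport, "share": share})
    return base, threshold, alerts


def flowspec_rule(alert, victim_cidr):
    """FlowSpec rule text (ExaBGP-like syntax, assumed) the upstream edge could install."""
    return (f"flow route {{ match {{ destination {victim_cidr}; protocol ={alert['proto']}; "
            f"source-port ={alert['src_port']}; }} then {{ discard; }} }}")


if __name__ == "__main__":
    base, thr, alerts = detect(SAMPLE_FLOWS, "203.0.113.", LINK_CAPACITY_BPS, quiet_until=10)
    print(f"baseline={base:.0f} bps threshold={thr:.0f} bps alerts={len(alerts)}")
    if alerts:
        a = alerts[0]
        print(f"t={a['ts']} inbound={a['bps']} bps, {a['share']:.0%} from proto {a['proto']} "
              f"src-port {a['src_port']}")
        print(flowspec_rule(a, "203.0.113.0/24"))
```

A rule keyed on source port 123 discards only reflected NTP traffic and leaves the HTTPS responses alone, which is the point of matching on the attack's signature rather than blackholing the whole prefix; in practice the rule belongs at the provider's edge, since installing it on your own router still leaves the 10 Mbps link full.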

Also check:
HTTP Flood DDoS attack method
SYN Flood variant of DDoS attack
ICMP Flood denial of service attack type

