Understanding DDoS attacks: Volumetric vs. application

It’s been a while since we posted much here about distributed denial-of-service (DDoS) attacks, but they remain a significant threat to businesses, organizations, and individuals. Back in October 2021 we discussed some of the more destructive new flavors of DDoS here, and the trends we looked at then have indeed continued to progress.

But today I want to step back and go over some of the basics about DDoS attacks. In particular, I want to make sure you understand the difference between the two main categories of DDoS: volumetric attacks and application attacks.

The main reason it’s important to understand the differences between volumetric and application DDoS attacks is that each type requires different strategies for mitigation. Understanding your exposure to risk from each type can help you determine the right strategy for investing in protective measures.

Volumetric DDoS attacks

Volumetric DDoS attacks are what most people think of when they hear about a DDoS attack. They are designed to overwhelm a target with large amounts of traffic. These attacks usually involve flooding a targeted online application with requests from multiple sources at once.

Very often this is accomplished by the use of botnets, which are large networks of computers that have been compromised or infiltrated by a malicious actor. They can include many thousands of devices whose owners are completely unaware that they have been compromised. Once a cybercriminal has established a botnet, it is a relatively simple matter to make all the devices send repeated requests to the targeted application at the same time and over a long period of time, saturating bandwidth and exhausting memory and processor resources.

Volumetric DDoS attacks were traditionally used mainly to hinder an organization’s ability to operate, but in recent years attackers have extorted ransoms from their targets in exchange for shutting down the attack, and in some cases they use the attack as a distraction so that they can more easily steal data or install ransomware or other malware.

Application DDoS attacks

Application DDoS attacks are more sophisticated than volumetric attacks. While volumetric attacks can be used against any application that accepts requests via the internet, application attacks are individually designed to exploit specific vulnerabilities in the applications and services that they target.

For example, if an application has no limit on how long a character-string can be input to a field, an attacker can enter a very long string that exceeds the application’s buffer capacity, causing it to shut down. This is called a buffer overflow exploit. Other types of application DDoS attack include HTTP floods and slowloris attacks.

Defense against DDoS attacks

Volumetric DDoS protection solutions typically use network-level filtering techniques such as rate limiting or packet inspection to detect malicious traffic and block it before it reaches its intended target. On the other hand, application-level protection solutions focus on identifying malicious requests by analyzing their content rather than their source IP address or other network-level attributes.

Another important protection against application DDoS attacks consists of ensuring that any vulnerabilities in application code is identified and patched to block such attacks.

Many web application firewall (WAF) solutions currently available offer metered DDoS protection capabilities as an add-on. The danger of this model is that, especially in the case of volumetric attacks, the cost of defending against a large-scale, long-term attack can quickly escalate out of control.

Barracuda Application Protection stands apart from other web application and API protection (WAAP) solutions by including Full-Spectrum DDoS Protection as a standard feature. This not only provides highly advanced security against both volumetric and application DDoS attacks, but it does so without any limits on protected applications. Barracuda Application Protection also includes sophisticated WAF capabilities that monitor all your applications — both in development and in production — to identify and automatically patch vulnerabilities before they can be exploited by attackers.