The Three Categories of DDoS Attacks
DDoS attacks are broadly classified into three categories based on which layer of the network stack they target. Understanding this taxonomy is essential for choosing the right detection and mitigation strategy because each category requires fundamentally different defenses.
- Volumetric attacks (Layer 3/4) - Flood the target's bandwidth with sheer traffic volume. Measured in bits per second (BPS) or packets per second (PPS).
- Protocol attacks (Layer 3/4) - Exploit weaknesses in network protocols to exhaust server resources like connection tables, CPU, or memory. Measured in PPS.
- Application-layer attacks (Layer 7) - Target specific applications or services with seemingly legitimate requests designed to exhaust application resources. Measured in requests per second (RPS).
Modern attacks increasingly combine multiple types simultaneously, a strategy known as multi-vector attacks. Flowtriq's classification engine identifies all three categories and their specific sub-types.
Volumetric Attacks
Volumetric attacks aim to saturate the target's network bandwidth. They are the most common DDoS type, accounting for approximately 65% of all attacks. The goal is simple: send more traffic than the link can handle.
UDP Flood
The most basic volumetric attack. The attacker sends a large volume of UDP packets to random ports on the target. The server must check each port for a listening application and respond with ICMP "Destination Unreachable" when nothing is found. With enough volume, this consumes all available bandwidth and CPU. See our detailed UDP flood mitigation guide.
Detection signature: Sudden PPS spike, predominantly UDP traffic, high source port entropy (random ports), many ICMP unreachable responses generated.
DNS Amplification
Exploits open DNS resolvers to amplify traffic 28-54x. The attacker sends small DNS queries with the victim's spoofed IP to open resolvers, which respond with much larger DNS responses to the victim. See our complete DNS amplification guide.
Detection signature: Inbound UDP from source port 53, large DNS response packets (>2 KB), high BPS-to-PPS ratio, no corresponding outbound DNS queries.
NTP Amplification
Abuses the NTP monlist command on misconfigured NTP servers. A 234-byte request can generate responses up to 100x larger. NTP amplification can reach amplification factors of 556x with certain configurations.
Detection signature: Inbound UDP from source port 123, large response packets, NTP Mode 7 (private) responses without corresponding queries.
Memcached Amplification
The highest amplification factor of any known vector: up to 50,000x. Abuses memcached servers with UDP enabled. See our detailed memcached amplification detection guide.
Detection signature: Inbound UDP from source port 11211, extremely high BPS, heavy IP fragmentation, memcached response headers in payloads.
SSDP Amplification
Exploits the Simple Service Discovery Protocol used by UPnP devices. The attacker sends SSDP search requests to UPnP-enabled devices with the victim's spoofed IP. Amplification factor is approximately 30x.
Detection signature: Inbound UDP from source port 1900, XML-formatted SSDP responses, traffic from residential IP ranges (IoT devices).
CLDAP Amplification
Connectionless LDAP (CLDAP) on UDP port 389 can produce amplification factors of 56-70x. It has become increasingly popular since 2020 as other amplification vectors are gradually cleaned up.
Detection signature: Inbound UDP from source port 389, LDAP response payloads, typically from enterprise or cloud IP ranges.
Protocol Attacks
Protocol attacks exploit weaknesses in Layer 3 and Layer 4 protocols to consume server resources without necessarily saturating bandwidth. They are often smaller in total volume but can be equally devastating.
SYN Flood
The classic protocol attack. The attacker sends a flood of TCP SYN packets (connection initiation) with spoofed or non-responding source IPs. The server allocates resources for each half-open connection, eventually exhausting its connection table. With modern SYN cookies, basic SYN floods are less effective, but high-volume SYN floods can still overwhelm firewall state tables and consume CPU. See our SYN flood iptables guide.
Detection signature: Massive SYN_RECV count, high ratio of SYN to SYN-ACK packets, many unique source IPs with no completed handshakes.
ACK Flood
Sends a flood of TCP ACK packets that do not correspond to any established connection. The server must look up each packet in its connection table to determine it is invalid, consuming CPU cycles. Stateful firewalls are particularly vulnerable because they track every connection.
Detection signature: High volume of TCP ACK packets with no matching connection state, packets from many source IPs.
RST Flood
Similar to ACK floods but using TCP RST (reset) packets. Can disrupt legitimate connections if the attacker can guess valid sequence numbers.
Ping of Death / ICMP Flood
Sends malformed or oversized ICMP packets to overwhelm the target. Modern systems are largely immune to the original "Ping of Death" (oversized packets causing buffer overflows), but ICMP floods can still consume bandwidth and CPU.
Detection signature: Massive ICMP echo request volume, oversized ICMP packets, fragmented ICMP payloads.
IP Fragment Flood
Sends a stream of IP fragments that require reassembly. Each fragment consumes memory in the reassembly buffer. Incomplete fragment chains (where the last fragment never arrives) hold memory until the reassembly timeout expires.
Detection signature: High IP fragment rate, incomplete fragment reassembly, many fragment reassembly timeouts.
Application-Layer Attacks
Application-layer (Layer 7) attacks are the most sophisticated and hardest to detect because they mimic legitimate user traffic. Each individual request appears normal; it is only the volume and pattern that reveals the attack.
HTTP Flood
Sends a large number of HTTP requests to resource-intensive endpoints. Unlike volumetric attacks, HTTP floods complete the TCP handshake and send valid HTTP requests. A single HTTP GET to a database-heavy page can consume thousands of times more server resources than the request itself. Attackers target search pages, report generators, and API endpoints that trigger expensive backend operations.
Detection signature: High request rate from many IPs to specific URLs, requests with identical or scripted user agents, no JavaScript execution (detected via cookie challenges), requests targeting known expensive endpoints.
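The per-endpoint request-rate check described above, as an added example that is not Flowtriq's code: it parses access-log lines in the common "combined" format, then flags endpoints whose rate crosses a threshold and reports how many sources hit them, how uniform the User-Agent is, and whether the path is on a (hypothetical, site-specific) list of expensive endpoints. The log lines, the `EXPENSIVE` set and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Regex for the "combined" access-log format: ip ident user [ts] "req" status bytes "referer" "ua".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Endpoints that trigger expensive backend work; a hypothetical list for this example site.
EXPENSIVE = {"/search", "/reports/generate", "/api/export"}

def parse(line):
    """Return (ip, path-without-query, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, ua = m.groups()
    return ip, target.split("?", 1)[0], ua

def analyse(lines, window_seconds, rps_threshold):
    """Per-endpoint request-rate analysis over one log window; returns a list of alert dicts."""
    hits, ips, uas = Counter(), defaultdict(set), defaultdict(Counter)
    for ip, path, ua in filter(None, map(parse, lines)):
        hits[path] += 1
        ips[path].add(ip)
        uas[path][ua] += 1
    alerts = []
    for path, n in hits.items():
        rps = n / window_seconds
        if rps < rps_threshold:
            continue                      # below the per-endpoint rate threshold: normal browsing
        _ua, top = uas[path].most_common(1)[0]
        alerts.append({"path": path, "rps": rps, "sources": len(ips[path]),
                       "ua_uniformity": round(top / n, 2),   # 1.0 = every request used the same UA
                       "expensive": path in EXPENSIVE})
    return alerts

def constructed_log(attack=300, legit=20):
    """Constructed sample: a scripted flood of /search from 60 IPs mixed with normal browsing."""
    fmt = '{ip} - - [10/May/2024:12:00:00 +0000] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
    lines = [fmt.format(ip=f"203.0.113.{i % 60}", path=f"/search?q={i}", ua="python-requests/2.31")
             for i in range(attack)]
    browsers = ["Mozilla/5.0 (X11; Linux) Firefox/125.0", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"]
    lines += [fmt.format(ip=f"198.51.100.{i}", path=["/index.html", "/about"][i % 2], ua=browsers[i % 2])
              for i in range(legit)]
    return lines

if __name__ == "__main__":
    for alert in analyse(constructed_log(), window_seconds=10, rps_threshold=5):
        print(alert)
```

With the constructed log, only `/search` is reported: 30 requests per second from 60 sources, all with the same scripted User-Agent, on an expensive endpoint; the browsing traffic stays below the threshold.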
Slowloris
Opens many connections to the web server and keeps them open by sending partial HTTP headers at regular intervals. Each connection consumes a server thread/worker while the attacker uses minimal bandwidth. Particularly effective against Apache and other thread-per-connection servers.
Detection signature: Many connections in ESTABLISHED state with very slow data transfer, connections from the same IPs lasting much longer than normal, incomplete HTTP headers.
Slow POST (R.U.D.Y.)
Similar to Slowloris but targets HTTP POST requests. The attacker sends the Content-Length header indicating a large body, then sends the body data one byte at a time at long intervals. The server waits for the complete body, keeping the connection and associated resources allocated.
DNS Query Flood
Targets DNS servers with a flood of legitimate-looking DNS queries for non-existent or random subdomains. The server must process each query, potentially triggering recursive lookups that consume CPU, memory, and upstream bandwidth. Known as "random subdomain attack" or "DNS water torture."
Detection signature: Massive query rate for NXDOMAIN responses, queries for random subdomains of a specific domain, cache miss rate spike.
Flowtriq classifies 8 attack types automatically: UDP flood, SYN flood, DNS amplification, NTP amplification, memcached amplification, ICMP flood, HTTP flood, and multi-vector attacks. Classification happens within seconds of detection and is included in all alert notifications.
Detection Strategy by Attack Type
No single metric catches all attack types. Effective detection requires monitoring multiple signals simultaneously:
- PPS + BPS: Catches volumetric attacks. A high BPS-to-PPS ratio (large average packet size) indicates large-packet floods (amplification). A high PPS-to-BPS ratio (small average packet size) indicates small-packet floods (SYN, ACK, random-port UDP).
- Protocol distribution: Catches amplification and UDP floods by detecting shifts in the UDP/TCP traffic ratio.
- Connection state tracking: Catches SYN floods, Slowloris, and other connection-exhaustion attacks by monitoring half-open and slow connections.
- Source entropy: Distinguishes botnet attacks (high source diversity) from amplification attacks (low source port diversity).
- Request rate analysis: Catches application-layer attacks by monitoring per-endpoint request rates and response patterns.
Flowtriq's per-second detection engine monitors all of these signals simultaneously and uses dynamic baselines to distinguish attacks from legitimate traffic spikes.