12 Common Types Of DDoS Attacks — Explained By DMARCReport
At DMARCReport, we take email and network security seriously. While our primary focus is on DMARC, SPF, and DKIM, we also understand the broader threat landscape — including Distributed Denial-of-Service (DDoS) attacks. In this comprehensive guide, we walk you through the 12 most common types of DDoS attacks, their underlying mechanisms, and why understanding them matters — even for organizations that prioritize email security.
What Is a DDoS Attack?
A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to make an online service unavailable by overwhelming it with a flood of traffic from multiple sources. In a DDoS attack, threat actors often use a network of compromised devices — known as a botnet — to send huge volumes of fake or malicious traffic. These botnets can cripple websites, applications, or network infrastructure, causing downtime, service disruption, and reputational damage.
Unlike a simple DoS (Denial of Service) attack, which might originate from a single source, DDoS leverages many machines at once, making mitigation more challenging.
Understanding the Network: The OSI Model
To fully grasp how different DDoS attacks work, it’s helpful to understand how data travels in a network. The OSI (Open Systems Interconnection) model is a conceptual framework that describes seven layers of network communication:
- Layer 7 – Application Layer: Where applications like web browsers or email clients operate.
- Layer 6 – Presentation Layer: Handles data formatting, encryption, and compression.
- Layer 5 – Session Layer: Manages communication sessions and their states.
- Layer 4 – Transport Layer: Segments data and ensures reliable transmission (e.g., TCP).
- Layer 3 – Network Layer: Routes packets using IP addresses.
- Layer 2 – Data Link Layer: Manages physical link connections (e.g., switches).
- Layer 1 – Physical Layer: The physical medium (cables, wireless) that carries raw bits.
Different DDoS attacks target different layers of this model. Broadly, we categorize them into three groups: application layer attacks, protocol attacks, and volumetric attacks.

1. Application Layer Attacks
Application-layer attacks (Layer 7) aim at the very front of your infrastructure — the part users interact with — such as web servers, APIs, or login pages. Because these attacks can mimic legitimate user behavior, they’re often difficult to detect.
a) DNS Server Targeting Attacks
- Attackers send spoofed, high-volume DNS requests, sometimes leveraging amplification techniques.
- A small query can trigger a much larger response, overwhelming the DNS resolver.
- These “floods” may appear legitimate, making filtering difficult.
b) HTTP(S) Encrypted Flood
- Botnets generate a high frequency of HTTP requests (GET, POST, DELETE, PUT, and more) to a target web server.
- Because these requests often come via HTTPS, they are encrypted, harder to inspect, and more resource-intensive for the server to process.
- The goal is to saturate the server’s ability to handle simultaneous connections, leading to denial of service for real users.
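Because an HTTP(S) flood is made of well-formed requests, the signal is the rate rather than the content of any one request. The following is an added example, not code from the DMARCReport article: it parses Common Log Format access-log lines and flags any client whose request count inside a sliding window reaches a threshold. The log lines, the client addresses (RFC 5737 documentation ranges) and the window and threshold values are all constructed assumptions for the example; tune the thresholds to your own baseline.

```python
# Added example (not from the DMARCReport article): flag clients whose request
# rate in web-server access logs spikes far above normal, the trace an HTTP(S)
# flood leaves even though each request looks well-formed once decrypted.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_flooders(lines, window_seconds=10, threshold=20):
    """Return {ip: peak requests seen inside any window_seconds-long sliding
    window} for clients that reach `threshold`. Lines must be in time order,
    as a log file is. The defaults are assumptions; tune them to your baseline."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                       # expire timestamps outside the window
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def constructed_log():
    """Constructed sample: one client fires 30 POSTs at /login in six seconds
    (a flood against a login page) while a normal visitor makes three GETs.
    Addresses come from the RFC 5737 documentation ranges."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(milliseconds=200 * i), "203.0.113.7", "POST", "/login")
              for i in range(30)]
    events += [(base + timedelta(seconds=s), "198.51.100.4", "GET", "/index.html")
               for s in (1, 3, 5)]
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" 200 512'
            for ts, ip, method, path in events]


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The sliding window is kept per client as a deque of timestamps, so memory is bounded by the window size rather than the log size. Against a distributed flood the per-IP count alone may stay under the threshold; the same routine keyed on the requested path (for example `/login`) catches the aggregate spike.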
2. Protocol Attacks
Protocol attacks (Layer 3 and 4) aim to exploit weaknesses in communication protocols. These attacks typically target network infrastructure — not just the end application — and are meant to exhaust server and networking equipment resources.
Here are four common protocol-based DDoS types:
a) Ping of Death
- Historically, attackers would send malformed ping packets that exceed the maximum permitted IP packet size.
- These oversized pings can crash or reboot systems.
- Though largely outdated, variations remain a risk in poorly patched systems.
b) SYN Flood
- This attack abuses the TCP three-way handshake.
- Attackers send numerous SYN packets with spoofed IPs to a server.
- The target responds with SYN-ACK and waits for the final ACK, but because the source address is fake, that ACK never arrives.
- This ties up open connections until the server’s connection table is exhausted — blocking legitimate connection attempts.

c) Tsunami SYN Flood
- A more aggressive version of the SYN flood.
- Packets are larger (around 1,000 bytes), increasing the load per connection.
- This intensifies the strain on both bandwidth and connection-handling capacity.
d) Connection Exhaustion (State-Exhaustion)
- Attackers target devices like firewalls, load balancers, or stateful routers, exhausting their capacity to track connection states.
- Because these attacks don’t always rely on spoofed IPs, they are often harder to filter.
- There is also a variation targeting SSL/TLS: by continuously renegotiating handshakes or sending invalid packets, attackers can tie up stateful resources on SSL servers.
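Both the SYN flood and the state-exhaustion attack above show up in the connection table of the target: half-open (SYN-RECV) entries pile up in one case, and the total number of tracked states approaches the device's capacity in the other. The following is an added example, not code from the DMARCReport article: it parses lines laid out like `ss -tan` output and reports both conditions. The column order, the backlog and table-capacity figures and the sample connections are assumptions constructed for the example; take the real figures from your listener's backlog setting and your firewall or load balancer's state table.

```python
# Added example (not from the DMARCReport article): summarise a TCP connection
# table and flag a half-open (SYN-RECV) backlog filling up during a SYN flood
# and an overall state table nearing the capacity of a stateful device.
from collections import Counter


def parse_ss(text):
    """Parse lines laid out like `ss -tan` output (assumed column order:
    State Recv-Q Send-Q Local:Port Peer:Port); the header row is skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        conns.append({"state": parts[0], "local": parts[3],
                      "peer_ip": parts[4].rsplit(":", 1)[0]})
    return conns


def assess(conns, syn_backlog=64, table_capacity=1000):
    """Compare half-open and total tracked connections against capacity.
    syn_backlog and table_capacity are assumed figures for the example."""
    counts = Counter(c["state"] for c in conns if c["state"] != "LISTEN")
    half_open = counts["SYN-RECV"]
    tracked = sum(counts.values())
    return {
        "half_open": half_open,
        "tracked": tracked,
        "backlog_used_pct": round(100.0 * half_open / syn_backlog, 1),
        "table_used_pct": round(100.0 * tracked / table_capacity, 1),
        # a backlog three-quarters full of half-open entries is the SYN-flood signature
        "syn_flood_suspected": half_open >= 0.75 * syn_backlog,
        # a state table four-fifths full means the device is close to dropping new flows
        "state_exhaustion_risk": tracked >= 0.8 * table_capacity,
    }


def constructed_table():
    """Constructed sample: 48 half-open connections from sources that never
    complete the handshake plus three established sessions on an HTTPS listener."""
    rows = ["State      Recv-Q Send-Q Local Address:Port  Peer Address:Port",
            "LISTEN     0      64     0.0.0.0:443         0.0.0.0:*"]
    rows += [f"ESTAB      0      0      192.0.2.10:443      198.51.100.{n}:{50000 + n}"
             for n in (20, 21, 22)]
    rows += [f"SYN-RECV   0      0      192.0.2.10:443      203.0.113.{i % 254 + 1}:{40000 + i}"
             for i in range(48)]
    return "\n".join(rows)


SAMPLE_TABLE = constructed_table()

if __name__ == "__main__":
    print(assess(parse_ss(SAMPLE_TABLE)))
```

Note that the report deliberately does not rank peers by address: in a SYN flood the sources are spoofed, so blocking them one by one achieves nothing. The usual answer on the host is SYN cookies (on Linux, `net.ipv4.tcp_syncookies`), which let the listener stop holding state for half-open connections; the state-exhaustion case is handled upstream by the capacity planning and connection limits described under mitigation.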
3. Volumetric Attacks
Volumetric attacks aim to consume bandwidth and saturate the network. The measure here is typically in bits per second (bps) — and these attacks can scale into hundreds of gigabits or even terabits per second.
Here are some of the most notorious volumetric attack variants:

a) DNS Amplification
- Attackers send DNS queries with a spoofed source IP address (that of the victim) to open DNS resolvers.
- These resolvers reply to the victim with large “ANY” response packets.
- Because the response is much larger than the initial request, traffic is amplified, flooding the target with many times the volume of malicious traffic.
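The amplification described here, and in the DNS server targeting attack under application layer attacks, is simply the ratio of response bytes to query bytes, multiplied by the number of open resolvers an attacker can point at a victim. The following is an added example, not code from the DMARCReport article: it computes that ratio over resolver log lines, groups responses by the address they were sent to (which, under source spoofing, is the victim), and applies the two resolver-side policies that remove the reflector role: answer recursion only for your own networks, and return a minimal answer to ANY (RFC 8482). The log line layout, the trusted network and the sample queries are constructed assumptions and not any particular resolver's native format.

```python
# Added example (not from the DMARCReport article): measure DNS amplification
# and spot a resolver being used as a reflector. The log line layout is a
# constructed one for the example, not any resolver's native log format.
import ipaddress
from collections import defaultdict


def parse_resolver_line(line):
    """Constructed layout: <ts> client=<ip> qname=<name> qtype=<type> qlen=<n> rlen=<n>"""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {"client": fields["client"], "qname": fields["qname"],
            "qtype": fields["qtype"], "qlen": int(fields["qlen"]),
            "rlen": int(fields["rlen"])}


def amplification_factor(query_bytes, response_bytes):
    """Bytes returned per byte received: the multiplier the reflector provides."""
    return response_bytes / query_bytes


def find_reflection_abuse(lines, min_factor=10.0, min_queries=5):
    """Per client (under spoofing, really the victim): total bytes sent back and
    the largest amplification seen. Report clients that received at least
    min_queries responses amplified by min_factor or more (assumed thresholds)."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_out": 0,
                                 "amplified": 0, "max_factor": 0.0})
    for line in lines:
        rec = parse_resolver_line(line)
        s = stats[rec["client"]]
        factor = amplification_factor(rec["qlen"], rec["rlen"])
        s["queries"] += 1
        s["bytes_out"] += rec["rlen"]
        s["max_factor"] = max(s["max_factor"], factor)
        if factor >= min_factor:
            s["amplified"] += 1
    return {ip: s for ip, s in stats.items() if s["amplified"] >= min_queries}


TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: your own client range


def resolver_decision(rec, trusted_nets=TRUSTED_NETS):
    """Resolver policy that removes the reflector role."""
    client = ipaddress.ip_address(rec["client"])
    if not any(client in net for net in trusted_nets):
        return "refuse"        # open recursion is what makes a resolver a reflector
    if rec["qtype"] == "ANY":
        return "minimal-any"   # RFC 8482: answer ANY with a minimal response
    return "answer"


def constructed_resolver_log():
    """Constructed sample: 8 ANY queries whose spoofed source is the victim
    198.51.100.9 (64-byte query, 3300-byte answer) and 3 ordinary A lookups."""
    lines = [f"2024-05-01T12:00:0{i}Z client=198.51.100.9 qname=example.com "
             f"qtype=ANY qlen=64 rlen=3300" for i in range(8)]
    lines += [f"2024-05-01T12:00:0{i}Z client=192.0.2.77 qname=example.com "
              f"qtype=A qlen=40 rlen=120" for i in range(3)]
    return lines


SAMPLE_DNS_LOG = constructed_resolver_log()

if __name__ == "__main__":
    for victim, s in find_reflection_abuse(SAMPLE_DNS_LOG).items():
        print(f"{victim}: {s['bytes_out']} bytes sent, peak factor {s['max_factor']:.1f}x")
```

In the constructed sample each 64-byte query returns 3300 bytes, a factor of about 51; the victim receives the full 26,400 bytes while the attacker spent 512. The detection is run on the resolver, which is the one party that sees both the query size and the response size; the victim only sees unsolicited responses arriving.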
b) UDP Flood
- A flood of User Datagram Protocol (UDP) packets is sent to random or specific ports on the target.
- These packets may be small, but they consume network resources.
- Attackers often spoof the source IP to hide their identity and complicate tracing.
c) ICMP (Ping) Flood
- Attackers bombard the target with ICMP echo-request (“ping”) packets.
- The target attempts to reply with echo-reply, tying up resources.
- This type can overwhelm both bandwidth and processing capacity.

d) RST-FIN Flood
- This is a TCP-based volumetric attack using RST (reset) and FIN (finish) packets.
- Since FIN and RST packets are used to gracefully and forcefully shut down connections, floods of them can confuse the TCP stack on a target system.
- The repeated termination signals consume resources, leading to degraded or halted service.
e) Smurf Attack
- Targets IP broadcast networks by sending spoofed ICMP echo requests.
- The source IP is forged to be that of the victim, so all broadcast devices reply to the victim.
- The reply flood can overwhelm the victim’s bandwidth and processing capacity.
- The name “Smurf” comes from the tool originally used to carry out this attack.

Why These Attacks Matter (Even for Email Security Teams)
At DMARCReport, our primary concern is protecting email domains. But the same bad actors who launch phishing or spoofing campaigns often combine them with DDoS attacks. Here’s why understanding DDoS is important for organizations worried about email security:
- Collateral Damage: A DDoS attack could take down web-based admin tools for your email infrastructure, making it difficult to monitor or respond.
- Diversion Tactic: Attackers may use DDoS as a smokescreen while executing more targeted attacks (e.g., domain spoofing, phishing).
- Domain Reputation: If your infrastructure is disrupted, it may affect how other services (like DNS) respond, which in turn can impact email deliverability.
- Recovery Costs: DDoS isn’t just about downtime — mitigating it (via scrubbing services, firewalls, etc.) can be expensive, and that cost can divert resources from email security projects.
How to Mitigate These Threats
Based on our experience and best practices across security domains, here’s how you can defend against these common DDoS attacks:
- Use DDoS Mitigation Services: Employ cloud-based scrubbing services or DDoS protection appliances that can absorb volumetric traffic before it reaches your core infrastructure.
- Rate Limiting & Filtering: Implement rate limits for DNS queries, HTTP requests, or any externally exposed service. Use filters to drop malformed or suspicious packets.
- Stateful Resource Protection: Make sure your firewalls, load balancers, or stateful devices have capacity planning and do not allow unlimited connection states.
- TLS/SSL Hardening: Use the latest protocols and ensure that SSL/TLS handshake renegotiation is limited. Drop invalid handshake attempts.
- Redundancy & Anycast: Distribute your infrastructure (DNS, web, API servers) across multiple geographic regions or use Anycast routing to absorb traffic.
- Monitoring & Alerting: Set up real-time monitoring for unusual traffic patterns, connection exhaustion, or sudden spikes in requests.
- Incident Response Plan: Have a clear plan (and team) ready for DDoS attacks — including failover, communication, and recovery procedures.
- Collaboration: Work with your ISP or DDoS mitigation provider; they might have an upstream scrubbing center.
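The rate limiting and stateful resource protection items above are two sides of one design problem: a limiter must keep per-client state, so a flood of spoofed sources can exhaust the limiter itself unless that state is bounded. The following is an added example, not code from the DMARCReport article: a per-client token-bucket limiter of the kind placed in front of DNS, HTTP or any exposed service, with a hard cap on the number of tracked clients and least-recently-seen eviction. The rate, burst and client-cap values, and the traffic fed through it, are constructed assumptions.

```python
# Added example (not from the DMARCReport article): a per-client token-bucket
# rate limiter with a bounded client table, so the limiter cannot itself be
# pushed into state exhaustion by a flood of spoofed sources.
from collections import OrderedDict


class RateLimiter:
    def __init__(self, rate, burst, max_clients=10_000):
        self.rate = float(rate)          # sustained requests per second
        self.burst = float(burst)        # bucket capacity: allowed short burst
        self.max_clients = max_clients   # upper bound on tracked clients (assumed value)
        self.buckets = OrderedDict()     # client -> [tokens, last_seen]; oldest first

    def allow(self, client, now):
        """Return True if the request is within budget. `now` is passed in
        (seconds) so behaviour is deterministic and testable."""
        if client in self.buckets:
            tokens, last = self.buckets.pop(client)
            tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        else:
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)   # evict least recently seen client
            tokens = self.burst
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[client] = [tokens, now]       # re-insert as most recent
        return allowed


def simulate(limiter, events):
    """Feed (timestamp, client) events through the limiter; return (allowed, denied)."""
    allowed = denied = 0
    for ts, client in events:
        if limiter.allow(client, ts):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


def constructed_events():
    """Constructed traffic: one client sends 15 requests at once and 6 more a
    second later; a second client sends a single request in between."""
    return ([(0.0, "203.0.113.7")] * 15
            + [(0.5, "198.51.100.4")]
            + [(1.0, "203.0.113.7")] * 6)


if __name__ == "__main__":
    limiter = RateLimiter(rate=5, burst=10)
    print(simulate(limiter, constructed_events()))
```

With a sustained rate of 5 requests per second and a burst of 10, the first client gets 10 of its 15 simultaneous requests through, earns 5 more tokens over the next second, and has the sixth later request refused, while the second client is unaffected. The eviction cap is the part worth thinking about: an evicted client that returns gets a fresh burst, so size `max_clients` to your real client population and pair the limiter with the upstream scrubbing described above for floods that exceed it.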

Final Thoughts
DDoS attacks remain one of the most potent and disruptive cyber threats for online services. At DMARCReport, we believe that defending your email domain isn’t just about SPF, DKIM, and DMARC — it’s also about protecting the underlying infrastructure that your email systems depend on. By understanding the 12 common types of DDoS attacks, security teams can be better prepared to detect, mitigate, and respond to incidents.
Even though DDoS attacks may seem unrelated to email, in reality, they intersect at multiple points — whether through DNS, TLS, or web interfaces. A multi-layered defense strategy (combining network-level protections with email authentication) gives you the best chance to stay resilient in a threat landscape where attackers use every tool in their arsenal.
