Explore the different types of DDoS (Distributed Denial of Service) attacks by reading our comprehensive table detailing the various attack types and their characteristics.
| Volumetric attack types | Definition | Impact |
| --- | --- | --- |
| ICMP Flood | ICMP (Internet Control Message Protocol) is a protocol whose messages computers use to communicate with each other over the internet. These messages help computers troubleshoot and manage their network connections. | In an ICMP flood attack, the malicious party sends a massive number of ICMP messages to a target computer or network. The flood of messages overwhelms the computer or network's ability to process them, making it slow or unresponsive. As a result, legitimate traffic may not be able to get through. |
| IP/ICMP Fragmentation | Data packets can be too big to send all at once. Therefore, they are broken up into smaller fragments to be sent. This type of attack happens when a malicious actor sends a large amount of fragmented data packets to a computer or network. | When the target computer or network receives these packets, it slows down or even crashes because it is trying to reassemble the fragments into their original datagrams. |
| UDP Flood | UDP (User Datagram Protocol) is a method for sending data over the internet, mostly used for online gaming and streaming video. An attacker will send a massive number of UDP packets to the target. The goal of these attacks is almost always to fill up the pipe with traffic to congest the port. The packets could be completely random or pretend to be from a fake source. | The target computer or network gets bombarded by all of these packets and tries to process them all. Since the target is spending all of its resources dealing with these useless packets, it will not be able to handle legitimate requests properly. As a result, it might slow down or even crash entirely. |
| IPSec Flood (IKE/ISAKMP association attempts) | IKE (Internet Key Exchange) and ISAKMP (Internet Security Association and Key Management Protocol) are protocols within IPSec that help to set up secure connections between devices. In this attack type, the malicious actor bombards a target device or network with a ton of requests to establish secure connections using IKE/ISAKMP, hoping one of those connections will work. These attacks are typically aimed at firewalls or nodes that are expected to be tunnel endpoints. The goal is to occupy the target with bogus connection attempts, so that it is swamped trying to sort through them, causing failures on the real tunnels. | This results in the target computer or network becoming slow or unresponsive. |
| DNS reflection amplification DDoS attack | This attack is similar to a reflection amplification DDoS attack; the only difference is that this type exploits vulnerable DNS (Domain Name System) servers to amplify the attack traffic. The attacker spoofs the source IP address in the DNS queries they send, and the servers are then exploited to amplify the attack traffic. | As the responses from the vulnerable DNS servers are directed towards the target server or network, they consume its available bandwidth, computational resources, or other network resources, causing it to become overwhelmed. Moreover, this flood of traffic prevents legitimate users from accessing the targeted service or website, resulting in a denial of service. |

| State Exhaustion Attacks | Definition | Impact |
| --- | --- | --- |
| HTTP/S Flood | In an HTTP/S flood, the malicious actor floods the website with an enormous amount of HTTP or HTTPS requests in a short amount of time. | Dealing with the flood of requests ties up the server's resources such as processing power, memory, and network bandwidth. As a result, the server becomes slow or unresponsive. Legitimate users trying to access the website will experience delays, timeouts, or even denial of service, since the server cannot handle their requests amidst the flood of malicious ones. |
| SYN Flood | A SYN (Synchronize) packet is, simply put, the packet with which a computer tries to open a connection with another computer or network. The attacker sends a flood of SYN packets to start connections with no intention of continuing them, which leaves the target hanging. The goal is typically to fill up the connection state table on the server. | As a result, the server is unable to process any new connections. This causes trouble for new users or systems trying to connect. |
| SSL Exhaustion | SSL (Secure Sockets Layer) is a technology that encrypts data sent between your computer and a website. In an SSL exhaustion attack, the malicious actor floods the target server with a huge number of requests to set up secure connections (the SSL handshake). | Each request requires the server to generate new encryption keys. The flood of requests can quickly use up the server's capacity for delivering keys. In turn, legitimate users trying to access the website might experience delays or find the site unresponsive. |
| DNS query / NXDOMAIN floods | When your computer wants to visit a website, it sends a request to the DNS server asking for the IP address associated with the website's name. If the website doesn't exist, the DNS server will respond with an NXDOMAIN error. | An attacker floods the target DNS server with a massive number of requests, asking for the IP address of non-existent or random domain names, making it unable to handle legitimate requests. This results in slowing down internet access for others. |

| Application layer attacks | Definition | Impact |
| --- | --- | --- |
| Slowloris attack | In a Slowloris attack, the attacker will open many connections to the target web server, but will send data very slowly or in tiny, incomplete chunks. | Because web servers have a limit on the number of connections they can handle at once, the server struggles to handle new legitimate requests from other users. As a result, the web server will become unresponsive or slow for others trying to access the website. |
| Slow POST attack | In a Slow POST attack, the malicious actor sends a series of requests to the server, pretending to upload data, but sending it slowly. | The web server keeps the connection open and reserves resources to handle the slow upload. As a result, the server becomes overwhelmed and struggles to handle new legitimate requests. |
| Slow Read attack | When you visit a website, your web browser sends requests to the server asking for web pages. In turn, the server responds with the requested web page, which your browser then displays. In a Slow Read attack, the attacker will send requests to the server for a web page, but will then read the response extremely slowly. | While the server is waiting for the slow reader to finish, it keeps the connection open and reserves resources to handle it. As a result, with many slow connections tying up its resources, the server becomes overwhelmed and slow, since it struggles to handle new legitimate requests. |
| Low and Slow attack | In this attack, the malicious actor does not bombard the target system with a massive number of requests all at once; instead, they send requests at a slow pace in order to evade detection. | Despite the slow pace, the continuous stream of requests eventually adds up, overwhelming the target system's resources over time. |
| Large payload POST attacks | These attacks are also referred to as Oversize payload attacks or Jumbo payload attacks. The attacker exploits the HTTP POST method to overwhelm a web server by sending it an abnormally large amount of data in each request. | In this attack, the targeted web server may become unresponsive or inaccessible to legitimate users attempting to access the website or submit valid requests, because it is struggling with resource exhaustion from handling the large requests. |
| Replay attack | This attack uses "recorded" bits of network traffic, which the attacker then replays (often on loop and from many sources) to mimic "real" traffic. Sequence numbers and such will not line up, so it will typically not establish a real session, but as it is valid protocol traffic it does tie up the server and/or application, which needs to process each packet before rejecting it. | The impact is typically that the application will be busy trying to process the replayed packets before rejecting them as invalid. This will usually result in either an increased CPU/memory load (which slows the experience for connected users) or session tables becoming full (hindering new users/sessions from connecting). |

GLAD (Global Low-Latency anti-DDoS protection) is a collection of in-house tools that we offer at i3D.net that can prevent, detect, and thwart a strike. It's important to understand what a "strike" is, what strikes can do to disrupt services, and how our GLAD product can deter such attacks. For more information about how attacks work and how they can impact services, see the DDoS attack types overview.
Warden is i3D.net's advanced protocol-aware DDoS protection system, operating as a standalone add-on to GLAD Advanced. Unlike traditional DDoS protection that relies on volumetric filtering, Warden provides intelligent traffic analysis at the packet level, making it ideal for gaming, real-time communication, and applications using custom protocols.
Key Benefits of Warden:
Zero latency impact - Direct NIC-level processing bypasses OS overhead
Protocol-specific protection - Understands legitimate vs. malicious traffic patterns
Eliminates false positives - Prevents blocking of legitimate users during attacks
Real-time management - API-driven configuration with sub-second propagation
Below is an explanation of i3D.net's GLAD tooling and how each function can help to thwart DDoS attacks.
Automatic detection discovers incoming DDoS attacks. Once an attacker network is detected, this service blocks all traffic from it. In addition, null routing silently discards (or "drops") malicious incoming traffic: the undesired traffic is directed to a route that goes nowhere, protecting the infrastructure. Null routing renders the target server inaccessible to anyone, including clean traffic.
Advanced also includes the features from the Standard package above.
If a specific destination IP/port combination is not critical to the continued operation of the application running on the server, it can be set to receive a limited amount of traffic.
It limits total traffic for a destination to a configurable Mbps value, such as “all traffic to a certain destination port.”
If the rate limit is exceeded, the overflow traffic is discarded randomly, affecting both legitimate and illegitimate traffic.
Understanding Rate Limits
Rate limits control the number of requests that a server can receive within a specific timeframe. These limits help maintain service quality and prevent abuse. Once exceeded, further requests may be blocked or delayed until the limit resets.
For example:
If you normally expect 10 Mbps traffic to a certain destination IP & destination port combination, you might decide to set a 20 Mbps rate limit.
But if you then receive a 90 Mbps attack, the 20 Mbps rate limit will randomly drop the exceeding 80 Mbps, meaning you’ll pass through approximately 4 Mbps of legitimate traffic and 16 Mbps of illegitimate traffic.
This means you effectively have 60% packet loss on your legitimate 10 Mbps of traffic when the rate limit is performing exactly as it was configured to do.
Clients often rate limit ICMP traffic to ensure servers respond to pings during normal operation, but halt responses during ICMP-based DDoS attacks. Meanwhile, the application/protocol/port which runs on the server remains unaffected by this ICMP traffic rate limit.
Premium also includes the features from the Advanced and Standard packages above.
Byte matching is a technique that identifies and filters out malicious or undesirable traffic from incoming network packets based on specific byte patterns. Customers can tailor the signatures that are matched. As a result, packets carrying bytes that are not supposed to enter the network are blocked, safeguarding the targeted infrastructure.
Warden is a part of the GLAD Premium package and provides enterprise-grade, protocol-aware DDoS protection.
For unparalleled anti-DDoS protection, Warden is our custom software that filters traffic based on a dynamic whitelist furnished by the customer. It provides inline filtering, which allows you to achieve a higher level of specificity and detail when filtering your traffic stream.
Warden is designed to be flexible and adaptable. New features are continuously added whenever technically feasible, enabling you to benefit from the latest advancements in traffic filtering technology. In the event of server failures, Warden follows a fail-open system. If the redundant systems fail, instead of dropping traffic, Warden allows all traffic to pass through. This ensures that your network remains operational even in challenging situations.
Warden also supports Active-Active setups, allowing horizontal scaling. This means we can expand the capacity of our filtering infrastructure by adding more instances of Warden, distributing the workload, and ensuring scalability.
For more information on integrating Warden, please refer to Warden: Overview of how it works
Below is an overview of our product packages, detailing the features included.

| Feature | Standard | Advanced | Premium |
| --- | --- | --- | --- |
| Default ACL on VLAN | X | X | X |
| Automatic detection and auto null-route | X | X | X |
| Custom ACL on VLAN | - | X | X |
| Rate limiting | - | X | X |
| Byte matching | - | - | X |
| API Access | - | - | X |
| Priority Support | - | - | X |
| Dynamic IP Whitelisting (Warden) | - | - | X |
| Advanced Payload Fingerprinting (Warden) | - | - | X |
| Protocol-Aware Intelligence (Warden) | - | - | X |
| Zero-Latency Processing (Warden) | - | - | X |

GLAD packages are available immediately upon service activation
Warden requires initial configuration consultation
GLAD API access for Warden is provided with comprehensive documentation at https://glad-api.i3d.net/
GLAD API reference: https://glad-api.i3d.net/
A DDoS attack is a malicious cyber attack in which a large number of compromised (infected with malware/virus) computers, often referred to as a "botnet," are used to overwhelm a target system such as a network or website with an excessive amount of traffic. The malicious actor's goal in a DDoS attack is to make the targeted service unavailable to its intended users by flooding it with so much traffic that it becomes unable to handle legitimate user requests, which causes a disruption of service.
The attacker first gains control over a network of compromised devices. These devices can include computers, servers, and more, and are usually infected with malware. Once the attacker has control over this botnet, they orchestrate a coordinated attack.
The attacker then directs the botnet to send a massive volume of traffic towards the target system or network. This flood of traffic can come in various forms, such as HTTP requests or even legitimate-looking requests that are specifically designed to exploit vulnerabilities in the target's infrastructure.
As a result, the infrastructure becomes overwhelmed by the flood of incoming requests. In turn, legitimate user requests struggle to get through because the resources are tied up in handling the malicious traffic.
As the target system's resources get consumed by the attack, its performance starts to degrade. It may become slow, unresponsive, or even crash completely. In severe cases, the targeted service may go offline entirely, resulting in a denial of service for legitimate users. That's where our GLAD services come in to thwart such attacks on your infrastructure. On the following pages, we have listed various DDoS attacks that can potentially affect services. To help thwart such attacks, we offer an Anti-DDoS product: GLAD, our Global Low-Latency Anti-DDoS solution. It offers a proprietary set of custom tools to detect, intercept, and deflect impending attacks.
Welcome to GLAD! This guide will walk you through the steps required to configure your account for optimal traffic protection.
The first step in the process is to create your GLAD account.
Request account creation: Your GLAD account will be created.
API token: After your account is created, you will receive an API token.
Create your IP lists: You will need to prepare a whitelist and a blacklist of IP addresses. Afterwards, provide us with the IPs that will access the API.
The NetOps team will whitelist these IPs at the ACL (Access Control List) level to grant API access.
The GLAD team will assist you in configuring armors within Warden.
Align on traffic protection: In this crucial step, you work with the GLAD team to identify the traffic that requires protection.
Provide the following traffic details:
TCP/UDP Protocols
Ports
Bare Metal IP information
Bytematching details (if applicable)
Commence a dry run (Traffic fingerprint):
We will set up test armors to monitor your traffic.
This allows us to accurately configure the parameters for production.
Whitelist IPs through the API: The GLAD team will enable you to share your whitelisted IPs.
Use GLAD API: Utilize the POST lists function from the GLAD API to share your whitelisted IPs.
IP protection: Provide a list of IPs that need protection.
Packets per Second (PPS) threshold: Set up the PPS threshold for graylisted traffic.
Protocol configuration: Configure the protocol for UDP or TCP traffic. If you are protecting both, create 2 separate armors.
You will receive a Grafana environment for monitoring.
You have now configured your GLAD account for optimal traffic protection. If you have any questions or need more assistance, please contact our support team.
Warden is our proprietary software solution designed to enhance the security and manageability of your network traffic. By leveraging a dynamic whitelist, which is meticulously tailored and maintained by you, Warden enables unparalleled control and precision in traffic filtering. This document provides an overview of its key capabilities and benefits.
Warden's ability to operate with a custom dynamic whitelist is at the core of its functionality. You can curate this list to suit your specific needs, ensuring that only approved traffic passes through. This feature provides extensive flexibility and personalization, making it an integral component of secure network management.
Warden excels in providing inline filtering capabilities, which are instrumental in achieving a higher degree of detail and specificity when filtering network traffic. By processing data in real-time, Warden ensures that only desired traffic is allowed, enhancing both security and performance without introducing latency.
Enhanced Security: With its dynamic whitelist and inline filtering, Warden provides an extra layer of security, reducing the potential for harmful traffic to infiltrate the network.
Customizability: You have full control over the whitelist, making Warden adaptable to various network environments and requirements.
Real-Time Processing: The software's ability to process traffic inline ensures quick responses to potential threats, maintaining the flow of legitimate data without delay.
With real-time traffic filtering and customizable whitelists, studios can protect their servers from malicious attacks and ensure that only legitimate players are accessing their games. Warden's scalability ensures that as a game grows in popularity, its network infrastructure can handle increased traffic without compromising gameplay experience. By integrating Warden, game studios can focus more on developing engaging content, while enjoying peace of mind regarding network security and performance.
In today's digital environment, maintaining control over network traffic is essential. Warden stands out by offering a robust, customizable, and real-time traffic management solution. By utilizing a dynamic whitelist tailored by you, Warden provides not just security, but a precision tool for effectively managing and filtering network activity to meet your unique needs. Contact our to get started.
When you use our Anti-DDoS solutions, it's important to understand listings and how they are used.
This section explains the purpose and use of whitelisting, greylisting, and blacklisting in Anti-DDoS solutions. Whitelisting allows only trusted IPs, greylisting temporarily blocks potential threats for verification, and blacklisting denies access to known malicious IPs.
These methods help manage and prevent DDoS attacks by filtering traffic based on its origin.
Blacklisting: Blocks traffic from harmful or suspicious IP addresses or domains. Once blacklisted, their traffic is automatically denied to prevent attacks from known threats.
Greylisting: Greylisting is only used as a buffer during the authentication period. Warden allows you to connect even though you are not whitelisted, requiring extra checks before allowing access. If you are in the middle of a DDoS attack, Warden will start limiting greylisted traffic, and traffic from unauthenticated IP addresses can be dropped as a safety measure.
Whitelisting: Creates a list of approved IP addresses or domains allowed to access the network or service. Whitelisted traffic is not rate limited.
Warden was originally designed to handle billions of entries in its lists and to work with very long expiration duration values (e.g. in the order of 24 hours per item), since at the time there was no mechanism to refresh the expiration through POST /lists/{id}.
In that historical context, as a database optimization measure (consider that an expiration can be multiple years in the future as well), the design decision was made for the Warden dataplane to process natural whitelist expiration on whole clock hours only.
This means that Warden rounds the expires value passed via the POST /lists/{id} endpoint down to the nearest full hour. Some examples:
"expires": "2025-08-20T19:04:55Z" becomes "2025-08-20T19:00:00Z" in the Warden dataplane.
"expires": "2025-08-20T20:55:31Z" becomes "2025-08-20T20:00:00Z" in the Warden dataplane.
When exact expiration times are required, a workaround is to issue a longer expiration (e.g. add +1h to your intended timestamp) and then, at a time of your choosing, make a second POST /lists/{id} call with an expires value in the past, which will immediately revoke that item from the list and propagate to the Warden dataplane.
We are currently working on a migration to a different database backend that will not require this optimization measure, thereby enabling Warden to handle far more granular natural expiration of IPs on lists. It is expected to be brought live in the coming weeks.
Full service continuity while attacks are ongoing: New players can continue to connect to the game instance even while the server is under attack. When relying on greylisting, untrusted IPs will experience degraded service or may even have no service at all when the greylist-pps value is exceeded.
Reduced operational overhead: You can skip thinking about how to interact with the blocklisting feature entirely: anything that is not trusted will be automatically dropped.
Reduced exposure to low-and-slow attacks: You cannot receive packets from untrustworthy sources, significantly reducing the attack surface of your game and helping to defend against application layer attacks, such as those involving malformed packets. To avoid triggering greylisting, manage your PPS (Packets Per Second) and ensure it remains below the specified threshold.
Easier troubleshooting: Debugging is much easier because a connection will either always work completely or never work at all; there is no intermittency factor.
In some cases it is not possible to integrate with the authentication layer; the game operator could then instead choose to add IPs to the trusted list based on each IP's interactions with the server while in the greylist.
Once your request reaches the GLAD API, updates propagate rapidly through Warden nodes worldwide. However, in some cases the user still tries to connect to the game instance before the IP address collected during authentication makes it onto Warden's trusted IPs list; a greylist would allow the user to still complete their initial connection successfully.
Our system verifies the protocol type, determining whether it is TCP (Transmission Control Protocol) or UDP (User Datagram Protocol).
In Anti-DDoS strategies:
TCP provides reliable, ordered, and error-checked delivery of streams of data between applications. It's essential for ensuring that traffic flows as intended without disruptions.
UDP offers a simpler transmission model with no handshakes, suitable for time-sensitive communications like gaming or streaming, where speed is prioritized over reliability.
Using Transmission Control Protocol
First, Warden will check to see if the player IP address is blacklisted by you. If it is, then they are dropped and denied access to the network.
Based on your list of approved IP addresses, Warden will check to see if the player IP address is whitelisted. If it is, then the IP address is approved, and in turn the player is allowed access to the network.
If the player IP address is not whitelisted, then Warden verifies if the destination port is allowed. If it isn't, the packet is dropped.
If the destination port is valid, then the packet goes through rate-limiting. If the PPS is below the configured threshold, then the packet is allowed. Otherwise, it is dropped.
Using User Datagram Protocol
Warden will check to see if the player IP address is blacklisted. If it is, the player IP address is dropped and denied access to the network.
If the player's IP address is already whitelisted, Warden performs bytematching (if enabled in the Armor). There are 2 scenarios that can occur afterwards:
If it passes bytematching, or in the absence of bytematching rules, the packet is allowed into the network.
If the packet fails bytematching, then it is denied access into the network.
If the player's IP is not whitelisted, Warden verifies if the destination port is allowed. If it isn't, the packet is dropped.
If the destination port is valid, then Warden performs bytematching (if enabled in the Armor).
If the packet fails bytematching, then it is denied access into the network.
If it passes bytematching, and if the packets per second (PPS) rate is below the configured threshold, then the packet is allowed to enter the network.
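The TCP and UDP decision flows above, combined with the whole-hour rounding of whitelist expiry, modelled as an added Python example (not i3D.net's code). The `Armor` class, the reason strings, the prefix-style bytematch, the caller-supplied greylist PPS reading and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dataplane_expiry(expires: str) -> datetime:
    """Round an API 'expires' value down to the whole clock hour."""
    return parse_utc(expires).replace(minute=0, second=0)


def port_allowed(port: int, specs: List[str]) -> bool:
    """Match a port against entries such as "4096" or "1024-2048"."""
    for spec in specs:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


@dataclass
class Armor:
    protocol: str                      # "tcp" or "udp"
    ports: List[str]
    gl_pps: int                        # tcp-gl-pps or udp-gl-pps
    blacklist: Set[str] = field(default_factory=set)
    whitelist: Dict[str, str] = field(default_factory=dict)  # ip -> expires as sent
    # Assumption: bytematching is modelled as "payload starts with this pattern".
    bytematch: Optional[bytes] = None

    def whitelisted(self, ip: str, now: datetime) -> bool:
        expires = self.whitelist.get(ip)
        return expires is not None and now < dataplane_expiry(expires)

    def passes_bytematch(self, payload: bytes) -> bool:
        if self.protocol != "udp" or self.bytematch is None:
            return True                # no rules: nothing to fail
        return payload.startswith(self.bytematch)

    def decide(self, ip: str, port: int, payload: bytes,
               now: datetime, greylist_pps: int) -> str:
        """Return "allow:<why>" or "drop:<why>" following the order on the page."""
        if ip in self.blacklist:
            return "drop:blacklisted"
        if self.whitelisted(ip, now):
            if not self.passes_bytematch(payload):
                return "drop:bytematch"
            return "allow:whitelisted"
        if not port_allowed(port, self.ports):
            return "drop:port"
        if not self.passes_bytematch(payload):
            return "drop:bytematch"
        if greylist_pps < self.gl_pps:  # assumed: current greylisted PPS reading
            return "allow:greylisted"
        return "drop:greylist-pps"


# Constructed sample data (documentation address ranges, made-up pattern).
UDP_ARMOR = Armor("udp", ["1024-2048", "4096"], gl_pps=75000,
                  blacklist={"203.0.113.9"},
                  whitelist={"198.51.100.7": "2025-08-20T19:04:55Z"},
                  bytematch=b"GS")
STRICT_TCP = Armor("tcp", ["80", "443"], gl_pps=0,
                   whitelist={"198.51.100.7": "2025-08-20T20:55:31Z"})

if __name__ == "__main__":
    for clock in ("2025-08-20T18:59:00Z", "2025-08-20T19:02:00Z"):
        now = parse_utc(clock)
        print(clock,
              UDP_ARMOR.decide("198.51.100.7", 1500, b"GS\x01", now, 10),
              STRICT_TCP.decide("198.51.100.7", 443, b"", now, 10))
```

With `gl_pps` set to 0, every non-whitelisted packet ends in `drop:greylist-pps`, so an entry that lapses on the hour cuts the client off until it is added again.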

| Field | Value | Description |
| --- | --- | --- |
| enabled | true | Enables the armor (i.e. routes traffic through Warden) |
| prevention-mode | true | Allows Warden to actually drop packets |
| ports | ["80", "443"] | A list of ports/port ranges to allow through Warden |
| protocol | tcp | Defines the armor as a TCP/UDP armor |
| tcp-established | true | Allow the protected IP to initiate connections to the Internet |
| tcp-gl-pps | 0 | Sets the limit (in PPS) for greylisted (non-whitelisted) TCP traffic |
| udp-gl-pps | 75000 | Sets the limit (in PPS) for greylisted (non-whitelisted) UDP traffic |
| dpi-profile | "" | (UDP only) sets a bytematching profile |
| reject-src-port-1024 | true | Rejects packets if the source port is less than 1024 |
| prefix | 32 | The CIDR part of the subnet |
| description | "Client gameserver" | An optional description text |
| tenant-id | 42 | The client's tenant ID |

| Field | Value | Description |
| --- | --- | --- |
| enabled | true | Enables the armor (i.e. routes traffic through Warden) |
| prevention-mode | true | Allows Warden to actually drop packets |
| ports | ["1024-2048", "4096"] | A list of ports/port ranges to allow through Warden |
| protocol | udp | Defines the armor as a TCP/UDP armor |
| tcp-established | false | Allow the protected IP to initiate connections to the Internet |
| tcp-gl-pps | 50000 | Sets the limit (in PPS) for greylisted (non-whitelisted) TCP traffic |
| udp-gl-pps | 0 | Sets the limit (in PPS) for greylisted (non-whitelisted) UDP traffic |
| dpi-profile | "" | (UDP only) sets a bytematching profile |
| reject-src-port-1024 | true | Rejects packets if the source port is less than 1024 |
| ip | "1.2.3.4" | The net ID part of the subnet (first IP) |
| prefix | 32 | The CIDR part of the subnet |
| description | "Client web server" | An optional description text |
| tenant-id | 42 | The client's tenant ID |