Infrastructure layer (Layer 2 to 4) DoS attacks flood the network with unnecessary traffic until systems become unavailable. The LoadMaster network processing engine validates connections and checks for protocol correctness (header, URL, HTTP version, method) while proxying and protecting the Real Servers.

The LoadMaster can help mitigate the categories of attack below by means of its:

  • Network processing engine
  • WAF engine and subscription rules
  • Whitelists/blacklists
  • High-capacity connection ability
  • Content switching
  • SSL/TLS termination and SSL/TLS validation

SYN Flood Attack

The attackers use half-open TCP connections to make the server exhaust its resources, because it must keep the information describing all pending connections. This results in a system crash or system failure.

TCP Reset Attack

By listening to the TCP connections of the victim, the attacker sends a fake TCP RESET packet to the victim. This causes the victim to inadvertently terminate its TCP connection.

ICMP Attack

The attacker broadcasts a large number of Internet Control Message Protocol (ICMP) packets to the network, with the intended victim's IP address spoofed as the source. Most devices on the network will (by default) respond by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work. ICMP datagrams can also be used to start an attack via ping: attackers use the ping command to construct an oversized ICMP datagram to launch the attack.

UDP Storm Attack

This kind of attack impairs the host’s services and congests or slows down the prevailing network. In this attack, a connection is established between two UDP services, each of which produces a very large number of packets.

Reflected Request (DNS/NTP) Attack

In this attack scenario, the attacker sends a large number of UDP-based requests to a name server or NTP server using a spoofed source IP address. The server, acting as an intermediate party in the attack, then responds by sending information back to the spoofed IP address, which is the victim. Because of the amplification effect of a disproportionate response, it can cause a serious bandwidth shortage. For example, a reflected NTP attack can amplify the traffic used to create the attack by 556 times, making it easy for attackers to force-multiply their stolen resources.
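As an added example (not part of the LoadMaster documentation or product), the following check looks in flow records captured in front of a DNS or NTP server for the lopsided reply-to-request byte ratio that reflection produces. The flow records, addresses, thresholds and the function name `find_reflection` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), as seen in front of the servers:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 123, "udp", 48),    # ordinary NTP query
    ("192.0.2.10", 123, "198.51.100.7", 40000, "udp", 48),    # same-size reply
    ("203.0.113.5", 51000, "192.0.2.10", 123, "udp", 234),    # small request, claimed source
    ("192.0.2.10", 123, "203.0.113.5", 51000, "udp", 44000),  # very large reply
    ("192.0.2.10", 123, "203.0.113.5", 51000, "udp", 44000),
    ("203.0.113.9", 33000, "192.0.2.53", 53, "udp", 60),      # ordinary DNS lookup
    ("192.0.2.53", 53, "203.0.113.9", 33000, "udp", 120),
]

REFLECTABLE_PORTS = {53: "dns", 123: "ntp"}  # the UDP services named in the text


def find_reflection(flows, min_ratio=10.0, min_reply_bytes=10_000):
    """Return sorted (server, service, claimed_client, ratio) for lopsided exchanges.

    The thresholds are assumptions; tune them against a baseline of normal traffic.
    """
    req = defaultdict(int)  # bytes sent to the service by each claimed client
    rsp = defaultdict(int)  # bytes the service sent back to that same address
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport in REFLECTABLE_PORTS:    # traffic towards the service
            req[(dst, dport, src)] += size
        elif sport in REFLECTABLE_PORTS:  # traffic from the service
            rsp[(src, sport, dst)] += size
    findings = []
    for key, out_bytes in rsp.items():
        server, port, client = key
        in_bytes = req.get(key, 0)
        # Replies with no request on record count as unbounded amplification.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio and out_bytes >= min_reply_bytes:
            findings.append((server, REFLECTABLE_PORTS[port], client, round(ratio, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for server, service, client, ratio in find_reflection(SAMPLE_FLOWS):
        print(f"{server} ({service}) is sending {ratio}x the request bytes to {client}")
```

The address reported as the client is the spoofed source, that is, the likely victim, so a finding is a signal to rate-limit or filter at the server rather than to block that address as an attacker.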

The figure below shows some mechanisms by which a LoadMaster can keep NTP servers from being part of an NTP amplification attack.