- Description of DDoS attacks
Cloud Services International: Description of DDoS attacks
DDoS attacks can be broadly divided into two types: bandwidth consumption and resource consumption.
Both types tie up large amounts of network and machine resources through a large number of legitimate or illegitimate requests, with the aim of paralyzing networks and systems.
DDoS bandwidth consumption attacks can be further divided into two kinds: flood attacks and amplification attacks. A flood attack uses zombie (compromised) hosts to send a large volume of traffic directly to the victim system, with the aim of saturating its bandwidth. An amplification attack is similar in that it also exhausts the victim's bandwidth through malicious traffic amplification, but here the zombie hosts send their messages to a broadcast IP address, so that every host on the subnet behind that broadcast address replies, and those replies are delivered to the victim system.
User Datagram Protocol (UDP) floods: UDP is a connectionless protocol. When packets are sent over UDP there is no handshake; datagrams are simply sent and received without verification. When a large number of UDP packets are sent to the victim system, its bandwidth can become saturated so that legitimate clients can no longer reach it. In a DDoS UDP flood the destination ports of the UDP packets may be random or chosen by the attacker. The victim system will try to process every received packet in order to keep its local services running. If no application is listening on the destination port, the victim replies to the source IP with an ICMP "destination port unreachable" packet. In some cases the attacker forges the source IP address to hide itself, so that the victim's replies do not return to the zombie host but are delivered to the host that owns the forged address. A UDP flood can also affect the network links around the victim system and cause problems for otherwise unaffected systems nearby; whether it does depends on the network architecture and link speeds.
"ICMP floods" send broadcast messages through poorly configured routers in order to consume system resources. The "ping of death" produces a packet larger than the IP protocol allows; a system with no check for this will crash. In a TearDrop attack, a packet is fragmented before delivery and each fragment carries an offset used to reassemble it; the attack forges these offsets so that reassembly goes wrong and the receiving system produces errors.
A SYN flood delivers a TCP SYN attack. A TCP connection normally begins with a full handshake between sender and receiver before any data packets are exchanged: the initiating system sends a SYN request, the receiving system replies with an ACK together with its own SYN request, and the sender then returns its own ACK to confirm communication between the two systems. If the receiving system has sent its SYN-ACK but receives no ACK in return, it retransmits the SYN-ACK after a period of time. The receiving system's processor and memory keep that pending TCP SYN request stored until it times out.
A DDoS TCP SYN attack is also called a "resource consumption attack". It uses the TCP handshake to deliver forged TCP SYN requests from zombie hosts to the victim server, saturating the server's processing resources and preventing it from handling legitimate requests effectively. Specifically, it exploits the three-way handshake between the sender and receiver systems to send the victim a large number of TCP SYN packets with spoofed source IP addresses. As these TCP SYN requests arrive repeatedly in large numbers, the victim's memory and processor resources are exhausted, so that it can no longer serve any request from legitimate clients.

A LAND attack is similar to a SYN flood, but both the source address and the destination address of the LAND packet are set to the IP of the target. This drives the attacked machine into an endless loop until it crashes from resource exhaustion.

A CC attack is another kind of DDoS attack. It uses proxy servers to send the victim server a large number of apparently legitimate requests (usually HTTP GET). CC (Challenge Collapsar) is named after the tool that performs it. The attacker makes inventive use of the proxy mechanism, drawing on the wide range of freely available proxy servers to launch DDoS attacks; many free proxy servers support an anonymous mode, which makes tracing difficult.

In a botnet (zombie network) attack, the zombie network is the group of Internet hosts controlled by a large number of command-and-control (C&C) servers. The attacker spreads malicious software and assembles a zombie network of its own. Zombie networks are difficult to detect because the zombie hosts communicate with the servers only when specific commands are executed, so they remain concealed and hard to find.
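The following is an added example, not code from the original page, that turns the SYN flood and LAND descriptions above into defender-side detection logic: it replays constructed packet records and flags packets whose source equals their destination, and server ports with an unusual number of half-open handshakes. All addresses, ports and the alert threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),   # legitimate client SYN
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),  # server SYN-ACK
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),   # client ACK completes handshake
    ("192.0.2.10", 80, "192.0.2.10", 80, "S"),    # LAND packet: src == dst
] + [
    # forty SYNs from spoofed sources that never send the final ACK
    (f"198.51.100.{i}", 1024 + i, "192.0.2.10", 80, "S") for i in range(1, 41)
]

def is_land_packet(pkt):
    """LAND: source address and port equal the destination address and port."""
    src_ip, src_port, dst_ip, dst_port, _ = pkt
    return src_ip == dst_ip and src_port == dst_port

def half_open_counts(packets):
    """Per server (ip, port): clients that sent a SYN but never the final ACK.

    A SYN opens a pending entry for the client tuple; a pure ACK from the same
    client closes it. Entries still pending mirror the victim's backlog usage.
    """
    pending = defaultdict(set)  # (dst_ip, dst_port) -> {(src_ip, src_port), ...}
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        client, server = (src_ip, src_port), (dst_ip, dst_port)
        if flags == "S":
            pending[server].add(client)
        elif flags == "A":
            pending[server].discard(client)
    return {server: len(clients) for server, clients in pending.items()}

def detect(packets, syn_threshold=20):
    """Return alert strings for LAND packets and suspected SYN floods."""
    alerts = [f"LAND packet from {p[0]}:{p[1]}" for p in packets if is_land_packet(p)]
    for (ip, port), n in half_open_counts(packets).items():
        if n >= syn_threshold:
            alerts.append(f"possible SYN flood: {n} half-open connections to {ip}:{port}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_PACKETS):
        print(alert)
```

On real traffic the threshold should be tuned to the server's normal rate of half-open connections, since a busy but healthy service also carries some pending handshakes at any moment.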
Zombie networks are categorized as IRC, HTTP or P2P botnets, among others, according to the network communication protocol they use. "Application level floods" differ from the attack methods above: they target the application layer, the highest layer of the OSI model. They share the aim of mass consumption of system resources, and they disrupt normal network services by issuing unrestrained resource requests through network service processes such as IIS.