A yo-yo attack is a form of DoS/DDoS aimed at cloud-hosted applications that use autoscaling to absorb spikes in traffic. The attacker floods the service until it scales out to handle the load, then halts the attack, leaving the victim paying for over-provisioned resources. Once the victim scales back in, the attack resumes and the resources scale out again. The result is degraded quality of service during each scaling transition (new instances take time to come up, and scale-in removes capacity just before the next burst) and a financial drain on the victim, whose bill grows with every cycle even though the attacker sends traffic only part of the time.
When a client opens a TCP connection, it sends a SYN (synchronize) segment to the server. The server acknowledges with a SYN-ACK, and the client completes the exchange with an ACK; the connection is then established. This is the TCP three-way handshake, the foundation of every connection made over TCP. A SYN flood exploits it by never sending that final ACK. The malicious client can simply withhold the ACK, or it can spoof the source IP address in the SYN so that the server sends its SYN-ACK to an address that never sent a SYN; that host either answers with a RST (if it is up) or does not answer at all, and in neither case does it complete the handshake.
The server holds each half-open connection in its SYN backlog and retransmits the SYN-ACK for a while, because a lost ACK could equally be the result of network congestion. In an attack, however, the half-open connections created by the malicious client fill the backlog and consume memory, and once the backlog is full the server drops new SYNs, so it can no longer accept connections from any client, legitimate or otherwise. This effectively denies service and, if memory is exhausted, may also destabilise or crash the system because other operating system functions are starved of resources. The standard mitigation is SYN cookies (net.ipv4.tcp_syncookies on Linux), which encode the connection parameters in the initial sequence number of the SYN-ACK so that the server keeps no state until a valid final ACK arrives; a larger backlog and filtering at the network edge help as well.
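To make the backlog exhaustion and the SYN-cookie defence concrete, here is an added example (not code from the original page) that models a listener with a bounded SYN backlog, floods it with spoofed SYNs that never ACK, and then tries one honest handshake, first without and then with a simplified SYN-cookie scheme. All names (Listener, syn_cookie, check_cookie, SERVER, SECRET) are hypothetical, the cookie layout is a simplified version of the real one, and the addresses are constructed documentation ranges.

```python
import hashlib
import hmac
import random

# Added example, not code from the original page: a toy model of a listener's
# SYN backlog, with and without a simplified SYN-cookie scheme. Every name here
# (Listener, syn_cookie, SERVER, SECRET) is hypothetical; the addresses are
# constructed documentation ranges.

MSS_TABLE = [536, 1300, 1440, 1460]             # MSS values a 3-bit index can encode
SECRET = b"per-host secret, rotated regularly"  # assumption: server-side secret
SERVER = ("198.51.100.10", 443)                 # constructed listening socket

def syn_cookie(client, server, mss_idx, counter):
    """Stateless initial sequence number: 5-bit time counter | 3-bit MSS index |
    24-bit MAC over the 4-tuple and the counter (the idea behind SYN cookies)."""
    counter &= 0x1F
    msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{counter}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (counter << 27) | ((mss_idx & 0x7) << 24) | mac

def check_cookie(client, server, ack, now_counter, max_age=2):
    """Recompute the cookie from the final ACK alone; returns the MSS or None."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx = isn >> 27, (isn >> 24) & 0x7
    if (now_counter - counter) & 0x1F > max_age:   # too old, or forged counter
        return None
    if syn_cookie(client, server, mss_idx, counter) != isn:
        return None                                # MAC mismatch: forged ACK
    return MSS_TABLE[mss_idx]

class Listener:
    """Server side of the handshake with a bounded SYN backlog."""
    def __init__(self, backlog=128, syncookies=False):
        self.backlog, self.syncookies = backlog, syncookies
        self.half_open = {}          # client (ip, port) -> ISN awaiting final ACK
        self.established = 0
        self.dropped_syns = 0

    def on_syn(self, client, mss_idx, counter):
        if self.syncookies:
            return syn_cookie(client, SERVER, mss_idx, counter)  # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1   # backlog full: the SYN is silently dropped
            return None
        isn = random.getrandbits(32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, ack, counter):
        if self.syncookies:
            ok = check_cookie(client, SERVER, ack, counter) is not None
        else:
            isn = self.half_open.pop(client, None)
            ok = isn is not None and ack == (isn + 1) & 0xFFFFFFFF
        self.established += int(ok)
        return ok

def simulate(syncookies, spoofed_syns=1000, backlog=128):
    """Flood with spoofed SYNs that never ACK, then try one honest handshake.
    Returns (honest_client_connected, syns_dropped)."""
    srv = Listener(backlog, syncookies)
    counter = 7                                # stands in for a coarse clock tick
    for i in range(spoofed_syns):              # constructed, spoofed sources
        srv.on_syn((f"203.0.113.{i % 250 + 1}", 1024 + i), 3, counter)
    honest = ("192.0.2.25", 40000)
    isn = srv.on_syn(honest, 3, counter)
    connected = isn is not None and srv.on_ack(honest, (isn + 1) & 0xFFFFFFFF, counter + 1)
    return connected, srv.dropped_syns

if __name__ == "__main__":
    print("plain backlog:", simulate(False))   # honest client is shut out
    print("syn cookies:  ", simulate(True))    # honest client still connects
```

Without cookies the 1000 spoofed SYNs fill the 128-entry backlog and the honest client's SYN is dropped along with 872 of the attacker's; with cookies the listener stores nothing per SYN, so the flood costs it only the CPU to compute a MAC per segment and the honest ACK validates and connects. The simplification to note is that a cookie encodes only the MSS, so TCP options such as window scaling and SACK negotiated in the SYN are lost unless, as Linux does, they are carried in the timestamp option.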
Distributed Denial of Service Attack
A distributed denial-of-service attack (DDoS attack) is one in which the traffic flooding the victim originates from many different sources. DDoS attacks are carried out with networks of Internet-connected machines, consisting of computers and other devices (such as IoT devices) that have been infected with malware allowing an attacker to control them remotely. Each such device is a bot and a group of them is a botnet. Once a botnet has been established, the attacker directs an attack by sending instructions to each bot; every bot then sends requests to the target's IP address, and the combined volume overwhelms the server or network, denying service to normal traffic. Because the traffic arrives from many addresses at once, a DDoS is harder to block than a single-source DoS: filtering one address achieves nothing, and bot requests are often indistinguishable from legitimate ones.
A DNS amplification attack is a reflection-based volumetric DDoS attack in which the attacker abuses open (publicly recursive) DNS resolvers to overwhelm a target with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible. The attacker sends DNS lookup requests to one or more open resolvers with the source IP address spoofed to that of the victim, so the resolvers send their responses to the victim rather than to the attacker. The attacker chooses queries that produce the largest possible responses, typically a query of type ANY for a domain with many or large records, with an EDNS0 option advertising a large UDP payload size so the resolver does not truncate the reply. Since each request is far smaller than the response it triggers (tens of bytes in, kilobytes out), the attacker multiplies the bandwidth directed at the target many times over. Two defensive checks follow directly: resolvers should not answer recursive queries from arbitrary addresses, and networks should deploy source-address validation (BCP 38) so that spoofed packets never leave them.
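The following added example (not code from the original page) shows both halves of the mechanism above: it builds the wire-format ANY query with an EDNS0 OPT record that a reflector is sent, so the request size can be seen directly, and it runs a flow-level detector at the victim's edge that flags internal hosts receiving DNS responses no recent outbound query explains. The same matching logic generalises to other UDP reflection vectors (NTP, SSDP) by changing the port. The function names, the flow record layout, the INTERNAL prefix and every sample flow are constructed for the example.

```python
import struct
from collections import defaultdict

# Added example, not code from the original page. Two parts: the small
# ANY+EDNS0 query a reflector is sent (why the request is tiny), and a
# flow-level detector for unsolicited DNS responses at the victim's edge.
# Names, the flow record layout and the sample flows are all constructed.

def dns_any_query(name, txid=0x1234, udp_size=4096):
    """Wire-format DNS query for <name> type ANY, carrying an EDNS0 OPT record
    that advertises a large UDP payload size so the resolver need not truncate."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QD=1, AR=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 255, 1)                # QTYPE=ANY, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

INTERNAL = "10.0.0."   # assumption: prefix of our own address space

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (100.0, "10.0.0.5", 50123, "192.0.2.53", 53, 40),      # legitimate query ...
    (100.1, "192.0.2.53", 53, "10.0.0.5", 50123, 180),     # ... and its answer
    (100.2, "198.51.100.11", 53, "10.0.0.80", 80, 3800),   # reflected: never asked
    (100.2, "198.51.100.12", 53, "10.0.0.80", 80, 3800),
    (100.3, "198.51.100.13", 53, "10.0.0.80", 80, 3800),
    (100.3, "198.51.100.14", 53, "10.0.0.80", 80, 3800),
    (100.4, "198.51.100.15", 53, "10.0.0.80", 80, 3800),
    (100.4, "198.51.100.16", 53, "10.0.0.80", 80, 3800),
    (100.5, "198.51.100.17", 53, "10.0.0.81", 443, 900),   # two strays, below threshold
    (100.6, "198.51.100.18", 53, "10.0.0.81", 443, 900),
]

def detect_reflection(flows, min_reflectors=5, window=30.0):
    """Map victim_ip -> (distinct_reflectors, unsolicited_bytes) for internal
    hosts receiving DNS responses that no recent outbound query explains."""
    queries = {}                                      # (host, port, resolver) -> time asked
    stats = defaultdict(lambda: [set(), 0])
    for ts, sip, sport, dip, dport, nbytes in sorted(flows):
        if sip.startswith(INTERNAL) and dport == 53:
            queries[(sip, sport, dip)] = ts            # we really did ask this resolver
        elif dip.startswith(INTERNAL) and sport == 53:
            asked = queries.get((dip, dport, sip))
            if asked is None or ts - asked > window:   # a response nobody asked for
                stats[dip][0].add(sip)
                stats[dip][1] += nbytes
    return {v: (len(r), b) for v, (r, b) in stats.items() if len(r) >= min_reflectors}

if __name__ == "__main__":
    q = dns_any_query("example.com")
    print(f"request is {len(q)} bytes; a 3800-byte answer is a "
          f"{3800 / len(q):.0f}x amplification")
    print(detect_reflection(FLOWS))   # {'10.0.0.80': (6, 22800)}
```

The query for example.com comes to 40 bytes, so a 3800-byte response is roughly a 95x amplification; the detector pairs each inbound port-53 response with an outbound query from the same internal host and port, and anything unpaired from five or more resolvers is reported. Stateless matching like this is only possible at a vantage point that sees both directions of the victim's traffic, which is why it belongs at the edge rather than on the reflectors.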