DoS and DDoS Glossary of Terms
When it comes to distributed denial of service (DDoS) attacks, the various terms and acronyms can be quite confusing. Prolexic explains all in this glossary of terms. To learn even more, follow the links to other Prolexic resources.
During an A record DDoS attack, malicious actors spoof the source IP address and flood victim domain name system (DNS) servers with requests for A records (commonly used to request an IP address for a domain name) using malformed domain names. The source IP spoofing technique makes it appear the requests came from the attacker’s primary target, causing the victim DNS servers to respond to the target. In a distributed reflection denial of service (DrDoS) attack, large numbers of A record queries from multiple sources can impact DNS availability on the primary target. Details about this attack method are explained in the DrDoS white paper on DNS attacks.
ACK is an abbreviation for acknowledgement. In TCP, the ACK flag signals that a segment has been received, and it is part of the three-way handshake that opens every TCP connection: the client sends a SYN, the server answers with a SYN-ACK, and the client completes the handshake with an ACK. In a SYN reflection attack, the attacker sends SYN packets whose source address is spoofed to the intended target, so the victim servers direct their SYN-ACK responses at the target, which receives a flood of unsolicited acknowledgement packets. Learn more in the DrDoS white paper about SYN reflection attacks.
The Amos POST flood script is PHP code that was popular during the itsoknoproblembro DDoS campaigns. The Amos PHP script launches Layer 7 application attacks against targets from compromised web servers. The Amos POST flood PHP script is sent as encoded content within a request to an infected server, and once the script executes it begins a POST flood against the target. Learn more about how to stop DDoS attacks involving the itsoknoproblembro DDoS toolkit.
Amplification is when an attacker makes a request that generates a larger response. Examples of common amplification attacks include DNS requests for large TXT records and HTTP GET requests for large image files. Learn more about amplification attacks in the SNMP Amplification (SAD) Threat Advisory.
An application-level attack is a DDoS attack that overloads an application server, such as by making excessive log-in, database-lookup or search requests. Application attacks, also called Layer 7 attacks, are harder to detect than other kinds of DDoS attacks, because the connection has already been established and the requests may appear to come from legitimate users. However, once identified, these attacks can be stopped and traced back to a specific source more easily than other types of DDoS attacks. Learn how Prolexic Application-based Monitoring (PLXabm) detects application DDoS attacks.
Application monitoring is the practice of monitoring software applications using a dedicated set of algorithms, technologies and approaches to detect zero-day and application layer (Layer 7) attacks. This monitoring approach is different and goes beyond the capabilities of hybrid monitoring systems, such as web application firewalls. Learn more about application monitoring.
An APT (advanced persistent threat) refers to a sustained, Internet-enabled form of cyber espionage led by a well-resourced entity, such as a government, with the intent to gain and keep access to a specific target, such as a political resistance group or another government. APT operations may also employ DDoS attacks, for example as a diversion while an intrusion is under way.
An Autonomous System (AS) is a network or group of networks that has a single and clearly defined external routing policy. A public AS has a globally unique number associated with it (ASN). This ASN (Autonomous System Number) is used both in the exchange of external routing information (between neighboring autonomous systems) and as an identifier of the AS itself. Every IP address that is publicly routed belongs to an ASN. Learn more about autonomous system numbers (ASN) in this attack report.
An attack vector is the path or method a malicious actor uses against a target: a vulnerability that is exploited to gain unauthorized access to server resources, or, in a DDoS attack, a particular flood type such as a SYN flood, a UDP flood or an HTTP GET flood. Attacks that combine several of these at once are called multi-vector attacks. Learn about multi-vector attacks in this DDoS attack report.
A DDoS attack signature is a pattern in the attack traffic that is unique to a specific DDoS attack or toolkit, such as a fixed packet size, flag combination, payload string or set of HTTP headers. Knowing the attack signature allows a DDoS protection specialist to identify and block the attack. A hacker may randomize a portion of the attack signature in an attempt to fool security experts, but other parts of the signature will stay the same and can still be matched. See an example of an attack signature in the Pandora DDoS Threat Advisory.
Backscatter is a side effect of a spoofed distributed reflection denial-of-service (DrDoS) attack. The intermediary victim machine cannot distinguish between incoming spoofed packets and legitimate packets, so the victim must respond to all of them. The flood of responses creates the condition called backscatter. DDoS mitigation service providers use the term backscatter to refer to the high rate of responses that can be generated by DDoS mitigation equipment. In some cases, malicious actors are able to make use of DDoS mitigation equipment to engage in reflection attacks. Prolexic takes proactive steps to prevent its DDoS mitigation equipment from being used by malicious actors to produce backscatter. Learn more about backscatter and SYN reflection attacks in this Prolexic white paper.
Bandwidth rate refers to the bits per second (bps) rate of network resources consumed during a DDoS attack. When the available bandwidth of a DDoS target is exhausted, availability is impaired and communication comes to a halt, resulting in a loss of access for legitimate users. Learn more about high-bandwidth DDoS attacks in these global DDoS attack reports.
The Border Gateway Protocol (BGP) is used to make core routing decisions on the Internet and is the protocol used by organizations to exchange routing information. Prolexic uses BGP to enable organizations to redirect network traffic through its scrubbing centers.
Bitrate refers to the speed at which data flows in and out of a network, often measured in bits per second (bps). During a DDoS attack, the bitrate of the target network is significantly increased, which can cause problems with resource availability. Learn about DDoS mitigation sensors and data analytics in this white paper.
A booter is a tool used by malicious actors to launch denial of service attacks. This slang term describes a script that has been placed on a compromised server. Usually the scripts are written in PHP, but they have been observed in the wild using multiple programming languages. Some booters include BroDoS (itsoknoproblembro) and GreenShell. Lists of active booter scripts are circulated in the underground and used by fee-based DDoS-as-a-Service providers, which use compromised web servers in their botnets. Get the Booter Shell Script Threat Advisory to learn more.
Booter shell scripts are customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic. These are standalone files that execute GET/POST floods when accessed via HTTP. With booter shells, DDoS attacks can be launched more readily and can cause more damage, with far fewer machines. The skill level required to take over a web server and convert it to a bot is greatly reduced when using a booter shell. A DDoS booter shell script can be easily deployed by anyone who purchases hosted server resources or makes use of simple web application vulnerabilities such as RFI, LFI, SQLi and WebDAV exploits. Learn more in the Booter Shell Script Threat Advisory.
A bot is a computer that is under the control of a third party, usually without the knowledge of its owner. Learn more about bots.
A botnet is a network of bots that can be commanded as a single group entity by a command and control system. Botnets receive instructions from command and control systems to launch DDoS attacks. Learn more about botnets.
A botnet takedown is the process of identifying bots and then working with law enforcement and security experts to measure inbound and outbound traffic to and from the bots. The goal is to trace the traffic to find the location of the command and control server that controls the botnet. When the command and control server is brought down the botnet can no longer be used in a DDoS attack. Learn more about how to take down a botnet.
A botnet takeover occurs when one hacker tries to take over another hacker’s command and control server. The intent of the rogue hacker is to subvert the control of the command and control server from its original owner by changing the passwords and locking down the server. Learn more about how to take over a botnet.
A web server infected with “itsoknoproblembro” scripts. Learn more about itsoknoproblembro.
BroDoS is an abbreviated name for the itsoknoproblembro DDoS toolkit. This toolkit was used during the #opAbabil DDoS campaigns that targeted the financial industry in 2012 and 2013. Learn more in the BroDoS Threat Advisory.
BroLog.py is a free analysis tool provided to the public by PLXsert to interpret and display weblogs from compromised web servers. BroLog empowers administrators with the capability to identify points of compromise and unwilling participation in BroDoS campaigns. The results of the tool reveal decoded attack strings that indicate the times, dates, targets and IP address of the device sending the instruction to start a BroDoS attack. Learn more about DDoS mitigation of this threat in the itsoknoproblembro Threat Advisory.
ByteDOS is a Windows operating system-based tool used by script kiddies (inexperienced malicious actors) to launch denial of service attacks against low-powered servers. An example of ByteDOS use would be an attacker targeting a small server hosting the game of Minecraft. Simple tools such as ByteDOS can have a significant impact on misconfigured servers run by inexperienced administrators. Learn about the problem of DDoS attacks involving online multiplayer gaming communities.
A popular underground PHP shell that can be used to execute commands, view files, and perform other system administrative tasks. C99 is often used to take control of web servers via web application vulnerabilities. Learn more about DDoS attack types in this DDoS attack report.
A certificate authority is a trusted third party that issues digital certificates and is the ultimate keystone in building digital trust relationships.
Caching is the method by which the result of a repetitive request for information is kept in server memory so that the same type of request can be served faster. Modern systems make extensive use of caching at almost every layer of application design. Web servers typically cache repetitive static content in memory, and database servers also attempt to cache the results of repetitive queries. Attackers defeat caching by making requests for items that are unlikely to be cached, such as search queries with randomized parameters, forcing the application to do the full work and increasing CPU and disk usage.
A CAPTCHA is a challenge-response test used to determine if a web application request is being made by a human, not an automated program. A CAPTCHA, which commonly appears as a series of wavy letters intended to confuse optical character recognition scripts, is useful for DDoS attack prevention. CAPTCHA processing takes less computing power to validate than a completed form. If the user does not pass the CAPTCHA test, the form is not processed. CAPTCHAs prevent attackers from using automated scripts to flood a web application form with excessive traffic from junk requests. The CAPTCHA acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
A certificate is an electronic document that contains information that can be used to answer trust questions between clients and servers and also provide the basis for secure communications. A common problem on the Internet for a client is trusting the identity of the server it is connecting to. To solve this problem, a server can present a client with a certificate, digitally “signed” by a third party that the client trusts. If the client does not trust the signing party, it can choose not to trust the server. Certificates can also be used by the server to trust clients or other servers. It is important to remember that the reason certificates exist at all is to establish trust and they depend upon a mutually trusted third party.
Character Generator Protocol (CHARGEN) is a legacy service that listens on TCP and UDP port 19 and returns a stream of characters in response to any input. Because a small UDP request produces a larger response, CHARGEN can be abused by malicious actors to create distributed reflection denial of service (DrDoS) attacks. The problem of CHARGEN misuse is more than a decade old; in 1996 the CERT Coordination Center issued an advisory recommending that organizations reconsider whether this service needed to be enabled in an enterprise environment. To this day, however, CHARGEN is still widely deployed, often by default and without the knowledge of administrators. Learn more about CHARGEN reflection attacks.
A checker tool is used by malicious actors to automate the testing of stolen username:password pairs against targeted web applications, such as subscription services or e-payment services, to find which ones are valid there. Lists of username:password pairs often originate from major third-party breaches. The success and proliferation of custom checker development services are enabled by users who reuse the same username:password combination on more than one website and by webmasters who allow e-mail addresses to be used as usernames. Learn more about the underground marketplace for stolen credentials in the white paper about DDoS attacks involving online multiplayer gaming communities.
Command and control refers to the main server used by a DDoS attacker to control the botnets used in a DDoS attack. Learn more about botnet command and control (C&C or C2).
These acronyms refer to the command and control infrastructure of infected zombie computers that are part of a botnet. Graphical PHP/MySQL-based C&C interfaces are provided as part of many DDoS attack toolkits such as Dirt Jumper and Cythosia.
A certificate revocation list (CRL) is a list, published by a certificate authority, of the digital certificates it has revoked before their expiration date. When a certificate is placed on the CRL, it can no longer be used to establish trust between the client and the server, typically because the server or its private key has been compromised. Web browsers can consult the CRL (or an online status check such as OCSP) to see whether a website’s certificate has been revoked.
CsDOS is a Windows operating system-based tool used by script kiddies (inexperienced malicious actors) to launch denial of service attacks against low-powered servers. An example of the use of CsDOS would be an attacker targeting a small server hosting the game Counter-Strike. Simple tools such as CsDOS can have a significant impact on misconfigured servers that are maintained by inexperienced administrators. Learn about the problem of DDoS attacks involving online multiplayer gaming communities.
Cyberterrorism represents acts of Internet-based hacking that cause large-scale disruption to computer networks through the use of computer viruses and other malicious tools, such as worms and Trojan programs. The motivation for cyberterrorism attacks is to create widespread panic and disruption. Hacktivist groups may use cyberterrorism campaigns to protest or promote certain ideological or political beliefs.
A data breach involves obtaining unauthorized access to confidential or sensitive information such as customers’ personal information, corporate financial records, credit card or bank account details. A data breach is often accompanied by the intentional public release of the confidential information obtained by hacktivists during the cyber-attack.
Dirt Jumper is a high-risk DDoS toolkit that can be used to launch application layer attacks on websites. Dirt Jumper is a prepackaged toolkit that has evolved from the Russkill strain of malware. It is now widely available on various underground websites and retails for as little as US $150. Dirt Jumper can be spread via spam, exploit kits and fake downloads and can be pushed out to machines already infected with other forms of malware. Prolexic has developed a security-scanning tool that can be used to detect Dirt Jumper command-and-control servers. Download the Dirt Jumper threat advisory and scanner.
The Domain Name System (DNS) translates Internet domain names into Internet Protocol (IP) addresses. DNS takes a domain name such as www.prolexic.com and converts it into the actual IP address, much as a phone book takes a name and converts it to a phone number. Many domain names can resolve to the same IP address, because one server can host a huge number of domain names, and one DNS name can also be configured to map to several IP addresses. For example, if a hostname maps to five different addresses, a web browser will use any one of them to access the site. Learn more about how DNS is used to redirect network traffic to a DDoS protection and mitigation service.
DNS floods target both the network infrastructure and the DNS application itself. In this denial of service attack type, DDoS attackers use both reflected queries and direct floods from spoofed sources, which can overwhelm a target’s infrastructure by consuming all available network bandwidth or exhaust a name server’s capacity to answer legitimate queries.
DNS propagation is the process by which a DNS update reaches the resolvers that client systems use. Propagation takes time, because the old record is cached by the requester and by intermediary DNS servers for the period defined in its time-to-live (TTL); a change is not visible everywhere until the old TTL has expired. Although every client and server is supposed to respect the TTL, some do not. For example, if a TTL is very small, some resolvers impose their own minimum and keep the record longer, even though this violates Internet standards, so the updated record may take effect later than expected for those users.
A DNS reflection/amplification DDoS attack is a type of DDoS attack in which the response from the server is typically larger than the request. When combined with spoofed IP addresses, the responses to the amplified queries go to the attacker’s true target, not the attacker, and neither the reflecting victim nor the target knows who actually originated the attack. A common form of DNS reflection attack involves an attacker making many spoofed queries to many public DNS servers. The source IP address of each query is forged to be that of the target of the attack. When a DNS server receives the forged request it replies, but the reply is directed to the forged source address. This is the reflection component: the target of the attack receives replies from all the DNS servers that were used, which makes it very difficult to identify the source. If the queries (which are small packets) generate larger responses (as some DNS requests do, especially requests for TXT records), then the attack is also said to have an amplifying characteristic. Reflection and amplification are two separate attributes of an attack: a reflection attack is not amplified unless the responses are bigger than the requests. Learn more about DNS reflection in this white paper.
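The two entries above, amplification and DNS reflection/amplification, can be made concrete by measuring the ratio of response bytes to query bytes. The following is an added example, not code from the Prolexic glossary: it builds a minimal DNS query and a plausible response on the wire format, then computes the amplification factor and the load that reflected responses would place on the spoofed source address. The hostname, address, record contents, query rate and reflector count are constructed for illustration.

```python
# Added example (not part of the Prolexic glossary). Builds a minimal DNS
# query and a plausible response to measure the amplification factor an
# attacker obtains by reflecting the query off an open resolver. All names,
# addresses and record contents below are constructed for illustration.
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255   # record type codes from RFC 1035
QCLASS_IN = 1


def encode_name(name):
    """Encode a hostname as DNS wire-format labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD bit set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, answers, ttl=3600):
    """Copy the transaction ID and question, set the QR/RD/RA flags, and append
    one resource record per (type, rdata) pair. The owner name of each record is
    a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    records = b""
    for rtype, rdata in answers:
        records += struct.pack("!HHHIH", 0xC00C, rtype, QCLASS_IN, ttl, len(rdata))
        records += rdata
    return header + question + records


def txt_rdata(text):
    """TXT rdata is a sequence of <len><chars> strings of at most 255 bytes each."""
    data = text.encode("ascii")
    return b"".join(struct.pack("B", len(data[i:i + 255])) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def answer_count(response):
    """ANCOUNT from the header, but only if the QR bit says this is a response."""
    flags, ancount = struct.unpack("!HH", response[2:6])
    return ancount if flags & 0x8000 else 0


def amplification_factor(query, response):
    """Bytes delivered to the spoofed source address per byte the attacker sent."""
    return len(response) / len(query)


def reflected_load_mbps(response, queries_per_second, reflectors):
    """Traffic arriving at the spoofed source (the real target) when each of
    `reflectors` open resolvers answers `queries_per_second` spoofed queries.
    The attacker pays only the query size upstream; the target receives the
    response size, multiplied across every reflector."""
    return len(response) * 8 * queries_per_second * reflectors / 1_000_000


def demo():
    """Compare a plain A lookup with a TXT lookup that returns a long record."""
    a_query = build_query("example.com", QTYPE_A)
    a_response = build_response(a_query, [(QTYPE_A, bytes([93, 184, 216, 34]))])
    txt_query = build_query("example.com", QTYPE_TXT)
    # Constructed 1000-character TXT record, the size of a large SPF/DKIM-style record
    txt_response = build_response(txt_query,
                                  [(QTYPE_TXT, txt_rdata("v=spf1 " + "a" * 993))])
    return {
        "a_factor": amplification_factor(a_query, a_response),
        "txt_factor": amplification_factor(txt_query, txt_response),
        "txt_load_mbps": reflected_load_mbps(txt_response, 1000, 100),
    }
```

A 29-byte A query earns a 45-byte answer (a factor of about 1.5, reflection with almost no amplification), while the same-sized TXT query earns a 1045-byte answer (a factor of about 36). At 1,000 spoofed queries per second against 100 reflectors, the attacker's 23 Mbps of queries becomes roughly 836 Mbps arriving at the target.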
DNS TTL is the expression of the expiration time for the caching of a DNS record. TTL is expressed in seconds and can be set to expire in an arbitrary period of time. When using the PLXproxy mitigation service, Prolexic advises customers to set the DNS TTL to a low value so that the customer can change DNS records quickly in case of DDoS attack. You can check the status of your DNS records by using a free online DNS TTL checker such as Nabber.
DDoS is an acronym for distributed denial of service, as in a distributed denial of service (DDoS) cyber-attack. A DDoS attack uses many computers distributed across the Internet in an attempt to consume available resources on the target. Learn more about DDoS in Prolexic DDoS attack reports.
DoS is an acronym for denial of service, as in a denial of service attack. A DoS attack typically uses one or a few computers to cause an outage on the target. Learn more about denial of service (DoS) in the DDoS Boot Camp white paper.
DoS and DDoS attacks are an attempt to make a computer resource (i.e., website, email, voice or a whole network) unavailable to its intended users. By overwhelming it with data and/or requests in a denial of service attack, the target system either responds so slowly as to be unusable or crashes completely. The data volumes required to do this are typically achieved by a network of remotely controlled zombie computers, a botnet (robot network). These have fallen under the control of an attacker, generally through the use of Trojan horse malware. Learn more about DoS and DDoS attacks in the DDoS Boot Camp white paper.
DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS denial of service attack on one of its customers. This approach to block DoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic. Black holing is typically deployed by the ISP to protect other customers on its network from the adverse effects of DDoS attacks, such as slow network performance and disrupted service. Learn more about blackholing in the 12 Questions to Ask a DDoS Mitigation Provider white paper.
DDoS attack forensics, often provided in a post attack report, are a comprehensive listing of all characteristics associated with a DDoS denial of service attack. Ideally, DDoS forensics should include attack type, attack duration, attack origin and all of the real IP addresses blocked in the attack, in a database that is instantly accessible through a secure online customer portal. Learn more about DDoS attack forensics in Prolexic DDoS mitigation case studies.
DDoS mitigation appliances are hardware modules for network protection that include purpose-built automated network devices for detecting and mitigating some levels of DDoS attacks. Sometimes perimeter security hardware such as firewalls and Intrusion Detection Systems (IDS) include features intended to address some types of small DDoS attacks. Learn about human security mitigation versus automated mitigation in this white paper.
A DDoS mitigation service is a service designed to detect, monitor, and mitigate DoS and DDoS attacks. A Distributed Denial of Service (DDoS) mitigation service provided by a pure play DDoS mitigation vendor consists of a combination of proprietary detection, monitoring, and mitigation tools and skilled anti-DDoS technicians who can react in real-time to changing DDoS attack characteristics. Add-on DDoS mitigation service providers such as Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) also offer DDoS mitigation services in the form of automated tools, but they have limited network capacity to absorb large DDoS denial of service attacks. Learn more about how to choose a DDoS mitigation service.
DoS protection is an enterprise strategy for protecting the network against DoS or DDoS attacks. This can include a proxy or routed mitigation service from a DDoS monitoring and mitigation service provider, on-premise appliances for detecting and monitoring DDoS attacks, and perimeter security devices such as firewalls, Intrusion Detection Systems (IDS) and other types of automated security appliances. Learn more about DoS protection.
A distributed reflection denial of service attack, also known as a DrDoS attack, is a DDoS attack that sends floods of requests to a list of third-party servers while utilizing the spoofed IP address of the intended target. The third-party victims, which may include domain name system (DNS) servers, gaming servers, or even printers and other networked devices, will direct their responses to the spoofed address, which belongs to the attacker’s target. This unwanted and unexpected flood from a large number of third-party servers can create a denial of service condition that impairs the availability of the target. Learn more about distributed reflection attacks in this series of white papers about DrDoS.
The Drive DDoS kit has been observed being used to launch diversionary DDoS attacks while cyber criminals attempt to break into customer accounts at financial firms and e-Commerce businesses, under the assumption that security teams are busy mitigating the DDoS attack. The Drive DDoS toolkit is a newer variant of the Dirt Jumper family of DDoS toolkits, one of the most popular DDoS kit frameworks. Learn how to stop DDoS attacks from the Drive toolkit.
An exploit is a program, piece of code or technique that takes advantage of an application or system vulnerability. Exploits are used to obtain unauthorized access or to escalate privileges.
Firewalls examine each incoming and outgoing network packet and determine whether to forward it toward its destination, based on a set of predefined security rules. Firewalls can be hardware- or software-based and are designed to protect networks against hackers, viruses, worms and other malicious traffic.
Fragmentation is the division of large packets into smaller ones. Fragmentation is primarily used to enable packets larger than an interface’s MTU (Maximum Transmission Unit) to be divided into two or more units that are smaller than the MTU. Some DDoS attacks use fragments in bulk floods to consume link bandwidth. Learn more in a case study about a DDoS attack that used fragmentation.
A GET flood is an application layer (Layer 7) DDoS attack method. GET requests are used by web applications to make legitimate requests for server resources. To conduct a GET flood attack, malicious actors will send a flood of GET requests to a server in an effort to exhaust an application, which would prevent the application from responding to the requests of legitimate users. Learn more about HTTP GET floods in this case study.
Hackers are advanced computer users who use their IT skills to discover and exploit vulnerabilities in electronics, IT systems and computer networks.
A hacking toolkit is a collection of malicious computer programs used together to exploit vulnerabilities in target systems to gain unauthorized access, steal data or upload malicious code. The malicious code may then be used to launch DDoS distributed denial of service attacks. Hacker toolkits are readily available through the Internet, either free or at a low cost. They are designed to be easy for anyone to use to launch cyber-attacks. However, because they can contain many different types of attack vectors, hacking toolkits can exploit multiple vulnerabilities of an Internet facing system. Web browsers and plugins are usually the main entry points for the malicious programs within the hacking toolkit software. Dirt Jumper and booter shell scripts are examples of malicious toolkits. Learn more about hacking toolkits in Prolexic DDoS threat advisories.
Hacktivism is a cyber-attack movement in which computer network hacking is motivated by social activism or political protest. Hacktivism often includes DoS and DDoS attacks against the websites of governments, law enforcement agencies, political parties, religious groups, or any website that expresses ideas, beliefs or policies that a hacktivist group opposes. In addition to denial of service attacks, hacktivism also manifests itself as website defacement and data breaches. In 1999, the Cult of the Dead Cow, the group whose members coined the term hacktivism, founded Hacktivismo, an organization that touted freedom of information as a basic human right.
Hacktivists are organized groups of Internet hackers such as Anonymous who launch Internet denial of service, website defacement, data exfiltration and other attacks on the websites of global brands and organizations to protest political issues and promote their own ideology. Hacktivists often launch randomized attacks with complex signatures and then take credit for them through the news media. Learn more in this case study of a DDoS attack by hacktivists against a new media website.
Hacktivist groups are well-publicized collectives of sophisticated hackers who launch DoS and DDoS attacks primarily motivated by social activism or political protest.
HOIC is considered the next generation replacement for the Low Orbit Ion Cannon (LOIC) flood attack tool. HOIC can target up to 256 addresses simultaneously and also includes support for booster files – customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic. Attackers use unique plug-ins within the booster files to attack specific features of their target, such as a social networking site or e-Commerce site. The plug-ins are typically written by expert hackers who have pre-analyzed the target and have distributed information on different attack vectors that would be the most successful against a specific target. Learn more in the High Orbit Ion Cannon (HOIC) Threat Advisory.
An HTTP GET Flood is a Layer 7 application layer DDoS attack method in which attackers send a huge flood of requests to the server to overwhelm its resources. As a result, the server cannot respond to legitimate requests from users. Learn more about HTTP GET floods in this case study.
An HTTP GET request is a method that makes a request for information from the server. A GET request asks the server to give you something, such as an image or script so that it may be rendered by your browser.
An HTTPS GET Flood is an HTTP GET Flood sent over an SSL session. Due to the use of SSL, it is necessary to decrypt the requests in order to mitigate the flood. Learn more about detecting HTTPS GET Floods with application-based DDoS monitoring.
An HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it.
HTTP headers are the fields that accompany an HTTP request or response and describe it: for a request, which content types and languages the client accepts, what kind of web browser is being used, and so on. Common request headers are Host, Accept, Accept-Language and User-Agent (GET and POST are HTTP methods, carried on the request line, not headers). The requester can insert as many headers as it wants, including custom ones. DDoS attackers can change these and many other HTTP headers to make it more difficult to identify the attack origin or to match a signature. In addition, HTTP headers can be used to manipulate caching and proxy services. For example, a Cache-Control: no-cache request header asks a caching proxy not to serve a stored copy without revalidating it with the origin server, which forces the origin to do the work. Learn more about DDoS attacks that change HTTP header information.
An HTTP POST flood is a type of DDoS attack in which the volume of POST requests overwhelms the server so that the server cannot respond to them all. This can result in exceptionally high utilization of system resources and consequently crash the server. Learn more about DDoS attacks, including those that use the HTTP POST Flood.
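The GET flood, HTTP header and POST flood entries above describe two different shapes of Layer 7 attack: a single source sending far more requests than a browser would, and many sources each staying under the radar while sharing one static request fingerprint. The following added example, which is not code from the glossary or from Prolexic, runs both checks over web server access log lines in the Apache combined format. The log lines are generated inside the block and are constructed for illustration, as are the thresholds (20 requests per 10 seconds per source, 5 sources sharing a signature).

```python
# Added example (not from the glossary): rate-based and signature-based
# detection of HTTP GET/POST floods over web server access logs in the
# Apache "combined" format. The log lines are generated below and are
# constructed for illustration, as are the detection thresholds.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def rate_offenders(events, window=timedelta(seconds=10), limit=20):
    """Single-source flood: any IP exceeding `limit` requests in a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def signature_clusters(events, min_sources=5):
    """Distributed flood: group requests by (method, path, User-Agent). Each bot
    stays under the per-IP limit, but the request shape is identical across
    many sources; that shared shape is the Layer 7 attack signature."""
    sources = defaultdict(set)
    for e in events:
        sources[(e["method"], e["path"], e["ua"])].add(e["ip"])
    return {sig: ips for sig, ips in sources.items() if len(ips) >= min_sources}


def header_anomalies(events):
    """Sources that send no User-Agent header at all; real browsers always do."""
    return {e["ip"] for e in events if e["ua"] == "-"}


def analyze(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {"rate_offenders": rate_offenders(events),
            "signature_clusters": signature_clusters(events),
            "missing_user_agent": header_anomalies(events)}


def build_sample_log():
    """Constructed traffic: normal browsing from two clients, a single-source GET
    flood with cache-busting query strings and no User-Agent, and a low-and-slow
    POST flood from eight sources sharing one static User-Agent."""
    t0 = datetime(2013, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, dt, method, path, ua, status=200, size=512):
        return (f'{ip} - - [{(t0 + dt).strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'{status} {size} "-" "{ua}"')

    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
    lines = [line(ip, timedelta(seconds=3 * i), "GET", path, browser)
             for ip in ("192.0.2.10", "192.0.2.11")
             for i, path in enumerate(("/", "/about", "/contact"))]
    lines += [line("10.0.0.5", timedelta(seconds=i // 5), "GET", f"/search?q={i}", "-")
              for i in range(30)]
    bot_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines += [line(f"198.51.100.{n}", timedelta(seconds=4 * k), "POST", "/login.php", bot_ua)
              for n in range(1, 9) for k in range(3)]
    return lines
```

Running analyze(build_sample_log()) flags 10.0.0.5 on rate and on the missing User-Agent, and reports a single signature cluster, POST /login.php with the MSIE 6.0 string, shared by eight sources that individually send only three requests each. Neither check alone would catch both attacks, which is why mitigation engineers fingerprint the request shape as well as counting requests.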
An HTTP POST request is a method that submits data in the body of the request to be processed by the server. For example, a POST request takes the information in a form and encodes it, then posts the content of the form to the server.
An HTTPS POST Flood is an HTTP POST Flood sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it. Learn more about detecting HTTPS POST Floods with application-based DDoS monitoring.
An HTTPS POST request is an encrypted version of a HTTP POST request. The actual data transferred back and forth is encrypted.
An HTTP response is a response to an HTTP request. An HTTP response can be compressed with Gzip-style encoding and can include the object requested, such as an HTML page or JPEG image. HTTP responses also include status code such as “404 Not Found.” When mitigating DDoS attacks, Prolexic mitigation engineers analyze both HTTP requests and HTTP responses to fingerprint the attack.
Internet Control Message Protocol (ICMP) is primarily used for error reporting and diagnostics (for example, ping) and does not carry application data between systems. ICMP messages may accompany TCP traffic when connecting to a server: if a browser cannot reach a server, an ICMP message such as “destination unreachable” may be returned to it.
An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth. Learn more about DDoS attack types, including ICMP floods, in this DDoS attack report.
An IDS is a system that can identify, log, and report malicious traffic activity, but is designed to report only on current security policies and existing threats. An IDS by itself does not perform DDoS attack mitigation. Learn about human security mitigation versus automated mitigation in this white paper.
IGMP floods are uncommon in modern DDoS attacks. They use IP protocol 2 (IGMP), which has only a limited number of message variations, yet this type of flood can still consume large amounts of network bandwidth.
An infrastructure attack is a DDoS attack that overloads the network infrastructure by consuming large amounts of bandwidth, for example by making excessive connection requests without responding to confirm the connection, as in the case of a SYN flood. A proxy server can protect against these kinds of attacks by using cryptographic hashes and SYN cookies. Learn how Prolexic Flow-based Monitoring (PLXfbm) detects infrastructure DDoS attacks.
The Internet protocol suite is the family of protocols used for Internet communications. IP (Internet Protocol) is a Layer 3 protocol used for communication between two end systems. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are Layer 4 protocols used to implement the communications channel between two end systems. The Internet protocol suite is commonly used on wide-area networks (WANs).
An IP flood is a name used by some DDoS toolkits to refer to either a SYN flood or a UDP flood. In an IP flood, a malicious actor will launch a DDoS attack that sends excessive data to a target IP address, as opposed to a host name or URL. The Drive DDoS toolkit launches an IP flood and even has a slight variant attack known as IP flood2, which is essentially the same attack branded differently. Learn how to stop DDoS attacks from the Drive toolkit.
A spoofed IP address makes a DDoS attack appear to come from a different source than its actual source. As a result, the victim will not know who originated the attack.
An IPS is a security device designed to monitor and analyze activity at the client, server and network levels. An IPS may include firewalls and anti-virus software. It expands upon an IDS to perform the dropping or blocking of malicious traffic. The combination of IDS/IPS may provide enough security to guard against malicious traffic penetration and exploitation. However, this type of layered security measure was not designed for identifying and stopping an unknown and unexpected DDoS attack. These systems are ineffective in identifying and halting DDoS attacks with signatures they don’t recognize and distributed traffic they cannot analyze. Learn more about intrusion prevention systems (IPS) in Man, Machine and DDoS Mitigation.
IPv4 and IPv6 are Internet protocol versions that set the standards for the network communications within the Internet. IP is a connectionless or stateless protocol that does not guarantee delivery of data nor confirm that it is delivered in proper sequence.
itsoknoproblembro is the name given to a suite of malicious PHP scripts discovered on multiple compromised hosts. The main functionalities appear to be file uploads, persistence, and DDoS traffic floods. Learn more about itsoknoproblembro.
The Drive family of malware makes use of the k= parameter when communicating with the command and control (C&C) panel via POST requests from an infected workstation. This communication method is very similar to the Dirt Jumper communication protocol. Previous unsanitized use of the k parameter resulted in an SQL injection vulnerability in the Dirt Jumper C&C admin panel that allowed counterattackers to take over the botnet and/or disrupt the botnet database. Learn about Dirt Jumper SQL injection in the vulnerability disclosure report.
Latency refers to the time it takes for a server to respond to a user’s request. A long latency means the server is responding slowly to user requests, which could indicate potential availability issues due to misconfiguration or a DDoS attack. Learn about latency in this YouTube video about two banks under the same DDoS attack.
Layer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a network infrastructure. Layer 3 (network layer) and 4 (transport layer) DDoS attacks rely on extremely high volumes (floods) of data to slow down web server performance, consume bandwidth and eventually degrade access for legitimate users. These attack types typically include ICMP, SYN and UDP floods. Learn more about Layer 3 (L3), Layer 4 (L4) DDoS attacks in this case study of a financial service firm.
A Layer 7 DDoS attack is an attack structured to overload specific elements of an application server infrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemble legitimate website traffic. Even simple Layer 7 attacks – for example those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites – can critically overload CPUs and databases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack, making it more difficult to detect and mitigate. Learn more about Layer 7 (L7) attacks in the white paper, Defending Against DDoS Attacks: Strategies for the Network, Transport and Application Layers.
A loader is a type of malware that sits silently on an infected workstation and awaits a trigger, such as an additional binary payload, before being executed.
A small piece of code that when executed, elevates a user to root permissions through the exploitation of various vulnerabilities. Learn more about recent DDoS attacks in this DDoS attack report.
Low Orbit Ion Cannon is a popular early attack tool used by hacktivist groups like Anonymous. LOIC is a program that is downloaded and presents the user with a simple user interface and several options to be able to participate in group attacks. LOIC does not spoof the attack traffic. Any time LOIC is used to attack the client, the attacker’s IP address can be identified if the client has forensic logs in their firewall or server. LOIC also leaves fairly well-known signatures, making it difficult for the hacktivist or attacker using the tool to deny that they willfully launched the attack. Learn more about a Low Orbit Ion Cannon (LOIC) DDoS attack in this white paper.
A malicious actor is an information security industry term for an individual or group involved in cyber-attacks, including but not limited to DDoS attacks, breaches and fraud. Learn more about malicious actors and their motives in the DDoS Bootcamp white paper.
Malware is a generic term for malicious software that disrupts operations, gathers sensitive information, or grants unauthorized access to third-party attackers. Malware is usually downloaded onto a user’s device or server through the use of exploit kits, spam or social engineering techniques. Malware such as loader Trojans may be used to infect a device or server, and then push out a DDoS payload at a later date to cause the infected machine to become part of a DDoS botnet. Learn more in the DDoS Bootcamp white paper.
MPLS is used in telecommunications networks to direct data from one network node to the next using short path labels. MPLS abstracts forwarding from the underlying transport medium. Service providers typically use MPLS to simplify the design and deployment of discrete services like private WAN (Wide Area Network), VPN (Virtual Private Network) and Internet transit across a single transport infrastructure, often with rich QoS (Quality of Service) features.
Network availability refers to the ability of a network to respond to legitimate users’ requests. Under a DDoS attack, a network may become unavailable. The resulting degradation of service and availability can cause a significant negative impact upon enterprises that rely on their web applications for business operations.
Network Time Protocol (NTP) is used to synchronize computer clocks with Internet time repositories. The NTP protocol can be leveraged by malicious actors launching a distributed reflection denial of service (DrDoS) attack. Because NTP uses the UDP protocol, it is susceptible to spoofing of the source IP address. Misconfigured network equipment can allow components of an organization’s infrastructure to become unwilling victim participants in a DDoS attack against a target server via the NTP protocol. Learn more about how to protect your network from participation in NTP attacks in this white paper.
Operation Payback represents a series of DDoS attacks launched in September and December 2010 by hacktivists from the group Anonymous. Attacks were launched targeting organizations that spoke out against Wikileaks or refused to process payments in support of the whistle-blowing website.
A packet is a unit of transmission on a network. Watch Prolexic block a 160 million packets per second (Gbps) DDoS attack (3:22 min).
Packet headers are protocol-specific fields placed at the beginning of a packet. Packet headers can indicate conditions, such as when to initiate a conversation between networks, or parts of a conversation, and indicate that a packet is fragmented, among other things. DDoS attackers tend to manipulate packet header bits to launch SYN floods, ACK floods and other attacks by trying to exploit certain network configurations.
Packet rate is the speed at which packets traverse a network, measured in packets per second (pps). Packets are discrete blocks of information and may be large or small. DDoS attacks with larger packets and higher packet rates result in stronger attacks with higher bandwidth consumption of the intended target. These stronger DDoS attacks may involve more intermediary victim servers or a large botnet with more infected zombie computers. Learn about the packet rate of DDoS attacks in the most recent Global DDoS Attack Report.
Packeting is a common slang term in the gaming community for engaging in denial of service attacks. Packeting refers to a denial of service attack where excessive data packets are sent to a target IP address in an effort to impair its availability and cause services to slow significantly or to stop entirely. Packeting attacks can be directed at any IP address, including gamers on home connections, a game server, or an unrelated target outside of a gaming network. Learn more about DDoS attacks in online multiplayer gaming communities in this whitepaper.
A packet sniffer is a tool that allows traffic traveling over a network connection to be recorded and analyzed. Packet sniffers are passive in that they do not interfere with the flow of information over a network.
Passive inspection is a method in which packet sniffers are connected to network SPAN ports, or network taps are deployed on copper or fiber links, to observe communication flows without altering them. Prolexic’s Application Based Monitoring service (PLXabm) uses packet sniffing technology to facilitate passive network inspection diagnostics.
A payload contains all of the information contained between the header and footer, including higher-level protocols (and their headers, footers and payloads) and the actual data that is being transferred in the communication. Read about a one-million-byte payload mitigated by Prolexic.
Phishing is a form of social engineering that seeks to trick a user into divulging login credentials, clicking a malicious link or opening a malicious attachment. Learn more about stolen credentials in a white paper about DDoS attacks involving online multiplayer gaming communities.
A PHP attack suite is a group of PHP files that can be used by a malicious actor to launch denial of service attacks. An example of a PHP attack suite is itsoknoproblembro. Criminals offering fee-based DDoS-as-a-Service may offer PHP attack suites along with access to botnets. Learn more in the SYN reflection attacks white paper.
PHP is a programming scripting language that can be used to develop interactive database-driven web applications and automate other tasks for web applications. PHP can make GET and POST requests and is often used by malicious actors seeking to create simple yet effective denial of service scripts.
A PHP shell is a script in the PHP language that can execute commands, view files and perform other system administrative tasks. PHP shells are often used to take control of web servers via web application vulnerabilities. Learn more about PHP shell scripts in the Booter Shell Script Threat Advisory.
A DDoS mitigation playbook, also known as a runbook, is a proactive and streamlined response for all departments in an organization to practice and implement in the event of a DDoS attack. Preparation is essential for rapidly mitigating a DDoS attack. Learn more about creating a DDoS mitigation playbook for your organization.
Prolexic Application-Based Monitoring (PLXabm) is a DDoS detection service that identifies application-layer (Layer 7 or L7) DDoS attacks – including low-and-slow Layer 7 attacks and randomized HTTP and HTTPS attacks – that can’t be detected by load balancers and intrusion detection (IDS) systems. An on-premise monitoring appliance provides 24/7 visibility in conjunction with cloud-based historical correlation for real-time DDoS forensics analysis. Learn more about PLXabm.
The PLXconnect service plan delivers Prolexic’s routed DDoS protection service over a direct physical connection from the customer network through a private cloud to Prolexic’s scrubbing centers. Like Generic Route Encapsulation (GRE), this physical connection enables the activation of DDoS protection for an entire subnet during a DDoS attack. Unlike GRE, there is no impact to maximum transmission units (MTUs), latency is predictable, and PLXconnect offers high bandwidth. Learn more about PLXconnect.
PLXedge is Prolexic’s premier bundled DDoS detection, mitigation and analytics service. PLXedge delivers around-the-clock DDoS protection against all types and sizes of DDoS attacks. Learn more about PLXedge.
Prolexic Flow-Based Monitoring (PLXfbm) is a DDoS detection service that monitors changes in volumetric network traffic flows (netflow) at customer network-edge routers. This 24/7 monitoring by Prolexic’s Security Operations Center identifies Layer 3 (L3) and Layer 4 (L4) DDoS attacks, allowing for faster DDoS mitigation. PLXfbm may be combined with Prolexic’s Application-Based Monitoring Service (PLXabm). Learn more about PLXfbm.
PLXportal provides Prolexic customers with real-time data, visualizations and analysis of their network perimeter activity and the DDoS mitigation services being provided by Prolexic on the customer’s behalf. Learn more about PLXportal.
Prolexic Proxy Solution (PLXproxy) is an emergency DDoS protection service from Prolexic that provides fast DDoS mitigation for organizations that are under sustained DDoS attacks and need to implement a DDoS defense immediately. Remapping the IP address associated with a DNS name (a DNS redirect) is all that is required to activate this service. Learn more about PLXproxy.
Prolexic Routed Solution (PLXrouted) is Prolexic’s standard DDoS protection service that provides maximum protection against the broadest range of DoS and DDoS attack types and defends against sustained attacks in excess of 100 Gbps. PLXrouted is a flexible, asymmetric, on-demand service that lets Prolexic customers enable DDoS attack mitigation for an entire subnet when needed. Learn more about PLXrouted.
The Prolexic Security Engineering and Research Team, also known as PLXsert, is a team of highly experienced DDoS mitigation experts who monitor malicious cyber threats globally and analyze DDoS attacks, toolkits and threat intelligence to build an insightful, global view of DDoS attacks. PLXsert research is shared with customers and the public. Learn more about PLXsert and its service offerings.
A POST flood is an application layer (Layer 7) DDoS attack method. Web applications use POST requests to make legitimate requests for server resources, such as during a form submission. To conduct a POST flood attack, malicious actors will send a flood of POST requests to a server in an effort to exhaust an application, which would prevent the application from responding to the requests of legitimate users. Learn more about HTTP POST floods in this case study.
A proxy is a network device that terminates incoming traffic and then creates a new communication session that is used to send the traffic to the actual destination. The proxy fits between the requestor and the server and mediates all of the communication between the two. Examples of proxy technologies are content switches and load balancers. Proxy servers are most often used for DNS requests, HTTPS and HTTP. When HTTPS is being proxied, the proxy server itself must have copies of the public certificate with the public key and the private key so it can effectively terminate the SSL/TLS requests. Mitigating Layer 7 DDoS attacks is sometimes carried out using proxies. Learn more about the Prolexic Proxy Solution (PLXproxy) for DDoS protection and mitigation.
An exploit that has been released to the public via standard channels such as mailing lists, exploit archives, or forum posts. Learn more about exploits in these DDoS threat advisories.
R57 shell is a popular underground PHP shell that can be used to execute commands, view files, and perform other system administrative tasks. R57 is often used to take control of web servers via web application vulnerabilities. Learn more about PHP shell scripts in the Booter Shell Scripts DDoS Threat Advisory.
A distributed reflection denial of service attack, also known as a DrDoS attack, is a DDoS attack that sends floods of requests to a list of third-party servers, utilizing the spoofed IP address of the intended target. The third-party victims, which may include domain name system (DNS) servers, gaming servers, or even printers and other networked devices, will direct their responses to the spoofed address, which belongs to the attacker’s target. This unwanted and unexpected flood of data from a large number of third-party servers can create a denial of service condition that impairs the availability of the target. Learn more in the DrDoS series of white papers.
Resolver tools allow an individual to acquire the IP address of another participant on the network. Resolver scripts exist for almost every software platform that directly connects users to each other, such as chat programs and video games. For example, a player in a massively multiplayer online role playing game may want to acquire the IP address of another player. In online gaming, the IP address is frequently used for targeting a packeting attack or DDoS attack. Learn about the problem of DDoS attacks in online multiplayer gaming communities in this white paper.
Routed mitigation is a method of redirecting traffic to a third-party provider, typically a cloud provider, using the BGP protocol to ensure that all inbound traffic is configured to flow through the third-party provider. The third-party provider becomes like a logical upstream ISP to the organization in that it can analyze and selectively activate the appropriate DDoS mitigation technologies as needed. Learn more about the Prolexic Routed Solution (PLXrouted) for DDoS protection and mitigation.
A DDoS mitigation runbook, also known as a playbook, is a proactive and streamlined response for all departments in an organization to practice and implement in the event of a DDoS attack. Preparation is essential for rapidly responding to a DDoS attack. Learn more about creating a DDoS mitigation runbook.
The Rustock botnet ran from 2006-2011 and was composed of compromised computers running Microsoft Windows. The purpose of Rustock was to use the botnet for sending spam email messages. One use of the Rustock botnet was to infect additional Windows machines to involve them in the botnet, too. The Rustock botnet was brought down by Microsoft, law enforcement and other organizations in 2011. Learn more about botnets and denial of service.
A security operations center (SOC) is a centralized location staffed with IT security experts who monitor and defend enterprise networks and their components. The Prolexic SOC operates 24 hours a day, 7 days a week, 365 days a year. The Prolexic SOC’s goal is to provide customers with the best DDoS protection from some of the most experienced information security professionals in the industry. Learn more about the Prolexic DDoS mitigation security operations center.
Scrubbing centers are technical facilities purpose-built for scrubbing or removing malicious DDoS traffic from inbound traffic streams when mitigating DDoS denial of service attacks. Learn more about Prolexic’s DDoS network traffic scrubbing centers.
Simple Network Management Protocol (SNMP) is an application layer protocol commonly used for the management of devices with IP addresses, such as routers, servers, printers, IP video cameras, alarms and thermometers. The SNMP protocol transmits sensor readings and other variables over the network. SNMP can be exploited maliciously in distributed reflection denial of service (DrDoS) attacks that query the device with a spoofed source IP request, which elicits the SNMP response to be directed to the attacker’s primary target. Learn more about how to identify and mitigate SNMP attacks.
A sniffer, also called a network analyzer or packet analyzer, can help DDoS mitigation experts read and decode network traffic. Wireshark and tcpdump are sniffer technologies. Sniffers can also be used by attackers, who have successfully breached a network, to observe activity and capture proprietary data. For examples of legitimate Wireshark and tcpdump use, download this white paper about DDoS attacks involving online gaming.
A snort rule is composed of syntax-based instructions that identify DDoS activity and use application firewall techniques to block a DDoS attack. Learn more in the BroDoS threat advisory, which provides samples of snort rules used to stop attacks from the BroDoS and itsoknoproblembro DDoS toolkits.
Spear phishing is a technique where advanced attackers research an organization and its personnel in order to target specific individuals with spam. The goal is to cause enterprise employees with high levels of access to install malware or divulge information that can be leveraged in a cyber-attack.
A spoofed DDoS attack is one in which the source of the attack is faked by the attacker in an effort to get a third-party server or device to send unwanted information to the attacker’s target. Spoofing is only effective in Layer 3 (UDP) attacks, because UDP is a stateless protocol. Spoofing is a technique often used in reflection and amplification attacks. Learn more about spoofing in the PLXsert white paper series on reflection attacks.
The SQL schema is the default layout of SQL databases. Comparing SQL schemas for different DDoS toolkits allows an analyst to identify that one DDoS toolkit is a variant of another DDoS toolkit. For example, the command and control (C&C) admin panel of the Drive DDoS toolkit makes use of a similar SQL schema as the Dirt Jumper toolkit, whereas the SQL schemas for Pandora and Dirt Jumper are nearly identical. Learn more about Pandora, Drive and Dirt Jumper in these DDoS threat advisories.
SSL was a popular protocol for encrypting TCP/IP streams over the Internet. SSL was first publicly available in 1995 and the last version of SSL published was version 3.0 in 1996. SSL has been replaced by the TLS (Transport Layer Security) protocol, which grew from the SSL 3.0 specification. The HTTPS protocol now typically uses TLS, although popular vernacular still refers to HTTPS as using SSL, which is not strictly true. HTTPS can negotiate the encryption protocols to be used and client/server negotiation converges on TLS in most websites today.
An SSL attack, such as an SSL GET flood, uses the secure sockets layer in TCP to send encrypted attack data. The use of SSL requires more processing power by the recipient, thus increasing the effect of the attack. Furthermore, an SSL flood can be more difficult to detect and mitigate, because the incoming packets are not human readable by default. Learn more about Prolexic’s SSL secure key sharing tool for DDoS mitigation.
A spoofed SYN (SSYN) flood is a DDoS attack method targeting the infrastructure (Layer 4) in which attackers send a huge flood of TCP SYN packets with a spoofed source IP address to intermediary victim servers. The victim servers direct their acknowledgements to the attacker’s spoofed target, filling up the available connections and making it impossible for legitimate users to access the site. Learn more about SSYN floods in this white paper.
A stressor (stresser) suite is a DDoS toolkit used by malicious actors to launch denial of service attacks. The toolkits usually consist of PHP/MySQL code, a graphical user interface (GUI), an application programming interface (API), and a list of booter shells. Stressors are so named because they are advertised as legitimate stress testing services for website administrators to check load balances. However, the majority of stressor suites are made available by criminals making use of compromised server booter shells. These stressors are usually part of a fee-based DDoS-as-a-Service network. Learn about stressors and online multiplayer gaming in this white paper.
A SYN flood is a Layer 4 infrastructure DDoS attack method in which attackers send a huge flood of TCP SYN packets, often with a forged sender address, to the server. SYN floods bring down a network connection by using up the number of available connections the server can accept. Consequently, it becomes impossible for the server to respond to legitimate connection requests during this type of DDoS denial of service attack. Learn more about SYN floods.
A SYN packet starts all communication between an Internet request and a server. A SYN packet determines the nature of how the communication is established and how the interchange of information will be completed. SYN packets consist of a combination of the TCP flag, packet sequence number, window size, acknowledgement number, and other information needed to complete the request.
The popular tool tcpdump is an open-source, command-line packet analyzer software tool that lets a user intercept and display packets of data sent via the TCP/IP protocol. tcpdump is used by DDoS mitigation experts to understand DDoS attacks. It is often used as a command line (CLI) alternative to Wireshark. For examples, see a screenshot in this white paper about DDoS attacks in online multiplayer gaming communities.
TCP flags are bits within a TCP protocol header that describe the status of the connection and give information on how a packet should be handled. Examples of TCP flags are SYN (synchronize), ACK (acknowledgement) and PSH (push).
TCP Flag Abuse floods (URG, ACK, PSH, RST, SYN, FIN) are stateless streams of protocol 6 (TCP) messages with odd combinations or out-of-state requests. With modification to the control bits in the TCP header, many different types of these floods are possible.
TCP Fragment floods are DDoS attacks that try to overload the target’s processing of TCP messages due to the expense incurred in reconstructing the datagrams. These floods often consume significant amounts of bandwidth.
A TCP header is a header within the IP header that contains additional information in the packet besides source and destination.
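The TCP flag and header entries above describe the control bits that flag-abuse floods manipulate. The following is an added example, not code from the glossary or from Prolexic, showing how a defender can parse the fixed 20-byte TCP header from raw bytes and classify flag combinations that no normal stack emits (NULL, SYN+FIN, SYN+RST, "xmas", and FIN/PSH/URG without ACK). The sample packets are constructed inline; the labels and the `build_tcp_header` helper are this example's own.

```python
import struct
from typing import NamedTuple

# TCP flag bits in the low byte of the 16-bit data-offset/flags field (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class TcpHeader(NamedTuple):
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int   # data offset converted to bytes
    flags: int        # six control bits only
    window: int
    checksum: int
    urg_ptr: int


def parse_tcp_header(data: bytes) -> TcpHeader:
    """Decode the fixed part of a TCP header (network byte order)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    flags = off_flags & 0x003F                # drop reserved and ECN bits for this check
    return TcpHeader(src, dst, seq, ack, header_len, flags, win, csum, urg)


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int, window: int = 65535) -> bytes:
    """Constructed sample header (no options, checksum left at zero) for testing."""
    off_flags = (5 << 12) | (flags & 0x003F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)


def flag_names(flags: int) -> str:
    order = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))
    return "+".join(name for bit, name in order if flags & bit) or "NULL"


def classify_flags(flags: int) -> str:
    """Return 'ok' for combinations a well-behaved stack sends, else a label for the anomaly."""
    if flags == 0:
        return "null"                 # no control bits at all: never produced by a real handshake
    if flags & SYN and flags & FIN:
        return "syn-fin"              # open and close in the same segment
    if flags & SYN and flags & RST:
        return "syn-rst"
    if flags == (FIN | PSH | URG):
        return "xmas"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "no-ack"               # FIN/PSH/URG only appear mid-connection, where ACK is always set
    return "ok"


def audit_packets(packets):
    """Count anomaly labels over a batch of raw TCP headers (e.g. from a sniffer)."""
    counts = {}
    for raw in packets:
        label = classify_flags(parse_tcp_header(raw).flags)
        counts[label] = counts.get(label, 0) + 1
    return counts


def constructed_sample():
    # Constructed batch: a normal handshake plus the abusive combinations named in the glossary
    return [
        build_tcp_header(50000, 80, 1000, 0, SYN),
        build_tcp_header(80, 50000, 7000, 1001, SYN | ACK),
        build_tcp_header(50000, 80, 1001, 7001, ACK),
        build_tcp_header(50000, 80, 1001, 7001, PSH | ACK),
        build_tcp_header(50001, 80, 42, 0, 0),                 # NULL
        build_tcp_header(50002, 80, 42, 0, SYN | FIN),         # SYN+FIN
        build_tcp_header(50003, 80, 42, 0, FIN | PSH | URG),   # xmas
        build_tcp_header(50004, 80, 42, 0, FIN),               # FIN without ACK
    ]


if __name__ == "__main__":
    for raw in constructed_sample():
        h = parse_tcp_header(raw)
        print(f"{h.src_port}->{h.dst_port} {flag_names(h.flags):<12} {classify_flags(h.flags)}")
    print(audit_packets(constructed_sample()))
```

The classifier deliberately treats a lone RST and a lone SYN as normal, since both occur in ordinary traffic; what it flags are the combinations that only appear when someone is setting the control bits by hand. In practice the counts from `audit_packets` are compared against a baseline for the link rather than alerted on individually.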
Transmission Control Protocol (TCP) is a stateful protocol that is part of the Internet protocol suite. Using the three-way handshake of SYN/ACK/FIN messages, TCP provides reliable delivery of information or requests transferred from one computer to another. TCP is a polite protocol that establishes communication back and forth with the server upon arrival of a SYN request. It requires a conversation with a response or acknowledgement (ACK) to each SYN request that is sent to the server. Because it complements the Internet Protocol (IP), TCP is often referred to as TCP/IP.
The three-way handshake is the method by which all stateful connections are made in the TCP protocol to ensure reliable communication. Like a telephone conversation in which someone calls, someone answers, and the caller responds back, the three-way handshake is a conversation between the SYN request and the server. The server responds to a SYN request with an ACK (acknowledgement) message to confirm that the request was received. A stream of SYN/ACK communication usually follows until the connection ends with both sides communicating a FIN (finish/end) message. Because the three-way handshake requires bidirectional communication, it is impossible to spoof a DDoS attack if a complete (and not a half-open) TCP session exists.
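The infrastructure attack, SYN flood and three-way handshake entries all turn on the same point: a half-open connection costs the server state, and SYN cookies remove that cost by encoding the handshake in the server's initial sequence number instead of a table entry. The block below is an added example, not Prolexic's code, modelling that scheme in Python: the server ISN is a 5-bit time tick plus a 27-bit keyed hash of the connection four-tuple and the client's ISN, so the final ACK can be validated with no stored state. The secret, tick period and the `SynCookieListener` model are this example's own assumptions; a real stack also folds the negotiated MSS into the cookie, which is omitted here.

```python
import hashlib
import hmac

# Assumed per-server secret; a real implementation rotates it periodically.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"
COOKIE_PERIOD = 64          # seconds per timestamp tick; the tick is a 5-bit counter


def _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """27-bit keyed hash binding the cookie to this connection and this time tick."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{client_isn}|{tick}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Server ISN for the SYN-ACK: 5-bit tick in the top bits, 27-bit MAC below."""
    tick = (now // COOKIE_PERIOD) & 0x1F
    return (tick << 27) | _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now):
    """Validate the third handshake packet statelessly; the ACK number is cookie + 1."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    current = (now // COOKIE_PERIOD) & 0x1F
    if (current - tick) & 0x1F > 1:            # older than about two ticks: refuse
        return False
    expected = _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    return hmac.compare_digest(expected.to_bytes(4, "big"),
                               (cookie & 0x07FFFFFF).to_bytes(4, "big"))


class SynCookieListener:
    """Model of a listener with no half-open table: only completed handshakes consume state."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn, now):
        # Answer with a SYN-ACK whose ISN is the cookie; nothing is stored.
        return make_syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, now)

    def on_ack(self, src_ip, src_port, client_isn, ack_num, now):
        if check_syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, ack_num, now):
            self.established.add((src_ip, src_port))
            return True
        return False


def simulate():
    """Constructed scenario: a spoofed SYN flood plus one legitimate client."""
    srv = SynCookieListener("198.51.100.10", 443)
    t0 = 1_700_000_000
    # 10,000 SYNs from forged sources that will never send the final ACK
    for i in range(10_000):
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, i, t0)
    # a real client completes the handshake within the same tick
    isn = 0x12345678
    synack_isn = srv.on_syn("192.0.2.7", 50000, isn, t0 + 1)
    accepted = srv.on_ack("192.0.2.7", 50000, isn, (synack_isn + 1) & 0xFFFFFFFF, t0 + 2)
    # a forged ACK that never saw a SYN-ACK, and a genuine one replayed far too late
    forged = srv.on_ack("192.0.2.8", 50001, isn, 0xDEADBEEF, t0 + 2)
    old_isn = srv.on_syn("192.0.2.7", 50002, isn, t0)
    stale = srv.on_ack("192.0.2.7", 50002, isn, (old_isn + 1) & 0xFFFFFFFF,
                       t0 + 10 * COOKIE_PERIOD)
    return accepted, forged, stale, len(srv.established)


if __name__ == "__main__":
    accepted, forged, stale, n = simulate()
    print(f"legitimate accepted={accepted} forged={forged} stale={stale} established={n}")
```

The point of the simulation is the last value: after ten thousand spoofed SYNs the listener holds exactly one connection, because the flood never produced a valid third packet and so never touched server memory. The trade-off is the one the glossary's three-way handshake entry hints at: validation depends on the client echoing the cookie back, so a spoofed source that cannot receive the SYN-ACK can never complete the exchange.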
The proxies that malicious actors use to communicate with the command and control (C&C) and/or infected machines. Learn more about command and control (C&C or C2) in the Dirt Jumper DDoS Threat Advisory.
TLS is a cryptographic protocol built on top of TCP that provides secure transmission of information over the Internet. Versions of TLS are used for secure web browsing, email and instant messaging. TLS provides a stateful connection, which guards against tampering when client/server applications communicate over a network. Many people still refer to HTTPS as using the SSL protocol, but today TLS has supplanted SSL as the default protocol of choice.
The malware classification known as a Trojan infects a computer while a user downloads legitimate-appearing software. The name originates from the Trojan horse story of Greek mythology of the Trojan Wars. These viruses can be used to infect the unsuspecting recipient with malware that turns the computer into a zombie under the control of attackers. Learn more about DDoS and how computers are recruited into botnets in this white paper.
UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.
UDP Fragment floods are UDP floods that typically contain messages larger than the maximum transmission units that are sent from the malicious actor(s) to the target, consuming network bandwidth.
A UDP header is a component of the User Datagram Protocol (UDP) that includes source port number, destination port number, length in bytes of the entire datagram, and the checksum field for error checking.
The UDP protocol is a stateless transmission protocol with an emphasis on minimal latency rather than reliability in transmitting information and requests over the Internet. User Datagram Protocol (UDP) allows information and requests to be sent to a server without requiring a response or acknowledgement that the request was received. UDP is considered an unreliable protocol because information packets or requests may arrive out of order, may be delayed, or may appear to be duplicated. There is no guarantee that the information you transmit will be received. Learn more about the UDP protocol in the SNMP Amplification (SAD) Threat Advisory.
Volumetric DDoS attacks are also known as floods. DDoS attackers seek to overwhelm the target with excessive data, often gained through reflection and amplification DDoS techniques. Volumetric attacks seek to make use of as much bandwidth as possible. Learn about reflection and amplification of denial of service attacks in the DrDoS white paper series.
A web application firewall controls access to a specific application or service, blocking network traffic that does not meet the required criteria.
Website defacement is a cyber-attack in which hackers obtain administrative access to a website for the purpose of altering its visual appearance, such as replacing existing content with content authored by the hacker with malicious intent. One method of defacement involves breaking into a web server and replacing the hosted site with the hacker’s website.
Whale phishing is a variant on the technique of spear phishing where attackers specifically target the top tier in an organizations, such as C-level executives. Compromised credentials from these individuals will typically have much greater access permissions than the login credentials of other employees.
Wireshark is open-source packet analyzer software with a graphical interface that lets a user intercept and display packets of data sent via the TCP/IP protocol. This tool can break down packets down to a visual hexadecimal level, which allows for quick identification of DDoS attack patterns and anomalies. Wireshark is used by DDoS mitigation experts to understand DDoS attacks. See screenshots of Wireshark in the multiplayer gaming communities white paper.
A zombie is created when a computer of an unsuspecting user is infected with malware that communicates with a hidden command and control (C&C) server. The C&C allows hackers to issue commands to a network of compromised zombie machines. This centrally controlled network of zombies is known as a botnet. Learn more about zombies and botnets in the DDoS Bootcamp whitepaper.