When it comes to distributed denial of service (DDoS) attacks, the various
terms and acronyms can be quite confusing. Prolexic explains all in this
glossary of terms. To learn even more, follow the links to other Prolexic
resources.
HTTPS POST Flood
An HTTPS POST request is an encrypted version
of a HTTP POST request. The actual data transferred back and forth is
encrypted.
An HTTP response is a response to an HTTP
request. An HTTP response can be compressed with Gzip style encoding and can
include the object requested, such as an HTML page or JPEG image. HTTP
responses also include status code such as “404 Not Found.” When mitigating
DDoS attacks, Prolexic mitigation engineers analyze both HTTP requests and HTTP
responses to fingerprint the attack.
ICMP
(Internet Control Message Protocol)
Internet Control Message Protocol (ICMP) is
primarily used for error messaging and typically does not exchange data between
systems. ICMP packets may accompany TCP packets when connecting to a server. An
ICMP message may come back if a browser cannot reach a server.
IDS
(Intrusion Detection System)
IGMP floods are uncommon in modern DDoS
attacks, but they use protocol 2 with limited message variations. This type of
flood has the ability to consume large amounts of network bandwidth.
Infrastructure DDoS Attack
An infrastructure attack is a DDoS attack that
overloads the network infrastructure by consuming large amounts of bandwidth,
for example by making excessive connection requests without responding to
confirm the connection, as in the case of a SYN flood. A proxy server can
protect against these kinds of attacks by using cryptographic hashtags and SYN
cookies. Learn howProlexic Flow-based Monitoring (PLXfbm) detects
infrastructure DDoS attacks.
The Internet Protocol Suite is the family of
protocols used for Internet communications. IP (Internet Protocol) is a Layer 3
protocol used for communication between two end systems. TCP (Transmission
Control Protocol) and UDP (User Datagram Protocol) are Layer 4 protocols used
to implement the communications channel between two end systems. The Internet
Protocol Suite is commonly used on Wide Area Networks (WANs).
A spoofed IP address makes a DDoS attack
appear to come from a different source than its actual source. As a result, the
victim will not know who originated the attack.
IPS
(Intrusion Prevention System)
An IPS is a security device designed to
monitor and analyze activity at the client, server, and network level. An IPS
may include firewalls and anti-virus software. It expands upon an IDS to
perform the dropping or blocking of malicious traffic. The combination of
IDS/IPS may provide enough security to guard against malicious traffic
penetration and exploitation. However, this type of layered security measure
was not designed for identifying and stopping an unknown and unexpected DDoS
attack. They are ineffective in identifying and halting DDoS attacks with
signatures they don’t recognize and distributed traffic they cannot analyze.
Learn more aboutintrusion prevention systems (IPS) in the Executive’s Guide to DDoS
Protection.
IPv4 and IPv6 are Internet protocol versions
that set the standards for the network communications within the Internet. IP
is a connectionless or stateless protocol that does not guarantee delivery of
data nor confirm that it is delivered in proper sequence.
The name given to a suite of malicious PHP
scripts discovered on multiple compromised hosts. The main functionalities
appear to be file uploads, persistence, and DDoS traffic floods. Learn more
about itsnoproblembro.
Layer 3 and Layer 4 DDoS Attacks
Layer 3 and Layer 4 DDoS attacks are types of
volumetric DDoS attacks on a network infrastructure. Layer 3 (network layer)
and 4 (transport layer) DDoS attacks rely on extremely high volumes (floods) of
data to slow down web server performance, consume bandwidth and eventually
degrade access for legitimate users. These attack types typically include ICMP,
SYN, and UDP floods. Learn more about Layer 3 (L3), Layer 4 (L4) DDoS attacks in this case study of a financial
service firm.
A Layer 7 DDoS attack is an attack structured
to overload specific elements of an application server infrastructure. Layer 7
attacks are especially complex, stealthy, and difficult to detect because they
resemble legitimate website traffic. Even simple Layer 7 attacks – for example
those targeting login pages with random user IDs and passwords, or repetitive
random searches on dynamic websites – can critically overload CPUs and databases.
Also, DDoS attackers can randomize or repeatedly change the signatures of a
Layer 7 attack, making it more difficult to detect and mitigate. Learn more
about Layer 7 (L7) attacks in the white paper, Defending Against DDoS Attacks:
Strategies for the Network, Transport and Application Layers.
Local Privilege Escalation Exploit
A small piece of code that when executed,
elevates a user to root permissions through the exploitation of various
vulnerabilities. Learn more about recent DDoS attacks in this DDoS attack report.
LOIC
(Low Orbit Ion Cannon)
Low Orbit Ion Cannon is a popular early attack
tool used by hacktivist groups like Anonymous. LOIC is a program that is
downloaded and presents the user with a simple user interface and several
options to be able to participate in group attacks. LOIC does not spoof the
attack traffic. Any time LOIC is used to attack the client, the attacker’s IP
address can be identified if the client has forensic logs in their firewall or
server. LOIC also records fairly well known signatures, making it difficult for
the hacktivist or attacker using the tool to deny that they will fully launched
the attack. Learn more about a Low Orbit Ion Cannon (LOIC) DDoS attack in this white paper.
MPLS
(Multiprotocol Label Switching)
MPLS is used in telecommunications networks to
direct data from one network node to the next using short path labels. MPLS
abstracts forwarding from the underlying transport medium. Service providers
typically use MPLS to simplify the design and deployment of discrete services
like private WAN (Wide Area Network), VPN (Virtual Private Network) and
Internet transit across a single transport infrastructure, often with rich QoS
(Quality of Service) features.
Operation Payback represents a series of DDoS
attacks launched in September and December 2010 by hacktivists from the group
Anonymous. Attacks were launched targeting organizations that spoke out against
Wikileaks or refused to process payments in support of the whistle-blowing
website.
Packet headers are protocol-specific fields
placed at the beginning of a packet. Packet headers can indicate conditions,
such as when to initiate a conversation between networks, or parts of a
conversation, and indicate that a packet is fragmented, among other things.
DDoS attackers tend to manipulate packet header bits to launch SYN Floods, ACK
Floods, and other attacks by trying to exploit certain network configurations.
A packet sniffer isa tool which allows traffic
that is traveling over a network connection to be recorded and analyzed. Packet
sniffers are passive in that they do not interfere with the flow of information
over a network.
Passive inspection is a method by which packet
sniffers are plugged into network SPAN ports or network taps are deployed to
tap into copper or fiber communication flows. Prolexic’s Application
Based Monitoring service (PLXabm) uses packet sniffing
technology to facilitate passive network inspection diagnostics.
The payload contains all of the information
contained between the header and footer. The payload includes both higher level
protocols (and their headers, footers and payloads) and the actual data that is
being transferred in the communication. Read about a 1 million byte payload in
the Dirt Jumper Vulnerability Report case study.
A script in the PHP language that can execute
commands, view files, and perform other system administrative tasks. PHP shells
are often used to take control of web servers via web application
vulnerabilities. Learn more about php shell scripts in the Booter Shell Script Threat Advisory.
Prolexic Application-Based Monitoring (PLXabm)
is a DDoS detection service that identifies application-layer (Layer 7 or L7)
DDoS attacks – including low-and-slow Layer 7 attacks, and randomized HTTP and
HTTPS attacks – that can’t be detected by load balancers and intrusion
detection (IDS) systems. An on-premise monitoring appliance provides 24/7
visibility in conjunction with cloud-based historical correlation for real-time
DDoS forensics analysis. Learn more aboutPLXabm.
The PLxconnect service plan delivers Prolexic’s
routed DDoS protection service over a direct physical connection from the
customer network through a private cloud to Prolexic’s scrubbing centers. Like
Generic Route Encapsulation (GRE), this physical enables activation of DDoS
protection for an entire subnet during a DDoS attack. Unlike GRE, there is no
impact to maximum transmission units (MTUs), latency is predictable, and
PLXconnect offers high bandwidth. Learn more about PLXconnect.
Prolexic Flow-Based Monitoring (PLXfbm) is a
DDoS detection service that monitors changes in volumetric network traffic
flows (netflow) at customer network-edge routers. This 24/7 monitoring by
Prolexic’s Security Operations Center identifies Layer 3 (L3) and Layer 4 (L4)
DDoS attacks, allowing for faster DDoS mitigation. This service may be combined
with Prolexic’s Application-Based Monitoring Service (PLXabm). Learn more
about PLXfbm.
Prolexic Proxy Solution (PLXproxy) is an
emergency DDoS protection service from Prolexic that provides fast DDoS
mitigation for organizations that are under sustained DDoS attacks and need to
implement a DDoS defense immediately. Remapping the IP address associated with
a DNS name (a DNS redirect) is all that is required to activate this service.
Learn more about PLXproxy.
Prolexic Routed Solution (PLXrouted) is
Prolexic’s standard DDoS protection service that provides maximum protection
against the broadest range of DoS and DDoS attack types and defends against
sustained attacks of 100 Gbps. PLXrouted is a flexible, asymmetric, on-demand
service that lets Prolexic customers enable DDoS attack mitigation for an
entire subnet when needed. Learn more about PLXrouted.
A proxy is a network device which terminates
incoming traffic and then creates a new communication session which is used to
send the traffic to the actual destination. The proxy fits between the
requestor and the server and mediates all of the communication between the two.
Examples of proxy technologies are content switches and load balancers. Proxy
servers are most often used for DNS requests, HTTPS, and HTTP. When HTTPS is
being proxied, the proxy server itself must have copies of the public certificate
which includes the public key and the private key so it can effectively
terminate the SSL/TLS requests. Mitigating Layer 7 DDoS attacks is sometimes
carried out using proxies. Learn more about the Prolexic Proxy Solution (PLXproxy) for DDoS protection and mitigation.
An exploit that has been released to the
public via standard channels such as mailing lists, exploit archives, or forum
posts. Learn more about exploits in these DDoS threat
advisories.
A popular underground PHP shell that can be
used to execute commands, view files, and perform other system administrative
tasks. R57 is often used to take control of web servers via web application
vulnerabilities. Learn more about php shell scripts in the Booter Shell Script Threat Advisory.
Routed mitigation is a method of redirecting
traffic to a third-party provider, typically a cloud provider, using the BGP
protocol to ensure that all inbound traffic is configured to flow through the
third-party provider. The third-party provider becomes like a logical upstream
ISP to the organization in that it can analyze and selectively activate the
appropriate mitigation technologies as needed. Learn more about the Prolexic Routed Solution (PLXrouted) for DDoS protection and mitigation.
Scrubbing centers are technical facilities
purpose-built for scrubbing or removing malicious DDoS traffic from inbound
traffic streams when mitigating Distributed Denial of Service (DDoS) attacks.
Learn more about Prolexic’s DDoS network traffic scrubbing centers.
Spoofing is a method employed in DDoS attacks
in which the source IP address is altered to make it appear that it is coming
from a legitimate party rather than from a DDoS botnet. Spoofing is a common
way that attackers generate large DoS and DDoS attacks without revealing their
identity. The goal is to consume bandwidth and/or connection table resources on
servers, firewalls and content switches. The attackers may even be smart enough
to generate fake packets that appear as if they are coming from your own origin
servers or from other trusted traffic allowed through the firewall. Also, when
an attack targets the origin site with spoofed IP addresses, the attacker is
able to simply bypass CDNs, which are only protecting front door or HTTP and
HTTPS traffic. Learn more about IP address spoofing in this white paper, How to Defend
Against DDoS attacks: Strategies for the Network, Transport, and Application
Layers.
SSL
(Secure Sockets Layer)
SSL was a popular protocol for encrypting
TCP/IP streams over the Internet. SSL was first publically available in 1995
and the last version of SSL published was version 3.0 in 1996. SSL has been
replaced by the TLS (Transport Layer Security) protocol which grew from the SSL
3.0 specification. The HTTPS protocol now typically uses TLS, although popular
vernacular still refers to HTTPS as using SSL which is not strictly true. HTTPS
can negotiate the encryption protocols to be used and client/server negotiation
converges on TLS in most websites today.
A SYN flood is a Layer 4 infrastructure DDoS
attack method in which attackers send a huge flood of TCP/SYN packets, often
with a forged sender address to the server. SYN floods bring down a network
connection by using up the number of available connections the server can
accept. Consequently, it becomes impossible for the server to respond to
legitimate connection requests during this type of DDoS denial of service
attack. Learn more about SYN floods in this case study.
A SYN packet starts all communication between
an Internet request and a server. A SYN packet determines the nature of how the
communication is established and how the interchange of information will be
completed. SYN packets consist of a combination of the TCP flag, packet
sequence number, window size, acknowledgement number, and other information to
complete the request.
TCP flags are bits within a TCP protocol
header that describe the status of the connection and give information on how a
packet should be handled. Examples of TCP flags are SYN (Synchronize), ACK
(Acknowledgement) and PSH (push).
TCP Flag Abuse floods (URG, ACK, PSH, RST,
SYN, FIN) are stateless streams of protocol 6 (TCP) messages with odd
combinations or out-of-state requests. With modification to the control bits in
the TCP header, many different types of these floods are possible.
TCP Fragment floods are DDoS attacks that try
to overload the target’s processing of TCP messages due to the expense incurred
in reconstructing the datagrams. These floods often consume significant amounts
of bandwidth.
A TCP header is a header within the IP header
that contains additional information in the packet besides source and
destination.
Transmission Control Protocol is a stateful
protocol that is part of the Internet Protocol Suite. Using the three-way
handshake of SYN/ACK/FIN messages, TCP provides reliable delivery of
information or requests transferred from one computer to another. TCP is a
polite protocol that establishes communication back and forth with the server
upon arrival of a SYN request. It requires a conversation with a response or
acknowledgement (ACK) to each SYN request that is sent to the server. Because
it complements the Internet Protocol (IP), TCP is often referred to as TCP/IP.
The three-way handshake is the method by which
all stateful connections are made in the TCP protocol to ensure reliable
communication. Like a telephone conversation in which someone calls, someone
answers, and the caller responds back, the three-way handshake is a
conversation between the SYN request and the server. The server responds to a
SYN request with an ACK (acknowledgement) message to confirm that the request
was received. A stream of SYN/ACK communication usually follows until the
connection ends with both sides communicating a FIN (finish/end) message.
Because the three-way handshake requires bidirectional communication, it is
impossible to spoof a DDoS attack if a complete (and not a half-open) TCP
session exists.
The proxies that malicious actors use to
communicate with the command and control (C&C) and/or infected machines.
Learn more about command and control (C&C or C2) in the Dirt Jumper Threat Advisory.
TLS
(Transport Layer Security)
TLS is a cryptographic protocol built on top
of TCP that provides secure transmission of information over the Internet.
Versions of TLS are used for secure web browsing, email, and instant messaging.
TLS provides a stateful connection, which guards against tampering when
client/server applications communicate over a network. Many people still refer
to HTTPS as using the SSL protocol, but today TLS has supplanted SSL in general
as the default protocol of choice.
A Trojan program, also known as a Trojan
horse, is a kind of malware that appears harmless or is packaged with a useful
program with the intent to infect a machine. A Trojan program is a common
technique to enable a command-and-control server (C&C or C2) to compel a machine to participate in a
DDoS attack.
UDP floods are used frequently for larger
bandwidth DDoS attacks because they are connectionless and it is easy to
generate protocol 17 (UDP) messages from many different scripting and compiled
languages.
UDP Fragment floods are UDP floods that
typically contain messages larger than the maximum transmission units that are
sent from the malicious actor(s) to the target, consuming network bandwidth.
A UDP header is a component of the User
Datagram Protocol (UDP) that includes source port number, destination port
number, length in bytes of the entire datagram, and the checksum field for
error checking.
The UDP protocol is a stateless transmission
protocol with an emphasis on minimal latency rather than reliability in
transmitting information and requests over the Internet. User Datagram Protocol
(UDP) allows information and requests to be sent to a server without requiring
a response or acknowledgement that the request was received. UDP is considered
an unreliable protocol because information packets or requests may arrive out
of order, may be delayed, or may appear to be duplicated. There is no guarantee
that the information you transmit will be received.Learn more about the UDP protocol in the SNMP Amplification (SAD) Threat
Advisory.
A web application firewall controls access to
a specific application or service, blocking network traffic that does not meet
the required criteria.
Website defacement is a cyber attack in which
hackers obtain administrative access to a web site for the purpose of altering
its visual appearance, such as replacing existing content with content authored
by the hacker with malicious intent. One method of defacement involves breaking
into a web server and replacing the hosted site with the hacker’s web site.
