When it comes to distributed denial of service (DDoS) attacks, the various terms and acronyms can be quite confusing. Prolexic explains all in this glossary of terms. To learn even more, follow the links to other Prolexic resources.
HTTPS POST Flood
An HTTPS POST Flood is an HTTP POST Flood sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it. Learn more about detecting HTTPS POST Floods with application-based DDoS monitoring.
An HTTPS POST request is an encrypted version of an HTTP POST request. The actual data transferred back and forth is encrypted.
An HTTP response is a response to an HTTP request. An HTTP response can be compressed with Gzip style encoding and can include the object requested, such as an HTML page or JPEG image. HTTP responses also include a status code, such as “404 Not Found.” When mitigating DDoS attacks, Prolexic mitigation engineers analyze both HTTP requests and HTTP responses to fingerprint the attack.
Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany TCP packets when connecting to a server. An ICMP message may come back if a browser cannot reach a server.
An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth. Learn more about DDoS attack types, including ICMP floods, in this DDoS attack report.
An IDS is a system that can identify, log, and report malicious traffic activity, but is designed to report only on current security policies and existing threats. An IDS by itself does not perform DDoS attack mitigation. Learn about human security mitigation versus automated mitigation in this white paper.
IGMP floods are uncommon in modern DDoS attacks, but they use protocol 2 with limited message variations. This type of flood has the ability to consume large amounts of network bandwidth.
An infrastructure attack is a DDoS attack that overloads the network infrastructure by consuming large amounts of bandwidth, for example by making excessive connection requests without responding to confirm the connection, as in the case of a SYN flood. A proxy server can protect against these kinds of attacks by using cryptographic hashtags and SYN cookies. Learn how Prolexic Flow-based Monitoring (PLXfbm) detects infrastructure DDoS attacks.
The Internet Protocol Suite is the family of protocols used for Internet communications. IP (Internet Protocol) is a Layer 3 protocol used for communication between two end systems. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are Layer 4 protocols used to implement the communications channel between two end systems. The Internet Protocol Suite is commonly used on Wide Area Networks (WANs).
A spoofed IP address makes a DDoS attack appear to come from a different source than its actual source. As a result, the victim will not know who originated the attack.
An IPS is a security device designed to monitor and analyze activity at the client, server, and network level. An IPS may include firewalls and anti-virus software. It expands upon an IDS to perform the dropping or blocking of malicious traffic. The combination of IDS/IPS may provide enough security to guard against malicious traffic penetration and exploitation. However, this type of layered security measure was not designed for identifying and stopping an unknown and unexpected DDoS attack. They are ineffective in identifying and halting DDoS attacks with signatures they don’t recognize and distributed traffic they cannot analyze. Learn more about intrusion prevention systems (IPS) in the Executive’s Guide to DDoS Protection.
IPv4 and IPv6 are Internet protocol versions that set the standards for the network communications within the Internet. IP is a connectionless or stateless protocol that does not guarantee delivery of data nor confirm that it is delivered in proper sequence.
The name given to a suite of malicious PHP scripts discovered on multiple compromised hosts. The main functionalities appear to be file uploads, persistence, and DDoS traffic floods. Learn more about itsnoproblembro.
Layer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a network infrastructure. Layer 3 (network layer) and 4 (transport layer) DDoS attacks rely on extremely high volumes (floods) of data to slow down web server performance, consume bandwidth and eventually degrade access for legitimate users. These attack types typically include ICMP, SYN, and UDP floods. Learn more about Layer 3 (L3), Layer 4 (L4) DDoS attacks in this case study of a financial service firm.
A Layer 7 DDoS attack is an attack structured to overload specific elements of an application server infrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemble legitimate website traffic. Even simple Layer 7 attacks – for example those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites – can critically overload CPUs and databases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack, making it more difficult to detect and mitigate. Learn more about Layer 7 (L7) attacks in the white paper, Defending Against DDoS Attacks: Strategies for the Network, Transport and Application Layers.
A small piece of code that when executed, elevates a user to root permissions through the exploitation of various vulnerabilities. Learn more about recent DDoS attacks in this DDoS attack report.
Low Orbit Ion Cannon is a popular early attack tool used by hacktivist groups like Anonymous. LOIC is a program that is downloaded and presents the user with a simple user interface and several options to be able to participate in group attacks. LOIC does not spoof the attack traffic. Any time LOIC is used to attack the client, the attacker’s IP address can be identified if the client has forensic logs in their firewall or server. LOIC also records fairly well known signatures, making it difficult for the hacktivist or attacker using the tool to deny that they willfully launched the attack. Learn more about a Low Orbit Ion Cannon (LOIC) DDoS attack in this white paper.
MPLS is used in telecommunications networks to direct data from one network node to the next using short path labels. MPLS abstracts forwarding from the underlying transport medium. Service providers typically use MPLS to simplify the design and deployment of discrete services like private WAN (Wide Area Network), VPN (Virtual Private Network) and Internet transit across a single transport infrastructure, often with rich QoS (Quality of Service) features.
Operation Payback represents a series of DDoS attacks launched in September and December 2010 by hacktivists from the group Anonymous. Attacks were launched targeting organizations that spoke out against Wikileaks or refused to process payments in support of the whistle-blowing website.
A packet is a unit of transmission on a network. Read the press release Prolexic Mitigates World’s Largest Packet per Second DDoS Attack in 2011.
Packet headers are protocol-specific fields placed at the beginning of a packet. Packet headers can indicate conditions, such as when to initiate a conversation between networks, or parts of a conversation, and indicate that a packet is fragmented, among other things. DDoS attackers tend to manipulate packet header bits to launch SYN Floods, ACK Floods, and other attacks by trying to exploit certain network configurations.
A packet sniffer is a tool which allows traffic that is traveling over a network connection to be recorded and analyzed. Packet sniffers are passive in that they do not interfere with the flow of information over a network.
Passive inspection is a method by which packet sniffers are plugged into network SPAN ports or network taps are deployed to tap into copper or fiber communication flows. Prolexic’s Application Based Monitoring service (PLXabm) uses packet sniffing technology to facilitate passive network inspection diagnostics.
The payload contains all of the information contained between the header and footer. The payload includes both higher level protocols (and their headers, footers and payloads) and the actual data that is being transferred in the communication. Read about a 1 million byte payload in the Dirt Jumper Vulnerability Report case study.
A script in the PHP language that can execute commands, view files, and perform other system administrative tasks. PHP shells are often used to take control of web servers via web application vulnerabilities. Learn more about php shell scripts in the Booter Shell Script Threat Advisory.
Prolexic Application-Based Monitoring (PLXabm) is a DDoS detection service that identifies application-layer (Layer 7 or L7) DDoS attacks – including low-and-slow Layer 7 attacks, and randomized HTTP and HTTPS attacks – that can’t be detected by load balancers and intrusion detection (IDS) systems. An on-premise monitoring appliance provides 24/7 visibility in conjunction with cloud-based historical correlation for real-time DDoS forensics analysis. Learn more about PLXabm.
The PLXconnect service plan delivers Prolexic’s routed DDoS protection service over a direct physical connection from the customer network through a private cloud to Prolexic’s scrubbing centers. Like Generic Route Encapsulation (GRE), this physical connection enables activation of DDoS protection for an entire subnet during a DDoS attack. Unlike GRE, there is no impact to maximum transmission units (MTUs), latency is predictable, and PLXconnect offers high bandwidth. Learn more about PLXconnect.
Prolexic Flow-Based Monitoring (PLXfbm) is a DDoS detection service that monitors changes in volumetric network traffic flows (netflow) at customer network-edge routers. This 24/7 monitoring by Prolexic’s Security Operations Center identifies Layer 3 (L3) and Layer 4 (L4) DDoS attacks, allowing for faster DDoS mitigation. This service may be combined with Prolexic’s Application-Based Monitoring Service (PLXabm). Learn more about PLXfbm.
Prolexic Proxy Solution (PLXproxy) is an emergency DDoS protection service from Prolexic that provides fast DDoS mitigation for organizations that are under sustained DDoS attacks and need to implement a DDoS defense immediately. Remapping the IP address associated with a DNS name (a DNS redirect) is all that is required to activate this service. Learn more about PLXproxy.
Prolexic Routed Solution (PLXrouted) is Prolexic’s standard DDoS protection service that provides maximum protection against the broadest range of DoS and DDoS attack types and defends against sustained attacks of 100 Gbps. PLXrouted is a flexible, asymmetric, on-demand service that lets Prolexic customers enable DDoS attack mitigation for an entire subnet when needed. Learn more about PLXrouted.
A proxy is a network device which terminates incoming traffic and then creates a new communication session which is used to send the traffic to the actual destination. The proxy fits between the requestor and the server and mediates all of the communication between the two. Examples of proxy technologies are content switches and load balancers. Proxy servers are most often used for DNS requests, HTTPS, and HTTP. When HTTPS is being proxied, the proxy server itself must have copies of the public certificate which includes the public key and the private key so it can effectively terminate the SSL/TLS requests. Mitigating Layer 7 DDoS attacks is sometimes carried out using proxies. Learn more about the Prolexic Proxy Solution (PLXproxy) for DDoS protection and mitigation.
An exploit that has been released to the public via standard channels such as mailing lists, exploit archives, or forum posts. Learn more about exploits in these DDoS threat advisories.
A popular underground PHP shell that can be used to execute commands, view files, and perform other system administrative tasks. R57 is often used to take control of web servers via web application vulnerabilities. Learn more about php shell scripts in the Booter Shell Script Threat Advisory.
Routed mitigation is a method of redirecting traffic to a third-party provider, typically a cloud provider, using the BGP protocol to ensure that all inbound traffic is configured to flow through the third-party provider. The third-party provider becomes like a logical upstream ISP to the organization in that it can analyze and selectively activate the appropriate mitigation technologies as needed. Learn more about the Prolexic Routed Solution (PLXrouted) for DDoS protection and mitigation.
Scrubbing centers are technical facilities purpose-built for scrubbing or removing malicious DDoS traffic from inbound traffic streams when mitigating Distributed Denial of Service (DDoS) attacks. Learn more about Prolexic’s DDoS network traffic scrubbing centers.
Spoofing is a method employed in DDoS attacks in which the source IP address is altered to make it appear that it is coming from a legitimate party rather than from a DDoS botnet. Spoofing is a common way that attackers generate large DoS and DDoS attacks without revealing their identity. The goal is to consume bandwidth and/or connection table resources on servers, firewalls and content switches. The attackers may even be smart enough to generate fake packets that appear as if they are coming from your own origin servers or from other trusted traffic allowed through the firewall. Also, when an attack targets the origin site with spoofed IP addresses, the attacker is able to simply bypass CDNs, which are only protecting front door or HTTP and HTTPS traffic. Learn more about IP address spoofing in this white paper, How to Defend Against DDoS attacks: Strategies for the Network, Transport, and Application Layers.
SSL was a popular protocol for encrypting TCP/IP streams over the Internet. SSL was first publicly available in 1995 and the last version of SSL published was version 3.0 in 1996. SSL has been replaced by the TLS (Transport Layer Security) protocol which grew from the SSL 3.0 specification. The HTTPS protocol now typically uses TLS, although popular vernacular still refers to HTTPS as using SSL which is not strictly true. HTTPS can negotiate the encryption protocols to be used and client/server negotiation converges on TLS in most websites today.
A SYN flood is a Layer 4 infrastructure DDoS attack method in which attackers send a huge flood of TCP/SYN packets, often with a forged sender address to the server. SYN floods bring down a network connection by using up the number of available connections the server can accept. Consequently, it becomes impossible for the server to respond to legitimate connection requests during this type of DDoS denial of service attack. Learn more about SYN floods in this case study.
A SYN packet starts all communication between an Internet request and a server. A SYN packet determines the nature of how the communication is established and how the interchange of information will be completed. SYN packets consist of a combination of the TCP flag, packet sequence number, window size, acknowledgement number, and other information to complete the request.
TCP flags are bits within a TCP protocol header that describe the status of the connection and give information on how a packet should be handled. Examples of TCP flags are SYN (Synchronize), ACK (Acknowledgement) and PSH (push).
TCP Flag Abuse floods (URG, ACK, PSH, RST, SYN, FIN) are stateless streams of protocol 6 (TCP) messages with odd combinations or out-of-state requests. With modification to the control bits in the TCP header, many different types of these floods are possible.
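The two entries above (TCP flags and TCP Flag Abuse floods) can be illustrated from the monitoring side. The following is an added example, not Prolexic code: it reads the control bits from raw TCP headers and counts odd combinations and out-of-state segments. The classification rules, label names, port-pair flow key and sample headers are assumptions constructed for this illustration.

```python
import struct
from collections import Counter

# TCP control bits: byte 13 of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HDR = struct.Struct("!HHIIBBHHH")  # ports, seq, ack, offset, flags, window, csum, urg


def build_header(sport, dport, *names):
    """Construct a 20-byte TCP header for the sample data (helper of this example)."""
    bits = sum(FLAGS[n] for n in names)
    return HDR.pack(sport, dport, 0, 0, 5 << 4, bits, 8192, 0, 0)


def parse(tcp_header):
    """Return (source port, destination port, set of flag names)."""
    if len(tcp_header) < HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, _, bits, _, _, _ = HDR.unpack(tcp_header[:HDR.size])
    return sport, dport, {n for n, mask in FLAGS.items() if bits & mask}


def odd_combination(flags):
    """Name a flag set outside normal TCP behaviour, or None (rules are assumptions)."""
    if not flags:
        return "no-flags"
    if "SYN" in flags and flags & {"FIN", "RST"}:
        return "syn+fin/rst"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "fin+psh+urg"
    if "ACK" not in flags and not flags & {"SYN", "RST"}:
        return "missing-ack"
    return None


def scan(headers):
    """Count findings; the flow key is the port pair, as the sample has no IP layer."""
    opened = set()  # flows that started with a plain SYN
    findings = Counter()
    for raw in headers:
        sport, dport, flags = parse(raw)
        label = odd_combination(flags)
        if label is None and "SYN" not in flags and (sport, dport) not in opened:
            label = "out-of-state"  # ACK/RST/... for a connection never opened
        if flags == {"SYN"}:
            opened.add((sport, dport))
        findings[label or "ok"] += 1
    return findings


# Constructed sample: one normal client (port 40000) followed by abusive segments.
SAMPLE = [
    build_header(40000, 80, "SYN"), build_header(40000, 80, "ACK"),
    build_header(40000, 80, "PSH", "ACK"),
    build_header(40001, 80, "ACK"), build_header(40006, 80, "RST"),
    build_header(40002, 80, "SYN", "FIN"), build_header(40003, 80),
    build_header(40004, 80, "FIN", "PSH", "URG"), build_header(40005, 80, "URG"),
]

if __name__ == "__main__":
    for label, count in scan(SAMPLE).most_common():
        print(f"{label:13} {count}")
```

A real monitor would key flows on the full address and port 4-tuple and expire entries, since a table that grows with every SYN is itself a target for exhaustion.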
TCP Fragment floods are DDoS attacks that try to overload the target’s processing of TCP messages due to the expense incurred in reconstructing the datagrams. These floods often consume significant amounts of bandwidth.
A TCP header is a header within the IP header that contains additional information in the packet besides source and destination.
Transmission Control Protocol is a stateful protocol that is part of the Internet Protocol Suite. Using the three-way handshake of SYN/ACK/FIN messages, TCP provides reliable delivery of information or requests transferred from one computer to another. TCP is a polite protocol that establishes communication back and forth with the server upon arrival of a SYN request. It requires a conversation with a response or acknowledgement (ACK) to each SYN request that is sent to the server. Because it complements the Internet Protocol (IP), TCP is often referred to as TCP/IP.
The three-way handshake is the method by which all stateful connections are made in the TCP protocol to ensure reliable communication. Like a telephone conversation in which someone calls, someone answers, and the caller responds back, the three-way handshake is a conversation between the SYN request and the server. The server responds to a SYN request with an ACK (acknowledgement) message to confirm that the request was received. A stream of SYN/ACK communication usually follows until the connection ends with both sides communicating a FIN (finish/end) message. Because the three-way handshake requires bidirectional communication, it is impossible to spoof a DDoS attack if a complete (and not a half-open) TCP session exists.
The proxies that malicious actors use to communicate with the command and control (C&C) and/or infected machines. Learn more about command and control (C&C or C2) in the Dirt Jumper Threat Advisory.
TLS is a cryptographic protocol built on top of TCP that provides secure transmission of information over the Internet. Versions of TLS are used for secure web browsing, email, and instant messaging. TLS provides a stateful connection, which guards against tampering when client/server applications communicate over a network. Many people still refer to HTTPS as using the SSL protocol, but today TLS has supplanted SSL in general as the default protocol of choice.
A Trojan program, also known as a Trojan horse, is a kind of malware that appears harmless or is packaged with a useful program with the intent to infect a machine. A Trojan program is a common technique to enable a command-and-control server (C&C or C2) to compel a machine to participate in a DDoS attack.
UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.
UDP Fragment floods are UDP floods that typically contain messages larger than the maximum transmission units that are sent from the malicious actor(s) to the target, consuming network bandwidth.
A UDP header is a component of the User Datagram Protocol (UDP) that includes source port number, destination port number, length in bytes of the entire datagram, and the checksum field for error checking.
The UDP protocol is a stateless transmission protocol with an emphasis on minimal latency rather than reliability in transmitting information and requests over the Internet. User Datagram Protocol (UDP) allows information and requests to be sent to a server without requiring a response or acknowledgement that the request was received. UDP is considered an unreliable protocol because information packets or requests may arrive out of order, may be delayed, or may appear to be duplicated. There is no guarantee that the information you transmit will be received. Learn more about the UDP protocol in the SNMP Amplification (SAD) Threat Advisory.
A web application firewall controls access to a specific application or service, blocking network traffic that does not meet the required criteria.
Website defacement is a cyber attack in which hackers obtain administrative access to a web site for the purpose of altering its visual appearance, such as replacing existing content with content authored by the hacker with malicious intent. One method of defacement involves breaking into a web server and replacing the hosted site with the hacker’s web site.