Search This Blog

Monday, 29 April 2013

DoS and DDoS Glossary of Terms (Part 2)

When it comes to distributed denial of service (DDoS) attacks, the various terms and acronyms can be quite confusing. Prolexic explains all in this glossary of terms. To learn even more, follow the links to other Prolexic resources.

An HTTPS POST Flood is an HTTP POST Flood sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it. Learn more about detecting HTTPS POST Floods with application-based DDoS monitoring.
An HTTPS POST request is an encrypted version of a HTTP POST request. The actual data transferred back and forth is encrypted.
HTTP Response
An HTTP response is a response to an HTTP request. An HTTP response can be compressed with Gzip style encoding and can include the object requested, such as an HTML page or JPEG image. HTTP responses also include status code such as “404 Not Found.” When mitigating DDoS attacks, Prolexic mitigation engineers analyze both HTTP requests and HTTP responses to fingerprint the attack.
ICMP (Internet Control Message Protocol)
Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany TCP packets when connecting to a server. An ICMP message may come back if a browser cannot reach a server.
ICMP Flood
An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth. Learn more about DDoS attack types, including ICMP floods, in this DDoS attack report.
IDS (Intrusion Detection System)
An IDS is a system that can identify, log, and report malicious traffic activity, but is designed to report only on current security policies and existing threats. An IDS by itself does not perform DDoS attack mitigation. Learn about human security mitigation versus automated mitigation in this white paper.
IGMP Flood
IGMP floods are uncommon in modern DDoS attacks, but they use protocol 2 with limited message variations. This type of flood has the ability to consume large amounts of network bandwidth.
Infrastructure DDoS Attack
An infrastructure attack is a DDoS attack that overloads the network infrastructure by consuming large amounts of bandwidth, for example by making excessive connection requests without responding to confirm the connection, as in the case of a SYN flood. A proxy server can protect against these kinds of attacks by using cryptographic hashtags and SYN cookies. Learn howProlexic Flow-based Monitoring (PLXfbm) detects infrastructure DDoS attacks.
Internet Protocol Suite
The Internet Protocol Suite is the family of protocols used for Internet communications. IP (Internet Protocol) is a Layer 3 protocol used for communication between two end systems. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are Layer 4 protocols used to implement the communications channel between two end systems. The Internet Protocol Suite is commonly used on Wide Area Networks (WANs).
IP Spoof
A spoofed IP address makes a DDoS attack appear to come from a different source than its actual source. As a result, the victim will not know who originated the attack.
IPS (Intrusion Prevention System)
An IPS is a security device designed to monitor and analyze activity at the client, server, and network level. An IPS may include firewalls and anti-virus software. It expands upon an IDS to perform the dropping or blocking of malicious traffic. The combination of IDS/IPS may provide enough security to guard against malicious traffic penetration and exploitation. However, this type of layered security measure was not designed for identifying and stopping an unknown and unexpected DDoS attack. They are ineffective in identifying and halting DDoS attacks with signatures they don’t recognize and distributed traffic they cannot analyze. Learn more aboutintrusion prevention systems (IPS) in the Executive’s Guide to DDoS Protection.
IPv4 and IPv6
IPv4 and IPv6 are Internet protocol versions that set the standards for the network communications within the Internet. IP is a connectionless or stateless protocol that does not guarantee delivery of data nor confirm that it is delivered in proper sequence.
The name given to a suite of malicious PHP scripts discovered on multiple compromised hosts. The main functionalities appear to be file uploads, persistence, and DDoS traffic floods. Learn more about itsnoproblembro.
Layer 3 and Layer 4 DDoS Attacks
Layer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a network infrastructure. Layer 3 (network layer) and 4 (transport layer) DDoS attacks rely on extremely high volumes (floods) of data to slow down web server performance, consume bandwidth and eventually degrade access for legitimate users. These attack types typically include ICMP, SYN, and UDP floods. Learn more about Layer 3 (L3), Layer 4 (L4) DDoS attacks in this case study of a financial service firm.
Layer 7 DDoS Attack
A Layer 7 DDoS attack is an attack structured to overload specific elements of an application server infrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemble legitimate website traffic. Even simple Layer 7 attacks – for example those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites – can critically overload CPUs and databases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack, making it more difficult to detect and mitigate. Learn more about Layer 7 (L7) attacks in the white paper, Defending Against DDoS Attacks: Strategies for the Network, Transport and Application Layers.
Local Privilege Escalation Exploit
A small piece of code that when executed, elevates a user to root permissions through the exploitation of various vulnerabilities. Learn more about recent DDoS attacks in this DDoS attack report.
LOIC (Low Orbit Ion Cannon)
Low Orbit Ion Cannon is a popular early attack tool used by hacktivist groups like Anonymous. LOIC is a program that is downloaded and presents the user with a simple user interface and several options to be able to participate in group attacks. LOIC does not spoof the attack traffic. Any time LOIC is used to attack the client, the attacker’s IP address can be identified if the client has forensic logs in their firewall or server. LOIC also records fairly well known signatures, making it difficult for the hacktivist or attacker using the tool to deny that they will fully launched the attack. Learn more about a Low Orbit Ion Cannon (LOIC) DDoS attack in this white paper.
MPLS (Multiprotocol Label Switching)
MPLS is used in telecommunications networks to direct data from one network node to the next using short path labels. MPLS abstracts forwarding from the underlying transport medium. Service providers typically use MPLS to simplify the design and deployment of discrete services like private WAN (Wide Area Network), VPN (Virtual Private Network) and Internet transit across a single transport infrastructure, often with rich QoS (Quality of Service) features.
Operation Payback
Operation Payback represents a series of DDoS attacks launched in September and December 2010 by hacktivists from the group Anonymous. Attacks were launched targeting organizations that spoke out against Wikileaks or refused to process payments in support of the whistle-blowing website.
A packet is a unit of transmission on a network. Read the press release Prolexic Mitigates World’s Largest Packet per Second DDoS Attack in 2011.
Packet Header
Packet headers are protocol-specific fields placed at the beginning of a packet. Packet headers can indicate conditions, such as when to initiate a conversation between networks, or parts of a conversation, and indicate that a packet is fragmented, among other things. DDoS attackers tend to manipulate packet header bits to launch SYN Floods, ACK Floods, and other attacks by trying to exploit certain network configurations.
Packet Sniffer
A packet sniffer isa tool which allows traffic that is traveling over a network connection to be recorded and analyzed. Packet sniffers are passive in that they do not interfere with the flow of information over a network.
Passive Inspection
Passive inspection is a method by which packet sniffers are plugged into network SPAN ports or network taps are deployed to tap into copper or fiber communication flows. Prolexic’s Application Based Monitoring service (PLXabm) uses packet sniffing technology to facilitate passive network inspection diagnostics.
The payload contains all of the information contained between the header and footer. The payload includes both higher level protocols (and their headers, footers and payloads) and the actual data that is being transferred in the communication. Read about a 1 million byte payload in the Dirt Jumper Vulnerability Report case study.
PHP Shell, PHP Webshell
A script in the PHP language that can execute commands, view files, and perform other system administrative tasks. PHP shells are often used to take control of web servers via web application vulnerabilities. Learn more about php shell scripts in the Booter Shell Script Threat Advisory.
Prolexic Application-Based Monitoring (PLXabm) is a DDoS detection service that identifies application-layer (Layer 7 or L7) DDoS attacks – including low-and-slow Layer 7 attacks, and randomized HTTP and HTTPS attacks – that can’t be detected by load balancers and intrusion detection (IDS) systems. An on-premise monitoring appliance provides 24/7 visibility in conjunction with cloud-based historical correlation for real-time DDoS forensics analysis. Learn more aboutPLXabm.
The PLxconnect service plan delivers Prolexic’s routed DDoS protection service over a direct physical connection from the customer network through a private cloud to Prolexic’s scrubbing centers. Like Generic Route Encapsulation (GRE), this physical enables activation of DDoS protection for an entire subnet during a DDoS attack. Unlike GRE, there is no impact to maximum transmission units (MTUs), latency is predictable, and PLXconnect offers high bandwidth. Learn more about PLXconnect.
Prolexic Flow-Based Monitoring (PLXfbm) is a DDoS detection service that monitors changes in volumetric network traffic flows (netflow) at customer network-edge routers. This 24/7 monitoring by Prolexic’s Security Operations Center identifies Layer 3 (L3) and Layer 4 (L4) DDoS attacks, allowing for faster DDoS mitigation. This service may be combined with Prolexic’s Application-Based Monitoring Service (PLXabm). Learn more about PLXfbm.
Prolexic Proxy Solution (PLXproxy) is an emergency DDoS protection service from Prolexic that provides fast DDoS mitigation for organizations that are under sustained DDoS attacks and need to implement a DDoS defense immediately. Remapping the IP address associated with a DNS name (a DNS redirect) is all that is required to activate this service. Learn more about PLXproxy.
Prolexic Routed Solution (PLXrouted) is Prolexic’s standard DDoS protection service that provides maximum protection against the broadest range of DoS and DDoS attack types and defends against sustained attacks of 100 Gbps. PLXrouted is a flexible, asymmetric, on-demand service that lets Prolexic customers enable DDoS attack mitigation for an entire subnet when needed. Learn more about PLXrouted.
A proxy is a network device which terminates incoming traffic and then creates a new communication session which is used to send the traffic to the actual destination. The proxy fits between the requestor and the server and mediates all of the communication between the two. Examples of proxy technologies are content switches and load balancers. Proxy servers are most often used for DNS requests, HTTPS, and HTTP. When HTTPS is being proxied, the proxy server itself must have copies of the public certificate which includes the public key and the private key so it can effectively terminate the SSL/TLS requests. Mitigating Layer 7 DDoS attacks is sometimes carried out using proxies. Learn more about the Prolexic Proxy Solution (PLXproxy) for DDoS protection and mitigation.
Public Exploit
An exploit that has been released to the public via standard channels such as mailing lists, exploit archives, or forum posts. Learn more about exploits in these DDoS threat advisories.
R57 Shell
A popular underground PHP shell that can be used to execute commands, view files, and perform other system administrative tasks. R57 is often used to take control of web servers via web application vulnerabilities. Learn more about php shell scripts in the Booter Shell Script Threat Advisory.
Routed Mitigation
Routed mitigation is a method of redirecting traffic to a third-party provider, typically a cloud provider, using the BGP protocol to ensure that all inbound traffic is configured to flow through the third-party provider. The third-party provider becomes like a logical upstream ISP to the organization in that it can analyze and selectively activate the appropriate mitigation technologies as needed. Learn more about the Prolexic Routed Solution (PLXrouted) for DDoS protection and mitigation.
Scrubbing Centers
Scrubbing centers are technical facilities purpose-built for scrubbing or removing malicious DDoS traffic from inbound traffic streams when mitigating Distributed Denial of Service (DDoS) attacks. Learn more about Prolexic’s DDoS network traffic scrubbing centers.
Spoofing IP Addresses
Spoofing is a method employed in DDoS attacks in which the source IP address is altered to make it appear that it is coming from a legitimate party rather than from a DDoS botnet. Spoofing is a common way that attackers generate large DoS and DDoS attacks without revealing their identity. The goal is to consume bandwidth and/or connection table resources on servers, firewalls and content switches. The attackers may even be smart enough to generate fake packets that appear as if they are coming from your own origin servers or from other trusted traffic allowed through the firewall. Also, when an attack targets the origin site with spoofed IP addresses, the attacker is able to simply bypass CDNs, which are only protecting front door or HTTP and HTTPS traffic. Learn more about IP address spoofing in this white paper, How to Defend Against DDoS attacks: Strategies for the Network, Transport, and Application Layers.
SSL (Secure Sockets Layer)
SSL was a popular protocol for encrypting TCP/IP streams over the Internet. SSL was first publically available in 1995 and the last version of SSL published was version 3.0 in 1996. SSL has been replaced by the TLS (Transport Layer Security) protocol which grew from the SSL 3.0 specification. The HTTPS protocol now typically uses TLS, although popular vernacular still refers to HTTPS as using SSL which is not strictly true. HTTPS can negotiate the encryption protocols to be used and client/server negotiation converges on TLS in most websites today.
SYN Flood
A SYN flood is a Layer 4 infrastructure DDoS attack method in which attackers send a huge flood of TCP/SYN packets, often with a forged sender address to the server. SYN floods bring down a network connection by using up the number of available connections the server can accept. Consequently, it becomes impossible for the server to respond to legitimate connection requests during this type of DDoS denial of service attack. Learn more about SYN floods in this case study.
SYN Packet
A SYN packet starts all communication between an Internet request and a server. A SYN packet determines the nature of how the communication is established and how the interchange of information will be completed. SYN packets consist of a combination of the TCP flag, packet sequence number, window size, acknowledgement number, and other information to complete the request.
TCP Flags
TCP flags are bits within a TCP protocol header that describe the status of the connection and give information on how a packet should be handled. Examples of TCP flags are SYN (Synchronize), ACK (Acknowledgement) and PSH (push).
TCP Flag Abuse Flood
TCP Flag Abuse floods (URG, ACK, PSH, RST, SYN, FIN) are stateless streams of protocol 6 (TCP) messages with odd combinations or out-of-state requests. With modification to the control bits in the TCP header, many different types of these floods are possible.
TCP Fragment Flood
TCP Fragment floods are DDoS attacks that try to overload the target’s processing of TCP messages due to the expense incurred in reconstructing the datagrams. These floods often consume significant amounts of bandwidth.
TCP Header
A TCP header is a header within the IP header that contains additional information in the packet besides source and destination.
TCP Protocol
Transmission Control Protocol is a stateful protocol that is part of the Internet Protocol Suite. Using the three-way handshake of SYN/ACK/FIN messages, TCP provides reliable delivery of information or requests transferred from one computer to another. TCP is a polite protocol that establishes communication back and forth with the server upon arrival of a SYN request. It requires a conversation with a response or acknowledgement (ACK) to each SYN request that is sent to the server. Because it complements the Internet Protocol (IP), TCP is often referred to as TCP/IP.
Three-Way Handshake
The three-way handshake is the method by which all stateful connections are made in the TCP protocol to ensure reliable communication. Like a telephone conversation in which someone calls, someone answers, and the caller responds back, the three-way handshake is a conversation between the SYN request and the server. The server responds to a SYN request with an ACK (acknowledgement) message to confirm that the request was received. A stream of SYN/ACK communication usually follows until the connection ends with both sides communicating a FIN (finish/end) message. Because the three-way handshake requires bidirectional communication, it is impossible to spoof a DDoS attack if a complete (and not a half-open) TCP session exists.
Tier-2 Network
The proxies that malicious actors use to communicate with the command and control (C&C) and/or infected machines. Learn more about command and control (C&C or C2) in the Dirt Jumper Threat Advisory.
TLS (Transport Layer Security)
TLS is a cryptographic protocol built on top of TCP that provides secure transmission of information over the Internet. Versions of TLS are used for secure web browsing, email, and instant messaging. TLS provides a stateful connection, which guards against tampering when client/server applications communicate over a network. Many people still refer to HTTPS as using the SSL protocol, but today TLS has supplanted SSL in general as the default protocol of choice.
Trojan Program
A Trojan program, also known as a Trojan horse, is a kind of malware that appears harmless or is packaged with a useful program with the intent to infect a machine. A Trojan program is a common technique to enable a command-and-control server (C&C or C2) to compel a machine to participate in a DDoS attack.
UDP Flood
UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.
UDP Fragment Flood
UDP Fragment floods are UDP floods that typically contain messages larger than the maximum transmission units that are sent from the malicious actor(s) to the target, consuming network bandwidth.
UDP Header
A UDP header is a component of the User Datagram Protocol (UDP) that includes source port number, destination port number, length in bytes of the entire datagram, and the checksum field for error checking.
UDP Protocol
The UDP protocol is a stateless transmission protocol with an emphasis on minimal latency rather than reliability in transmitting information and requests over the Internet. User Datagram Protocol (UDP) allows information and requests to be sent to a server without requiring a response or acknowledgement that the request was received. UDP is considered an unreliable protocol because information packets or requests may arrive out of order, may be delayed, or may appear to be duplicated. There is no guarantee that the information you transmit will be received.Learn more about the UDP protocol in the SNMP Amplification (SAD) Threat Advisory.
Web Application Firewall
A web application firewall controls access to a specific application or service, blocking network traffic that does not meet the required criteria.
Website Defacement
Website defacement is a cyber attack in which hackers obtain administrative access to a web site for the purpose of altering its visual appearance, such as replacing existing content with content authored by the hacker with malicious intent. One method of defacement involves breaking into a web server and replacing the hosted site with the hacker’s web site.

DoS and DDoS Glossary of Terms (Part 1)

When it comes to distributed denial of service (DDoS) attacks, the various terms and acronyms can be quite confusing. Prolexic explains all in this glossary of terms. To learn even more, follow the links to other Prolexic resources.

Amplification Attack
Amplification is when an attacker makes a request that generates a larger response. Examples of common amplification attacks include DNS requests for large TXT records and HTTP GET requests for large image files. Learn more about amplification attacks in the SNMP Amplification (SAD) Threat Advisory.
Application DDoS Attack
An application-level attack is a DDoS attack that overloads an application server, such as by making excessive login, database lookup or search requests. Application attacks are harder to detect than other kinds of DDoS attacks, because the connection has already been established and the requests may appear to be from legitimate users. However, once identified, these attacks can be stopped and traced back a specific source more easily than other types of DDoS attacks. Learn how Prolexic Application-based Monitoring (PLXabm) detects application DDoS attacks.
Application Monitoring
Application monitoring is the practice of monitoring software applications using a dedicated set of algorithms, technologies and approaches to detect zero-day and application layer (Layer 7 attacks). This monitoring approach is different and goes beyond the capabilities of hybrid monitoring systems, such as web application firewalls. Learn more about application monitoring.
APT (Advanced Persistent Threat)
An APT refers to a sustained, Internet-enabled form of cyber espionage led by a powerful entity, such as a government, with the intent to gain access to a specific target, such as a political resistance group or another government. APTs often employ DDoS attacks.
ASN (Autonomous System Number)
An Autonomous System (AS) is a network or group of networks that has a single and clearly defined external routing policy. A public AS has a globally unique number associated with it (ASN). This ASN (Autonomous System Number) is used both in the exchange of external routing information (between neighboring autonomous systems) and as an identifier of the AS itself. Every IP address that is publicly routed belongs to an ASN. Learn more about autonomous system numbers (ASN) in this attack report.
Attack Signature
A DDoS attack signature is a block of code unique to a specific DDoS attack. Knowing the attack signature allows a DDoS protection specialist to identify and block the DDoS attack. A hacker may randomize a portion of the attack signature in an attempt to fool security experts, but other parts of the attack signature will stay the same. See an example of an attack signature in the Pandora DDoS Threat Advisory.
BGP (Border Gateway Protocol)
The Border Gateway Protocol (BGP) is used to make core routing decisions on the Internet and is the protocol used by organizations to exchange routing information. Prolexic uses BGP to enable organizations to redirect network traffic through its scrubbing centers.
Booter Shell Scripts
Booter shell scripts are customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic. These are standalone files that execute GET/POST floods when accessed via HTTP. With booter shells, DDoS attacks can be launched more readily and can cause more damage, with far fewer machines. The skill level required to take over a web server and convert it to a bot is greatly reduced when using a booter shell. A DDoS booter shell script can be easily deployed by anyone who purchases hosted server resources or makes use of simple web application vulnerabilities such as RFI, LFI, SQLi and WebDAV exploits. Learn more in the Booter Shell Script Threat Advisory.
A bot is a computer that is under control of a third party. Learn more about bots.
A botnet is a network of bots that can be commanded as a single group entity by a command and control system. Botnets receive instructions from command and control systems to launch DDoS attacks. Learn more about botnets.
Botnet Takedown
A botnet takedown is the process of identifying bots and then working with law enforcement and security experts to measure inbound and outbound traffic to and from the bots. The goal is to trace the traffic to find the location of the command and control server that controls the botnet. When the command and control server is brought down the botnet can no longer be used in a DDoS attack. Learn more about how to take down a botnet.
Botnet Takeover
A botnet takeover occurs when one hacker tries to take over another hacker’s command and control server. The intent of the rogue hacker is to subvert the control of the command and control server from its original owner by changing the passwords and locking down the server. Learn more about how to take over a botnet.
A web server infected with “itsoknoproblembro” scripts. Learn more about itsnoproblembro.
C99 Shell
A popular underground PHP shell that can be used to execute commands, view files, and perform other system administrative tasks. C99 is often used to take control of web servers via web application vulnerabilities. Learn more about DDoS attack types in this DDoS attack report.
CA (Certificate Authority)
A certificate authority is a trusted third party which issues digital certificates and is the ultimate key-stone in building digital trust relationships.
Caching is the method in which a repetitive request for information is remembered in the server memory in order to serve up the same type of request faster. Modern systems employ extensive use of caching at almost every layer of application design. Web servers always try to cache repetitive static content from memory. Database servers also attempt to cache repetitive queries. Attackers exploit caching by making requests for items that would not likely be cached, forcing the applications to increase CPU and disk usage.
A certificate is an electronic document that contains information that can be used to answer trust questions between clients and servers and also provide the basis for secure communications. A common problem on the Internet for a client is trusting the identity of the server it is connecting to. To solve this problem, a server can present a client with a certificate, digitally “signed” by a third party that the client trusts. If the client does not trust the signing party, it can choose not to trust the server. Certificates can also be used by the server to trust clients or other servers. It is important to remember that the reason certificates exist at all is to establish trust and they depend upon a mutually trusted third party.

Command and Control
Command and control refers to the main server used by a DDoS attacker to control the botnets used in a DDoS attack. Learn more about botnet command and control (C&C or C2).
A certificate revocation list is a public list that registers the revocation of digital certificates of public keys required for Internet-based transactions. When a certificate is placed on the CRL, it can no longer be used to establish trust between the client and the server. The server or the key may be compromised. Web browsers will check the URL to see if a website’s certificate has been revoked.
Cyberterrorism represents acts of Internet-based hacking that cause large-scale disruption to computer networks through the use of computer viruses and other malicious tools, such as worms and Trojan programs. The motivation for cyberterrorism attacks is to create widespread panic and disruption. Hacktivist groups may use cyberterrorism campaigns to protest or promote certain ideological or political beliefs.
Data Breach
A data breach involves obtaining unauthorized access to confidential or sensitive information such as customers’ personal information, corporate financial records, credit card or bank account details. A data breach is often accompanied by the intentional public release of the confidential information obtained by hacktivists during the cyber attack.
Dirt Jumper
Dirt Jumper is a high-risk DDoS toolkit that can be used to launch application layer attacks on websites. Dirt Jumper is a prepackaged toolkit that has evolved from the Russkill strain of malware. It is now widely available on various underground websites and retails for as little as US $150. Dirt Jumper can be spread via spam, exploit kits and fake downloads and can be pushed out to machines already infected with other forms of malware. Prolexic has developed a security-scanning tool that can be used to detect Dirt Jumper command-and-control servers. Download the Dirt Jumper threat advisory and scanner..
DNS (Domain Name System)
The Domain Name System translates Internet domain names into Internet protocol addresses. DNS transforms a domain name such as and converts it into the actual IP address much as a phone book takes a name and converts it to a phone number. It is possible for many domain names to have the same IP address because one server can support a huge number of domain names. One DNS name can also be configured to map to several IP addresses. For example, if a URL maps to five different addresses, a web browser will go to any one of them to access the site. Learn more about how DNS is used in to redirect network traffic to a DDoS protection and mitigation service.
DNS Flood
DNS floods are used for attacking both the infrastructure and a DNS application. This denial of service attack type allows DDoS attackers to use both reflection and spoofed direct attacks that can overwhelm a target’s infrastructure by consuming all available network bandwidth.
DNS Propagation
DNS propagation is when DNS updates propagate out to DNS servers when requested by client systems. Propagation takes time and is cached by the requestor and the intermediary DNS servers for the period defined in the time-to-live (TTL). Although TTL is by definition supposed to be respected by all clients and servers around the world, sometimes it is not. For example, if a TTL is very small, some servers ignore the TTL even though they are in violation of Internet standards and the site may refresh at lower frequencies.
DNS Reflection or Amplification DDoS Attack
A DNS reflection/amplification DDoS attack is a type of DDoS attack where the response from the server is typically larger than the request. When combined with spoofed IP addresses, the response to this type of amplified attack will go to the attacker’s true victim, not the attacker. The victim will not know who originated the attack. A common form of DNS reflection attack involves an attacker making many spoofed queries to many public DNS servers. The spoofing is created in such a way where the source IP address is forged to be that of the target of the attack. When a DNS server receives the forged request it replies, but the reply is directed to the forged source address. This is the “reflection” component. The target of the attack receives replies from all the DNS servers that are used. This type of attack makes it very difficult to identify the source. If the queries (which are small packets) generate larger responses (some DNS requests, especially to TXT records) then the attack is said to have an “amplifying characteristic.” Reflection and Amplification are two separate attributes of an attack. A reflection attack does not get amplified unless the responses are bigger than the requests. Learn more about DNS reflection in the Executive’s Guide to DDoS Protection.
DNS TTL (Domain Name System Time to Live)
DNS TTL is the expression of the expiration time for the caching of a DNS record. TTL is expressed in seconds and can be set to expire in an arbitrary period of time. When using the PLX proxy mitigation service, Prolexic advises customers to set the DNS TTL to a low value so that the customer can change DNS records quickly in case of DDoS attack. You can check the status of your DNS records by using a free online DNS TTL checker such as Nabber.
DDoS (Distributed Denial of Service)
DDoS is an acronym for Distributed Denial of Service as in a Distributed Denial of Service (DDoS) cyber-attack. DDoS in general uses many computers distributed across the Internet in an attempt to consume available resources on the target. Learn more about DDoS in our attack reports.
DoS (Denial of Service)
DoS is an acronym for Denial of Service as in a Denial of Service attack. DoS typically uses one or a few computers to cause an outage on the target. Learn more about denial of service (DoS) in the Executive’s Guide to DDoS Protection.
DoS and DDoS Attacks
DoS and DDoS attacks are an attempt to make a computer resource (i.e. – website, email, voice, or a whole network) unavailable to its intended users. By overwhelming it with data and/or requests in a denial of service attack, the target system either responds so slowly as to be unusable or crashes completely. The data volumes required to do this are typically achieved by a network of remotely controlled zombie or botnet [robot network] computers. These have fallen under the control of an attacker, generally through the use of Trojan viruses. Learn more about DoS and DDoS attacks in the Executive’s Guide to DDoS Protection..
DDoS Attack Blocking – Blackholing
DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS denial of service attack on one of its customers. This approach to block DoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic. Black holing is typically deployed by the ISP to protect other customers on its network from the adverse effects of DDoS attacks, such as slow network performance and disrupted service. Learn more about blackholing in the 12 Questions to Ask a DDoS Mitigation Provider white paper.
DDoS Attack Forensics
DDoS attack forensics, often provided in a post attack report, are a comprehensive listing of all characteristics associated with a DDoS denial of service attack. Ideally, DDoS forensics should include attack type, attack duration, attack origin and all of the real IP addresses blocked in the attack, in a database that is instantly accessible through a secure online customer portal. Learn more about DDoS attack forensics in our DDoS mitigation case studies.
DDoS Mitigation Appliance
DDoS mitigation appliances are hardware modules for network protection that include purpose-built automated network devices for detecting and mitigating some levels of DDoS attacks. Sometimes perimeter security hardware such as firewalls and Intrusion Detection Systems (IDS) include features intended to address some types of small DDoS attacks. Learn about human security mitigation versus automated mitigation in this white paper.
DDoS Mitigation Service
A DDoS mitigation service is a service designed to detect, monitor, and mitigate DoS and DDoS attacks. A Distributed Denial of Service (DDoS) mitigation service provided by a pure play DDoS mitigation vendor consists of a combination of proprietary detection, monitoring, and mitigation tools and skilled anti-DDoS technicians who can react in real-time to changing DDoS attack characteristics. Add-on DDoS mitigation service providers such as Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) also offer DDoS mitigation services in the form of automated tools, but they have limited network capacity to absorb large DDoS denial of service attacks. Learn more about how to choose a DDoS mitigation service.
DoS Protection
DoS protection is an enterprise strategy for protecting the network against DoS or DDoS attacks. This can include a proxy or routed mitigation service from a DDoS monitoring and mitigation service provider, on-premise appliances for detecting DDoS attacks and DDoS monitoring appliances, and Intrusion Detection Systems (IDS) such as firewalls and other types of automated security appliances. Learn more about DoS protection.

An exploit is an application or system vulnerability. Exploits are used to obtain unauthorized access or privilege escalation.
Firewalls examines each incoming and outgoing network packet and determines whether to forward it toward its destination, based on a set of predefined security rules. Firewalls can be hardware- or software-based and are designed to protect networks against hackers, viruses, worms and other malicious traffic.
Fragmentation is the division of large packets into smaller ones. Fragmentation is primarily used to enable packets larger than an interface’s MTU (Maximum Transmission Unit) to be divided into two or more units that are smaller than the MTU. Some DDoS attacks use fragments in bulk floods to consume link bandwidth. Learn more in a case study about a DDoS attack that used fragmentation.
Hackers are advanced computer users who use their IT skills to discover and exploit vulnerabilities in electronics, IT systems and computer networks.
Hacking Toolkit
A hacking toolkit is a collection of malicious computer programs used together to exploit vulnerabilities in target systems to gain unauthorized access, steal data or upload malicious code. The malicious code may then be used to launch DDoS distributed denial of service attacks. Hacker toolkits are readily available through the Internet, either free or at a low cost. They are designed to be easy for anyone to use to launch cyber attacks. However, because they can contain many different types of attack vectors, hacking toolkits can exploit multiple vulnerabilities of an Internet facing system. Web browsers and plugins are usually the main entry points for the malicious programs within the hacking toolkit software. DirtJumper and booter shell scripts are examples of malicious toolkits. Learn more about hacking toolkits in our DDoS threat advisories.
Hacktivism is a cyberattack movement in which computer network hacking is motivated by social activism or political protest. Hacktivism often includes DoS and DDoS attacks against the websites of governments, law enforcement agencies, political parties, religious groups, or any website that expresses ideas, beliefs or policies that a hacktivist group opposes. In addition to denial of service attacks, hacktivism also manifests itself as website defacement and data breaches. In 1999, the Cult of the Dead Cow created the concept of hacktivism with Hactivismo, an organization that touted freedom of information as a basic human right.
Hacktivists are organized groups of Internet hackers such as Anonymous who launch Internet denial of service, website defacement, data exfiltration and other attacks on the websites of global brands and organizations to protest political issues and promote their own ideology. Hacktivists often launch randomized attacks with complex signatures and then take credit for them through the news media. Learn more in this case study of a DDoS attack by hacktivists against a new media website.
Hacktivist Groups
Hacktivist groups are well-publicized collectives of sophisticated hackers who launch DoS and DDoS attacks primarily motivated by social activism or political protest.
HOIC (High Orbit Ion Cannon)
HOIC is considered the next generation replacement for the Low Orbit Ion Cannon (LOIC) flood attack tool. HOIC can target up to 256 addresses simultaneously and also includes support for booster files – customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic. Attackers use unique plug-ins within the booster files to attack specific features of their target, such as a social networking site or e-Commerce site. The plug-ins are typically written by expert hackers who have pre-analyzed the target and have distributed information on different attack vectors that would be the most successful against a specific target. Learn more in the High Orbit Ion Cannon (HOIC) Threat Advisory.
An HTTP GET Flood is a Layer 7 application layer DDoS attack method in which attackers send a huge flood of requests to the server to overwhelm its resources. As a result, the server cannot respond to legitimate requests from users. Learn more about HTTP GET floods in this case study.
HTTP GET Request
An HTTP GET request is a method that makes a request for information from the server. A GET request asks the server to give you something, such as an image or script so that it may be rendered by your browser.
An HTTPS GET Flood is an HTTP GET Flood sent over an SSL session. Due to the use of SSL, it is necessary to decrypt the requests in order to mitigate the flood. Learn more about detecting HTTPS GET Floods with application-based DDoS monitoring.
An HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it.
HTTP Header
HTTP headers are fields which describe which resources are requested, such as a URL, a form, JPEG, etc. HTTP headers also inform the web server what kind of web browser is being used. Common HTTP headers are GET, POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can insert as many headers as they want and can make them communication specific. DDoS attackers can change these and many other HTTP headers to make it more difficult to identify the attack origin. In addition, HTTP headers can be designed to manipulate caching and proxy services. For example, it is possible to ask a caching proxy to not cache the information. Learn more about DDoS attacks that change HTTP header information.
An HTTP POST flood is a type of DDoS attack in which the volume of POST requests overwhelms the server so that the server cannot respond to them all. This can result in exceptionally high utilization of system resources and consequently crash the server. Learn more about DDoS attacks, including those that use the HTTP POST Flood.
An HTTP POST request is a method that submits data in the body of the request to be processed by the server. For example, a POST request takes the information in a form and encodes it, then posts the content of the form to the server.