Search This Blog

Monday, 29 April 2013

DoS and DDoS Glossary of Terms (Part 1)

When it comes to distributed denial of service (DDoS) attacks, the various terms and acronyms can be quite confusing. Prolexic explains all in this glossary of terms. To learn even more, follow the links to other Prolexic resources.

Amplification Attack
Amplification is when an attacker makes a request that generates a larger response. Examples of common amplification attacks include DNS requests for large TXT records and HTTP GET requests for large image files. Learn more about amplification attacks in the SNMP Amplification (SAD) Threat Advisory.
Application DDoS Attack
An application-level attack is a DDoS attack that overloads an application server, such as by making excessive login, database lookup or search requests. Application attacks are harder to detect than other kinds of DDoS attacks, because the connection has already been established and the requests may appear to be from legitimate users. However, once identified, these attacks can be stopped and traced back a specific source more easily than other types of DDoS attacks. Learn how Prolexic Application-based Monitoring (PLXabm) detects application DDoS attacks.
Application Monitoring
Application monitoring is the practice of monitoring software applications using a dedicated set of algorithms, technologies and approaches to detect zero-day and application layer (Layer 7 attacks). This monitoring approach is different and goes beyond the capabilities of hybrid monitoring systems, such as web application firewalls. Learn more about application monitoring.
APT (Advanced Persistent Threat)
An APT refers to a sustained, Internet-enabled form of cyber espionage led by a powerful entity, such as a government, with the intent to gain access to a specific target, such as a political resistance group or another government. APTs often employ DDoS attacks.
ASN (Autonomous System Number)
An Autonomous System (AS) is a network or group of networks that has a single and clearly defined external routing policy. A public AS has a globally unique number associated with it (ASN). This ASN (Autonomous System Number) is used both in the exchange of external routing information (between neighboring autonomous systems) and as an identifier of the AS itself. Every IP address that is publicly routed belongs to an ASN. Learn more about autonomous system numbers (ASN) in this attack report.
Attack Signature
A DDoS attack signature is a block of code unique to a specific DDoS attack. Knowing the attack signature allows a DDoS protection specialist to identify and block the DDoS attack. A hacker may randomize a portion of the attack signature in an attempt to fool security experts, but other parts of the attack signature will stay the same. See an example of an attack signature in the Pandora DDoS Threat Advisory.
BGP (Border Gateway Protocol)
The Border Gateway Protocol (BGP) is used to make core routing decisions on the Internet and is the protocol used by organizations to exchange routing information. Prolexic uses BGP to enable organizations to redirect network traffic through its scrubbing centers.
Booter Shell Scripts
Booter shell scripts are customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic. These are standalone files that execute GET/POST floods when accessed via HTTP. With booter shells, DDoS attacks can be launched more readily and can cause more damage, with far fewer machines. The skill level required to take over a web server and convert it to a bot is greatly reduced when using a booter shell. A DDoS booter shell script can be easily deployed by anyone who purchases hosted server resources or makes use of simple web application vulnerabilities such as RFI, LFI, SQLi and WebDAV exploits. Learn more in the Booter Shell Script Threat Advisory.
A bot is a computer that is under control of a third party. Learn more about bots.
A botnet is a network of bots that can be commanded as a single group entity by a command and control system. Botnets receive instructions from command and control systems to launch DDoS attacks. Learn more about botnets.
Botnet Takedown
A botnet takedown is the process of identifying bots and then working with law enforcement and security experts to measure inbound and outbound traffic to and from the bots. The goal is to trace the traffic to find the location of the command and control server that controls the botnet. When the command and control server is brought down the botnet can no longer be used in a DDoS attack. Learn more about how to take down a botnet.
Botnet Takeover
A botnet takeover occurs when one hacker tries to take over another hacker’s command and control server. The intent of the rogue hacker is to subvert the control of the command and control server from its original owner by changing the passwords and locking down the server. Learn more about how to take over a botnet.
A web server infected with “itsoknoproblembro” scripts. Learn more about itsnoproblembro.
C99 Shell
A popular underground PHP shell that can be used to execute commands, view files, and perform other system administrative tasks. C99 is often used to take control of web servers via web application vulnerabilities. Learn more about DDoS attack types in this DDoS attack report.
CA (Certificate Authority)
A certificate authority is a trusted third party which issues digital certificates and is the ultimate key-stone in building digital trust relationships.
Caching is the method in which a repetitive request for information is remembered in the server memory in order to serve up the same type of request faster. Modern systems employ extensive use of caching at almost every layer of application design. Web servers always try to cache repetitive static content from memory. Database servers also attempt to cache repetitive queries. Attackers exploit caching by making requests for items that would not likely be cached, forcing the applications to increase CPU and disk usage.
A certificate is an electronic document that contains information that can be used to answer trust questions between clients and servers and also provide the basis for secure communications. A common problem on the Internet for a client is trusting the identity of the server it is connecting to. To solve this problem, a server can present a client with a certificate, digitally “signed” by a third party that the client trusts. If the client does not trust the signing party, it can choose not to trust the server. Certificates can also be used by the server to trust clients or other servers. It is important to remember that the reason certificates exist at all is to establish trust and they depend upon a mutually trusted third party.

Command and Control
Command and control refers to the main server used by a DDoS attacker to control the botnets used in a DDoS attack. Learn more about botnet command and control (C&C or C2).
A certificate revocation list is a public list that registers the revocation of digital certificates of public keys required for Internet-based transactions. When a certificate is placed on the CRL, it can no longer be used to establish trust between the client and the server. The server or the key may be compromised. Web browsers will check the URL to see if a website’s certificate has been revoked.
Cyberterrorism represents acts of Internet-based hacking that cause large-scale disruption to computer networks through the use of computer viruses and other malicious tools, such as worms and Trojan programs. The motivation for cyberterrorism attacks is to create widespread panic and disruption. Hacktivist groups may use cyberterrorism campaigns to protest or promote certain ideological or political beliefs.
Data Breach
A data breach involves obtaining unauthorized access to confidential or sensitive information such as customers’ personal information, corporate financial records, credit card or bank account details. A data breach is often accompanied by the intentional public release of the confidential information obtained by hacktivists during the cyber attack.
Dirt Jumper
Dirt Jumper is a high-risk DDoS toolkit that can be used to launch application layer attacks on websites. Dirt Jumper is a prepackaged toolkit that has evolved from the Russkill strain of malware. It is now widely available on various underground websites and retails for as little as US $150. Dirt Jumper can be spread via spam, exploit kits and fake downloads and can be pushed out to machines already infected with other forms of malware. Prolexic has developed a security-scanning tool that can be used to detect Dirt Jumper command-and-control servers. Download the Dirt Jumper threat advisory and scanner..
DNS (Domain Name System)
The Domain Name System translates Internet domain names into Internet protocol addresses. DNS transforms a domain name such as and converts it into the actual IP address much as a phone book takes a name and converts it to a phone number. It is possible for many domain names to have the same IP address because one server can support a huge number of domain names. One DNS name can also be configured to map to several IP addresses. For example, if a URL maps to five different addresses, a web browser will go to any one of them to access the site. Learn more about how DNS is used in to redirect network traffic to a DDoS protection and mitigation service.
DNS Flood
DNS floods are used for attacking both the infrastructure and a DNS application. This denial of service attack type allows DDoS attackers to use both reflection and spoofed direct attacks that can overwhelm a target’s infrastructure by consuming all available network bandwidth.
DNS Propagation
DNS propagation is when DNS updates propagate out to DNS servers when requested by client systems. Propagation takes time and is cached by the requestor and the intermediary DNS servers for the period defined in the time-to-live (TTL). Although TTL is by definition supposed to be respected by all clients and servers around the world, sometimes it is not. For example, if a TTL is very small, some servers ignore the TTL even though they are in violation of Internet standards and the site may refresh at lower frequencies.
DNS Reflection or Amplification DDoS Attack
A DNS reflection/amplification DDoS attack is a type of DDoS attack where the response from the server is typically larger than the request. When combined with spoofed IP addresses, the response to this type of amplified attack will go to the attacker’s true victim, not the attacker. The victim will not know who originated the attack. A common form of DNS reflection attack involves an attacker making many spoofed queries to many public DNS servers. The spoofing is created in such a way where the source IP address is forged to be that of the target of the attack. When a DNS server receives the forged request it replies, but the reply is directed to the forged source address. This is the “reflection” component. The target of the attack receives replies from all the DNS servers that are used. This type of attack makes it very difficult to identify the source. If the queries (which are small packets) generate larger responses (some DNS requests, especially to TXT records) then the attack is said to have an “amplifying characteristic.” Reflection and Amplification are two separate attributes of an attack. A reflection attack does not get amplified unless the responses are bigger than the requests. Learn more about DNS reflection in the Executive’s Guide to DDoS Protection.
DNS TTL (Domain Name System Time to Live)
DNS TTL is the expression of the expiration time for the caching of a DNS record. TTL is expressed in seconds and can be set to expire in an arbitrary period of time. When using the PLX proxy mitigation service, Prolexic advises customers to set the DNS TTL to a low value so that the customer can change DNS records quickly in case of DDoS attack. You can check the status of your DNS records by using a free online DNS TTL checker such as Nabber.
DDoS (Distributed Denial of Service)
DDoS is an acronym for Distributed Denial of Service as in a Distributed Denial of Service (DDoS) cyber-attack. DDoS in general uses many computers distributed across the Internet in an attempt to consume available resources on the target. Learn more about DDoS in our attack reports.
DoS (Denial of Service)
DoS is an acronym for Denial of Service as in a Denial of Service attack. DoS typically uses one or a few computers to cause an outage on the target. Learn more about denial of service (DoS) in the Executive’s Guide to DDoS Protection.
DoS and DDoS Attacks
DoS and DDoS attacks are an attempt to make a computer resource (i.e. – website, email, voice, or a whole network) unavailable to its intended users. By overwhelming it with data and/or requests in a denial of service attack, the target system either responds so slowly as to be unusable or crashes completely. The data volumes required to do this are typically achieved by a network of remotely controlled zombie or botnet [robot network] computers. These have fallen under the control of an attacker, generally through the use of Trojan viruses. Learn more about DoS and DDoS attacks in the Executive’s Guide to DDoS Protection..
DDoS Attack Blocking – Blackholing
DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS denial of service attack on one of its customers. This approach to block DoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic. Black holing is typically deployed by the ISP to protect other customers on its network from the adverse effects of DDoS attacks, such as slow network performance and disrupted service. Learn more about blackholing in the 12 Questions to Ask a DDoS Mitigation Provider white paper.
DDoS Attack Forensics
DDoS attack forensics, often provided in a post attack report, are a comprehensive listing of all characteristics associated with a DDoS denial of service attack. Ideally, DDoS forensics should include attack type, attack duration, attack origin and all of the real IP addresses blocked in the attack, in a database that is instantly accessible through a secure online customer portal. Learn more about DDoS attack forensics in our DDoS mitigation case studies.
DDoS Mitigation Appliance
DDoS mitigation appliances are hardware modules for network protection that include purpose-built automated network devices for detecting and mitigating some levels of DDoS attacks. Sometimes perimeter security hardware such as firewalls and Intrusion Detection Systems (IDS) include features intended to address some types of small DDoS attacks. Learn about human security mitigation versus automated mitigation in this white paper.
DDoS Mitigation Service
A DDoS mitigation service is a service designed to detect, monitor, and mitigate DoS and DDoS attacks. A Distributed Denial of Service (DDoS) mitigation service provided by a pure play DDoS mitigation vendor consists of a combination of proprietary detection, monitoring, and mitigation tools and skilled anti-DDoS technicians who can react in real-time to changing DDoS attack characteristics. Add-on DDoS mitigation service providers such as Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) also offer DDoS mitigation services in the form of automated tools, but they have limited network capacity to absorb large DDoS denial of service attacks. Learn more about how to choose a DDoS mitigation service.
DoS Protection
DoS protection is an enterprise strategy for protecting the network against DoS or DDoS attacks. This can include a proxy or routed mitigation service from a DDoS monitoring and mitigation service provider, on-premise appliances for detecting DDoS attacks and DDoS monitoring appliances, and Intrusion Detection Systems (IDS) such as firewalls and other types of automated security appliances. Learn more about DoS protection.

An exploit is an application or system vulnerability. Exploits are used to obtain unauthorized access or privilege escalation.
Firewalls examines each incoming and outgoing network packet and determines whether to forward it toward its destination, based on a set of predefined security rules. Firewalls can be hardware- or software-based and are designed to protect networks against hackers, viruses, worms and other malicious traffic.
Fragmentation is the division of large packets into smaller ones. Fragmentation is primarily used to enable packets larger than an interface’s MTU (Maximum Transmission Unit) to be divided into two or more units that are smaller than the MTU. Some DDoS attacks use fragments in bulk floods to consume link bandwidth. Learn more in a case study about a DDoS attack that used fragmentation.
Hackers are advanced computer users who use their IT skills to discover and exploit vulnerabilities in electronics, IT systems and computer networks.
Hacking Toolkit
A hacking toolkit is a collection of malicious computer programs used together to exploit vulnerabilities in target systems to gain unauthorized access, steal data or upload malicious code. The malicious code may then be used to launch DDoS distributed denial of service attacks. Hacker toolkits are readily available through the Internet, either free or at a low cost. They are designed to be easy for anyone to use to launch cyber attacks. However, because they can contain many different types of attack vectors, hacking toolkits can exploit multiple vulnerabilities of an Internet facing system. Web browsers and plugins are usually the main entry points for the malicious programs within the hacking toolkit software. DirtJumper and booter shell scripts are examples of malicious toolkits. Learn more about hacking toolkits in our DDoS threat advisories.
Hacktivism is a cyberattack movement in which computer network hacking is motivated by social activism or political protest. Hacktivism often includes DoS and DDoS attacks against the websites of governments, law enforcement agencies, political parties, religious groups, or any website that expresses ideas, beliefs or policies that a hacktivist group opposes. In addition to denial of service attacks, hacktivism also manifests itself as website defacement and data breaches. In 1999, the Cult of the Dead Cow created the concept of hacktivism with Hactivismo, an organization that touted freedom of information as a basic human right.
Hacktivists are organized groups of Internet hackers such as Anonymous who launch Internet denial of service, website defacement, data exfiltration and other attacks on the websites of global brands and organizations to protest political issues and promote their own ideology. Hacktivists often launch randomized attacks with complex signatures and then take credit for them through the news media. Learn more in this case study of a DDoS attack by hacktivists against a new media website.
Hacktivist Groups
Hacktivist groups are well-publicized collectives of sophisticated hackers who launch DoS and DDoS attacks primarily motivated by social activism or political protest.
HOIC (High Orbit Ion Cannon)
HOIC is considered the next generation replacement for the Low Orbit Ion Cannon (LOIC) flood attack tool. HOIC can target up to 256 addresses simultaneously and also includes support for booster files – customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic. Attackers use unique plug-ins within the booster files to attack specific features of their target, such as a social networking site or e-Commerce site. The plug-ins are typically written by expert hackers who have pre-analyzed the target and have distributed information on different attack vectors that would be the most successful against a specific target. Learn more in the High Orbit Ion Cannon (HOIC) Threat Advisory.
An HTTP GET Flood is a Layer 7 application layer DDoS attack method in which attackers send a huge flood of requests to the server to overwhelm its resources. As a result, the server cannot respond to legitimate requests from users. Learn more about HTTP GET floods in this case study.
HTTP GET Request
An HTTP GET request is a method that makes a request for information from the server. A GET request asks the server to give you something, such as an image or script so that it may be rendered by your browser.
An HTTPS GET Flood is an HTTP GET Flood sent over an SSL session. Due to the use of SSL, it is necessary to decrypt the requests in order to mitigate the flood. Learn more about detecting HTTPS GET Floods with application-based DDoS monitoring.
An HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it.
HTTP Header
HTTP headers are fields which describe which resources are requested, such as a URL, a form, JPEG, etc. HTTP headers also inform the web server what kind of web browser is being used. Common HTTP headers are GET, POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can insert as many headers as they want and can make them communication specific. DDoS attackers can change these and many other HTTP headers to make it more difficult to identify the attack origin. In addition, HTTP headers can be designed to manipulate caching and proxy services. For example, it is possible to ask a caching proxy to not cache the information. Learn more about DDoS attacks that change HTTP header information.
An HTTP POST flood is a type of DDoS attack in which the volume of POST requests overwhelms the server so that the server cannot respond to them all. This can result in exceptionally high utilization of system resources and consequently crash the server. Learn more about DDoS attacks, including those that use the HTTP POST Flood.
An HTTP POST request is a method that submits data in the body of the request to be processed by the server. For example, a POST request takes the information in a form and encodes it, then posts the content of the form to the server.

No comments:

Post a Comment