When it comes to
distributed denial of service (DDoS) attacks, the various terms and acronyms
can be quite confusing. Prolexic explains all in this glossary of terms. To
learn even more, follow the links to other Prolexic resources.
Amplification
Amplification is when an attacker makes a
request that generates a larger response. Examples of common amplification
attacks include DNS requests for large TXT records and HTTP GET requests for
large image files. Learn more about amplification attacks in the SNMP Amplification (SAD) Threat Advisory.
Application DDoS Attack
An application-level attack is a DDoS attack
that overloads an application server, such as by making excessive login,
database lookup or search requests. Application attacks are harder to detect
than other kinds of DDoS attacks, because the connection has already been
established and the requests may appear to be from legitimate users. However,
once identified, these attacks can be stopped and traced back to a specific source
more easily than other types of DDoS attacks. Learn how Prolexic Application-based Monitoring (PLXabm) detects
application DDoS attacks.
Application Monitoring
Application monitoring is the practice of
monitoring software applications using a dedicated set of algorithms,
technologies and approaches to detect zero-day and application layer (Layer 7)
attacks. This monitoring approach is different from and goes beyond the
capabilities of hybrid monitoring systems, such as web application firewalls.
Learn more about application monitoring.
Advanced Persistent Threat (APT)
An APT refers to a sustained, Internet-enabled
form of cyber espionage led by a powerful entity, such as a government, with
the intent to gain access to a specific target, such as a political resistance
group or another government. APTs often employ DDoS attacks.
Autonomous System (AS)
An Autonomous System (AS) is a network or
group of networks that has a single and clearly defined external routing
policy. A public AS has a globally unique number associated with it (ASN). This
ASN (Autonomous System Number) is used both in the exchange of external routing
information (between neighboring autonomous systems) and as an identifier of
the AS itself. Every IP address that is publicly routed belongs to an ASN.
Learn more about autonomous system numbers (ASN) in this attack report.
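The statement that every publicly routed address belongs to an ASN rests on longest-prefix matching: the most specific announced prefix that covers an address decides which AS originates it. The following is an added example (not Prolexic's code or tooling) that performs that lookup over a constructed prefix table and then tallies a list of source addresses per ASN, the way an attack report summarises where a flood came from. The prefixes and the ASNs 64500 to 64503 are documentation values, not a real routing table.

```python
import ipaddress
from collections import Counter


# Constructed prefix announcements (hypothetical prefixes; ASNs from the
# documentation range, not a real routing table).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),
    ("198.51.100.128/25", 64501),  # more specific than the /24 above
    ("203.0.113.0/24", 64502),
    ("2001:db8::/32", 64503),
]


def build_table(announcements):
    """Parse the prefixes once and order them most specific first."""
    table = [(ipaddress.ip_network(prefix, strict=True), asn)
             for prefix, asn in announcements]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_asn(table, address):
    """Longest-prefix match: the most specific announced prefix covering address wins.

    This is the rule routers apply to BGP announcements, so the /25 is preferred
    over the enclosing /24. Returns None for address space nobody announces.
    """
    ip = ipaddress.ip_address(address)
    for network, asn in table:
        if ip.version == network.version and ip in network:
            return asn
    return None


def sources_by_asn(table, addresses):
    """Count source addresses per originating ASN (None = unannounced space)."""
    return dict(Counter(lookup_asn(table, addr) for addr in addresses))


if __name__ == "__main__":
    table = build_table(ANNOUNCEMENTS)
    # Constructed list of attack sources seen at the edge.
    sources = ["198.51.100.1", "198.51.100.2", "198.51.100.200",
               "203.0.113.4", "192.0.2.9"]
    print(sources_by_asn(table, sources))
```

The per-ASN tally is what lets a mitigation team talk to the right upstream operator: a flood concentrated in one AS points at a single network to contact or filter, whereas sources spread thinly across hundreds of ASNs is the signature of a large botnet.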
Attack Signature
A DDoS attack signature is a block of code
unique to a specific DDoS attack. Knowing the attack signature allows a DDoS
protection specialist to identify and block the DDoS attack. A hacker may
randomize a portion of the attack signature in an attempt to fool security
experts, but other parts of the attack signature will stay the same. See an
example of an attack signature in the Pandora DDoS Threat Advisory.
Border Gateway Protocol (BGP)
The Border Gateway Protocol (BGP) is used to
make core routing decisions on the Internet and is the protocol used by
organizations to exchange routing information. Prolexic uses BGP to enable
organizations to redirect network traffic through its scrubbing centers.
Booter Shell Script
Booter shell scripts are customizable scripts
that randomize attack signatures and make attacks more difficult to
differentiate from legitimate traffic. These are standalone files that execute
GET/POST floods when accessed via HTTP. With booter shells, DDoS attacks can be
launched more readily and can cause more damage, with far fewer machines. The
skill level required to take over a web server and convert it to a bot is
greatly reduced when using a booter shell. A DDoS booter shell script can be
easily deployed by anyone who purchases hosted server resources or makes use of
simple web application vulnerabilities such as RFI, LFI, SQLi and WebDAV
exploits. Learn more in the Booter Shell Script Threat Advisory.
Bot
A bot is a computer that is under the control of a
third party. Learn more about bots.
Botnet
A botnet is a network of bots that can be
commanded as a single group entity by a command and control system. Botnets
receive instructions from command and control systems to launch DDoS
attacks. Learn more about botnets.
Botnet Takedown
A botnet takedown is the process of
identifying bots and then working with law enforcement and security experts to
measure inbound and outbound traffic to and from the bots. The goal is to trace
the traffic to find the location of the command and control server that
controls the botnet. When the command and control server is brought down the
botnet can no longer be used in a DDoS attack. Learn more about how to take down a botnet.
Botnet Takeover
A botnet takeover occurs when one hacker tries
to take over another hacker’s command and control server. The intent of the
rogue hacker is to subvert the control of the command and control server from
its original owner by changing the passwords and locking down the server. Learn
more about how to take over a botnet.
A web server infected with “itsoknoproblembro”
scripts. Learn more about itsoknoproblembro.
C99
A popular underground PHP shell that can be
used to execute commands, view files, and perform other system administrative
tasks. C99 is often used to take control of web servers via web application
vulnerabilities. Learn more about DDoS attack types in this DDoS attack
report.
Certificate Authority (CA)
A certificate authority is a trusted third
party which issues digital certificates and is the ultimate keystone in
building digital trust relationships.
Caching
Caching is the method in which a repetitive
request for information is remembered in the server memory in order to serve up
the same type of request faster. Modern systems employ extensive use of caching
at almost every layer of application design. Web servers always try to cache
repetitive static content from memory. Database servers also attempt to cache
repetitive queries. Attackers exploit caching by making requests for items that
would not likely be cached, forcing the applications to increase CPU and disk
usage.
Certificate
A certificate is an electronic document that
contains information that can be used to answer trust questions between clients
and servers and also provide the basis for secure communications. A common
problem on the Internet for a client is trusting the identity of the server it
is connecting to. To solve this problem, a server can present a client with a
certificate, digitally “signed” by a third party that the client trusts. If the
client does not trust the signing party, it can choose not to trust the server.
Certificates can also be used by the server to trust clients or other servers.
It is important to remember that the reason certificates exist at all is to
establish trust and they depend upon a mutually trusted third party.
Command and Control
Command and control refers to the main server
used by a DDoS attacker to control the botnets used in a DDoS attack. Learn
more about botnet command and control (C&C or C2).
Certificate Revocation List (CRL)
A certificate revocation list is a public list
that registers the revocation of digital certificates of public keys required
for Internet-based transactions. When a certificate is placed on the CRL, it
can no longer be used to establish trust between the client and the server. The
server or the key may be compromised. Web browsers will check the CRL to see if
a website’s certificate has been revoked.
Cyberterrorism
Cyberterrorism represents acts of
Internet-based hacking that cause large-scale disruption to computer networks
through the use of computer viruses and other malicious tools, such as worms
and Trojan programs. The motivation for cyberterrorism attacks is to create
widespread panic and disruption. Hacktivist groups may use cyberterrorism
campaigns to protest or promote certain ideological or political beliefs.
Data Breach
A data breach involves obtaining unauthorized
access to confidential or sensitive information such as customers’ personal
information, corporate financial records, credit card or bank account details.
A data breach is often accompanied by the intentional public release of the
confidential information obtained by hacktivists during the cyber attack.
Dirt Jumper
Dirt Jumper is a high-risk DDoS toolkit that
can be used to launch application layer attacks on websites. Dirt Jumper is a
prepackaged toolkit that has evolved from the Russkill strain of malware. It is
now widely available on various underground websites and retails for as little
as US $150. Dirt Jumper can be spread via spam, exploit kits and fake downloads
and can be pushed out to machines already infected with other forms of malware.
Prolexic has developed a security-scanning tool that can be used to detect Dirt
Jumper command-and-control servers. Download the Dirt Jumper threat advisory and scanner.
Domain Name System (DNS)
The Domain Name System translates Internet
domain names into Internet protocol addresses. DNS takes a domain name
such as www.prolexic.com and
converts it into the actual IP address, much as a phone book takes a name and
converts it to a phone number. It is possible for many domain names to have the
same IP address because one server can support a huge number of domain names.
One DNS name can also be configured to map to several IP addresses. For
example, if a URL maps to five different addresses, a web browser will go to
any one of them to access the site. Learn more about how DNS is used to redirect network traffic to a DDoS protection and
mitigation service.
DNS Flood
DNS floods are used for attacking both the
infrastructure and a DNS application. This denial of service attack type allows
DDoS attackers to use both reflection and spoofed direct attacks that can
overwhelm a target’s infrastructure by consuming all available network
bandwidth.
DNS Propagation
DNS propagation is when DNS updates propagate
out to DNS servers when requested by client systems. Propagation takes time and
is cached by the requestor and the intermediary DNS servers for the period
defined in the time-to-live (TTL). Although TTL is by definition supposed to be
respected by all clients and servers around the world, sometimes it is not. For
example, if a TTL is very small, some servers ignore the TTL even though they
are in violation of Internet standards and the site may refresh at lower
frequencies.
DNS Reflection/Amplification Attack
A DNS reflection/amplification DDoS attack is
a type of DDoS attack where the response from the server is typically larger
than the request. When combined with spoofed IP addresses, the response to this
type of amplified attack will go to the attacker’s true victim, not the
attacker. The victim will not know who originated the attack. A common form of
DNS reflection attack involves an attacker making many spoofed queries to many
public DNS servers. The spoofing is done so that the source IP
address is forged to be that of the target of the attack. When a DNS server
receives the forged request it replies, but the reply is directed to the forged
source address. This is the “reflection” component. The target of the attack
receives replies from all the DNS servers that are used. This type of attack
makes it very difficult to identify the source. If the queries (which are small
packets) generate larger responses (some DNS requests, especially to TXT
records) then the attack is said to have an “amplifying characteristic.”
Reflection and Amplification are two separate attributes of an attack. A
reflection attack does not get amplified unless the responses are bigger than
the requests. Learn more about DNS reflection in the Executive’s Guide to DDoS Protection.
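The two attributes the entry separates, reflection and amplification, can be measured independently at the network edge. The following is an added example (not Prolexic's code or tooling) that illustrates both the Amplification entry at the top of the glossary and this one: it computes an amplification factor from request and response sizes, and it detects the reflection pattern over constructed flow records by looking for protected hosts that receive DNS answers from many servers they never queried. The Flow layout, the addresses and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised packet, as a flow collector at the network edge might export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    direction: str  # "out": leaving the protected network, "in": arriving at it


def amplification_factor(request_bytes, response_bytes):
    """Response size divided by request size; above 1.0 the exchange amplifies."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def detect_dns_reflection(flows, min_reflectors=3, min_bytes=4000):
    """Find protected hosts receiving unsolicited DNS answers from many servers.

    A DNS reply is solicited if the receiving host sent a query to that server
    (an outbound UDP flow to port 53). Replies that were never asked for, arriving
    from at least min_reflectors distinct servers and totalling min_bytes or more,
    are the reflection pattern: the host's address was forged as the source of
    queries it never made. Returns {victim: (reflector_count, total_bytes)}.
    """
    asked = set()
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dst_port == 53:
            asked.add((f.src_ip, f.dst_ip))
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.src_port != 53:
            continue
        if (f.dst_ip, f.src_ip) in asked:
            continue  # a real answer to a real query
        reflectors[f.dst_ip].add(f.src_ip)
        volume[f.dst_ip] += f.nbytes
    return {
        victim: (len(servers), volume[victim])
        for victim, servers in reflectors.items()
        if len(servers) >= min_reflectors and volume[victim] >= min_bytes
    }


# Constructed flows (hypothetical addresses). 192.0.2.10 performs a normal lookup,
# 192.0.2.20 receives one stray late answer, and 192.0.2.77 is hit by four open
# resolvers answering spoofed TXT queries it never sent.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 51000, "198.51.100.53", 53, "udp", 70, "out"),
    Flow("198.51.100.53", 53, "192.0.2.10", 51000, "udp", 180, "in"),
    Flow("198.51.100.54", 53, "192.0.2.20", 40000, "udp", 180, "in"),
] + [
    Flow(f"203.0.113.{i}", 53, "192.0.2.77", 80, "udp", 3000, "in")
    for i in range(1, 5)
]

if __name__ == "__main__":
    # A 64-byte query drawing a 3000-byte TXT answer amplifies about 47 times.
    print(amplification_factor(64, 3000))
    print(detect_dns_reflection(SAMPLE_FLOWS))
```

The solicited/unsolicited split is what separates a victim from a busy recursive resolver: a resolver legitimately receives answers from thousands of authoritative servers, but each one follows a query it sent, whereas the reflection victim sees answers with no matching outbound query at all.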
DNS TTL
DNS TTL is the expression of the expiration
time for the caching of a DNS record. TTL is expressed in seconds and can be
set to expire in an arbitrary period of time. When using the PLX proxy
mitigation service, Prolexic advises customers to set the DNS TTL to a low
value so that the customer can change DNS records quickly in case of DDoS
attack. You can check the status of your DNS records by using a free online DNS
TTL checker such as Nabber.
DDoS
DDoS is an acronym for Distributed Denial of
Service as in a Distributed Denial of Service (DDoS) cyber-attack. DDoS in
general uses many computers distributed across the Internet in an attempt to
consume available resources on the target. Learn more about DDoS in our
attack reports.
DoS
DoS is an acronym for Denial of Service as in
a Denial of Service attack. DoS typically uses one or a few computers to cause
an outage on the target. Learn more about denial of service (DoS) in the Executive’s Guide to DDoS
Protection.
DoS and DDoS Attacks
DoS and DDoS attacks are an attempt to make a
computer resource (e.g. a website, email, voice, or a whole network)
unavailable to its intended users. By overwhelming it with data and/or requests
in a denial of service attack, the target system either responds so slowly as
to be unusable or crashes completely. The data volumes required to do this are
typically achieved by a network of remotely controlled zombie or botnet [robot
network] computers. These have fallen under the control of an attacker, generally
through the use of Trojan viruses. Learn more about DoS and DDoS attacks in the Executive’s Guide to DDoS
Protection.
DDoS Attack Blocking (Blackholing)
DDoS attack blocking, commonly referred to as
blackholing, is a method typically used by ISPs to stop a DDoS denial of
service attack on one of its customers. This approach to block DoS attacks
makes the site in question completely inaccessible to all traffic, both
malicious attack traffic and legitimate user traffic. Blackholing is typically
deployed by the ISP to protect other customers on its network from the adverse
effects of DDoS attacks, such as slow network performance and disrupted service. Learn more about blackholing in the 12 Questions to Ask a DDoS Mitigation
Provider white paper.
DDoS Attack Forensics
DDoS attack forensics, often provided in a
post attack report, are a comprehensive listing of all characteristics
associated with a DDoS denial of service attack. Ideally, DDoS forensics should
include attack type, attack duration, attack origin and all of the real IP
addresses blocked in the attack, in a database that is instantly accessible
through a secure online customer portal. Learn more about
DDoS attack forensics in our DDoS mitigation case studies.
DDoS Mitigation Appliances
DDoS mitigation appliances are hardware
modules for network protection that include purpose-built automated network
devices for detecting and mitigating some levels of DDoS attacks. Sometimes
perimeter security hardware such as firewalls and Intrusion Detection Systems
(IDS) include features intended to address some types of small DDoS
attacks. Learn about human security mitigation versus automated mitigation in this
white paper.
DDoS Mitigation Service
A DDoS mitigation service is a service
designed to detect, monitor, and mitigate DoS and DDoS attacks. A Distributed
Denial of Service (DDoS) mitigation service provided by a pure play DDoS
mitigation vendor consists of a combination of proprietary detection,
monitoring, and mitigation tools and skilled anti-DDoS technicians who can
react in real-time to changing DDoS attack characteristics. Add-on DDoS
mitigation service providers such as Internet Service Providers (ISPs) and
Content Delivery Networks (CDNs) also offer DDoS mitigation services in the
form of automated tools, but they have limited network capacity to absorb large
DDoS denial of service attacks. Learn more about how to choose a DDoS mitigation service.
DoS Protection
DoS protection is an enterprise strategy for
protecting the network against DoS or DDoS attacks. This can include a proxy or
routed mitigation service from a DDoS monitoring and mitigation service
provider, on-premise appliances for detecting DDoS attacks and DDoS monitoring
appliances, and Intrusion Detection Systems (IDS) such as firewalls and other
types of automated security appliances. Learn more about DoS protection.
Exploit
An exploit is an application or system
vulnerability. Exploits are used to obtain unauthorized access or privilege
escalation.
Firewall
A firewall examines each incoming and outgoing
network packet and determines whether to forward it toward its destination,
based on a set of predefined security rules. Firewalls can be hardware- or
software-based and are designed to protect networks against hackers, viruses, worms
and other malicious traffic.
Fragmentation
Fragmentation is the division of large packets
into smaller ones. Fragmentation is primarily used to enable packets larger
than an interface’s MTU (Maximum Transmission Unit) to be divided into two or
more units that are smaller than the MTU. Some DDoS attacks use fragments in
bulk floods to consume link bandwidth. Learn more in a case study about a DDoS attack that used fragmentation.
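Whether a packet is a fragment is decided by two fields of the IPv4 header, the "more fragments" bit and the 13-bit fragment offset, and a fragment flood shows up as many datagrams whose fragments never complete. The following is an added example (not Prolexic's code or tooling) that builds constructed IPv4 headers, parses those fields back out, and reports destinations accumulating unfinished datagrams. Only headers are built, so the declared total length stands in for the payload; the addresses and the threshold are assumptions for the example.

```python
import socket
import struct
from collections import defaultdict

# Fixed 20-byte IPv4 header without options: version/IHL, TOS, total length,
# identification, flags+fragment offset, TTL, protocol, checksum, src, dst.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")
MF_FLAG = 0x2000      # "more fragments" bit
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def build_header(src, dst, total_length, ident, more_fragments, offset_bytes, proto=17):
    """Construct a header only (no payload; total_length is what the header declares)."""
    flags_offset = (MF_FLAG if more_fragments else 0) | ((offset_bytes // 8) & OFFSET_MASK)
    return IPV4_HEADER.pack(0x45, 0, total_length, ident, flags_offset, 64, proto, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))


def parse_fragment_fields(packet):
    """Return the fields needed to reason about fragmentation from a raw IPv4 header."""
    (ver_ihl, _tos, total_length, ident, flags_offset,
     _ttl, proto, _csum, src, dst) = IPV4_HEADER.unpack_from(packet)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset = (flags_offset & OFFSET_MASK) * 8
    more = bool(flags_offset & MF_FLAG)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
        "proto": proto, "len": total_length, "offset": offset, "mf": more,
        # Either a non-zero offset or the MF bit marks the packet as a fragment.
        "is_fragment": more or offset > 0,
    }


def fragment_flood_report(packets, min_incomplete=5):
    """Per destination: fragment count, declared bytes, and datagrams that never completed.

    A datagram counts as complete once a first fragment (offset 0) and a last
    fragment (MF clear) were both seen; the middle is not checked for gaps.
    Destinations with at least min_incomplete unfinished datagrams are reported.
    """
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_fragment_fields(pkt)
        if f["is_fragment"]:
            groups[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    per_dst = defaultdict(lambda: {"fragments": 0, "bytes": 0, "incomplete": 0})
    for (_src, dst, _ident, _proto), frags in groups.items():
        stats = per_dst[dst]
        stats["fragments"] += len(frags)
        stats["bytes"] += sum(f["len"] for f in frags)
        has_first = any(f["offset"] == 0 for f in frags)
        has_last = any(not f["mf"] for f in frags)
        if not (has_first and has_last):
            stats["incomplete"] += 1
    return {dst: dict(stats) for dst, stats in per_dst.items()
            if stats["incomplete"] >= min_incomplete}


# Constructed traffic (hypothetical addresses): one legitimate 3000-byte datagram
# split at a 1500-byte MTU, one unfragmented packet, and a flood of lone first
# fragments from six sources that never send the rest of their datagrams.
SAMPLE_PACKETS = [
    build_header("198.51.100.5", "192.0.2.10", 1500, 1, True, 0),
    build_header("198.51.100.5", "192.0.2.10", 1500, 1, True, 1480),
    build_header("198.51.100.5", "192.0.2.10", 60, 1, False, 2960),
    build_header("198.51.100.5", "192.0.2.10", 200, 2, False, 0),
] + [
    build_header(f"203.0.113.{i}", "192.0.2.77", 1500, 1000 + i, True, 0)
    for i in range(1, 7)
]

if __name__ == "__main__":
    print(fragment_flood_report(SAMPLE_PACKETS))
```

Counting unfinished datagrams rather than raw fragments keeps a large legitimate transfer, which fragments heavily but completes every datagram, from being mistaken for the flood, while a link saturated with fragments that never reassemble is caught even when each individual fragment looks well formed.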
Hackers
Hackers are advanced computer users who use
their IT skills to discover and exploit vulnerabilities in electronics, IT
systems and computer networks.
Hacking Toolkit
A hacking toolkit is a collection of malicious
computer programs used together to exploit vulnerabilities in target systems to
gain unauthorized access, steal data or upload malicious code. The malicious
code may then be used to launch DDoS distributed denial of service attacks.
Hacker toolkits are readily available through the Internet, either free or at a
low cost. They are designed to be easy for anyone to use to launch cyber
attacks. However, because they can contain many different types of attack vectors,
hacking toolkits can exploit multiple vulnerabilities of an Internet facing
system. Web browsers and plugins are usually the main entry points for the
malicious programs within the hacking toolkit software. DirtJumper and booter
shell scripts are examples of malicious toolkits. Learn more about hacking
toolkits in our DDoS threat advisories.
Hacktivism
Hacktivism is a cyberattack movement in which
computer network hacking is motivated by social activism or political protest.
Hacktivism often includes DoS and DDoS attacks against the websites of
governments, law enforcement agencies, political parties, religious groups, or
any website that expresses ideas, beliefs or policies that a hacktivist group
opposes. In addition to denial of service attacks, hacktivism also manifests
itself as website defacement and data breaches. In 1999, the Cult of the Dead
Cow created the concept of hacktivism with Hacktivismo, an organization that
touted freedom of information as a basic human right.
Hacktivists
Hacktivists are organized groups of Internet
hackers such as Anonymous who launch Internet denial of service, website
defacement, data exfiltration and other attacks on the websites of global
brands and organizations to protest political issues and promote their own
ideology. Hacktivists often launch randomized attacks with complex signatures
and then take credit for them through the news media. Learn more in this case study of a DDoS attack by hacktivists against a
new media website.
Hacktivist Groups
Hacktivist groups are well-publicized
collectives of sophisticated hackers who launch DoS and DDoS attacks primarily
motivated by social activism or political protest.
High Orbit Ion Cannon (HOIC)
HOIC is considered the next generation
replacement for the Low Orbit Ion Cannon (LOIC) flood attack tool. HOIC can
target up to 256 addresses simultaneously and also includes support for booster
files – customizable scripts that randomize attack signatures and make attacks
more difficult to differentiate from legitimate traffic. Attackers use unique
plug-ins within the booster files to attack specific features of their target,
such as a social networking site or e-Commerce site. The plug-ins are typically
written by expert hackers who have pre-analyzed the target and have distributed
information on different attack vectors that would be the most successful
against a specific target. Learn more in the High Orbit Ion Cannon (HOIC) Threat Advisory.
HTTP GET Flood
An HTTP GET Flood is a Layer 7 application
layer DDoS attack method in which attackers send a huge flood of requests to
the server to overwhelm its resources. As a result, the server cannot respond
to legitimate requests from users. Learn more about HTTP GET floods in this case study.
HTTP GET Request
An HTTP GET request is a method that makes a
request for information from the server. A GET request asks the server to give
you something, such as an image or script so that it may be rendered by your
browser.
HTTPS GET Flood
An HTTPS GET Flood is an HTTP GET Flood sent
over an SSL session. Due to the use of SSL, it is necessary to decrypt the
requests in order to mitigate the flood. Learn more about detecting HTTPS
GET Floods with application-based DDoS monitoring.
HTTPS GET Request
An HTTPS GET Request is an HTTP GET Request
sent over an SSL session. Due to the use of SSL it is necessary to decrypt this
request in order to inspect it.
HTTP Headers
HTTP headers are fields which describe which
resources are requested, such as a URL, a form, JPEG, etc. HTTP headers also
inform the web server what kind of web browser is being used. Common HTTP
headers are GET, POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can
insert as many headers as they want and can make them communication specific.
DDoS attackers can change these and many other HTTP headers to make it more
difficult to identify the attack origin. In addition, HTTP headers can be
designed to manipulate caching and proxy services. For example, it is possible
to ask a caching proxy to not cache the information. Learn more about DDoS attacks
that change HTTP header information.
HTTP POST Flood
An HTTP POST flood is a type of DDoS attack in
which the volume of POST requests overwhelms the server so that the server
cannot respond to them all. This can result in exceptionally high utilization
of system resources and consequently crash the server. Learn more about DDoS attacks,
including those that use the HTTP POST Flood.
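Several entries in this glossary describe what an application-layer flood leaves in a web server's log: a signature whose randomised part changes while the rest stays fixed (Attack Signature), requests chosen so the cache cannot serve them (Caching), header values picked to blend in (HTTP Headers), and a request rate no browser would produce (HTTP GET Flood, HTTP POST Flood). The following is an added example (not Prolexic's code or PLXabm) that runs those three checks over constructed access-log lines. The log format with a trailing cache HIT/MISS field, the "FloodBot" user agent, the signature and every threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: combined format plus a trailing cache HIT/MISS
# field as a caching reverse proxy might write. Addresses, paths and the
# "FloodBot" user agent are hypothetical, not taken from any real incident.
LOG_LINES = [
    '198.51.100.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)" HIT',
    '198.51.100.10 - - [10/Oct/2023:13:55:37 +0000] "GET /logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (X11; Linux x86_64)" HIT',
    '198.51.100.10 - - [10/Oct/2023:13:55:59 +0000] "GET /account HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64)" MISS',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /account HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (Windows NT 10.0)" MISS',
    '203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)" MISS',
    # The flood: path, protocol version and user agent never change (the stable part
    # of the signature), but q= is randomised so every request misses the cache.
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a8f2k9q1 HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=zz01mm77 HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=q9q9q9q9 HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=b3ndh77x HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=0f0f0f0f HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=plm4kk21 HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=xx88yy33 HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=r2d2c3po HTTP/1.0" 200 8192 "-" "Mozilla/4.0 (compatible; FloodBot)" MISS',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<cache>\S+)$'
)

# Hypothetical signature: the parts the attacker keeps fixed are matched exactly,
# the randomised query value only by its shape.
SIGNATURE = {
    "name": "constructed-search-flood",
    "method": "GET",
    "path": re.compile(r"^/search\?q=[A-Za-z0-9]{8}$"),
    "proto": "HTTP/1.0",
    "ua": "Mozilla/4.0 (compatible; FloodBot)",
}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def matches_signature(entry, sig):
    """True when every stable field matches and the randomised field has the expected shape."""
    return (entry["method"] == sig["method"] and entry["proto"] == sig["proto"]
            and entry["ua"] == sig["ua"] and sig["path"].match(entry["path"]) is not None)


def peak_rate(timestamps, window_seconds):
    """Largest number of requests from one source inside any window_seconds span."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, signature=SIGNATURE, window_seconds=10, rate_threshold=5,
            miss_threshold=0.8, min_requests=5):
    """Return {source_ip: [reasons]} for sources worth rate limiting or blocking."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            per_ip[entry["ip"]].append(entry)
    flagged = {}
    for ip, entries in per_ip.items():
        reasons = []
        if any(matches_signature(e, signature) for e in entries):
            reasons.append("signature:" + signature["name"])
        if peak_rate([e["ts"] for e in entries], window_seconds) > rate_threshold:
            reasons.append("rate")
        # Cache-busting clients show a very high miss ratio; require a minimum
        # sample so one miss does not flag an ordinary visitor.
        if len(entries) >= min_requests:
            misses = sum(e["cache"] == "MISS" for e in entries)
            if misses / len(entries) >= miss_threshold:
                reasons.append("cache-miss-ratio")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    print(analyze(LOG_LINES))
```

The three checks are deliberately independent: the signature catches a known tool even at low rates, the rate check catches an unknown tool that makes no attempt to hide, and the miss ratio catches the cache-busting behaviour that makes application floods expensive regardless of which tool produced them.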
HTTP POST Request
An HTTP POST request is a method that submits
data in the body of the request to be processed by the server. For example, a
POST request takes the information in a form and encodes it, then posts the
content of the form to the server.