DNS (Domain Name System)
A system that stores information about Internet domains; its key function is to return the IP address of a node or other resource when given its fully qualified domain name. The system consists of many servers and has a distributed, hierarchical architecture. To reduce the risk of attacks on DNS and to ensure the integrity and authenticity of the data it holds, DNS servers use built-in protection and security features such as DNSSEC, TSIG, DANE, and others.
DoS (Denial of Service)
An attack against a system that aims to make it stop providing a service: a flood of bogus requests overloads the system so that it cannot handle requests from legitimate users. Being cheap to carry out and effective, DoS attacks are often used for unfair competition and other illegal purposes.
DDoS (Distributed Denial of Service)
A DoS attack carried out simultaneously from a vast number of devices that attackers have taken control of and can command to generate floods of bogus requests. An attack of this kind can cause a denial of service for the systems of a large enterprise or for an entire network.
UDP (User Datagram Protocol)
A protocol for sending messages (datagrams) to other hosts without error checking or correction. Its advantage is that a server can quickly process requests from a very large number of clients.
UDP flood
A network-based DoS attack carried out by sending large amounts of UDP packets to a remote host's ports, so that its link is congested with bogus traffic.
Smurf attack
A kind of amplification DoS attack that uses network broadcasting (the broadcast facilities offered by various network protocols): forged ICMP Echo requests are sent to broadcast addresses with the victim's IP address spoofed as their source. Every node on the network that answers broadcasts then sends a response, and the resulting flood overloads the victim's node.
Hosting
A service that hosts IT systems and resources (servers, websites, business applications, databases, content portals, virtual machines, etc.) on premises and hardware managed by a hosting provider. Usually, the provider offers a reliable high-speed Internet connection along with technical support, physical and IT security, and data integrity services (backups, etc.) for the customer's IT assets.
Dedicated server
A type of hosting service where the customer is provided with a dedicated physical server connected to the Internet. The leased hardware is usually used to deploy mission-critical and/or resource-intensive applications and websites. The service is often used to speed up projects that are critical for the customer's business and require significant IT resources.
VDS/VPS (Virtual Dedicated/Private Server)
A type of hosting service where the customer rents a virtual dedicated server or virtual private server (the two terms mean essentially the same thing) deployed on hardware managed by a hosting provider. A virtual server is a virtual machine running on a physical server; its software emulates the operation and resources of a separate physical server. A virtual dedicated server usually costs less than a conventional physical dedicated server, and it can easily be scaled whenever necessary.
DNS hosting
A service for hosting the customer's DNS zones. For a website to be reachable on the Internet, its domain name must be registered in the DNS. This requires a primary DNS server that holds the domain name record, plus secondary DNS servers that distribute the domain name information across the network.
HSTS (HTTP Strict Transport Security)
A mechanism that makes a web client and server establish a secure HTTPS connection from the outset, without first using the unprotected HTTP protocol. It helps minimize the risk of attacks that eavesdrop on or tamper with a web connection.
SSL (Secure Sockets Layer)
A protocol for cryptographically secured data exchange over popular Internet protocols such as HTTP, FTP, TELNET, etc. SSL certificates are used to verify that a public key belongs to its actual owner. Authentication of the keys used for data exchange is based on asymmetric cryptography, while the traffic itself is protected from unauthorized access with symmetric encryption. Message integrity is verified using message authentication codes (MACs).
Teardrop attack
A DDoS attack that uses fragmented packets with crafted offsets to exploit a TCP/IP stack vulnerability. During the attack, the victim's server is bombarded with large numbers of fragmented packets that it tries and fails to reassemble, wasting a huge amount of resources.
ICMP flood
A DoS attack against a victim server carried out by sending a huge flood of forged ICMP packets from multiple IP addresses; the server is overwhelmed by processing them.
A type of DoS attack targeting network equipment: a variant of the ICMP flood that uses programs or utilities that are part of desktop operating systems, such as the diagnostic ping utility. The server is overwhelmed by ping (ICMP Echo) requests, leading to a denial of service.
TCP (Transmission Control Protocol)
A transport layer protocol in the OSI model and one of the main protocols of the Internet protocol suite. It was originally designed to control data transmission and ensure its reliability. Many types of DDoS attacks are now known that exploit various TCP features and vulnerabilities.
SSDP (Simple Service Discovery Protocol)
A network protocol used in small networks, such as residential ones, for advertising and discovering network services, primarily those supported by the Universal Plug-and-Play (UPnP) architecture. Features of SSDP are exploited in DDoS attacks of the SSDP amplification type.
HTTP (HyperText Transfer Protocol)
The World Wide Web protocol used for data exchange between web servers and clients. Initially, the protocol did not encrypt web traffic; encryption was later added in the HTTPS extension.
GET request
An HTTP request made to a web server to retrieve data needed by a web client. GET requests provide a way to pass parameters, which is widely used in today's web service implementations.
HTTPS (HyperText Transfer Protocol Secure)
An extension of HTTP that secures web traffic using cryptographic algorithms based on the SSL and TLS protocols.
ICMP (Internet Control Message Protocol)
A TCP/IP stack protocol used for notifying about exceptional conditions that can occur on the Internet. Some of the protocol's message types serve "internal" purposes only and carry no meaningful data.
IP tunneling
Creating a virtual channel for data exchange between two Internet-connected networks by encapsulating traffic inside the IP protocol: packets that need to be sent from one network to the other are carried as payload inside conventional IP packets. Various cryptographic protocols are used to protect the traffic inside an IP tunnel from unauthorized access.
SSL traffic
Traffic secured by encryption using the SSL protocol. The reliability of the protection depends on the encryption algorithm used for session key agreement.
SYN (flag)
A flag for sequence number synchronization that uses bits 10 to 15 of the TCP packet header. If the flag is set, it means that both the server and client are ready to establish a connection.
SYN message
A TCP request for initiating a connection. Step 1: the client sends a connection request to the server (a TCP packet with the SYN flag set). Step 2: the server responds (the client is sent a packet with the SYN and ACK flags set). Step 3: the client acknowledges its readiness to establish the connection (the server is sent a packet with the ACK flag set). The connection is deemed established once all three steps (the so-called TCP three-way handshake) have succeeded.
SYN cookie
A method of preventing SYN flood attacks in which a TCP server responds to a client's connection request in a special way while the connection is being established. This reduces the load created by a SYN attack, although today SYN cookies are not very effective against real-world SYN attacks.
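The three-way handshake and the SYN cookie idea from the two entries above, as an added example that is not part of this glossary or of any vendor's code: a minimal TCP header builder and parser, a simplified SYN cookie (an HMAC over the connection 4-tuple, the client's initial sequence number and an 8-bit time slot; the real Linux scheme also encodes the MSS and uses a different layout), and a stateless server that records a connection only after a final ACK carrying a valid cookie. The addresses, ports, secret and clock value are constructed; effective_window applies the window scale shift (at most 14) mentioned under TCP window size.

```python
import hashlib
import hmac
import struct

# TCP control bits: the low 6 bits of the 16-bit data-offset/flags word in the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIHHHH"  # src port, dst port, seq, ack, offset+flags, window, checksum, urgent


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options; checksum left at zero)."""
    offset_flags = (5 << 12) | (flags & 0x3F)  # data offset = 5 32-bit words
    return struct.pack(TCP_HDR, src_port, dst_port, seq & 0xFFFFFFFF,
                       ack & 0xFFFFFFFF, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Return the fields of a 20-byte TCP header as a dict."""
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x3F, "window": window}


def effective_window(window, scale_shift):
    """Receive window in bytes once the window scale option (shift at most 14) is applied."""
    if not 0 <= scale_shift <= 14:
        raise ValueError("window scale shift must be between 0 and 14")
    return window << scale_shift


def syn_cookie(secret, client_ip, client_port, server_ip, server_port, client_isn, minute):
    """Simplified SYN cookie: 8-bit time slot in the top byte, 24-bit HMAC tag below it."""
    msg = f"{client_ip}:{client_port}>{server_ip}:{server_port}|{client_isn}|{minute}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:3]
    return ((minute & 0xFF) << 24) | int.from_bytes(tag, "big")


class StatelessSynServer:
    """Answers each SYN with a SYN-ACK whose sequence number is a cookie, so half-open
    connections consume no memory; only a final ACK carrying a valid cookie creates state."""

    def __init__(self, ip, port, secret, clock):
        self.ip, self.port, self.secret, self.clock = ip, port, secret, clock
        self.established = set()  # (client_ip, client_port) pairs that completed the handshake

    def _cookie(self, client_ip, client_port, client_isn, minute):
        return syn_cookie(self.secret, client_ip, client_port, self.ip, self.port, client_isn, minute)

    def handle(self, client_ip, segment):
        """Process one inbound segment; return the reply segment, or None if there is none."""
        hdr = parse_tcp_header(segment)
        flags = hdr["flags"]
        minute = int(self.clock()) // 60
        if flags & SYN and not flags & ACK:  # step 1: SYN from the client
            cookie = self._cookie(client_ip, hdr["src_port"], hdr["seq"], minute)
            # step 2: SYN-ACK with the cookie as our initial sequence number; nothing is stored
            return build_tcp_header(self.port, hdr["src_port"], cookie, hdr["seq"] + 1, SYN | ACK)
        if flags & ACK and not flags & SYN:  # step 3: final ACK of the handshake
            client_isn = (hdr["seq"] - 1) & 0xFFFFFFFF
            presented = ((hdr["ack"] - 1) & 0xFFFFFFFF).to_bytes(4, "big")
            for slot in (minute, minute - 1):  # accept cookies from this and the previous minute
                expected = self._cookie(client_ip, hdr["src_port"], client_isn, slot).to_bytes(4, "big")
                if hmac.compare_digest(expected, presented):
                    self.established.add((client_ip, hdr["src_port"]))
                    return None
            # ACK without a valid cookie (forged, stale, or for a SYN we never answered): reset it
            return build_tcp_header(self.port, hdr["src_port"], 0, hdr["seq"], RST | ACK)
        return None


def run_handshake(server, client_ip, client_port, client_isn):
    """Drive a client through the three steps and report whether state was created."""
    syn_ack = server.handle(client_ip, build_tcp_header(client_port, server.port, client_isn, 0, SYN))
    reply = parse_tcp_header(syn_ack)
    ack = build_tcp_header(client_port, server.port, client_isn + 1, reply["seq"] + 1, ACK)
    server.handle(client_ip, ack)
    return (client_ip, client_port) in server.established


if __name__ == "__main__":
    srv = StatelessSynServer("192.0.2.1", 443, b"constructed-demo-secret", lambda: 1_700_000_000.0)
    print("handshake completed:", run_handshake(srv, "203.0.113.5", 40000, 1000))
    for port in range(1, 5001):  # a burst of 5000 SYNs with no follow-up ACK
        srv.handle("198.51.100.9", build_tcp_header(port, 443, port, 0, SYN))
    print("connections tracked after the SYN burst:", len(srv.established))
```

The point of the design is in the SYN branch: the server sends its SYN-ACK and forgets the client, so a flood of SYNs that never complete step 3 costs it nothing but bandwidth, while a client that really answers proves it saw the SYN-ACK by echoing the cookie.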
Zero Day (0day DDoS) attack
When used in relation to popular protocols, the term means a DDoS attack that exploits vulnerabilities previously unknown to security experts. When used of popular software products, it refers to security bugs of which the developers were previously unaware. A DDoS attack is also often called zero-day if it uses brand-new methods that have never been seen before.
Domain name
A character-string identifier (name) of an Internet domain. Domain names make it easier for humans to refer to individual nodes and the resources deployed on them. All Internet domains form a single hierarchy. A fully qualified domain name is a dot-separated series of domains, such as domain3.domain2.domain1, where domain1 is the top-level domain. The Domain Name System (DNS) maps domain names to IP addresses.
Bandwidth
The data transfer rate of a communication link. Bandwidth determines the amount of data that can be sent across a link per unit of time (usually per second).
Router
A special device whose key function is to forward (route) network-level packets from one network segment to another, using a set of rules specific to the network and the data contained in its routing table.
Server
1) a dedicated computer ensuring automated execution of a set of service functions;
2) a software system ensuring automated execution of requests made by other software components (clients).
Traffic
1) a flow of data through a specific node, part of a network, or the network as a whole;
2) the amount of data (number of packets or amount of information) passing through a given node, part of a network, or the entire network within a specified period of time.
Round-Trip Time, RTT
The time from the moment a data packet is sent until an acknowledgment of its receipt arrives.
Internet Protocol, IP
A network-level protocol used in data networks based on Internet standards. It ensures data transmission from one Internet node to any other by "slicing" the data and "packaging" it into IP packets.
Link bandwidth, link throughput
A key characteristic of a link: the maximum data transfer rate achievable over it.
MAC (Media Access Control) address or physical address
A unique identifier of an individual piece of network equipment, such as a NIC or Ethernet port, designating the sender or recipient of an OSI network-level packet (frame). MAC addresses are usually assigned by the manufacturer when the equipment or component is produced.
TCP window size
The size of the buffer used when receiving a packet. Essentially, this is the amount of data sent in one TCP packet. By default, the TCP window size can be no more than 65535 bytes. With the window scale option, however, the window size value can be up to 1Gb.
Cookie
A piece of data stored locally by a web client that characterizes a user from the viewpoint of the server the user accesses. Attributes that can be stored in a cookie include an e-mail address, personal preferences and settings, session state, statistics, etc. When data is exchanged with a web server without encryption, cookies can be intercepted and tampered with.
CVE (Common Vulnerabilities and Exposures)
A database of known vulnerabilities, including their descriptions and links to websites with additional information. The project is sponsored by the United States Computer Emergency Readiness Team (US-CERT) and maintained by the nonprofit MITRE Corporation.
Exploit
A piece of software code or a module used to attack vulnerable nodes in order to gain command and control over them, carry out a destructive action, or cause a denial of service (in DoS attacks).
Hacktivism
Using illegal means of affecting computer networks or individual nodes in order to promote political causes. Hacktivists usually take part in protest movements and try to attract as much attention as possible to the ideas they stand for.
IP fragmentation attack
DoS attacks based on the fragmentation of IP packets. A typical attack of this kind sends datagrams formed in such a way that the victim node cannot reassemble them and wastes a lot of resources trying, which severely degrades the node's performance.
Proxying
The use of a software intermediary (proxy) that processes traffic in some way before passing it on to another program. Security proxies, specifically, process traffic so as to prevent unauthorized access to it and minimize the threat of network attacks.
Content Delivery Network, CDN
A service that delivers data of various kinds and formats (images, videos, web pages, software distributions and patches, etc.) to a large number of users as fast as possible. CDNs help lower costs by freeing customers from the need to build the resilient (including against DDoS attacks), reliable, and highly available IT infrastructure needed for mass delivery of content to consumers.
Attack amplification
A way of implementing a DoS attack that multiplies the impact on the victim server: a small number of bots trigger the sending of a huge amount of forged packets or requests, which severely slow down or paralyze the attacked server as it tries to process them. The approach is used, for example, in attacks based on the DNS and NTP protocols.
Bot
A software robot designed to execute certain actions determined by algorithms or rules. Bots and bot networks installed on vulnerable nodes are often used to execute DoS and DDoS attacks.
SYN/ACK flood
A type of DoS attack targeting TCP servers that sends a huge flood of spoofed packets with both the SYN and ACK flags set, causing a server overload.
RST/FIN flood
DoS attacks against TCP servers that exploit vulnerabilities in TCP-SYN session closure: the server is overloaded by a flood of forged RST or FIN packets.
Slowloris, or session attacks
A type of DoS attack targeting streaming web servers: the attacker tries to establish many HTTP connections with the targeted server and keep them open as long as possible by sending partial requests and HTTP headers, never completing the requests. As the server keeps the connections open, its pool of simultaneous connections eventually fills up, and the server begins to refuse further connections from clients.
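The defensive side of the entry above, as an added example that is not part of this glossary or of any web server's code: connection-pool bookkeeping that caps connections per client address, caps the header block size, and gives each connection a fixed deadline to finish its request headers. The deadline is counted from the moment the connection was opened rather than from its last byte, because a slow client that trickles one header line at a time would otherwise keep resetting an idle timer. The IP addresses, limits and the simulated scenario are constructed.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    ip: str
    opened_at: float
    buffer: bytes = b""
    headers_done: bool = False


class SlowConnectionGuard:
    """Defensive bookkeeping for a web server's connection pool: a cap on connections per
    client IP, a cap on header size, and a deadline for finishing the request headers that
    is counted from the moment the connection was opened, not from its last byte."""

    def __init__(self, max_conns=100, per_ip_limit=20, header_timeout=10.0, max_header_bytes=8192):
        self.max_conns = max_conns
        self.per_ip_limit = per_ip_limit
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.conns = {}  # connection id -> Conn
        self.next_id = 0
        self.rejected = 0

    def open(self, ip, now):
        """Accept a new connection and return its id, or None when a limit is hit."""
        per_ip = sum(1 for c in self.conns.values() if c.ip == ip)
        if len(self.conns) >= self.max_conns or per_ip >= self.per_ip_limit:
            self.rejected += 1
            return None
        cid = self.next_id
        self.next_id += 1
        self.conns[cid] = Conn(ip, now)
        return cid

    def receive(self, cid, chunk):
        """Append request bytes; headers are complete once the blank line arrives.
        Returns True when the header block is complete, False otherwise."""
        conn = self.conns[cid]
        conn.buffer += chunk
        if len(conn.buffer) > self.max_header_bytes:  # oversized header block: drop the connection
            del self.conns[cid]
            return False
        if b"\r\n\r\n" in conn.buffer:
            conn.headers_done = True
        return conn.headers_done

    def reap(self, now):
        """Close every connection that has not finished its headers within the deadline."""
        dead = [cid for cid, c in self.conns.items()
                if not c.headers_done and now - c.opened_at > self.header_timeout]
        for cid in dead:
            del self.conns[cid]
        return dead


def simulate_slowloris(guard, attacker_ip="198.51.100.9", legit_ip="192.0.2.10"):
    """Constructed scenario: one client opens 30 connections and keeps each alive by
    sending a single header line every few seconds without ever ending the headers,
    while a normal client sends one complete request."""
    attacker = [cid for cid in (guard.open(attacker_ip, 0.0) for _ in range(30)) if cid is not None]
    legit = guard.open(legit_ip, 0.0)
    guard.receive(legit, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    for _ in range(3):  # trickle at t=5, 10, 15: bytes keep arriving, headers never complete
        for cid in attacker:
            if cid in guard.conns:
                guard.receive(cid, b"X-a: b\r\n")
    reaped = guard.reap(20.0)  # deadline measured from open, so the trickle does not help
    return {"attacker_accepted": len(attacker), "rejected": guard.rejected,
            "reaped": len(reaped), "still_open": len(guard.conns),
            "legit_open": legit in guard.conns}


if __name__ == "__main__":
    print(simulate_slowloris(SlowConnectionGuard()))
```

In the simulated run the per-address cap admits 20 of the 30 slow connections, the reaper removes all 20 at the deadline, and the one complete request is untouched; the same three controls exist as configuration knobs in common web servers and reverse proxies.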
HTTP flood
A kind of DoS attack targeting web servers in which bots send many HTTP GET requests for the largest elements of a site, placing a heavy load on the server and leaving it unable to process other requests. Besides GET requests, similar results can be achieved with POST requests or other HTTP actions. Attacks of this kind are often very effective because they do not require a large number of bots.
Recursive HTTP GET flood
A type of DoS attack and a variant of HTTP flood in which the attacker requests a number of pages from a website, analyzes the responses, and then recursively requests every object available on the site. Because the recursive requests created this way look legitimate, the approach significantly lowers the probability of the attack being detected.
VoIP flood
A DoS attack and variant of UDP flood carried out by sending large amounts of forged VoIP packets from a wide range of IP addresses to a VoIP server, usually one used by a call center. As a result, the server wastes too many resources trying to handle the bogus requests. Due to certain properties of the UDP protocol, a VoIP flood can be very hard to detect.
NTP flood
A variant of UDP flood: a DoS attack targeting servers that use NTP (Network Time Protocol), a protocol for synchronizing computers' internal clocks. The NTP server is overloaded by multiple spoofed NTP requests sent from a large number of IP addresses.
DNS amplification attack
This type of amplified DoS attack exploits the way DNS services operate: a forged domain query is sent to a vulnerable DNS server, and its response, which is much larger, is delivered to the victim server, whose link becomes overwhelmed with the responses. Attacks of this type are distinctive in that it is almost impossible to determine where the forged requests come from.
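A detection check for the Attack amplification entry and the DNS amplification entry above, as an added example that is not part of this glossary or of any product: because the victim's address is forged into the requests, the victim sees answers from DNS, NTP, CharGEN, MC-SQLR or Memcached servers it never queried, so the signal on the victim's own network is the ratio of reflector-service bytes received to bytes sent. The flow records are constructed (not captured traffic), the monitored network and thresholds are assumptions, and the port-to-service table uses the services' standard ports.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Standard ports of services commonly abused as reflectors
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 19: "chargen", 1434: "mc-sqlr", 11211: "memcached"}

# Constructed flow records, not captured traffic: 192.0.2.0/24 is the monitored network
SAMPLE_FLOWS = """\
proto,src,sport,dst,dport,bytes
udp,192.0.2.10,41000,198.51.100.53,53,70
udp,198.51.100.53,53,192.0.2.10,41000,210
udp,203.0.113.7,53,192.0.2.20,31337,3200
udp,203.0.113.8,53,192.0.2.20,31337,3100
udp,203.0.113.9,53,192.0.2.20,31337,3300
udp,203.0.113.10,123,192.0.2.20,31337,4800
tcp,192.0.2.10,50000,198.51.100.80,80,1500
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and byte counts."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({"proto": row["proto"], "src": row["src"], "dst": row["dst"],
                     "sport": int(row["sport"]), "dport": int(row["dport"]),
                     "bytes": int(row["bytes"])})
    return rows


def amplification_report(flows, internal_net, min_bytes=1000, min_ratio=10.0):
    """Flag internal hosts receiving far more reflector-service UDP traffic than they requested.

    A host that sent nothing to a service yet receives answers from it is the strongest
    signal: its address was spoofed as the source of somebody else's requests."""
    net = ipaddress.ip_network(internal_net)
    sent = defaultdict(int)        # (host, service) -> bytes the host sent to that service port
    received = defaultdict(int)    # (host, service) -> bytes that arrived from that service port
    reflectors = defaultdict(set)  # (host, service) -> distinct answering servers
    for f in flows:
        if f["proto"] != "udp":
            continue
        if ipaddress.ip_address(f["src"]) in net and f["dport"] in REFLECTOR_PORTS:
            sent[(f["src"], REFLECTOR_PORTS[f["dport"]])] += f["bytes"]
        if ipaddress.ip_address(f["dst"]) in net and f["sport"] in REFLECTOR_PORTS:
            key = (f["dst"], REFLECTOR_PORTS[f["sport"]])
            received[key] += f["bytes"]
            reflectors[key].add(f["src"])
    alerts = []
    for key, rx in received.items():
        tx = sent.get(key, 0)
        ratio = rx / tx if tx else float("inf")  # answers with no questions: unbounded ratio
        if rx >= min_bytes and ratio >= min_ratio:
            alerts.append({"host": key[0], "service": key[1], "bytes_in": rx, "bytes_out": tx,
                           "ratio": ratio, "reflectors": len(reflectors[key])})
    return sorted(alerts, key=lambda a: a["bytes_in"], reverse=True)


if __name__ == "__main__":
    for alert in amplification_report(parse_flows(SAMPLE_FLOWS), "192.0.2.0/24"):
        print(alert)
```

On the sample records the resolver exchange of 192.0.2.10 (70 bytes out, 210 bytes back) stays below both thresholds, while 192.0.2.20 is flagged twice: DNS answers from three servers it never queried, and an NTP answer from a fourth. The same ratio logic, run on the reflector side of the network, is how an operator notices that their open resolver or NTP server is being used against someone else.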
IP Null attack
A kind of DoS attack that uses IP protocol features: the victim server is sent a large stream of packets whose Protocol field is set to zero (normally the field contains the code of the transport-level protocol, except in IPv6 packets). The server wastes its resources trying to process the packets correctly.
DoS attacks that use UDP packets: large numbers of such packets with the source IP set to the victim server's address are sent to ports of an amplification network. As a result, the victim server is forced to spend its resources processing the vast number of spoofed packets.
MITM (man-in-the-middle) attack
A class of attacks involving an intermediary acting for its own benefit: having inserted itself between two parties exchanging data, a third participant gains unauthorized access to their traffic and can do virtually anything with it. The intermediary takes care to hide itself so as not to arouse the legitimate parties' suspicion that the privacy and integrity of their traffic have been breached.
SYN flood, or SYN attack
A variant of DoS attack carried out at the TCP protocol level: the victim node is overloaded by a large amount of TCP SYN segments sent to it (usually a node cannot handle more than several thousand such segments at once). Attacks of this kind are highly effective.
SIP malformed attack
A type of DoS attack exploiting vulnerabilities in the Session Initiation Protocol (SIP) used by VoIP services and applications: the SIP server is overloaded with a flood of messages containing deliberately malformed data. Attacks of this kind generally disrupt the normal operation of VoIP services.
SNMP reflection attack
A DDoS attack variant that exploits vulnerabilities in the SNMP network management protocol and resembles DNS amplification attacks: using a spoofed victim IP address, the attacker sends a large number of SNMP GetBulk requests with the MaxRepetitions parameter set to the highest possible value (2250) to multiple connected devices, which in turn send streams of responses to the attacked network until it goes down. The streams can arrive at rates of up to hundreds of gigabits per second. Attacks of this type have a very high destructive capacity.
CharGEN flood
A type of transport-level amplification DDoS attack, similar to NTP amplification. It exploits vulnerabilities in the very old CharGEN character generator protocol by sending small packets with a spoofed victim IP address to devices supporting the protocol (such as printers, copiers, etc.). The devices' responses are sent as UDP packets to port 19 of the victim server, which wastes too many resources trying to handle them.
MS SQL reflection DDoS attack
An attack type that exploits vulnerabilities in the MC-SQLR protocol used to send queries to Microsoft SQL Server. The victim's link is overloaded by the lists of all database instances held on multiple public SQL servers (including those hosted by service and cloud providers), along with information on how to connect to those instances. This data is returned in response to a stream of spoofed scripted requests containing the attacked node's IP address, sent to those SQL servers.
Memcached DDoS attack
A type of amplification attack exploiting features of the Memcached system, which is widely used for in-memory caching of data to speed up websites. The attack involves sending large numbers of spoofed requests to a victim Memcached server, overloading it and taking it down.
Attacks against websites
Malicious actions impacting web resources on the Internet. Attacks of this kind are usually classified as mass or targeted. Mass attacks target a site as a whole and are usually automated; the attackers rely on their knowledge of popular tools and widespread vulnerabilities. Targeted attacks, on the other hand, are usually carried out by manually searching for vulnerabilities and exploiting them. The damage inflicted by an attack of this type can be fatal.
The 95th percentile
A widely used method of getting 5% more bandwidth while staying within the selected payment plan, based on the way bandwidth is measured: first, data transfer statistics are collected over a month-long period; then the highest 5% of the values are removed from further analysis, and the highest value among the rest is used as the basis for calculating payment.
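The measurement described in the entry above, carried through in code as an added example that is not part of this glossary or of any provider's billing system: interface byte counters sampled every five minutes are turned into Mbit/s values, the top 5% of a month's samples are discarded, and the highest remaining sample is the billable rate. The sample month, the base and burst rates, and the assumption that a plan charges no less than its committed rate are constructed for the illustration.

```python
def rates_mbps_from_counters(byte_counters, interval_s=300):
    """Turn successive interface byte-counter readings (one per interval) into Mbit/s samples;
    an interval where the counter went backwards (wrap or reset) is skipped."""
    rates = []
    for prev, cur in zip(byte_counters, byte_counters[1:]):
        if cur < prev:
            continue
        rates.append((cur - prev) * 8 / interval_s / 1e6)
    return rates


def percentile_95_rate(samples, drop_fraction=0.05):
    """Billable rate as the entry describes: sort the samples, discard the highest 5 %,
    and take the highest value that remains."""
    if not samples:
        raise ValueError("no samples to evaluate")
    ordered = sorted(samples)
    drop = int(len(ordered) * drop_fraction)
    return ordered[len(ordered) - drop - 1]


def monthly_bill(samples, committed_mbps, price_per_mbps):
    """Charge for the 95th percentile rate, but never less than the plan's committed rate
    (a common plan shape; an assumption, not something the entry states)."""
    billable = max(committed_mbps, percentile_95_rate(samples))
    return billable, billable * price_per_mbps


def constructed_month(base_mbps, burst_mbps, burst_samples, interval_s=300, days=30):
    """A month of 5-minute samples (8640 for 30 days) at a steady base rate plus N bursts."""
    total = days * 24 * 3600 // interval_s
    if burst_samples > total:
        raise ValueError("more bursts than samples")
    return [base_mbps] * (total - burst_samples) + [burst_mbps] * burst_samples


if __name__ == "__main__":
    within = constructed_month(10.0, 100.0, 432)  # exactly 5 % of 8640 samples are bursts
    over = constructed_month(10.0, 100.0, 433)    # one burst sample too many
    print("432 burst samples bill at", monthly_bill(within, 10.0, 5.0))
    print("433 burst samples bill at", monthly_bill(over, 10.0, 5.0))
```

With 8640 five-minute samples in a 30-day month, 432 of them (36 hours in total) can run at any rate without affecting the bill; the 433rd burst sample becomes the billed value, which is the cliff to watch when sizing a link that absorbs attack traffic.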