DDoS Dictionary

This is a DDoS dictionary. This page lists the DDoS attacks that can be emulated using our DDoS Testing and Validation platform and provides some background on the mechanics of each attack.

We also offer the ability to use custom or canned patterns in the testing attacks.

Quick Jump: A B D E F G H I P R S T U


A

ACK Flood
This is an attack at Layer 4.

TCP connections are set up with a three-way handshake (SYN, SYN/ACK, ACK). An ACK Flood sends large numbers of bare ACK packets that belong to no existing connection. For every one of them the target has to look the packet up in its connection table to see whether it is a valid ACK, find that it is not, and answer with a RST (ReSeT) to the source address to tell that end to drop the connection.

So a single inbound ACK packet has two costs for the target: CPU for the table lookup and outbound bandwidth for the RST. Because a bare ACK carries no handshake state, the source address can be forged freely, and stateful devices in front of the server (firewalls, load balancers) must do the same lookup and pay the same cost.


B

BroBot
This is an attack at Layer 7.

This is the name given to the attack perpetrated by the itsoknoproblembro DDoS toolkit. The toolkit compromises web servers (the infected hosts are the 'brobots') and uses them as the launch points for further attacks. Its traffic carries multiple signatures and blends SYN, UDP, ICMP and SSL floods with DNS attacks, making it a well thought out blended attack.


D

DNS ANY Query
This is an attack at Layer 7.

In the ‘wild’ this is both a reflection and an amplification attack: a small number of inbound packets carrying a forged source address cause a much larger volume of output to be directed at a third party, the real victim. The attacker sends the queries to publicly accessible open DNS servers (often perfectly correctly configured ones), which then send their large responses to the forged address. A DNS ‘ANY’ query asks for every record type held for a name, so the attacker picks names whose answers are large (a name in a zone with many records, or one the attacker has populated with large TXT records) and adds an EDNS0 OPT record advertising a 4096-byte UDP buffer so that the server does not truncate the answer at 512 bytes. A query of around 40 bytes can then draw a response of several kilobytes.

Note that the end target of the attack is not usually a DNS server but more often a web server. The DNS server is merely the unwitting middle-man in the attack.

We can simulate the initial pull of ANY records from a DNS server. As a legitimate testing service we cannot directly simulate the flood of responses (but we can craft this as a custom service with canned responses).

The US-CERT publishes more information on mitigating this sort of attack.
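
The following is an added example, not part of the dictionary or of our platform: it builds the wire format of an ANY query with the EDNS0 OPT record described above, then a hand-constructed response a server might return for a name holding 18 large TXT records, and reports the amplification factor. The domain name, transaction id and record contents are constructed for illustration; the byte layouts follow RFC 1035 and RFC 6891.

```python
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 16, 41, 255
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """A DNS query with an EDNS0 OPT record (RFC 6891) advertising a large UDP buffer.
    Without the OPT record the server would truncate any UDP answer over 512 bytes."""
    # header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, TYPE=41, the CLASS field carries the UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def txt_rdata(text: str) -> bytes:
    """RDATA of a TXT record: one <character-string>, a length byte plus up to 255 bytes."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def build_response(query: bytes, records) -> bytes:
    """Assemble the answer a server would send for `query`: same id, QR/RD/RA flags,
    the question echoed back and one answer RR per (rtype, rdata) pair. Answer owner
    names use a compression pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
        for rtype, rdata in records)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return header + question + answers + opt


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the attacker sends."""
    return len(response) / len(query)


# Constructed example: an ANY query for a name that holds 18 TXT records of 200 bytes each
QUERY = build_query("example.com")
RESPONSE = build_response(QUERY, [(QTYPE_TXT, txt_rdata("A" * 200))] * 18)
```

The query is 40 bytes and the constructed response 3874 bytes, a factor of roughly 97. Without the OPT record the same query is 29 bytes but the server must truncate at 512 bytes (setting the TC bit so a real client retries over TCP), which caps the factor near 17; that is why reflection queries almost always carry EDNS0.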

DNS NXDOMAIN Flood

This is an attack at Layer 7 (DNS), sent over UDP at Layer 4.

Unlike the favourite DNS reflection and amplification attacks, this one sends lookups to a DNS server directly, but does so at speed and for domains that do not exist, so the server keeps returning NXDOMAIN results. Against a recursive resolver the usual form is random labels under a real domain (often called a random-subdomain or ‘water torture’ attack): every query misses the cache, so the resolver has to ask the authoritative server each time and the load lands on both. The volume of requests has a secondary purpose: to fill the resolver's cache with useless negative entries and outstanding queries and so exhaust its capacity to respond to legitimate clients.

It is often grouped with the network-layer floods because it travels over UDP. No handshake is required, so the sending address can be spoofed easily.

DNS Query Flood
This is an attack at Layer 7 (DNS), sent over UDP at Layer 4.

Looking like expected traffic, this volumetric attack sends a DNS server large numbers of lookups for real domain entries. To fill the server's outgoing bandwidth it may add EDNS0 (RFC 6891) to lift the 512-byte UDP response limit, or ask for DNSSEC data, so that larger replies are sent. No sophistication is needed: the attacker may simply elect to send ‘normal’ DNS queries from multiple sources at high volume.

Because the attack uses UDP there is no handshake, so the sending address can be spoofed easily.

DNS Reflection Attack
This is an attack at Layer 7.

This is one of the family of DrDoS attacks (Distributed reflection Denial of Service), which includes the DNS ANY attack. But strictly speaking a reflection attack does not need amplification to cause disruption. Reflection hides the attacker's real address behind the reflectors, and a moderate number of machines can still produce a significant amount of traffic if all of it is aimed at the same target.

DNS AXFR (zone transfers) is sometimes listed as a reflection source, because a server that answers AXFR for anyone returns the entire zone. In practice AXFR runs over TCP, and a TCP connection cannot be completed from a forged source address, so it does not reflect in the way UDP queries do. The real exposure of an open AXFR is that it hands the attacker the complete list of names in the zone, from which they can pick those with the largest answers for ANY or other reflected queries. Either way it is stopped by restricting zone transfers to known secondary servers.

As a legitimate testing service we cannot directly simulate the flood of AXFR responses (but we can craft this as a custom service with canned responses).

Dynamic HTTP Flood
This is an attack at Layer 7.

As with other flood-type attacks, this opens a large number of connections in a short time to try to overwhelm the server. The ploy is to send so many resource requests that mitigation services and equipment that react too slowly let some through (‘leakage’), and that the leakage alone is enough to make the protected resources fail. The attack randomises the URLs and varies the User-Agent string so that neither the web server's cache nor a CDN in front of it can serve the responses from cache; every request reaches the origin.

The HTTP Flood uses static URLs, which may be more appropriate for simulating the DoS caused by a specific heavy-load event.

Dynamic HTTPS Flood
This is an attack at Layer 7.

A Dynamic HTTP Flood carried over TLS (SSL). Because the target must complete a TLS handshake and decrypt each request, every connection costs it more CPU than its plaintext equivalent.

The HTTPS Flood uses static URLs, which may be more appropriate for simulating the DoS caused by a specific heavy-load event.


E

Extreme Bot Attack
This is an attack at Layer 7.

This attack varies many attributes of its traffic at once (User-Agent, source address, and so on) and is designed specifically to avoid detection by mitigation systems. In particular it is designed to pass through signature-based systems, which depend on some attribute staying constant.


F

Fragment TCP Attack
This is an attack at Layer 3 (IP fragmentation of TCP segments) with an impact at Layer 7.

IP can fragment a datagram that is too large for a link into a number of smaller packets, which the receiver reassembles. Because only the first fragment carries the TCP header, filters that inspect the transport header can be bypassed by splitting a packet so that the interesting bytes land in later fragments. This has been well known for more than 20 years.

By sending overlapping fragments an attacker can make an IDS reassemble the data differently from the target host, so that an exploit only takes effect once the packet is reassembled by the target system. Overlapping fragments can also crash a poorly written reassembly routine; the Teardrop Attack is the classic example.

In some cases, and at higher volumes, tiny fragments (payloads one or two bytes long) are used to cause table exhaustion in network devices, either by sending them from multiple forged source addresses or by never sending the final fragment, so that the incomplete datagrams sit in the reassembly buffer until they time out.

Wikipedia have a specific page on IP Fragmentation Attacks.

Fragment UDP Attack
This is an attack at Layer 3 (IP fragmentation of UDP datagrams) with an impact at Layer 7.

As with the Fragment TCP Attack, this uses overlapping or tiny fragments to cause disruption, but with the connectionless UDP protocol as the transport, so the source address can be forged at will.
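
The following is an added example, not part of the dictionary or of our platform, illustrating both the Fragment TCP and Fragment UDP entries. It reassembles a constructed set of overlapping fragments under two policies and shows that they yield different data (which is why an IDS and the host it protects can disagree), and it flags the overlap and the tiny-first-fragment pattern. Fragment offsets are in 8-byte units as in the IP header; the payloads, the policy names and the 20-byte threshold for a ‘tiny’ first fragment are assumptions for the illustration.

```python
def reassemble(fragments, policy="first"):
    """Rebuild a datagram from (offset, payload, more_fragments) triples.
    policy='first': bytes already received win on overlap (BSD-style);
    policy='last': a later fragment overwrites (Linux-style). Returns None while incomplete."""
    assert policy in ("first", "last")
    data, total = {}, None
    for offset, payload, more in fragments:
        if offset % 8:
            raise ValueError("fragment offsets are in 8-byte units")
        if not more:
            total = offset + len(payload)        # the final fragment fixes the datagram length
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "first" and pos in data:
                continue
            data[pos] = byte
    if total is None or any(pos not in data for pos in range(total)):
        return None
    return bytes(data[pos] for pos in range(total))


def audit(fragments, min_first_fragment=20):
    """Flag the patterns the entries describe. min_first_fragment (assumed: one full TCP header)
    catches first fragments too short to carry the transport header a filter needs to see."""
    flags, seen = set(), set()
    for offset, payload, more in fragments:
        if more and len(payload) % 8:
            flags.add("bad-length")              # non-final fragments must be multiples of 8 bytes
        if offset == 0 and len(payload) < min_first_fragment:
            flags.add("tiny-first")
        span = set(range(offset, offset + len(payload)))
        if span & seen:
            flags.add("overlap")
        seen |= span
    return flags


# Constructed fragments. OVERLAPPING carries application data only (transport header omitted);
# the third fragment re-sends bytes 8..15 with different content.
OVERLAPPING = [
    (0, b"GET /index.html HTTP/1.0", True),
    (24, b"\r\n\r\n", False),
    (8, b"ex.php? ", True),
]
# TINY_FIRST splits a TCP header so the flags are not in the first fragment.
TINY_FIRST = [
    (0, b"\x00\x50\x1f\x90\x00\x00\x00\x01", True),   # only 8 bytes: ports and sequence number
    (8, b"\x00\x00\x00\x00\x50\x02\x20\x00", False),  # ack number, data offset and flags, window
]
```

Under the ‘first’ policy the datagram reassembles to a request for /index.html; under ‘last’ it becomes a request for /index.php?. An IDS that reassembles one way while the target reassembles the other never sees what the target executes, so inline devices should either normalise fragments (drop overlaps and short first fragments) or reassemble with the same policy as the hosts behind them.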



G

GRE Attack
This is an attack at Layer 3.

GRE (Generic Routing Encapsulation, RFC 2784) is a way of tunnelling one protocol inside another. It is commonly used to carry privately addressed IP subnets across the Internet to another site, and in that way can be thought of as a precursor to traditional site-to-site VPN technologies. It can equally carry non-IP protocols between two sites, carry routing protocols that are used privately across a WAN, or carry IPv4 across IPv6 networks and IPv6 across IPv4 networks.

GRE is neither TCP nor UDP: it is IP protocol 47, and therein lies the risk, because access control lists written in terms of TCP and UDP ports often forget that they should be blocking IP protocol 47 as well. A GRE flood therefore reaches the target host, which has to decapsulate each packet before it can decide what to do with it.

It was one of the protocols abused by the IoT (Mirai) botnet attacks against the Krebs on Security site in 2016, for example.

(For the technically minded: GRE is different from IP-in-IP encapsulation, which is IP protocol 4 and is defined in RFC 2003.)


H

HTTP Flood
This is an attack at Layer 7.

As with other flood-type attacks, this opens a large number of connections in a short time to try to overwhelm the server. The sheer number can overload mitigation services and equipment that fail to react quickly, and because the tool requests valid URLs the requests that leak through look legitimate and can cause the protected resources to fail.

We can use a Dynamic HTTP Flood, which uses random URLs and User-Agent strings to prevent caching on the target web server.

HTTP GET
This is an attack at Layer 7.

Whilst this uses HTTP, this type of attack is the opposite of a slow HTTP POST attack (such as RUDY or Tor’s Hammer): it is fast rather than slow, and it fetches rather than submits. The tool requests normal URLs to retrieve images or documents, or ideally (from the attacker's point of view) pages built from database queries. The tactic is to consume CPU and network resources, which succeeds best when large items are returned in response to the GET (such as marketing documents) or when each request forces expensive work on the back end.

Such an attack can also be volumetric and scripted to GET invalid or computed URLs in order to overwhelm the server and bypass any cache.

HTTPS Flood

This is an attack at Layer 7.

An HTTP Flood carried over TLS (SSL), so each connection also costs the target a TLS handshake and decryption.

We can use a Dynamic HTTPS Flood, which uses random URLs and User-Agent strings to prevent caching on the target web server.

HULK
This is an attack at Layer 7.

This is an acronym of “HTTP Unbearable Load King”. Originally meant as an educational tool (see the author's original announcement posting), it takes an exhaustion approach to attacking a web server, but rather than doing it slowly to avoid detection it makes each request unique (randomised User-Agent, Referer and query-string parameters, so nothing is served from cache) and then tries to bring the server down quickly by filling its connection slots.
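
The following is an added example, not part of the dictionary or of our platform, covering the HTTP Flood, Dynamic HTTP Flood and HULK entries from the defender's side. It parses constructed access-log lines in the Apache/nginx ‘combined’ format and profiles each source by the two signals those entries describe: how many distinct URLs it requests relative to its request count (cache-busting traffic is almost all unique) and how many User-Agent strings it presents. The IP addresses, timestamps, thresholds and log contents are all constructed for the illustration.

```python
import random
import re
from collections import defaultdict

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) Chrome/114.0.0.0 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) Mobile/15E148",
]


def log_line(ip, path, ua, status=200, size=5120):
    # the timestamp is constant because this detector keys on per-source behaviour, not timing
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


def build_sample_log():
    """Constructed sample: one dynamic-flood source, one static-flood source, one ordinary visitor."""
    rnd = random.Random(1)
    lines = []
    for i in range(60):   # Dynamic HTTP Flood / HULK style: unique URL and rotating UA on every request
        lines.append(log_line("203.0.113.10", f"/?{i}-{rnd.getrandbits(32):08x}", rnd.choice(USER_AGENTS)))
    for _ in range(60):   # plain HTTP Flood: one valid URL, one UA, hammered
        lines.append(log_line("203.0.113.20", "/index.html", USER_AGENTS[0]))
    for path in ("/", "/css/site.css", "/js/app.js", "/about", "/contact"):   # ordinary visitor
        lines.append(log_line("198.51.100.7", path, USER_AGENTS[1]))
    return lines


def profile(lines):
    """Per-source counters: request count, distinct paths, distinct User-Agent strings."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = per_ip[m["ip"]]
        p["requests"] += 1
        p["paths"].add(m["path"])
        p["agents"].add(m["ua"])
    return per_ip


def classify(per_ip, min_requests=30, unique_path_ratio=0.9, static_path_ratio=0.1):
    """Label each source from the shape of its traffic. The thresholds are assumptions for this
    sample; a production rule applies them per time window alongside a plain rate limit."""
    verdicts = {}
    for ip, p in per_ip.items():
        if p["requests"] < min_requests:
            verdicts[ip] = "benign"
            continue
        ratio = len(p["paths"]) / p["requests"]
        if ratio >= unique_path_ratio and len(p["agents"]) > 1:
            verdicts[ip] = "dynamic-flood"      # cache-busting: nearly every request is unique
        elif ratio <= static_path_ratio:
            verdicts[ip] = "static-flood"       # one URL hit far more often than a browser would
        else:
            verdicts[ip] = "benign"
    return verdicts


SAMPLE_LOG = build_sample_log()
```

The point of the two signals is that they survive what the attacker is doing to defeat the cache: a source whose every request is unique and whose User-Agent keeps changing is not a browser, however valid each individual URL looks.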


I

ICMP Flood
This is an attack at Layer 3.

ICMP packets are normally used for diagnostic functions, but an attacker may send them in volume in an attempt to overwhelm a system. Typically ICMP Echo Request packets are sent which, under normal conditions, each elicit an ICMP Echo Reply. The source address is usually forged, so that the replies go to a third party rather than back to the attacker (a reflection attack) and the attacker's own address stays hidden. An ICMP Echo flood directed at a LAN broadcast address with the victim's address forged as the source, so that every host on that LAN replies to the victim at once, is known as a Smurf attack.

Whilst ICMP Echo can be blocked from reaching a target server by ACLs on a router or firewall, the filtering itself costs CPU on that network device and at high enough rates may cause the device to fail (though many devices have ICMP rate-limiting controls).

ICMP has message types other than Echo that can be used in attacks.


P

PHP Hash Collision
This is an attack at Layer 7.

Although this entry is specific to PHP, the hash collision issue is not unique to PHP (it was also present in ASP.NET, Java, Python and Ruby). A web runtime stores the parameters of a POST body in a hash table, and the hash of each parameter name decides which bucket it lands in. If an attacker sends a request whose parameters are thousands of names that all hash to the same value, every insertion has to be compared against every name already in that bucket, so filling the table takes quadratic rather than linear time, and a single request of a few tens of kilobytes can keep a CPU core busy for a long time. The runtime does this while parsing the request, before any application code runs, and all the colliding names arrive in one HTTP request, so there is no flood for the network layer to notice.
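
The following is an added example, not part of the dictionary or of our platform. It implements DJBX33A, the string hash PHP used for array keys, generates 1024 parameter names that all collide under it (the ‘Ez’/‘FY’ construction), and counts the key comparisons a toy chaining hash table makes while parsing a POST body of those names against a body of ordinary names. The table, its bucket count and the parameter names are constructed for the illustration; only the hash function and the colliding blocks are PHP's.

```python
def djbx33a(key: str) -> int:
    """DJBX33A, the string hash PHP used for array keys (32-bit arithmetic):
    h = h * 33 + c for every byte, starting from 5381."""
    h = 5381
    for c in key.encode("ascii"):
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def colliding_keys(blocks: int) -> list:
    """Every string built from the two-byte blocks 'Ez' and 'FY' hashes identically,
    because ord('E') * 33 + ord('z') == ord('F') * 33 + ord('Y') (both 2399), and the
    hash is applied block by block; `blocks` blocks give 2**blocks keys with one hash value."""
    keys = [""]
    for _ in range(blocks):
        keys = [k + block for k in keys for block in ("Ez", "FY")]
    return keys


class ChainedHashTable:
    """Toy separate-chaining table that counts the key comparisons it makes."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        bucket = self.buckets[djbx33a(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):      # linear scan of the chain
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def parse_post_body(body: str) -> int:
    """Insert every name=value pair of a form body into a fresh table (what a runtime does to
    build $_POST) and return how many key comparisons that took."""
    table = ChainedHashTable()
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table.comparisons


def malicious_body(blocks: int = 10) -> str:
    """One POST body whose 2**blocks parameter names all collide."""
    return "&".join(f"{k}=1" for k in colliding_keys(blocks))


def benign_body(n: int = 1024) -> str:
    return "&".join(f"field{i}=1" for i in range(n))
```

The malicious body is about 23 KB yet costs 523,776 comparisons (1024 × 1023 / 2), against a few hundred for the benign body of the same number of parameters; the cost grows with the square of the parameter count, which is why the fixes were a cap on the number of request parameters (PHP's max_input_vars) and randomised hash seeds.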

PING Attack
See ICMP Flood

PSH+ACK Flood
This is an attack at Layer 4.

The PSH and ACK bits in the TCP header can both be set to ‘1’. PSH tells the receiving stack to hand the segment's data straight to the application rather than buffering it, and ACK means the receiver must match the packet against its connection table; a flood of such packets therefore costs the target a table lookup and a RST for each unmatched packet and, where one does match a real connection, an interruption of the application as well. Whilst reportedly second in popularity only to the SYN Flood, it is often combined with other attacks and uses forged source addresses.


R

Reflection Attack
The Echo and Chargen services (TCP and UDP ports 7 and 19 respectively, enabled on some network devices and older UNIX-based operating systems) can be easily (ab)used for a reflection attack, something known about since 1996.

The same technique can be used against other UDP-based services (which are connectionless and therefore susceptible to spoofed-source requests) such as NTP, SNMP or SSDP, though these are usually chosen because they also amplify the attack, returning a response many times larger than the request.

We can simulate these with direct port-based UDP traffic from a UDP Flood or UDP Garbage Flood.

RST Flood

This is an attack at Layer 4.

A TCP RST packet tells one party in a TCP conversation to drop the connection. A RST Flood attempts to use that purpose maliciously, sending packets with forged source addresses in an effort to have a device drop valid connections. To reset a real connection the attacker must hit the connection's four-tuple and a sequence number inside the receiver's window, so against a host the flood mostly costs table lookups and bandwidth unless the attacker can observe or guess those values.

Wikipedia have a specific page on RST Flood.

RUDY
This is an attack at Layer 7.

This is an acronym of “R-U-Dead-Yet?” and, like Slowloris, it seeks to exhaust the resources on a target machine. The tool detects HTTP POST-based forms on a web site and then submits data to the form very slowly (announcing a large Content-Length and then sending the body a byte at a time) to keep an open connection slot in the web server occupied. It repeats the exercise over and over again (and can take input from a text file for batch mode operation) until all the connection slots available at the target are used up, at which point no further external communication with that web server is possible.


S

Slowloris
This is an attack at Layer 7.

A Slowloris attack opens many connections to a web server and keeps each one alive by sending a partial HTTP request: another header line every few seconds, but never the blank line that ends the headers, so the server holds every connection open waiting for the rest. The aim is to use up all the available connection slots in the web server software and thereby deny any further requests being processed. It needs very little bandwidth, and it hits servers that dedicate a thread or process to each connection (such as Apache's prefork model) hardest; event-driven servers are far less affected.

Wikipedia have a specific page on Slowloris.
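
The following is an added example, not part of the dictionary or of our platform, covering the RUDY and Slowloris entries together. It models the per-connection request reader that a web server needs in order to survive both: a deadline and a byte budget for the header phase, and for the body phase a minimum data rate (a base timeout extended by one second for every N bytes actually received, the scheme Apache's mod_reqtimeout uses). The byte streams for a Slowloris client, a RUDY client and an ordinary browser are constructed, with arrival times supplied explicitly so the example runs without sockets; the limit values are assumptions.

```python
import re

CONTENT_LENGTH = re.compile(rb"^content-length:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


class RequestReader:
    """Tracks one connection's request and decides when to give up on it.
    header_timeout / max_header_bytes bound the header phase; the body phase gets
    body_timeout seconds plus one second per body_min_rate bytes actually received."""

    def __init__(self, header_timeout=20.0, max_header_bytes=8192,
                 body_timeout=20.0, body_min_rate=500):
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.body_timeout = body_timeout
        self.body_min_rate = body_min_rate
        self.started = None
        self.buf = b""
        self.phase = "headers"
        self.body_len = 0
        self.body_received = 0
        self.body_started = None

    def feed(self, chunk: bytes, now: float) -> str:
        """Consume bytes that arrived at time `now`; return the connection's state."""
        if self.started is None:
            self.started = now
        if self.phase == "headers":
            self.buf += chunk
            if len(self.buf) > self.max_header_bytes:
                return "drop:header-too-large"
            end = self.buf.find(b"\r\n\r\n")
            if end == -1:
                if now - self.started > self.header_timeout:
                    return "drop:header-timeout"
                return "reading-headers"
            headers, chunk = self.buf[:end], self.buf[end + 4:]   # anything after the blank line is body
            m = CONTENT_LENGTH.search(headers)
            self.body_len = int(m.group(1)) if m else 0
            self.body_started = now
            self.phase = "body"
        self.body_received += len(chunk)
        if self.body_received >= self.body_len:
            return "complete"
        allowed = self.body_timeout + self.body_received / self.body_min_rate
        if now - self.body_started > allowed:
            return "drop:body-too-slow"
        return "reading-body"


def run(events, **limits) -> str:
    """events: constructed list of (seconds_since_connect, bytes). Returns the final state."""
    reader = RequestReader(**limits)
    state = "reading-headers"
    for t, data in events:
        state = reader.feed(data, t)
        if state == "complete" or state.startswith("drop:"):
            break
    return state


def slowloris_events(n=30, interval=10.0):
    """Slowloris: a request line and Host header, then one bogus header every `interval`
    seconds and never the blank line that ends the headers."""
    events = [(0.0, b"GET / HTTP/1.1\r\nHost: target.example\r\n")]
    events += [(i * interval, b"X-a: %d\r\n" % i) for i in range(1, n)]
    return events


def rudy_events(content_length=1_000_000, n=30, interval=10.0):
    """RUDY: complete headers announcing a huge POST body, then one byte every `interval` seconds."""
    head = (b"POST /form HTTP/1.1\r\nHost: target.example\r\n"
            b"Content-Length: %d\r\n\r\n" % content_length)
    return [(0.0, head)] + [(i * interval, b"a") for i in range(1, n)]


def normal_events():
    """An ordinary browser POST: headers and body within a few milliseconds."""
    return [(0.0, b"POST /form HTTP/1.1\r\nHost: target.example\r\nContent-Length: 11\r\n\r\n"),
            (0.05, b"name=alice&")]
```

A header deadline alone does not stop RUDY, because RUDY completes its headers immediately; the body phase needs its own rate check, which is why the two controls are configured separately in Apache (RequestReadTimeout header=... body=...,MinRate=...) and nginx (client_header_timeout and client_body_timeout).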

SSL Exhaustion
This is an attack at Layer 7.

The SSL Regeneration attack is the most common form of SSL Exhaustion attack. All such attacks seek to fill the SSL/TLS connection slots on the target, ideally with a large CPU cost as well as memory exhaustion.

SSL Hit and Run
This is an attack at Layer 7.

This is a flood-type attack. SSL/TLS handshakes and data decryption are costly in CPU time. In this variant the attacker connects and starts the SSL handshake, then disconnects (perhaps before the handshake has completed) and reconnects, many times over, so the server keeps doing the expensive part of the handshake and gets nothing in return.

SSL Regeneration
This is an attack at Layer 7.

This is a flood-type attack, sometimes known as an SSL Handshake Attack. Data sent in an SSL session must be decrypted by the target system (whether that be a web server or an SSL offloading device such as a load balancer), and that costs CPU time. But the attacker need not even send data: simply requesting SSL handshakes over and over is cheap for the attacker and costly for the target, because with RSA key exchange the server's private-key operation is far more expensive than the client's public-key operation.

SYN Flood
This is an attack at Layer 4.

TCP connections are set up with a three-way handshake, and this attack abuses it by repeatedly sending the first part (the SYN) in an effort to consume CPU and memory on the target. The target believes a legitimate inbound connection is starting, so it creates an entry in its connection table, sends a SYN/ACK and then waits for the final ACK, which never comes.

So there are three consequences of a single inbound SYN packet: memory consumed by an entry in the connection table; outbound bandwidth for the SYN/ACK (usually sent to innocent third parties, because the SYN carried a forged source address); and the ‘desired’ eventual exhaustion of space in the connection table by these ‘half-open’ connections, at which point no further connections, malicious or good, can be made to the target.

Traditionally this is measured as a PPS (packets per second) rate of inbound SYNs, since each is a small packet, but an attacker may choose to pad the SYN to full size so that a volumetric attack is performed as well; this is often known as a Tsunami SYN Flood and uses the same logic as the UDP Garbage Flood. The standard defences are SYN cookies, which let a server answer a SYN without storing any state, and SYN proxies in mitigation equipment.

Wikipedia have a specific page on SYN Flood.
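
The following is an added example, not part of the dictionary or of our platform: a simplified SYN cookie, the mechanism that lets a server survive the flood described above because it stores nothing for a half-open connection. The server encodes a coarse time counter, an MSS index and a keyed hash of the four-tuple into the initial sequence number of its SYN/ACK; when the final ACK arrives it recomputes the hash from the ACK's own fields and accepts the connection only if it matches and is recent. The 5/3/24-bit layout follows the scheme Linux uses, but the MSS table, HMAC-SHA256 as the keyed hash, the secret and the addresses are assumptions for the illustration.

```python
import hashlib
import hmac
import struct

# MSS values a cookie can encode in its 3-bit field (assumed table; Linux uses a similar one)
MSS_TABLE = (536, 1300, 1440, 1460)


def _keyed_hash(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash over the connection's four-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, mss, t):
    """Initial sequence number for the SYN/ACK. Layout: 5 bits of the coarse time counter,
    3 bits of MSS index, 24 bits of keyed hash. Nothing is stored on the server."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                      # largest table entry not above the client's MSS
    return ((t & 0x1F) << 27) | (idx << 24) | _keyed_hash(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret, saddr, daddr, sport, dport, ack, now, max_age=2):
    """Validate the handshake's final ACK with no stored state. The client acknowledges
    ISN+1, so ack-1 must be a cookie we could have minted in the last `max_age` ticks.
    Returns the MSS to use for the connection, or None to drop the ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_low, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(max_age + 1):
        t = now - age
        if (t & 0x1F) == t_low and _keyed_hash(secret, saddr, daddr, sport, dport, t) == h:
            return MSS_TABLE[idx]
    return None


# Constructed values: a real stack rotates a random secret; addresses are documentation ranges
SECRET = bytes(range(32))
CLIENT, SERVER = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7])
```

A forged-source SYN now costs the server only the SYN/ACK it sends, since no table entry is created, and an ACK Flood against a cookie-protected listener fails the hash check and is dropped. The trade-off is why cookies are usually switched on only under load: the 32 bits of sequence number have no room for the client's TCP options, so window scaling and SACK are lost unless they can be recovered from the TCP timestamp option.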


T

TCP Connection Flood
This is an attack at Layer 4.

A SYN Flood tries to fill the connection table with apparent starts of conversations, and some mitigation devices defend against it by proxying the answer to incoming SYNs (a SYN proxy), only passing a connection to the real server once the client has completed the handshake. One trick in the attacker's arsenal is therefore to complete the handshake properly from real addresses, holding each connection open as long as possible before sending the final ACK and then keeping it open while sending minimal data. This confounds SYN proxying, because the connections are genuine, and does eventually lead to connection table exhaustion in the target device.

THC-SSL Attack
This is an attack at Layer 7.

SSL encryption is a compute-intensive activity and the THC-SSL-DOS tool takes advantage of this in two ways: firstly it opens many SSL connections to a server, and secondly, on each of them, it uses the renegotiation function to repeat the handshake many hundreds or thousands of times within the single connection. The intention is that the web server (or the SSL offload portion of the load balancer) becomes CPU-bound and unable to answer any new incoming connection requests. Disabling client-initiated renegotiation removes the second, more damaging, half of the attack.

Wikipedia has a generic page about the group (The Hacker's Choice) that developed the tool.

Tor’s Hammer
This is an attack at Layer 7.

Like RUDY, Tor’s Hammer is a slow HTTP POST-based resource exhaustion DDoS tool. But this tool can route the attack through the Tor network to anonymise the source address, encrypting the traffic and passing it through several relays between the original source and the target, so that the target sees connections from Tor exit nodes rather than from the attacker.

Tsunami SYN Flood
This is an attack at Layer 4.

A TCP SYN Flood whose packets are padded with garbage data, so that the vector becomes a volumetric attack rather than a purely packets-per-second-based TCP SYN Flood.


U

UDP Flood
This is an attack at Layer 4.

A volumetric attack that is often easier to launch than the equivalent TCP Connection Flood, since the connectionless UDP protocol has no handshake and therefore no source address checking. Rather than sourcing the flood directly, amplification is often used. Each packet that lands on a closed UDP port also makes the target generate an ICMP Port Unreachable, an added cost on top of the inbound bandwidth.

UDP Garbage Flood
This is an attack at Layer 4.

Like a UDP Flood, but it sends maximum-size (1500-byte) packets whose payload bears no relation to the destination UDP port and is simply filled with garbage, purely to fill the incoming Internet access link of the target. Unsophisticated but effective.