DDoS Dictionary
What is the meaning of DDoS? Please browse the activereach DDoS dictionary, containing the definitions of different types of denial of service attacks. Our dictionary lists the DDoS attacks that can be emulated using our DDoS Testing and Validation platform and provides some background to the mechanics of each attack.
We also offer the ability to use custom or canned patterns in our denial of service testing attacks.
A
ACK Flood
This is an attack at Layer 4.
TCP connections use a three-way handshake and this attack abuses this to repeatedly send the final part of the handshake in an effort to consume CPU resources in the attack target. This occurs because the target has to do a lookup in its connection table to see whether it is a valid ACK, and when it finds it is not, it will respond with a RST (ReSeT) to tell each end to drop the connection.
So there are two consequences of the single inbound ACK packet – use of CPU to do the lookup and use of outbound bandwidth.
It can often be the case that DDoS mitigation equipment does not cater well for ACK floods, even where it is easily able to fend off SYN floods or UDP floods.
B
BroBot
This is an attack at Layer 7.
This is a name for the attack perpetrated by the itsoknoproblembro DDoS toolkit seeking to cause infection on web servers, which are then used as hosts for further attacks. With multiple signatures and attacks using SYN, UDP, ICMP, and SSL attacks, together with DNS attacks, this was a well thought out blended attack.
D
DNS ANY Query
This is an attack at Layer 7.
In the ‘wild’ this is both a reflection and an amplification attack, where a small number of inbound packets from forged addresses cause a greater volume of output to be directed against a third party. In this case the attackers use publicly accessible, often correctly configured, open DNS servers to send large volumes of DNS response traffic. The DNS ‘ANY’ query is akin to asking for all DNS zone information to be sent, so the focus is on large zone files (those for organisations with many thousands of hosts) so that the attacker can create a huge amount of traffic from the initial small request.
Note that the end target for the attack is not often a DNS server, but more usually a web server. The DNS server is merely used as the innocent middle-man in the attack.
We can simulate the initial pull of ANY records from a DNS server. As a legitimate testing service we cannot directly simulate the flood of responses (but we can craft this as a custom service with canned responses).
The US-CERT publishes more information on mitigating this sort of attack.
DNS Garbage Flood
This is an attack at Layer 3 and depending on the target and type of attack, Layer 7.
DNS replies padded with garbage data are directed at the target to fill the capacity of the inbound circuit. The target is normally not a DNS resolver or name server but perhaps the NATed address used by normal employees outbound from the target network.
It is also possible to combine or replace this with DNS requests directed at either an open DNS resolver or an authoritative name server (which makes it rather like the DNS Query Flood described below).
DNS NXDOMAIN Flood
This is an attack at Layer 3.
Unlike the favourite DNS reflection and/or amplification attacks, this uses a DNS server to look up domains, but it does so at speed and with domains that do not exist so the server is returning NXDOMAIN results. The volume of the requests has a secondary purpose – to fill the DNS server cache and exhaust the capability of the server to respond to legitimate clients.
This is considered a layer 3 attack since it uses UDP. This also means that the sending address can be easily spoofed since there is no handshake required.
DNS Query Flood
This is an attack at Layer 7.
Looking like expected traffic, this volumetric attack uses a DNS server to look up domain entries, but to fill the outgoing bandwidth, it may send requests using EDNS (see RFC 6891) or DNSSEC so that larger replies are sent. There is no need for sophistication and the attacker may simply elect to send ‘normal’ DNS Query requests from multiple sources at high volume.
Because the attack uses UDP, the sending address can be easily spoofed since there is no handshake required.
DNS Reflection Attack/DNS Reply Attack/DNS Response Attack
This is an attack at Layer 3.
This is one of the family of DrDOS attacks (Distributed reflection Denial of Service), which includes the DNS ANY attack. But strictly speaking a reflection attack does not need amplification to cause disruption. The act of reflection disguises the original address of the attacker and a moderate number of machines can still cause a significant amount of traffic if all are intent on attacking the same target.
Although it can be stopped by filtering request sources, DNS AXFR (zone transfers) can be abused to provide a reflected attack.
As a legitimate testing service we cannot directly simulate the flood of AXFR responses (but we can craft this as a custom service with canned responses).
But any form of DNS response can be sent in bulk to a target UDP port (or range of ports) to simulate valid DNS responses – it is not limited to just AXFRs. It will look to a mitigator like the request originated inside your network and that the ‘valid’ response should, probably, be permitted.
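A detection pass over a constructed resolver query log, added here as an example and not code from the activereach platform: per client address it flags the ANY-query share, the NXDOMAIN share and the response-to-request amplification that the DNS ANY Query, DNS NXDOMAIN Flood, DNS Query Flood and DNS Reflection entries above describe. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real traffic). Columns:
# ts  client  qtype  qname  rcode  request_bytes  response_bytes
SAMPLE_LOG = """\
1 198.51.100.7 ANY example.test NOERROR 45 3200
2 198.51.100.7 ANY example.test NOERROR 45 3200
3 198.51.100.7 ANY example.test NOERROR 45 3200
4 203.0.113.9 A www.example.test NOERROR 50 66
5 203.0.113.9 AAAA www.example.test NOERROR 50 78
6 192.0.2.33 A qx7f1.example.test NXDOMAIN 52 110
7 192.0.2.33 A p0d9z.example.test NXDOMAIN 52 110
8 192.0.2.33 A m2k8a.example.test NXDOMAIN 52 110
9 192.0.2.33 A www.example.test NOERROR 50 66
"""


def parse_log(text):
    """Turn the constructed log into a list of dicts, one per query."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname, rcode, req, resp = line.split()
        rows.append({"client": client, "qtype": qtype, "qname": qname,
                     "rcode": rcode, "req_bytes": int(req),
                     "resp_bytes": int(resp)})
    return rows


def per_client_stats(rows):
    """Aggregate query counts and byte totals per client address."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "nxdomain": 0,
                                 "req_bytes": 0, "resp_bytes": 0})
    for r in rows:
        s = stats[r["client"]]
        s["total"] += 1
        if r["qtype"] == "ANY":
            s["any"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        s["req_bytes"] += r["req_bytes"]
        s["resp_bytes"] += r["resp_bytes"]
    return stats


def flag_clients(stats, any_share=0.5, nx_share=0.5, amp_factor=10.0,
                 min_queries=3):
    """Return {client: [reasons]} for clients over a threshold (assumed values).

    In a reflection attack the 'client' is the forged victim address, so a
    flagged address is who the resolver is being used against, not the
    attacker: the remedy is to rate-limit or refuse ANY, not to block it.
    """
    findings = {}
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue  # too few queries to judge
        reasons = []
        if s["any"] / s["total"] >= any_share:
            reasons.append("any-flood")
        if s["nxdomain"] / s["total"] >= nx_share:
            reasons.append("nxdomain-flood")
        amp = s["resp_bytes"] / s["req_bytes"]
        if amp >= amp_factor:
            reasons.append("amplification x%.1f" % amp)
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, why in flag_clients(per_client_stats(parse_log(SAMPLE_LOG))).items():
        print(client, ", ".join(why))
```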
Dynamic HTTP Flood
This is an attack at Layer 7.
As with other Flood type attacks, this uses a large number of sudden connections to try and overwhelm the server. The ploy is to send many resource requests to overload mitigation services and equipment that fail to react quickly, so that the resulting leakage causes the protected resources to fail. The attack uses randomised URLs and alters the UserAgent string to fool web server caching techniques.
The HTTP Flood uses static URLs which might be more appropriate to simulate DoS caused by specific heavy load events.
Dynamic HTTPS Flood
This is an attack at Layer 7.
A Dynamic HTTP Flood done with SSL.
The HTTPS Flood uses static URLs which might be more appropriate to simulate DoS caused by specific heavy load events.
E
Empty Connection Flood
This is an attack at Layer 4.
An Empty Connection Flood attack opens a legitimate looking TCP connection to the target but sends no data. The connection observes the normal TCP SYN, SYN/ACK, ACK, FIN conversation, so in that regard it is like a specialised version of a TCP Connection Flood. It is attempting just to overwhelm the inbound connection table in the target.
One can also delay or refuse to send the terminating FIN packet.
Like the TCP Connection Flood, it is more compute intensive for an attacker than a SYN Flood or a UDP Flood because the attacker has to retain the state of the connection and consider the RTT between the bot and the target.
ESP Flood
This is an attack at Layer 3.
ESP, Encapsulating Security Protocol, is neither TCP nor UDP; it is a layer 3 protocol in its own right, with its own IP protocol number (50). It is used by many remote access and site to site access protocols, and of course has grown hugely in use during the COVID 19 lock downs. As a consequence, volumes have increased and the need to continue home working (especially) has resulted in many companies becoming totally dependent on their VPN Gateways and Head-Ends. It also means mitigation staff have turned down or tuned out their responses to ESP packets. This can therefore be exploited to overwhelm a target resource which doesn’t actually have to process the packets.
Like all Layer 3 protocols, aside from just normal ESP packets being sent as a flood, there are many options that can be turned on to make the attack just a little more unexpected.
Extreme Bot Attack
This is an attack at Layer 7.
This is a unique attack with multiple varying items (user agent, source address, etc) designed specifically to avoid detection by mitigation systems. In particular it is designed to pass through signature based systems.
F
Fragment TCP Attack
This is an attack at Layer 4 with an impact at Layer 7.
IP has the concept of being able to segment or fragment a large IP packet into a number of smaller packets. This can be misused to allow such packets to bypass router and firewall filters, though it has been well known for 20 years.
By overlapping the fragments, an attacker can bypass IDS systems so that an exploit only takes effect when the packet is reassembled by the target system. An example is the Teardrop Attack.
In some cases, and at higher volumes, tiny fragments (1 or 2 byte long payloads) may be used to cause table exhaustion in network devices, through either multiple forged source addresses or incomplete fragment sets being sent.
Wikipedia have a specific page on IP Fragmentation Attacks.
Fragment UDP Attack
This is an attack at Layer 4 with an impact at Layer 7.
As with the Fragment TCP Attack, this uses overlapping or tiny fragments to cause disruption but using the connectionless UDP protocol as the transport.
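A reassembly-policy check for the Fragment TCP and Fragment UDP entries above, added as an example and not code from the page or the activereach platform: it refuses fragment sets with overlaps (the rewrite trick that IDS evasion relies on), counts tiny non-final fragments, and reports gaps or a missing final fragment, which are the entries that sit in a device's reassembly table until they time out. Fragment sets and the tiny-fragment threshold are constructed assumptions.

```python
# Constructed fragment sets: (offset_bytes, payload_length, more_fragments).
# Offsets are in bytes here for readability; on the wire IP stores them in
# 8-byte units.
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
OVERLAP = [(0, 1480, True), (1000, 1480, True), (2480, 200, False)]
TINY = [(0, 8, True), (8, 8, True), (16, 8, True), (24, 8, False)]
INCOMPLETE = [(0, 1480, True), (1480, 1480, True)]

TINY_FRAGMENT_BYTES = 8   # assumption: flag non-final payloads of this size or less


def check_fragments(frags, tiny=TINY_FRAGMENT_BYTES):
    """Return {'ok', 'problems', 'length'} for one fragment set.

    Policy: any overlap makes the set unacceptable, because the two copies
    of the overlapped bytes may be resolved differently by an IDS and by the
    end host; a set without a final fragment can never be completed.
    """
    problems = []
    covered_to = 0      # end of the contiguous data seen so far
    total_len = None    # set when the final fragment (more=False) arrives
    for off, length, more in sorted(frags):
        if more and length <= tiny:
            problems.append(f"tiny fragment at offset {off} ({length} bytes)")
        if off < covered_to:
            problems.append(f"overlap: fragment at {off} rewrites bytes up to {covered_to}")
        elif off > covered_to:
            problems.append(f"gap: bytes {covered_to}-{off} missing")
        covered_to = max(covered_to, off + length)
        if not more:
            total_len = off + length
    if total_len is None:
        problems.append("incomplete: no final fragment seen")
    elif covered_to > total_len:
        problems.append("data beyond the final fragment")
    return {"ok": not problems, "problems": problems, "length": covered_to}


def pending_reassemblies(sets):
    """Number of sets still waiting for a final fragment: these are the
    table entries an attacker pins by sending incomplete sets at volume."""
    return sum(1 for s in sets
               if any(p.startswith("incomplete") for p in check_fragments(s)["problems"]))


if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("overlap", OVERLAP),
                        ("tiny", TINY), ("incomplete", INCOMPLETE)]:
        print(name, check_fragments(frags))
```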
G
GRE Attack
This is an attack at Layer 3.
GRE (Generic Routing Encapsulation) is a way of tunnelling one protocol inside another. Specifically it is often used to carry IP subnets that are being privately used across the Internet to another site. In that way it can be thought of as a precursor to traditional site to site VPN technologies. Of course it can also be used to carry non-IP protocols between two sites or carry routing protocols that are used privately in a private WAN or indeed to carry IPv4 across IPv6 networks or IPv6 across IPv4 network.
It is not part of the TCP or UDP suite of IP protocols, and therein lies the potential risk because often access control lists forget that they should perhaps be blocking IP protocol 47.
It has been the protocol abused by the IoT DDoS attacks against the Krebs site for example.
(For the technically minded, GRE is different from IPinIP, which is defined in RFC 2003.)
H
‘Hit and Run’
This is an attack at Layer 3, 4, 6, or 7.
As a child, you might have played a game where you knocked on a door and then ran away. A perplexed adult would look out to see who was calling, see no one and go back in. You would then approach the door again and so the sequence restarts…
A hit and run attack is no different, and can be done with many forms of attack. It is a slow (but not necessarily small) attack with gaps in between. It can be used at Layer 7 with HTTP(S) attacks to try and consume resources, and fool WAFs. It can be used at layer 3 to mimic burst like activity to confuse mitigation equipment.
So it is right to think of it as a technique applied within a type of test pattern to achieve a different outcome by varying the usual method or process of attack.
HTTP Flood
This is an attack at Layer 7.
As with other Flood type attacks, this uses a large number of sudden connections to try and overwhelm the server. The sheer number can overload mitigation services and equipment that fail to react quickly and the leakage can cause the protected resources to fail because the tool uses valid URLs.
We can use a Dynamic HTTP Flood that uses random URLs and useragent strings to prevent caching on the target web server.
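A profiling pass over a constructed web access log, added as an example and not code from the page or the activereach platform, that separates the two flood shapes described in the Dynamic HTTP Flood and HTTP Flood entries: one client hammering a single URL, and one client whose every request carries a fresh URL and a changing User-Agent to defeat the cache. Log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict


def constructed_log():
    """Build a constructed access log (not real traffic).
    Line format: client method path status user_agent"""
    lines = ["198.51.100.4 GET /index.html 200 Mozilla/5.0" for _ in range(40)]
    lines += [f"203.0.113.9 GET /?q={i:05x} 200 Agent/{i % 17}" for i in range(40)]
    lines += ["192.0.2.7 GET /index.html 200 Mozilla/5.0",
              "192.0.2.7 GET /about.html 200 Mozilla/5.0",
              "192.0.2.7 GET /style.css 200 Mozilla/5.0"]
    return "\n".join(lines)


def profile_clients(log_text):
    """Per client: request count, distinct paths and distinct user agents."""
    prof = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for line in log_text.splitlines():
        client, _method, path, _status, agent = line.split(" ", 4)
        p = prof[client]
        p["requests"] += 1
        p["paths"].add(path)
        p["agents"].add(agent)
    return prof


def classify(prof, min_requests=20, static_ratio=0.1, dynamic_ratio=0.8, ua_variety=3):
    """Label a client 'static-flood' when it hammers very few URLs and
    'dynamic-flood' when nearly every request has a new URL and the
    User-Agent keeps changing. Thresholds are assumed values.
    A pattern that also rotates the source address (the Extreme Bot Attack
    entry) would not show up in a per-client view like this one."""
    verdicts = {}
    for client, p in prof.items():
        if p["requests"] < min_requests:
            continue  # too little traffic to judge
        distinct_ratio = len(p["paths"]) / p["requests"]
        if distinct_ratio <= static_ratio:
            verdicts[client] = "static-flood"
        elif distinct_ratio >= dynamic_ratio and len(p["agents"]) >= ua_variety:
            verdicts[client] = "dynamic-flood"
    return verdicts


if __name__ == "__main__":
    print(classify(profile_clients(constructed_log())))
```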
HTTP GET
This is an attack at Layer 7.
Whilst this uses HTTP, this type of attack is the opposite of a HTTP POST attack (like RUDY or Tor’s Hammer). Here the tool uses normal URLs to retrieve images or documents, or ideally (from the point of view of the attacker) database held information. The tactic is to consume CPU and network resources, which is most successful when large items are returned as part of the GET command (such as marketing documents).
Such an attack can be volumetrically based and scripted to GET invalid or computed URLs to overwhelm a server.
HTTP Slow Post
This is an attack at Layer 7.
A modern day version of Slowloris, this attack sends either non-expected data or just HTTP verbs on a connection to an HTTP server port (though it could also be sent to an open HTTPS port). The data is sent, as the name suggests, slowly to keep a connection open but serving no real purpose. By doing this it seeks to deny real connections.
TCP rate limiting or detection of malformed HTTP protocol traffic should detect this form of attack.
HTTPS Flood
This is an attack at Layer 7.
An HTTP Flood done using SSL.
We can use a Dynamic HTTPS Flood that uses random URLs and useragent strings to prevent caching on the target web server.
HULK
This is an attack at Layer 7.
This is an acronym of “HTTP Unbearable Load King”. Originally meant as an educational tool (see the original notification posting from the author), it uses an exhaustion approach to attack a web server, but rather than doing it slowly to avoid detection, it seeks to make each connection attempt unique and then quickly bring down the server by filling the connection slots.
I
ICMP Flood
This is an attack at Layer 3.
ICMP packets are normally used for diagnostic functions but attackers may send multiple packets in an attempt to overwhelm a system. Normally ICMP Echo packets would be sent that, under normal conditions, elicit an ICMP Echo Reply. Clearly the source address is likely to be forged so that a man-in-the-middle attack ensues. This form of ICMP Echo attack directed at a LAN broadcast address has also been known as a Smurf attack.
Whilst ICMP Echo could be blocked from reaching a target server by use of ACLs on a router or firewall, this in itself will increase the CPU load on that network device and may cause the device to crash (though many devices have ICMP rate limiting controls).
ICMP contains message types other than ECHO that can be used in attacks.
P
PHP Hash Collision
This is an attack at Layer 7.
Although this attack is specific to PHP, the issue of hash collision is not unique to PHP (it can be seen in ASP.NET, Java, Python, and Ruby). This occurs when the web language stores POST data in a hash while it calculates which array data structure the entry belongs to. If an attacker can send multiple inbound requests that hash to the same value (or that may be stored in the same array) then the language may occupy all of the CPU to compute the hash tables correctly, even when the hashes are actually only sent in a single HTTP connection.
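The mechanism and two defences, as an added example that is not code from the page or from PHP: a deliberately weak toy hash (a byte sum, not PHP's real function) shows why colliding parameter names turn a single POST into quadratic work, and a per-process keyed hash plus a cap on the number of input variables (an assumed value in the spirit of PHP's max_input_vars) shows how that work is bounded. The colliding keys are constructed anagrams.

```python
import hashlib
import os
from itertools import islice, permutations

BUCKETS = 64
MAX_INPUT_VARS = 1000   # assumption: a cap like PHP's max_input_vars

# Constructed input: 2000 distinct keys that are anagrams of each other,
# so they all collide under the order-blind toy hash below.
COLLIDING_KEYS = ["".join(p) for p in islice(permutations("abcdefgh"), 2000)]


def weak_hash(key):
    """Toy hash, NOT PHP's real function: sums the bytes, so letter order
    does not matter and every anagram lands in the same bucket."""
    return sum(key.encode()) % BUCKETS


def make_keyed_hash(secret=None):
    """Keyed hash with a per-process random secret: someone who only knows
    the algorithm can no longer precompute a colliding key set."""
    secret = secret if secret is not None else os.urandom(16)

    def keyed_hash(key):
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return keyed_hash


def insert_all(keys, hash_fn):
    """Insert into a chained table; return (longest chain, comparisons).
    Each insert compares the new key with every key already in its chain,
    so one chain holding all n keys costs n*(n-1)/2 comparisons."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for k in keys:
        chain = table[hash_fn(k)]
        comparisons += len(chain)
        chain.append(k)
    return max(len(c) for c in table), comparisons


def parse_form(body, hash_fn, max_vars=MAX_INPUT_VARS):
    """Second defence: refuse a POST body carrying more parameters than the
    cap before any hashing work is done."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_vars:
        raise ValueError(f"too many input variables: {len(pairs)} > {max_vars}")
    return insert_all([p.split("=", 1)[0] for p in pairs], hash_fn)


if __name__ == "__main__":
    print("weak :", insert_all(COLLIDING_KEYS, weak_hash))
    print("keyed:", insert_all(COLLIDING_KEYS, make_keyed_hash()))
```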
PING Attack
See ICMP Flood
PSH+ACK Flood
This is an attack at Layer 4.
The PSH and ACK bits in the TCP header can be set to a value of ‘1’ to instruct the target system to discard the contents of the TCP buffer and to send back an acknowledgement. Whilst reportedly second in popularity to a SYN Flood, it is often combined with other attacks using forged source addresses.
Q
QUICkly
This is an attack at Layer 4.
Rather than use TCP as a protocol to transport HTTP/HTTPS requests, QUIC uses UDP and adopts many of the mechanisms of TCP as well as adding many techniques to limit abuse for DDoS. Sent generally from a subset of browsers to a subset of servers (primarily Google Chrome to Google servers), this protocol is actually available for more mainstream use where fast encrypted connections are required. It is possible to send QUIC connection requests to suitably enabled servers (through permitting network equipment) fashioned as floods.
R
Reflection Attack
This is a generic term for attacks at Layer 7.
The Echo or Chargen service (which runs on TCP and UDP port 19 of some devices and UNIX based operating systems) can be easily (ab)used for a reflection attack, something known about since 1996.
The same technique can be used against other UDP based services (which are connection less and therefore susceptible to spoofed address attacks) such as NTP, SNMP, or SSDP, though these are usually chosen because they also amplify the attack.
We can simulate these with direct port based UDP traffic from a UDP Flood or UDP Garbage Flood.
RST Flood
This is an attack at Layer 4.
A TCP RST packet is used to tell one party in a TCP conversation to drop the connection. A RST Flood is an attempt to use that purpose maliciously by sending forged source address packets in an effort to have a device drop valid connections.
Wikipedia have a specific page on RST Flood.
RUDY
This is an attack at Layer 7.
This is an acronym of “R-U-Dead-Yet?” and like Slowloris it is seeking to exhaust the resources on a target machine. The tool detects HTTP POST based forms on a web site and then slowly submits data to the form to maintain an open connection slot in the web server. It then repeats the exercise over and over again (and is capable of taking input from a text file for batch mode operation) until all the connection slots available at the target are used up. At this point no further external communication to that web server is available.
S
Slowloris
This is an attack at Layer 7.
A slowloris attack opens repeated connections to a web server and then continues to send a partial request on each connection in an attempt to use up all the available connection slots in the web server software and thereby deny any further requests being processed. The requests can be pipelined to the target which means that there is no repeated ‘expensive’ TCP connection open request.
Slowloris attacks are rarely successful on modern day web servers so we would usually recommend an HTTP Slow Post attack instead.
Wikipedia have a specific page on Slowloris.
Slow Post
This is an attack at Layer 7.
This is an HTTP attack of the type HTTP Slow Post with minimal data either with HTTP verbs or not.
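A server-side progress guard for the slow HTTP attacks described in the RUDY, Slowloris, HTTP Slow Post and Slow Post entries above, added as an example that is not code from the page or the activereach platform. The two thresholds (a deadline for completing the headers, then a minimum body rate) follow the idea behind Apache's mod_reqtimeout but this is not that module's code; the timeline and thresholds are constructed assumptions.

```python
class RequestProgressGuard:
    """Track how far each connection has got and close the ones that stall.

    Assumed thresholds: headers must be complete within header_deadline
    seconds; once headers are done, the body must arrive at min_body_rate
    bytes/second averaged over at least body_window seconds.
    """

    def __init__(self, header_deadline=20.0, min_body_rate=500.0, body_window=5.0):
        self.header_deadline = header_deadline
        self.min_body_rate = min_body_rate
        self.body_window = body_window
        self.conns = {}

    def open(self, conn_id, now):
        self.conns[conn_id] = {"opened": now, "headers_done": None,
                               "content_length": None, "body_bytes": 0}

    def on_headers_complete(self, conn_id, now, content_length=None):
        c = self.conns[conn_id]
        c["headers_done"] = now
        c["content_length"] = content_length

    def on_body(self, conn_id, nbytes):
        self.conns[conn_id]["body_bytes"] += nbytes

    def evaluate(self, conn_id, now):
        """Return 'ok', 'slow-headers' or 'slow-body' for one connection."""
        c = self.conns[conn_id]
        if c["headers_done"] is None:
            # Slowloris shape: partial request keeps trickling, headers never end
            return "slow-headers" if now - c["opened"] > self.header_deadline else "ok"
        if c["content_length"] is None or c["body_bytes"] >= c["content_length"]:
            return "ok"
        elapsed = now - c["headers_done"]
        if elapsed >= self.body_window and c["body_bytes"] / elapsed < self.min_body_rate:
            # RUDY / Slow Post shape: large Content-Length, a few bytes at a time
            return "slow-body"
        return "ok"

    def sweep(self, now):
        """Close every stalled connection; return {conn_id: reason}."""
        closed = {}
        for cid in list(self.conns):
            verdict = self.evaluate(cid, now)
            if verdict != "ok":
                closed[cid] = verdict
                del self.conns[cid]
        return closed


def run_scenarios():
    """Constructed timeline (seconds): one Slowloris, one RUDY, one real upload."""
    g = RequestProgressGuard()
    g.open("loris", 0.0)                      # never finishes its headers
    g.open("rudy", 0.0)
    g.on_headers_complete("rudy", 1.0, content_length=1_000_000)
    for _ in range(5):                        # one byte at a time, long gaps
        g.on_body("rudy", 1)
    g.open("upload", 0.0)
    g.on_headers_complete("upload", 0.5, content_length=100_000)
    g.on_body("upload", 100_000)              # genuine client finishes quickly
    return g.sweep(now=25.0)


if __name__ == "__main__":
    print(run_scenarios())
```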
SSL Exhaustion
This is an attack at Layer 7.
In its purest form, this is sending enough connections concurrently to overwhelm the ability of the target to handle further connection requests.
The SSL Regeneration attack is the most common form of SSL Exhaustion attack. All seek to fill SSL connection slots, ideally with a large CPU impact as well as memory exhaustion.
SSL Hit and Run
This is an attack at Layer 6.
This is a flood type of attack. SSL data decryption is costly in CPU time. In this variant the attacker connects and starts SSL handshaking but then disconnects (perhaps before handshaking has completed) and reconnects multiple times.
SSL Regeneration
This is an attack at Layer 6.
This is a flood type of attack, sometimes known as an SSL Handshake Attack. When data is sent in an SSL session, it must be decrypted by the target system (whether that be a web server or an SSL offloading device like a loadbalancer) and that costs CPU time. But an attacker need not even send data, they can simply request an SSL handshake multiple times – this is cheap for the attacker to send but costly for the target to process.
In a variant of this, rather than creating a new connection, it is possible to reuse an existing connection which allows a higher rate of SSL HELLOs to be sent.
SSL Slow Drip
This is an attack at Layer 6.
This is an exhaustion type of attack, but performed very slowly (depending on the particular parameters). Either one opens multiple SSL connections and then sends small amounts of data with gaps to maintain the open sessions, or one does the same but at a slower connection rate. The aim is the same, to exhaust the available slots that can process real connections.
SYN Flood
This is an attack at Layer 4.
TCP connections use a three-way handshake and this attack abuses this to repeatedly send the first part of the handshake in an effort to consume CPU and memory resources in the attack target. This occurs because the target believes it has a legitimate inbound connection starting so it creates an entry in its connection table and sends a SYN/ACK, and then waits for the final ACK to come in.
So there are three consequences of the single inbound SYN packet – consumption of memory with an entry in the connection table, use of outbound bandwidth with the SYN/ACK (which will usually be sent to innocent third parties because the original SYN was sent using forged source addresses), and the ‘desired’ eventual exhaustion of space in the connection table for these ‘half-open’ connections, at which point no further connections can be made to the target – whether malicious or good.
Traditionally this is based on a certain PPS (Packets Per Second) rate of inbound SYNs since each is a small packet, but an attacker may choose to deliberately fill the TCP packet so that a volumetric inbound volume attack is performed as well – this is often known as a Tsunami SYN Flood and is the same sort of logic used in the UDP Garbage Flood.
Wikipedia have a specific page on SYN Flood.
T
TCP Connection Flood
This is an attack at Layer 4.
A SYN Flood attack tries to fill up the connection table with apparent start of conversations but some mitigation devices proxy an answer to incoming SYNs to mitigate against this sort of attack. One trick in the arsenal of the attacker therefore is to hold open the connections as long as possible before sending the final ACK of the TCP three way handshake, and then further to hold open the TCP connection whilst sending minimal data. This confounds the SYN proxying and does eventually lead to connection table exhaustion in the target device.
One can also delay or refuse to send the terminating FIN packet.
The TCP Connection Flood is more compute intensive for an attacker than a SYN Flood or a UDP Flood because the attacker has to retain the state of the connection and consider the RTT between the bot and the target.
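A connection-table check for the two exhaustion patterns described in the Empty Connection Flood, SYN Flood and TCP Connection Flood entries above, added as an example and not code from the page or the activereach platform: half-open (SYN-RECV) entries, whose forged peer addresses make only the count useful, and established connections that have carried no data for a long time, whose peers did complete a handshake and can be limited per address. The snapshot format, addresses and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed snapshot (not real output). Columns:
# state  peer_address  bytes_received  age_seconds
SNAPSHOT = """\
SYN-RECV 203.0.113.5 0 3
SYN-RECV 203.0.113.6 0 3
SYN-RECV 203.0.113.7 0 4
SYN-RECV 203.0.113.8 0 5
ESTAB 198.51.100.20 0 95
ESTAB 198.51.100.20 0 120
ESTAB 198.51.100.20 0 130
ESTAB 192.0.2.10 5120 12
ESTAB 192.0.2.11 820 2
"""


def parse_snapshot(text):
    """Turn the snapshot into a list of dicts, one per table entry."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        state, peer, rx, age = line.split()
        conns.append({"state": state, "peer": peer, "rx": int(rx), "age": float(age)})
    return conns


def analyse(conns, half_open_ratio=0.3, idle_empty_secs=60, per_peer_empty=3):
    """Return counts plus alerts for the two table-exhaustion patterns.

    Half-open entries are the SYN Flood signature; their peers are forged,
    so the remedy is SYN cookies or a SYN proxy rather than blocking them.
    Idle established connections with no data are the Empty Connection /
    TCP Connection Flood signature, and the SYN proxy does not help there.
    Thresholds are assumed values.
    """
    total = len(conns)
    half_open = [c for c in conns if c["state"] == "SYN-RECV"]
    empty_idle = [c for c in conns if c["state"] == "ESTAB"
                  and c["rx"] == 0 and c["age"] >= idle_empty_secs]
    report = {"half_open": len(half_open), "empty_idle": len(empty_idle), "alerts": []}
    if total and len(half_open) / total >= half_open_ratio:
        report["alerts"].append(f"syn-flood: {len(half_open)}/{total} entries half-open")
    for peer, n in Counter(c["peer"] for c in empty_idle).most_common():
        if n >= per_peer_empty:
            report["alerts"].append(f"connection-flood: {peer} holds {n} idle empty connections")
    return report


if __name__ == "__main__":
    for alert in analyse(parse_snapshot(SNAPSHOT))["alerts"]:
        print(alert)
```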
THC-SSL Attack
This is an attack at Layer 6.
SSL encryption is a compute-intensive activity and the THC-SSL tool takes advantage of this in two ways – firstly it makes multiple SSL connections to a server and then secondly it uses the Renegotiation function to recompute the hashes on the connection many hundreds or thousands of times in a single connection. The intention is that the web server (or the SSL offload portion of the load balancer) becomes CPU bound and unable to answer any new incoming connection requests.
Tor’s Hammer
This is an attack at Layer 7.
Like RUDY, Tor’s Hammer is a slow HTTP POST based resource exhaustion DDoS tool. But this tool uses the Tor network to anonymise the source addresses by encrypting and passing the attack packets through multiple different relays between the original source and the target.
Tsunami SYN Flood
This is an attack at Layer 4.
A TCP SYN Flood with packets containing garbage data so that the vector is a volumetric attack rather than a pure packets per second based TCP SYN Flood.
U
UDP Flood
This is an attack at Layer 4.
A volumetric attack that is often easier to launch than the equivalent TCP Connection Flood, since there is no source address checking built into the connectionless UDP protocol. Rather than sourcing the flood directly, in the wild amplification is often used. Unlike a SYN Flood for TCP, the UDP packets will normally have a payload (for example 1400 bytes) and therefore this makes it a volumetric attack rather than just a large number of packets.
UDP Garbage Flood
This is an attack at Layer 4.
Like a UDP Flood but sends maximum 1500 byte packets where the payload is not associated with the UDP port number destination but filled with garbage purely to fill the incoming Internet access link of the target. Unsophisticated but effective.