
DDoS Glossary

This glossary provides context around distributed denial-of-service (DDoS) attacks. Explore the terminology surrounding DDoS attacks and learn about related networking and internet infrastructure concepts.

DDoS Attack


A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

DDoS Blackhole Routing (Null Routing)


DDoS blackhole routing/filtering (sometimes called blackholing) is a countermeasure to mitigate a DDoS attack in which network traffic is routed into a “black hole” and is lost. When blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route or blackhole and dropped from the network. When using connectionless protocols such as UDP, no notification of the dropped data will be returned to the source. With connection-oriented protocols like TCP, which require a handshake to connect with the target system, a notification will be returned if the data is dropped.

For organizations that have no other means of blocking an attack, blackholing is a widely available option. This method of mitigation may have undesired consequences, potentially making it an undesirable option to mitigate a DDoS attack. Similar to the way antibiotics will kill both good and bad bacteria, when implemented improperly this type of DDoS mitigation may indiscriminately disrupt sources of traffic to the network or service. Sophisticated attacks will also use variable IP addresses and attack vectors, which can limit the effectiveness of this type of mitigation as a sole means of disrupting the attack. A key consequence of using blackhole routing when good traffic is also affected is that the attacker has essentially accomplished their goal of disrupting traffic to the target network or service.

DNS


Domain Name System (DNS) servers are the “phonebooks” of the Internet; they are the path through which Internet devices are able to look up other devices in order to access internet content. These servers maintain a directory of easy-to-remember domain names (www.example.com) and translate those names into the machine-friendly internet protocol (IP) addresses (192.168.1.1) that computers use to connect to each other.

For example, when a domain name is entered into a web browser, a DNS server is contacted, starting a process which ultimately returns the IP address of the target website to the browser.

Denial of Service (DoS)


A denial-of-service (DoS) cyber-attack is a malicious attempt to disrupt the normal function of an online service or network by rendering it unavailable to its intended users. Typically, a DoS attack works by flooding the target resource with meaningless or malicious data with the goal of overloading the system’s resources. When a request is made of a server, a certain amount of server resources must be dedicated to the response. In order to overload a targeted server, an attacker makes more requests than the server can process, resulting in a denial-of-service to normal traffic.

Hypertext Transfer Protocol (HTTP)


The Hypertext Transfer Protocol is the foundation of the World Wide Web, and is used to load web pages using hypertext links. The hypertext transfer protocol is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack. A typical flow over HTTP involves a client machine making a request to a server, which then sends a response message.

HTTP is a stateless protocol, which means that each command runs independently of any other command. In the original specification, when an HTTP request was made in order to load a webpage, the TCP connection used to make the request was not maintained. In newer versions of the HTTP protocol (HTTP 1.1 and above), persistent connections allow multiple HTTP requests to pass over a single TCP connection, improving resource consumption. In the context of DoS or DDoS attacks, HTTP requests in large quantities can be used to mount an attack on a target device, and are considered part of application layer attacks or layer 7 attacks.

Internet Control Message Protocol (ICMP)


The Internet Control Message Protocol is an internet layer protocol used by network devices to communicate. The network diagnostic tools traceroute and ping both operate using ICMP. Commonly, ICMP echo-request and echo-reply messages are used to ping a network device for the purpose of diagnosing the health and connectivity of the device and the connection between the sender and the device. Network attacks using ICMP as a means of disruption include the ICMP flood attack and the Ping of Death attack.

Ping Flood (ICMP Flood)


A ping flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. An ICMP request requires some server resources to process the request and send a response, and also requires bandwidth on both the incoming message (echo-request) and outgoing response (echo-reply). This attack aims to overwhelm the server’s ability to respond to the number of requests and/or overload the network connection with bogus traffic.

Internet Protocol (IP) & Transmission Control Protocol (TCP)


The Internet Protocol (IP) is the address system of the internet and has the core function of delivering packets of information from a source device to a target device. IP is the primary way in which network connections are made, and it establishes the basis of the internet. IP does not handle packet ordering or error checking. Such functionality requires another protocol, typically TCP.

The TCP/IP relationship is similar to sending someone a message written on a puzzle through the mail. The message is written down and the puzzle is broken into pieces. Each piece then can travel through a different postal route, some of which take longer than others. When the puzzle pieces arrive after traversing their different paths, the pieces may be out of order. The Internet Protocol makes sure the pieces arrive at their destination address. The TCP protocol can be thought of as the puzzle assembler on the other side who puts the pieces together in the right order, asks for missing pieces to be resent, and lets the sender know the puzzle has been received. TCP maintains the connection with the sender from before the first puzzle piece is sent to after the final piece is sent.

IP is a connectionless protocol, which means that each unit of data is individually addressed and routed from the source device to the target device, and the target does not send an acknowledgement back to the source. That’s where protocols such as the Transmission Control Protocol (TCP) come in. TCP is used in conjunction with IP in order to maintain a connection between the sender and the target and to ensure packet order.

For example, when an email is sent over TCP, a connection is established and a 3-way handshake is made. First, the source sends a SYN “initial request” packet to the target server in order to start the dialogue. Then the target server sends a SYN-ACK packet to agree to the process. Lastly, the source sends an ACK packet to the target to confirm the process, after which the message contents can be sent. The email message is ultimately broken down into packets before each packet is sent out into the internet, where it traverses a series of gateways before arriving at the target device, where the group of packets is reassembled by TCP into the original contents of the email.

The primary version of IP used on the internet today is Internet Protocol Version 4 (IPv4). Due to size constraints with the total number of possible addresses in IPv4, a newer protocol was developed. The newer protocol is called IPv6 and it makes many more addresses available and is increasing in adoption.

IP Spoofing


IP spoofing is the creation of IP packets which have a modified source address. It is a technique often used by bad actors to launch DDoS attacks against a target device or the surrounding infrastructure. In a normal packet, the source IP address is the address of the sender of the packet.

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed. If the person receiving the package wants to stop the sender from sending packages, blocking all packages from the bogus address will do little good, as the address is easily changed. Also, if the receiver wants to respond to the return address, their response package will go somewhere other than to the real sender. The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks.

Spoofing is frequently used in DDoS attacks when the goal is to overwhelm a target with traffic. Spoofing can be used to mask the identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified and continuously randomized, blocking malicious requests is difficult. Because the source of the attack can be spoofed, it is hard to filter out all the bad traffic.

Spoofing can also be used to spoof the identity of another device so that responses are sent to that targeted device instead. Volumetric attacks such as NTP Amplification and DNS amplification make use of this vulnerability. The ability to modify the source IP is inherent to the design of TCP/IP, making it an ongoing vulnerability. It can be mitigated by network administrators not allowing spoofed packets to be created inside their network by following BCP38.

Tangential to DDoS attacks, spoofing can also be done with the aim of masquerading as another device in order to sidestep authentication and gain access to or “hijack” a user’s session.
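The BCP38 ingress filtering mentioned above, as an added example that is not part of the original glossary: an edge that knows which prefixes its downstream network legitimately owns can drop outbound packets whose source address lies outside those prefixes, so spoofed packets never leave the network. The prefixes and packets below are constructed from documentation address ranges.

```python
# Added example (not Cloudflare's code): a minimal BCP38-style egress filter.
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical prefixes assigned to the network behind this edge (constructed).
ALLOWED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_spoofed(src: str, allowed: Iterable = ALLOWED_PREFIXES) -> bool:
    """Return True when the source address belongs to none of the prefixes
    this network is allowed to originate traffic from."""
    addr = ipaddress.ip_address(src)
    # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe.
    return not any(addr in net for net in allowed)


def filter_egress(packets: Iterable[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split (src, dst) packets into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (dropped if is_spoofed(src) else forwarded).append((src, dst))
    return forwarded, dropped


# Constructed sample packets leaving the network: two with legitimate
# sources, two whose source address was forged to lie outside our prefixes.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5"),     # legitimate IPv4 source
    ("2001:db8:1::42", "2001:db8:9::1"),   # legitimate IPv6 source
    ("198.51.100.77", "203.0.113.50"),     # forged source: not one of our prefixes
    ("192.0.2.1", "198.51.100.9"),         # forged source: not one of our prefixes
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```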

Malware


Malware, a portmanteau from the words malicious and software, is a general term which can refer to viruses, worms, Trojans, ransomware, spyware, adware and other types of intentionally malicious software.

The purpose of malware is to disrupt the normal operations of a device. This disruption can range in purpose from displaying ads on a device without consent to gaining root access to a computer. Malware may attempt to hide itself from the user in order to collect information quietly, or it may lock the system and hold data for ransom. In DDoS attacks, malware such as Mirai infects vulnerable devices, turning them into bots under the control of the attacker. Once infected, these devices can then be used to carry out DDoS attacks as part of a botnet.

OSI model


The Open Systems Interconnection Model (OSI model) defines the components of a network connection in seven protocol layers. It is a conceptual framework which can be used to understand the components behind a network connection and is useful in understanding the types of DDoS attacks.

Each layer handles a specific job and communicates with the layers above and below itself. DDoS attacks target specific layers of a network connection; application layer attacks target layer 7 and protocol layer attacks target layers 3 and 4.

User Datagram Protocol (UDP), UDP/IP


UDP is a communication protocol operating at the transport layer of the protocol stack. Like TCP, the UDP protocol also runs on top of the IP protocol, and may be referred to as UDP/IP. UDP is a connectionless transmission model and does not require a stateful connection between the source and the target device. As a result, UDP doesn’t have the error checking and ordering functionality of TCP and is best utilized when error checking is not needed and speed is important. UDP is commonly used in time-sensitive communications where dropping packets is better than waiting. Voice and video traffic are sent using this protocol because they are both time sensitive and designed to handle some level of loss. Similarly, because DNS and NTP servers both need to be fast and efficient, they operate over UDP. Volumetric DDoS attacks including DNS amplification and NTP amplification make use of these servers with the aim of flooding a target with UDP traffic.

Web Application Firewall (WAF)


A WAF, or Web Application Firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.

By deploying a WAF in front of a web application, a shield is placed between the web application and the internet. While a proxy server protects a client machine’s identity by using an intermediary, a WAF is a type of reverse-proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server.

A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modifications can be implemented, allowing for faster response to varying attack vectors. In a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies. Web application firewalls can be implemented as a physical piece of hardware or as a software solution such as the one we provide at Cloudflare.
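The per-client rate limiting that a layer 7 policy applies during an HTTP flood, as an added example that is not Cloudflare's WAF code: a sliding-window limiter records request timestamps per client IP and rejects requests once more than a threshold arrive within the window. The limit, window length and log lines are constructed for the example; the log format (`<epoch> <client_ip> <method> <path>`) is assumed.

```python
# Added example (not Cloudflare's code): per-client sliding-window rate limiting.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

LIMIT = 5       # requests allowed per window (assumed policy value)
WINDOW = 10.0   # window length in seconds (assumed policy value)


class RateLimiter:
    def __init__(self, limit: int = LIMIT, window: float = WINDOW) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_ip: str, ts: float) -> bool:
        """Return True if the request at time ts is within policy for this client."""
        q = self._hits[client_ip]
        # Evict timestamps that have fallen out of the sliding window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False            # over the limit: reject, do not record
        q.append(ts)
        return True


def parse_line(line: str) -> Tuple[float, str, str]:
    """Parse a constructed log line: '<epoch> <client_ip> <method> <path>'."""
    ts, ip, method, path = line.split()
    return float(ts), ip, f"{method} {path}"


def apply_policy(lines: List[str], limiter: RateLimiter) -> Dict[str, int]:
    """Replay log lines in time order; return the number of rejected requests per IP."""
    rejected: Dict[str, int] = defaultdict(int)
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, ip, _ = parse_line(line)
        if not limiter.allow(ip, ts):
            rejected[ip] += 1
    return dict(rejected)


# Constructed sample: one client browsing normally, one flooding a single path.
SAMPLE_LOG = (
    [f"{1000 + i * 3.0:.1f} 198.51.100.7 GET /index.html" for i in range(4)]
    + [f"{1000 + i * 0.5:.1f} 203.0.113.9 GET /login" for i in range(12)]
)

if __name__ == "__main__":
    print(apply_policy(SAMPLE_LOG, RateLimiter()))   # {'203.0.113.9': 7}
```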