DDoS Glossary

TCP ACK flood, or ‘ACK Flood’ for short, is a network DDoS attack comprising TCP ACK packets. The packets will not contain a payload but may have the PSH flag enabled.

‘Always-on’ and ‘On-demand’ are two opposite terms referring to the DDoS mitigation cloud service. In an Always-on deployment, the service or network is constantly being protected by the DDoS mitigation service, while in On-demand there is no protection most of the time, and the DDoS mitigation layer is inserted only under a DDoS attack or…

BGP Diversion, also known as Infrastructure Protection, is a type of Cloud Protection in which the customer is able to divert its traffic to the DDoS provider using a BGP announcement. This method is applicable only to organizations that possess a C Class network and that can advertise it via BGP. To divert the traffic,…

Blacklist and whitelist are two different yet very similar technologies that often come in tandem. Blacklist is the ability to block an entity such as a user-based IP or an entire network range or geographical location. Whitelist is the opposite – it allows a certain entity to pass even if the other technologies have decided…

CAPTCHA or CAPTCHA Challenge is a type of Web Challenge.  CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. It is challenge intended to differentiate between computers and humans. Computers generally are unable to solve the CAPTCHA and state the word and letters, while humans are. CAPTCHA is used to…

CDN Debug Information, or in short “Debug Info” is a technique used and supported by CDNs in order to debug the CDN behavior. The debug info allows a client to gain information from the CDN such as: Debug Type Debug Info Caching Information about the caching status of the resource: was the resource received from…

DDoS mitigation can arrive in two main forms: Cloud-based and On-premises. On-premises protection is when the DDoS mitigation technology is located inside the customer premises, typically as an appliance or a virtual appliance. A protection outside the customer premises is called Cloud Protection. Oganziations use cloud-based protection by diverting their traffic to the cloud data…

Cookie Validation is a type of Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients. The challenge is to send every client, attacker and legitimate user a web cookie and to request that the client send it back (typically using the HTTP 302 Redirect command). A virtually legitimate browser…

The DDoS cloud mitigation pricing model is largely similar, but it is important to understand the differences between them. From a customer point of view, a pricing model should be simple and not contain too many moving parts. It should also be agile so that the customer will not pay for services that are not…

DDoS Emergency Response is a team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. Under attack this team will validate that your site is fully protected. If not, it will enable additional protection or fine-tune existing protection until the attack is mitigated. ARE YOU READY? Answer…

DDoS Forensics is the digital forensic process to better understand a DDoS attack. Forensics can be done for past attacks but also for ongoing attacks. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. The goal of DDoS forensics is to gain visibility that will…

Each year brings with it new DDoS attack trends. 2015 was characterized by multi-vectors attacks (Radware). 2016 introduced major disruptions in terms of technology and attack scale (SecureList). And Q1 2017 saw a decrease in amplification-type attacks and an increase in encryption-based attacks (SecureList). These are all interesting trends, but how can you use such…

A DDoS test, also called a ‘DDoS penetration test’ or ‘DDoS simulation’, is an activity in which an organization launches various DDoS attacks against its own assets to check its actual resiliency. The test allows for the identification of weak points, provides proof of them and increases the protection level. The attacks are usually conducted…

Date Event Sep 8th VDOS proprietors arrest Set 13th Kerbs on Security website attack by a 620 Gbps DDoS attack October 7~ Mirai botnet code released October 21st Dyn DDoS Attack ARE YOU READY? Answer seven online questions and get a free report assessing your protection status with recommendations for improvement Free DDoS Assesment

A DDoS appliance, also referred to as a dedicated DDoS appliance, maintains as its primary function DDoS mitigation. A DDoS appliance can be either virtual or physical. IPS and WAF often also have DDoS mitigation capabilities; however, it is not their main function and generally they are not as complete as DDoS appliances. Related entries:…

DDoS mitigation often uses an architecture in which a CDN or large reverse proxies are placed in front of the web services as a protection layer. However, sophisticated attackers will attempt to reveal the origin network or IP address and attack directly, making the mitigation layer completely useless. This attack technique challenges organizations to either…

DNS Diversion is a type of DDoS cloud protection technique in which an organization is able to divert its traffic to the DDoS provider using a DNS change. The change is as simple as modifying the relevant DNS record so that they will eventually direct traffic to the provider’s IPs. DNS Diversion can be always-on…

DNS Protection refers to the ability of a DDoS mitigation provider to mitigate DDoS attacks. This can be done using DDoS mitigation technologies or by moving the organization’s DNS records to the provider DNS server that is strong enough for DNS floods. ARE YOU READY? Answer seven online questions and get a free report assessing…

DNS Query Flood is a type of DDoS attack that belongs to the application attacks family. During the attack, the attacker sends a succession of UDP packets to a DNS server in attempt to exhaust server-side assets such as CPU or memory. By that. the attack prevent the server from direct legitimate requests to zone resources. Not like…

DNS Reflected Amplification Flood is a type of DDoS attack that belongs to the application attacks family. During the attack, the attacker exploites a vulnerability in publically-accessible domain name systems (DNS) to flood the target with large number of UDP packets. This attack has two main features: Amplification: Using those DNS servers and various amplification techniques the attacker can…

A DDoS entry-level plan is intended for SMBs or enterprises . CloudFlare Business and Incapsula Business are both entry level, as they are lower than that bar. Entry level will typically give you protection based on DNS diversion, which is sufficient to protect your web site. Entry level typically does not include BGP diversion, rewith…

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY? Answer seven online questions and get a free report assessing your protection status with recommendations for improvement Free…

A product or service function is referred to as Full Service if the customer cannot use or change this function on his own and must request it from the service provider. Full service is in contrast to Self-Service, and generally is a negative trait, as we prefer to give direct control to customers via self-service.…

Hping is a free packet generator and analyzer for the distributed IP protocol. It is one of the de facto tools for security auditing and the testing of services and networks. It is a “Swiss Army knife” that generates virtually any IP, TCP or UPD packet. Hping can transmit a single packet, or multiple packets…

HTTP Flood is a type of DDoS attack that belongs to the application attacks family. During the attack, the attacker sends an HTTP GET or POST requests to an application or a web server. The requests sent seems legitimate containing a valide header and entire message correct and complete. However, the message body sent in an…

Hybrid Protection is DDoS protection that includes both cloud protection and on-premises protection, commonly, but not necessarily, from the same vendor. The advantage of this DDoS architecture is that it enables you to mitigate each attack vector in its optimal location. Related entries: Cloud protection vs on-premises protection. ARE YOU READY? Answer seven online questions…

What is the problem? Despite the fact that DNS diversion is easier than BGP, BGP is the more complete one because DNS is not good for non-web services. It also does not protect against an attack directly on the IPs or network. The problem is that many organizations do not own a Class-C network that…

JavaScript Challenge is a type of Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients. The challenge is to send every client, attacker and legitimate user a JavaScript code that includes some kind of challenge. Virtually any legitimate browser support has a JavaScript stack and will easily understand and…

Modern CAPTCHA is a type of challenge intended to differentiate between computers and humans. Modern CAPTCHA address the shortcoming of the traditional CAPTCHA ,namely thathumans are also having trouble to pass them successfully. NOCAPTCHA ReCAPTCHA is the most prominent example of modern CAPTCHA. Related entreis: CAPTCHA, Web Challenges, Web Challenge Spectrum ARE YOU READY? Answer…

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not posess a Class C network. An organization that posesses a Class C network can divert the traffic to the provider using BGP. Otherwise, in most cases it is not possible because many vendors allow…

In DDoS, ‘Peacetime’ refers to the period during which your organization is not under attack and your DDoS mitigation service is expected to be quiet, causing no false alarms and being stable. Peacetime is in contrast to ‘Wartime’. Related entries: Wartime ARE YOU READY? Answer seven online questions and get a free report assessing your…

Rate limit is a technology used in DDoS mitigation. The rate limit technology ensures that each individual asset will not make too many transactions to the protected server or network. For example, each IP cannot make more than five HTTP requests per second. Rate limit is effective in keeping the service safe from many variations…

Reverse Proxy (Web Reverse Proxy) and Caching are two different technologies that often come in tandem, especially in DDoS. The reverse proxy acts as an effective DDoS layer, as it is located between the attacker and the targeted server. Virtually all the network attacks directed at the server will hit a wall when they reach…

A product or service function is referred to as Self-Service if the customer can use or change it on his own and does not necessarily need to request it from the service provider. Self-Service is in contrast to Full Service, and generally is a positive feature, as we prefer to give direct control to the…

Signatures—or ‘DDoS Signature’ or ‘IPS DDoS Signatures’—refers to a significant DDoS mitigation technology in which DDoS attacks are detected and blocked based on their known patterns. For example, the famous Anonymous tool LOIC (Low Orbit Ion Canon) carries a certain pattern that a signature can block. Signatures are divided into two types: vendor and user.…

Silent bot detection is an advanced web challenge technology to detect bots by sending JavaScript code that does passive and proactive checks to validate if the client is a human or a bot. This can include checking for the existence of mouse and keyboard, checking if the browsers features resembles a browser used by real…

SMB plans refer to plans that are defined here as including DDoS protection and that are lower than $5,000 annually. Those plans are much cheaper than enterprise plans; however, respectively, they include only a subset of the offerings. You will get DDoS mitigation, Web Protection and security logs, but you will not get Infrastructure Protection…

Family Network Attacks Attack Vector SYN Flood Variants Tsunami SYN Flood DRS ID 11001 Supports spoofing Yes Capture file example Description TCP SYN Flood is a network DDoS attack comprising numerous TCP SYN packets that are sent to the victim. It is one of the oldest attacks in DDoS history, yet is still very common…

Family Network Attacks Attack Vector UDP Flood Variants Reflective Amplified FloodsDNS Garbage FloodUDP Port 80 Garbage Flood DRS ID 22003 Supports spoofing Yes Capture file example Description A UDP Flood is a network DDoS attack involving the sending of numerous UDP packets toward the victim. This attack can arrive from a spoofed source IP address;…

The Web Appliaction Firewall (WAF) appliance is a security appliance that protects web servers from many types of attacks. A WAF can be either physical or virtual. Many WAFs today come with a DDos mitigation feature. Related entries: DDoS Appliance ARE YOU READY? Answer seven online questions and get a free report assessing your protection…

In DDoS, ‘Wartime’ refers to the period during which your organization is under attack and your DDoS mitigation service is expected to mitigate the attack successfully. Wartime is in contrast to ‘Peacetime’. Related Entries: Peacetime ARE YOU READY? Answer seven online questions and get a free report assessing your protection status with recommendations for improvement…

A web cache (or HTTP cache) is technology for the temporary storage (hence, caching) of web content.  The technology is used to reduce the load from web servers, reduce bandwidth usage and improve acceleration. Web Caching, when used in tandem with web reverse proxy, is an effective layer against DDoS because many attack vectors will…

Web challenges are one of the most effective ways to stop web-based DDoS attacks. There  are different types of challenges, which will be explained below. Some challenges are transparent to users, yet block significant types of attackers. Others are very strong and do not allow any bot to pass, yet do so at the cost…

Web Challenges are several technologies used to distinguish between real humans and bots in general, or DDoS bots in our context. There are several types of challenges. The best-known one is the CAPTCHA, which is very intrusive, but there are other, less-intrusive transparent challenges such as Cookie Validation or the JavaScript Challenge. Web Challenges are…

Cloud-based DDoS mitigation services offers two primary protection types: web protection and infrastructure protection. Web protection is the ability to protect web sites and web based services typically by means of DNS diversion. Infrastructure Protection is the ability to protect the direct attack on the organization IP or Network, typically by means of BGP diversion.…

‘Web reverse proxy’  or, in short, ‘reverse proxy’, is a server that receives the client’s request, and then requests it indirectly from the web server. When the proxy is strong enough, it acts as an effective DDoS layer, as it reduces the attack surface and, specifically, mitigates virtually all the network attacks that never reach…