Chapter 45 Β· Flashcards

Denial of Service Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Denial of Service (DoS)
Tap to reveal
An attack that forces a service to fail by making it unavailable to legitimate users. Two methods: (1) resource exhaustion β€” flooding the target with traffic until bandwidth, CPU, memory, or connections are consumed; (2) vulnerability exploitation β€” triggering a software flaw that crashes or destabilizes the service. DoS targets the Availability pillar of the CIA triad. Motivations include competitive advantage, extortion, hacktivism, and β€” critically β€” acting as a smokescreen while a second attack occurs elsewhere.
Friendly DoS
Tap to reveal
An unintentional denial of service caused by misconfiguration, user error, or infrastructure failure β€” no attacker involved. Examples: (1) Layer 2 loop without STP β†’ broadcast storm floods the network; (2) large file download over a small pipe saturates bandwidth for all other traffic; (3) broken water line above the server room causes a physical outage. The service outage is identical to a malicious attack from the business perspective. Prevented by good network design, STP, bandwidth monitoring, and resilient infrastructure.
Layer 2 Loop / Broadcast Storm
Tap to reveal
A network DoS caused by switches connected in a loop without Spanning Tree Protocol (STP) to block redundant paths. Broadcast frames circulate endlessly between switches, duplicating at wire speed until they consume all bandwidth on the segment. Devices cannot communicate. Classic friendly DoS β€” a cabling error by a technician, not an attack. Fix: disconnect one loop-creating cable. Prevention: enable and properly configure STP on all switches before connecting redundant paths.
DDoS (Distributed Denial of Service)
Tap to reveal
A DoS attack launched simultaneously from thousands to millions of distributed sources (typically a botnet) to overwhelm a target that would easily withstand a single-source attack. Traffic comes from millions of different IP addresses worldwide β€” source-based blocking is impractical. Exploits the asymmetric advantage of aggregating many small sources against one large target. The Zeus botnet (3.6 million infected devices) illustrates the realistic scale: one command β†’ millions of devices attack simultaneously.
Botnet
Tap to reveal
A network of malware-infected devices under an attacker's remote control, used for DDoS attacks, spam, credential theft, and other malicious actions. Device owners are unaware of the infection. The attacker (bot herder) communicates via command-and-control (C2) infrastructure and can direct all bots simultaneously with a single command. Zeus botnet: 3.6 million infected PCs at peak. Botnets provide the distributed scale that makes DDoS asymmetric β€” the attacker's personal resources are minimal; the aggregate botnet resource is enormous.
Asymmetric Threat
Tap to reveal
A threat where the attacker's resources are far smaller than the victim's, yet the attacker can still cause disproportionate damage. DDoS is the canonical example: an attacker with a laptop controls a botnet of millions of compromised third-party devices and can overwhelm a target operating thousands of servers and multi-gigabit internet connections. The attacker leverages others' machines β€” they do not need their own bandwidth to exceed the victim's. Amplification further multiplies this asymmetry.
Reflection Attack
Tap to reveal
A DDoS technique where the attacker sends requests to third-party servers (reflectors) with the victim's IP spoofed as the source, causing the reflectors to send their responses to the victim. The victim receives traffic from legitimate, distributed servers β€” not from botnet IPs. Makes the attack harder to block (legitimate servers) and hides the true source (botnet devices). Reflection is the mechanism; amplification is the force multiplier when the response is larger than the request.
DNS Amplification
Tap to reveal
An amplification DDoS attack using open DNS resolvers. Small DNS query (~15 bytes) generates a large DNS response (~1,300 bytes) sent to the victim's spoofed IP β€” an ~86Γ— amplification factor. The attacker's botnet sends small queries; the victim receives massive response traffic from legitimate DNS servers it cannot block. Required conditions: open DNS resolvers (respond to any IP), IP spoofing capability, and a domain with large DNS records to query. Defense: close open resolvers; ISP-level BCP38 ingress filtering to block spoofed source IPs.
NTP Amplification
Tap to reveal
An amplification DDoS attack using the Network Time Protocol's MONLIST command. A small NTP status request generates a response listing the last 600 hosts that queried the server β€” up to ~550Γ— amplification, the highest commonly seen in practice. Attackers spoof the victim's IP as the source of MONLIST requests to open NTP servers; the victim receives the enormous response. NTP amplification drove some of the largest recorded DDoS events. Mitigation: disable MONLIST on NTP servers (done by default in modern NTP software).
DoS as Smokescreen
Tap to reveal
A DoS or DDoS attack used as a distraction while a second, more targeted attack proceeds undetected. The flood of traffic and alerts consumes the security team's full attention; while incident response manages the visible crisis, an attacker modifies DNS records, exfiltrates data, or compromises credentials elsewhere in the environment. The DoS was never the goal β€” it was the cover. One of the primary strategic motivations for DDoS attacks against organizations alongside the primary target being infrastructure or data, not availability itself.