Chapter 45 Β· Helper 1

Glossary

Key terms for denial-of-service attacks β€” from basic overloads to botnet-driven amplification campaigns.

Denial of Service (DoS)
An attack that forces a service to become unavailable to legitimate users. Achieved by either (1) resource exhaustion β€” flooding the target with traffic or requests until it runs out of bandwidth, CPU, memory, or connection capacity; or (2) vulnerability exploitation β€” triggering a software flaw or design weakness that crashes or destabilizes the service. DoS targets the availability pillar of the CIA triad. A DoS from a single attacker machine is limited by that machine's bandwidth; DDoS overcomes this by distributing the attack across many machines.
Availability (CIA Triad)
One of the three core properties of information security (alongside Confidentiality and Integrity). Availability means that systems and data are accessible to authorized users when needed. DoS and DDoS attacks specifically target availability β€” the goal is not to steal data or modify it, but to prevent legitimate access. Availability is the hardest property to guarantee absolutely because it requires more capacity or resilience than an attacker can overwhelm.
DoS as Smokescreen
A DoS attack used not as the primary goal but as a distraction β€” creating enough operational noise to redirect the security team's attention while a second, more targeted attack (DNS modification, data exfiltration, credential compromise) operates undetected elsewhere. The DoS generates dozens of alerts and consumes incident response capacity; the real attack exploits the resulting blind spot. One of the primary motivations for launching a DoS attack alongside a broader intrusion campaign.
Friendly DoS (Unintentional DoS)
A denial-of-service event caused by misconfiguration, user error, or infrastructure failure rather than malicious intent. Examples: (1) a Layer 2 loop without STP creates a broadcast storm that floods the network; (2) a large download over a limited connection saturates bandwidth intended for production traffic; (3) a burst water pipe above a data center ceiling causes physical infrastructure failure. Friendly DoS events cause the same service outage as intentional attacks but have no attacker β€” they are prevented by proper network design, capacity monitoring, and infrastructure planning.
Layer 2 Loop (Broadcast Storm)
A network misconfiguration in which two switches are connected to each other by multiple paths without Spanning Tree Protocol (STP) to block redundant paths. Without STP, broadcast frames circulate endlessly between switches, duplicating with each pass. The broadcast traffic grows exponentially until it consumes all available bandwidth on the connected network segment. Devices cannot communicate; the network segment experiences a complete denial of service. STP (or Rapid STP, RSTP) is the standard prevention mechanism β€” it detects and blocks redundant paths while maintaining one active path.
Spanning Tree Protocol (STP)
A Layer 2 network protocol that prevents loops in switched networks by detecting redundant paths and logically blocking all but one active path between any two points. When a connected switch fails, STP automatically unblocks a redundant path to restore connectivity. Without STP, connecting switches in a loop creates a broadcast storm (Layer 2 DoS). STP is the standard prevention mechanism against Layer 2 loops; modern networks commonly use Rapid STP (RSTP) or Multiple STP (MSTP) for faster convergence.
Distributed Denial of Service (DDoS)
A DoS attack launched simultaneously from many distributed sources β€” typically thousands to millions of compromised devices β€” to overwhelm a target that would easily withstand a single-source attack. The distributed nature makes source-based blocking impractical: traffic appears to come from millions of legitimate IPs worldwide. DDoS requires the attacker to control a large number of machines (via a botnet) or to use amplification techniques that generate massive traffic from a small number of requests. Exploits the asymmetric advantage of aggregating many small sources against one large target.
Botnet
A network of computers infected with malware that places them under the remote control of an attacker (the "bot herder"). Botnet devices β€” often called "bots" or "zombies" β€” may be home computers, servers, routers, or IoT devices whose owners are unaware of the infection. The attacker communicates with all bots via a command-and-control (C2) infrastructure and can direct the entire botnet to perform actions simultaneously β€” including DDoS attacks, spam campaigns, or credential stuffing. The Zeus botnet reached over 3.6 million infected devices at its peak.
Command-and-Control (C2)
The infrastructure through which an attacker issues commands to botnet-infected devices. Traditional C2 used centralized servers that bots checked in with periodically. Modern botnets often use peer-to-peer C2 channels to make the infrastructure harder to disrupt β€” there is no single server to take down. When the C2 sends an attack command, all bots execute it simultaneously. Disrupting the C2 infrastructure (by law enforcement action, DNS sinkholing, or IP blacklisting) is one method to neutralize a botnet without needing to clean each infected device.
Asymmetric Threat
A threat in which the attacker's resources are significantly smaller than the victim's, yet the attacker can still cause disproportionate damage. DDoS is the canonical asymmetric threat: an attacker with a laptop and control of a large botnet can overwhelm a target operating thousands of servers with multi-gigabit internet connections. The attacker's investment (botnet malware campaign, C2 infrastructure) is modest; the victim's loss (service outage, incident response cost, revenue loss) is large. The asymmetry is enabled by botnet scale and amplification techniques.
Reflection Attack
A DDoS technique in which the attacker sends requests to third-party servers (reflectors) with the victim's IP address spoofed as the source. The reflectors send their responses to the victim rather than to the attacker. This hides the true source of the attack (the botnet) and directs legitimate-looking traffic from distributed sources at the victim. The victim receives responses from real, legitimate servers β€” making the traffic harder to block than traffic directly from botnet IPs.
Amplification Attack
A DDoS technique that exploits protocols where the response is significantly larger than the request. By spoofing the victim's IP as the source of small queries sent to many reflectors, the attacker generates a flood of large responses directed at the victim β€” multiplying the traffic volume by the amplification factor. Common amplification factors: DNS (up to 86Γ—), NTP (up to 550Γ—), ICMP. The attacker sends a small amount of traffic; the victim receives a vastly larger amount. Amplification attacks target open, publicly accessible services with weak or no authentication.
DNS Amplification
An amplification attack using the Domain Name System. The attacker sends a small DNS query (e.g., 15 bytes) to open DNS resolvers with the victim's IP spoofed as the source. The resolver sends its response (e.g., 1,300 bytes) to the victim β€” an amplification factor of ~86Γ—. Open DNS resolvers (servers that respond to queries from any IP without authentication) are the required intermediary. Defense includes closing open resolvers on your own infrastructure and deploying ingress filtering (BCP38) to block spoofed source IPs from exiting your network.
NTP Amplification
An amplification attack using the Network Time Protocol. NTP's MONLIST command returns a list of the last 600 hosts that queried the NTP server β€” a response that can be up to 550Γ— larger than the request. Attackers send MONLIST requests with the victim's IP spoofed as the source, directing the massive responses to the victim. NTP amplification attacks were responsible for some of the largest recorded DDoS events before vendors disabled the MONLIST command in updated NTP software. Demonstrates that protocols designed for convenience (time synchronization) can become weapons when abused at scale.
Open DNS Resolver
A DNS server configured to answer queries from any IP address on the internet β€” not just from its own authorized clients. Open resolvers are a required component of DNS amplification attacks: the attacker needs DNS servers that will respond to queries from spoofed (victim's) IP addresses. Organizations that operate open resolvers inadvertently provide amplification infrastructure to attackers. Best practice: DNS resolvers should be configured to respond only to authorized clients (recursive queries restricted to internal networks or known IP ranges).
IP Spoofing (Source Address Spoofing)
Forging the source IP address in a network packet to make it appear to originate from a different address. In reflection and amplification attacks, the attacker spoofs the victim's IP as the source of queries sent to reflectors β€” causing the reflectors to send their responses to the victim. IP spoofing is possible because basic IP has no source authentication mechanism. BCP38 (Best Current Practice 38) calls for Internet Service Providers to implement ingress filtering β€” dropping packets from their customers with source addresses they could not legitimately send β€” to reduce the prevalence of spoofed traffic on the internet.
Zeus Botnet
One of the most significant botnets in internet history. At its peak, Zeus infected over 3.6 million computers globally, primarily through phishing emails and drive-by downloads. Beyond DDoS capability, Zeus was primarily designed for banking credential theft β€” intercepting banking sessions on infected machines. The scale of the Zeus botnet (3.6 million devices under a single operator's control) illustrates the realistic upper bound of botnet-based DDoS capacity and the asymmetric power this gives an attacker.