Some language and math that come in handy when you talk about or fight Distributed Denial of Service…
Distributed Denial of Service: an attack that uses a number of attacking nodes that overwhelm the target with network, web, or application traffic. DDoS implies 100 or more nodes attacking the same target, although just about everybody has their own threshold for what consitutes “distributed”.
Command and Control (C2): how the attackers get instructions to the attacking nodes. This could be automated in the case of a botnet (and probably what defines a botnet if you think about it too hard) or done manually as in the case of some booter scripts, or, as in the case of hacktivists, done with IRC, flyers, manifestos, and forums. Different C2 has different strengths and weaknesses.
Node: a unique IP address that is participating in a DDoS. Not to be confused with node.js. =)
Lethality: The lethality of a DDoS is a function of the number of attacking nodes times the average bandwidth per node with efficiency multipliers for how high in the technology stack that the attack goes (layer 3/4 versus 5-7) and if the nodes all attack at the same time (determined by the quality of the attacker’s command and control (C2) ). It really is a brute force numbers game for the most part.
- Home users in US: 1-2 Mbps
- Home users in South America, Africa, South Asia: .5 Mbps
- Home users in South Korea, Japan: 5Mbps
- Virtual Private Server: 100Mbps
- Core Routers: 1000Mbps and up
Number of Nodes: divide the total bandwidth of attack traffic received by the average node bandwidth to determine how many attacking nodes there are. So, for example, a hacktivist army attacking a site and bringing 2Gbps of attack traffic has around 2,000-4,000 participants.
Recruitment: how fast the attackers (botnet via malware, hacktivists, homebrew botnet, etc) can add nodes to the attack. This could also be correlated with rates of infection for botnets consisting of home PC users, rates of exploits for servers, number of hacktivists joining in the campaign, etc.
Attrition: how fast the attackers lose nodes. This could be due to ISPs blocking node access due to detection of attack traffic or bandwidth caps, hacktivists headed off to work during the week, the end of a significant campaign, or the general lack of interest in the attack.
Rate of Growth or Decay of an Attack: total size of attacking nodes plus recruitment minus attrition.
Cute Bot Couple photo by Jenn and Tony Bot