Application-Based Monitoring

Application-Based Monitoring is the practice of monitoring software applications using a dedicated set of algorithms, technologies and approaches to detect zero-day and application layer (Layer 7) DDoS attacks. Learn more about Application-Based Monitoring on

APT (Advanced Persistent Threat)

An APT refers to a sustained, Internet-enabled form of cyber espionage led by a powerful entity, such as a government, with the intent to gain access to a specific target, such as a political resistance group or another government. APTs often employ DDoS attacks.

Attack Signature

A DDoS attack signature is a block of code unique to a specific DDoS attack. Knowing the attack signature allows a DDoS protection specialist to identify and block the DDoS attack. A hacker may randomize a portion of the attack signature in an attempt to fool security experts, but other parts of the attack signature will stay the same. See 11 different DDoS attack signatures in the itsoknoproblembro Threat Advisory.

Attack Vector

An attack vector is an existing vulnerability that has been leveraged by a malicious actor to create an exploitable condition. The exploitable condition is used to gain unauthorized access to server resources. See a snapshot of global DDoS attack types by popularity, as witnessed by Akamai, among other security visualizations of DDoS attacks.


Backscatter is a side effect of a spoofed distributed reflection denial-of-service (DrDoS) attack. The intermediary victim machine cannot distinguish between incoming spoofed packets and legitimate packets, so the victim must respond to all of them. The flood of responses creates the condition called backscatter. DDoS mitigation service providers use the term backscatter to refer to the high rate of responses that can be generated by DDoS mitigation equipment. In some cases, malicious actors are able to make use of DDoS mitigation equipment to engage in reflection attacks. Akamai takes proactive steps to prevent its DDoS mitigation equipment from being used by malicious actors to produce backscatter. Learn more about backscatter and SYN reflection attacks in this white paper.


Bandwidth rate refers to the bits per second (bps) rate of network resources consumed during a DDoS attack. When the available bandwidth of a DDoS target is exhausted, availability is impaired and communication comes to a halt, resulting in a loss of access for legitimate users. Learn more about the bandwidth of typical DDoS attacks in the State of the Internet – Security Report.

BGP (Border Gateway Protocol)

The Border Gateway Protocol (BGP) is used to make core routing decisions on the Internet and is the protocol used by organizations to exchange routing information. Akamai’s Prolexic Connect DDoS protection solution uses BGP to enable organizations to redirect network traffic through its DDoS scrubbing centers.


Bitrate refers to the speed at which data flows in and out of a network, often measured in bits per second (bps). During a DDoS attack, the bitrate of the target network is significantly increased, which can cause problems with resource availability.


A booter is a tool used by malicious actors to launch denial of service attacks. This slang term describes a script that has been placed on a compromised server. Usually the scripts are written in PHP, but they have been observed in the wild using multiple programming languages. Some booters include BroDoS (itsoknoproblembro) and GreenShell. Lists of active booter scripts are circulated in the underground and used by fee-based DDoS-as-a-Service providers, which use compromised web servers in their botnets. Get the Booter Shell Script Threat Advisory to learn more.


A bot is a computer that is under control of a third party. Learn more about bots in the What is DDoS Denial of Service FAQ.


A botnet is a network of bots that can be commanded as a single group entity by a command and control system. Botnets receive instructions from command and control systems to launch DDoS attacks. Learn more about botnets in the What is DDoS Denial of Service FAQ.

Botnet Takedown

A botnet takedown is the process of identifying bots and then working with law enforcement and security experts to measure inbound and outbound traffic to and from the bots. The goal is to trace the traffic to find the location of the command and control server that controls the botnet. When the command and control server is brought down the botnet can no longer be used in a DDoS attack. Learn more about the FBI’s botnet takedown in the Blackshades Remote Access Trojan (RAT) infographic.

Botnet Takeover

A botnet takeover occurs when one hacker tries to take over another hacker’s command and control server. The intent of the rogue hacker is to subvert the control of the command and control server from its original owner by changing the passwords and locking down the server. Learn more about how to take over a botnet in the Dirt Jumper Vulnerability Disclosure Report.


A web server infected with itsoknoproblembro malicious PHP scripts. Learn more about the itsnoproblembro DDoS Toolkit and DDoS mitigation techniques to stop it.

CA (Certificate Authority)

A certificate authority is a trusted third party that issues digital certificates and is the ultimate keystone in building digital trust relationships.


Caching is the method in which a repetitive request for information is remembered in the server memory in order to serve up the same type of request faster. Modern systems employ extensive use of caching at almost every layer of application design. Web servers always try to cache repetitive static content from memory. Database servers also attempt to cache repetitive queries. Attackers exploit caching by making requests for items that would not likely be cached, forcing the applications to increase CPU and disk usage.


A CAPTCHA is a challenge-response test used to determine if a web application request is being made by a human, not an automated program. A CAPTCHA, which commonly appears as a series of wavy letters intended to confuse optical character recognition scripts, is useful for DDoS attack prevention. CAPTCHA processing takes less computing power to validate than a completed form. If the user does not pass the CAPTCHA test, the form is not processed. CAPTCHAs prevent attackers from using automated scripts to flood a web application form with excessive traffic from junk requests. The CAPTCHA acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Learn more about the value of CAPTCHA in the threat advisory, Data Breaches Fuel Login Attacks.

Checker Tool

A checker tool is used by malicious actors to automate the identification of stolen username:password pairs on targeted web applications, such as subscription services or e-payment services. Lists of username:password pairs often originate from major third-party breaches. The success and proliferation of custom checker development services are enabled by users who use the same username:password combination on more than one website and by webmasters who allow e-mail addresses to be used as usernames. Learn more about how public data dumps have fueled brute force attacks using automated checkers.

Command and Control, CnC, C&C, CC, C2

Command and control refers to the main server used by a DDoS attacker to control the botnets used in a DDoS attack. Learn more about botnet command and control (C&C or C2) in the Dirt Jumper Vulnerability Disclosure Report.


CSIRT researches attack techniques and tools used to target Akamai customers and develops the appropriate responses to protect customers from a wide variety of attacks – ranging from login abuse to scrapers to data breaches to DNS hijacking to distributed denial of service (DDoS). Its ultimate mission: keep customers safe. CSIRT maintains close contact with peer organizations around the world, trains Akamai’s Professional Services and Customer Care representatives to recognize and counter attacks from a wide range of adversaries, and keeps customers informed by issuing advisories, publishing threat intelligence and conducting briefings.


Cyberterrorism represents acts of Internet-based hacking that cause large-scale disruption to computer networks through the use of computer viruses and other malicious tools, such as worms and Trojan programs. The motivation for cyberterrorism attacks is to create widespread panic and disruption. Hacktivist groups may use cyberterrorism campaigns to protest or promote certain ideological or political beliefs. Learn more about cyberterrorism in the DDoS Attacks Against Global Markets white paper.

Data Breach

A data breach involves obtaining unauthorized access to confidential or sensitive information such as customers’ personal information, corporate financial records, credit card or bank account details. A data breach is often accompanied by the intentional public release of the confidential information obtained by hacktivists during the cyber-attack. Learn more in the white paper, Weighing Risk Against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack?

DDoS (Distributed Denial of Service)

DDoS is an acronym for distributed denial of service, as in a distributed denial of service (DDoS) cyber-attack. A DDoS attack uses many computers distributed across the Internet in an attempt to consume available resources on the target. Learn more about what is DDoS.

DDoS Attack Forensics

DDoS attack forensics, often provided in a post-attack report, are a comprehensive listing of all characteristics associated with a DDoS denial of service attack. Ideally, DDoS forensics should include attack type, attack duration, attack origin and all of the real IP addresses blocked in the attack, in a database that is instantly accessible through a secure online customer portal. Learn more about anti-DDoS intelligence.

DDoS Attacks

DoS and DDoS attacks are an attempt to make a computer resource (i.e., website, email, voice or a whole network) unavailable to its intended users. By overwhelming it with data and/or requests in a denial of service attack, the target system either responds so slowly as to be unusable or crashes completely. The data volumes required to do this are often achieved by a network of remotely controlled zombie or botnet [robot network] computers that have fallen under the control of an attacker, generally through the use of Trojan viruses. Alternately, DDoS attacks are also often conducted using Internet protocol reflection DDoS techniques that cause Internet-accessible servers to send unwanted data to the target. Learn more about DoS and DDoS attacks in the DDoS denial of service FAQ.

DDoS Blackholing

DDoS attack blackholing is a method typically used by ISPs to stop a DDoS denial of service attack on one of its customers. This approach to block denial of service attacks makes the attacked site completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic. Black holing is typically deployed by the ISP to protect other customers on its network from the adverse effects of DDoS attacks, such as slow network performance and disrupted service.

DDoS Mitigation Appliance

DDoS mitigation appliances are hardware modules for network protection that include purpose-built automated network devices for detecting and mitigating some levels of DDoS attacks. Sometimes perimeter security hardware such as firewalls and Intrusion Detection Systems (IDS) include features intended to address some types of small DDoS attacks.

DDoS Mitigation Service

A DDoS mitigation service is a service designed to detect, monitor, and mitigate DoS and DDoS attacks. A Distributed Denial of Service (DDoS) mitigation service provided by a pure play DDoS mitigation vendor consists of a combination of proprietary detection, monitoring, and mitigation tools and skilled anti-DDoS technicians who can react in real-time to changing DDoS attack characteristics. Add-on DDoS mitigation service providers such as Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) also offer DDoS mitigation services in the form of automated tools, but they have limited network capacity to absorb large DDoS denial of service attacks. Learn more about DDoS mitigation.

DDoS Protection

DDoS protection is an enterprise strategy for protecting the network against DoS or DDoS attacks. This can include a proxy or routed mitigation service from a DDoS monitoring and mitigation service provider, on-premise appliances for detecting DDoS attacks and DDoS monitoring appliances, and Intrusion Detection Systems (IDS) such as firewalls and other types of automated security appliances. Learn about best practices for DDoS protection.

DNS (Domain Name System)

The Domain Name System translates Internet domain names into Internet protocol addresses. DNS transforms a domain name such as and converts it into the actual IP address, much as a phone book takes a name and converts it to a phone number. It is possible for many domain names to have the same IP address because one server can support a huge number of domain names. One DNS name can also be configured to map to several IP addresses. For example, if a URL maps to five different addresses, a web browser will go to any one of them to access the site. Learn more about DNS security.

DoS (Denial of Service)

DoS is an acronym for denial of service, as in a denial of service attack. A DoS attack typically uses one or a few computers to cause an outage on the target. DoS attacks are usually from individual bots that did not receive a stop command from the command and control server in a DDoS attack, so they keep fighting a denial of service battle that has already concluded. Learn more about denial of service (DoS) in the denial of service FAQ.


An exploit is an application or system vulnerability. Exploits are used to obtain unauthorized access or privilege escalation. The IptabLes and IptabLex DDoS Bots Threat Advisory describes an exploit.


Firewalls examine each incoming and outgoing network packet and determine whether to forward it toward its destination, based on a set of predefined security rules. Firewalls can be hardware- or software-based and are designed to protect networks against hackers, viruses, worms and other malicious traffic. Learn more about Kona Web Application Firewall on

Flow-Based Monitoring

Flow-Based Monitoring is the practice of monitoring network traffic flow (netflow) for early DDoS detection and notification of network-layer DDoS attacks. Flow-Based Monitoring employs edge routers on the customer’s network to build a profile of normal network traffic and to generate alerts of any significant deviations which may indicate a denial of service attack. Learn more about Flow-Based Monitoring on


Fragmentation is the division of large packets into smaller ones. Fragmentation is primarily used to enable packets larger than an interface’s MTU (Maximum Transmission Unit) to be divided into two or more units that are smaller than the MTU. Some DDoS attacks use fragments in bulk floods to consume link bandwidth.


Malicious hackers are advanced computer users who use their IT skills to discover and exploit vulnerabilities in electronics, IT systems and computer networks


Hacktivism is a cyber-attack movement in which computer network hacking is motivated by social activism or political protest. Hacktivism often includes DoS and DDoS attacks against the websites of governments, law enforcement agencies, political parties, religious groups, or any website that expresses ideas, beliefs or policies that a hacktivist group opposes. In addition to denial of service attacks, hacktivism also manifests itself as website defacement and data breaches. In 1999, the Cult of the Dead Cow created the concept of hacktivism with Hactivism, an organization that touted freedom of information as a basic human right. Learn about hacktivism in the white paper DDoS Attacks Against Global Markets.


Hacktivists are organized groups of Internet hackers such as Anonymous who launch Internet denial of service, website defacement, data exfiltration and other attacks on the websites of global brands and organizations to protest political issues and promote their own ideology. Hacktivists often launch randomized attacks with complex signatures and then take credit for them through the news media.

Hacktivist groups are well-publicized collectives of sophisticated hackers who launch DoS and DDoS attacks primarily motivated by social activism or political protest. Learn about a situation where hacktivists compromised third-party content feeds on popular media websites in the State of the Internet – Security Report.

IDS (Intrusion Detection System)

An IDS is a system that can identify, log, and report malicious traffic activity, but is designed to report only on current security policies and existing threats. An IDS by itself does not perform DDoS attack mitigation.

IP Spoof

A spoofed IP address makes a DDoS attack appear to come from a different source than its actual source. As a result, the victim will not know who originated the attack. Learn about spoofing and distributed reflection denial of service (DrDoS) attacks.

IPS (Intrusion Prevention System)

An IPS is a security device designed to monitor and analyze activity at the client, server and network levels. An IPS may include firewalls and anti-virus software. It expands upon the functionality of an IDS to perform the dropping or blocking of malicious traffic. The combination of IDS/IPS may provide enough security to guard against malicious traffic penetration and exploitation. However, IPS are not designed to identify and stop an innovative or zero-day DDoS attack.


Latency refers to the time it takes for a server to respond to a user’s request. A long latency means the server is responding slowly to user requests, which could indicate potential availability issues due to misconfiguration or a DDoS attack. Learn more about how Akamai measures latency in website performance.


A loader is a type of malware that sits silently on an infected workstation and awaits a trigger, such as an additional binary payload, before being executed.

Local Privilege Escalation Exploit

This small piece of code when executed elevates a user to root permissions through the exploitation of various vulnerabilities. Learn more about web vulnerabilities that put organizations at risk of malicious privilege escalation in the IptabLes and IptabLex DDoS Bots Threat Advisory.

Malicious Actor

A malicious actor is an information security industry term for an individual or groups involved in cyber-attacks, including but not limited to DDoS attacks, breaches and fraud. The activities of malicious actors can be seen live on the global map of DDoS attacks.


Malware such as loader Trojans may be used to infect a device or server, and then push out a DDoS payload at a later date to cause the infected machine to become part of a DDoS botnet.

Network Availability

Network availability refers to the ability of a network to respond to legitimate users’ requests. Under a DDoS denial of service attack, a network may become unavailable. The resulting degradation of service and availability can cause a significant negative impact upon enterprises that rely on their web applications for business operations. Learn more about the cost to organizations of denial of service attacks in this Ponemon Institute report.


A packet is a unit of transmission on a network. Learn about Christmas tree DDoS attack packets in this blog.

Packet Rate

Packet rate is the speed at which packets traverse a network, measured in packets per second (pps). Packets are discrete blocks of information and may be large or small. DDoS attacks with larger packets and higher packet rates result in stronger attacks with higher bandwidth consumption of the intended target.

Packet Sniffer

A packet sniffer is a tool that allows traffic traveling over a network connection to be recorded and analyzed. Packet sniffers are passive in that they do not interfere with the flow of information over a network.


Packeting refers to a denial of service attack where excessive data packets are sent to a target IP address in an effort to impair its availability and cause services to slow significantly or to stop entirely.

Passive Inspection

Passive inspection is a method by which packet sniffers are plugged into network SPAN ports or network taps are deployed to tap into copper or fiber communication flows. Akamai’s Application-Based Monitoring service uses packet sniffing technology to facilitate passive network inspection diagnostics and early detection and notification of DDoS attacks. Learn more about Application-Based Monitoring on


A payload contains all of the information contained between the header and footer, including higher-level protocols (and their headers, footers and payloads) and the actual data that is being transferred in the communication. PLXsert analyzes payloads and shares its anti-DDoS intelligence with the public in these Threat Advisories.


Phishing is a form of social engineering that seeks to trick a user into divulging login credentials, clicking a malicious link or opening a malicious attachment. Learn more about stolen credentials in a white paper about DDoS attacks involving online multiplayer gaming communities. Learn more about phishing attacks targeting enterprise users in the State of the Internet – Security Report.


A DDoS mitigation playbook, also known as a runbook, is a proactive and streamlined response for all departments in an organization to practice and implement in the event of a DDoS attack. Preparation is essential for fast DDoS mitigation.


Prolexic Security Engineering & Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions. Akamai’s PLXsert research is shared with customers and the public through the State of the Internet – Security Report, Threat Advisories and blog posts.

Public Exploit

An exploit that has been released to the public via standard channels such as mailing lists, exploit archives, or forum posts. Learn more about exploits in the white paper Web Vulnerabilities: The foundation of the most sophisticated DDoS campaigns.


Resolver scripts exist for almost every software platform that directly connects users to each other, such as chat programs and video games.


A DDoS mitigation runbook, also known as a playbook, is a proactive and streamlined response for all departments in an organization to practice and implement in the event of a DDoS attack. Preparation and communication is essential for responding rapidly to a DDoS attack.

Scrubbing Centers

Scrubbing centers are technical facilities purpose-built for removing malicious DDoS traffic from inbound traffic streams when mitigating DDoS denial of service attacks.

Security Operations Center (SOC)

A security operations center (SOC) is a centralized location staffed with IT security experts who monitor and defend enterprise networks and their components. Akamai’s Prolexic SOC operates 24 hours a day, 7 days a week, 365 days a year. The SOC’s goal is to provide DDoS mitigation customers with the best DDoS protection from some of the most experienced information security professionals in the industry.


A sniffer, also called a network analyzer or packet analyzer, can help DDoS mitigation experts read and decode network traffic. Wireshark and tcpdump are sniffer technologies. Sniffers can also be used by attackers, who have successfully breached a network, to observe activity and capture proprietary data. For examples of legitimate use of Wireshark and tcpdump in DDoS mitigation and anti-DDoS intelligence, learn more in this white paper about DDoS attacks involving online gaming.


A SNORT rule is composed of syntax-based instructions that identify DDoS activity. A SNORT rule is used with application firewall techniques to block a DDoS attack. Learn more in Spike DDoS Toolkit Threat Advisory, which provides a SNORT rule to stop a GET flood attack.

Spear Phishing

Spear phishing is a social engineering attack technique where malicious actors research an organization and its personnel in order to target individuals with spam. The goal is to cause enterprise employees with high levels of access to install malware or divulge personal information such as login credentials that can be leveraged in a cyber-attack. Learn more about phishing attacks targeting enterprise users in this State of the Internet – Security Report.


A spoofed DDoS attack is one in which the source of the attack is faked by the attacker in an effort to get a third-party server or device to send unwanted information to the attacker’s target. Spoofing is only effective in Layer 3 (UDP) attacks, because UDP is a stateless protocol. Spoofing is a technique often used in reflection and amplification (DrDoS) attacks. Learn more about DrDoS reflection attacks.

Stressor, Stresser

A stressor (stresser) suite is a DDoS toolkit used by malicious actors to launch denial of service attacks. The toolkits usually consist of PHP/MySQL a graphical user interface (GUI), an application programming interface (API), and a list of booter shells. Stressors are so named because they are advertised as legitimate stress testing services for website administrators to check load balancing. However, the majority of stressor suites are made available by criminals making use of compromised server booter shells. These stressors are usually part of a fee-based DDoS-as-a-Service network. Learn about of stressors in the Storm Network Stress Tester Threat Advisory.


The popular tool tcpdump is an open-source, command-line packet analyzer software tool that lets a user intercept and display packets of data sent via the TCP/IP protocol. tcpdump is used by DDoS mitigation experts to understand DDoS attacks. It is often used as a command line (CLI) alternative to Wireshark. For an example, see a tcpdump screenshot in a white paper about DDoS attacks in online multiplayer gaming communities.

Three-Way Handshake

An abuse of the three-way handshake as the source of malicious traffic is described in this SYN Reflection Attacks white paper.


The malware classification known as a Trojan infects a computer while a user downloads legitimate-appearing software. The name originates from the Trojan horse story of Greek mythology of the Trojan Wars. These viruses can be used to infect the unsuspecting recipient with malware that turns the computer into a zombie under the control of attackers. A remote access Trojan (RAT) allows a malicious actor to control and remotely access files on the infected device. Learn more about this type of malware in the Blackshades RAT Threat Advisory.


The UDP protocol is a stateless transmission protocol with an emphasis on minimal latency rather than reliability in transmitting information and requests over the Internet. User Datagram Protocol (UDP) allows information and requests to be sent to a server without requiring a response or acknowledgement that the request was received. UDP is considered an unreliable protocol because information packets or requests may arrive out of order, may be delayed, or may appear to be duplicated. There is no guarantee that the information you transmit will be received. Learn about UDP flood DDoS attacks.

Web Application Firewall

A web application firewall controls access to a specific application or service, blocking network traffic that does not meet the required criteria. Learn more about web application security.

Website Defacement

Website defacement is a cyber-attack in which hackers obtain administrative access to a website for the purpose of altering its visual appearance, such as replacing existing content with content authored by the hacker with malicious intent. One method of defacement involves breaking into a web server and replacing the hosted site with the hacker’s website. Learn more in the State of the Internet – Security Report about how phishing attacks targeted third-party content providers for the purpose of website defacement.

Whale Phishing

Whale phishing is a variant on the technique of spear phishing where attackers specifically target the top tier in an organization, such as C-level executives. Compromised credentials from these individuals will typically have much greater access permissions than the login credentials of other employees.


Wireshark is open-source packet analyzer software with a graphical interface that lets a user intercept and display packets of data sent via the TCP/IP protocol. This tool can break down packets down to a visual hexadecimal level, which allows for quick identification of DDoS attack patterns and anomalies. Wireshark is used by DDoS mitigation experts to understand DDoS attacks. See screenshots of Wireshark in the multiplayer gaming communities white paper.


A zombie is created when a computer of an unsuspecting user is infected with malware that communicates with a hidden command and control (C&C) server. The C&C allows hackers to issue commands to a network of compromised zombie machines. This centrally controlled network of zombies is known as a botnet.