Denial-of-service attack

DoS redirects here. For the computing pre-boot envi- 1 Types

ronment, see DOS. For other uses, see DoS (disambigua-
tion). Denial-of-service attacks are characterized by an explicit
In computing, a denial-of-service attack (DoS attack) attempt by attackers to prevent legitimate users of a ser-
vice from using that service. In a distributed denial-of-
service (DDoS) attack, the incoming trac ooding the
victim originates from many dierent sources poten-
tially hundreds of thousands or more. This eectively
makes it impossible to stop the attack simply by block-
ing a single IP address; plus, it is very dicult to dis-
tinguish legitimate user trac from attack trac when
spread across so many points of origin. There are two
general forms of DoS attacks: those that crash services
and those that ood services. The most serious attacks are
distributed.[6] Many attacks involve forging of IP sender
addresses (IP address spoong) so that the location of the
attacking machines cannot easily be identied and so that
the attack cannot be easily defeated using ingress lter-
ing.
Court testimony shows us the rst demostration of DoS
attack was made by Khan C. Smith in 1997 during a Def-
con event disrupting Internet access to the Las Vegas Strip
for over an hour and the release of sample code during the
event led to the online attack of Sprint, Earthlink, eTrade,
and other major corportations in the year to follow.[7]

1.1 Distributed DoS

See also: October 2016 Dyn cyberattack, IP address

spoong, and Hop (networking)
DDoS Stacheldraht attack diagram.

A distributed denial-of-service (DDoS) is a cyber-

is a cyber-attack where the perpetrator seeks to make a attack where the perpetrator uses more than one unique
machine or network resource unavailable to its intended IP address, often thousands of them. The scale of DDoS
users by temporarily or indenitely disrupting services of attacks has continued to rise over recent years, by 2016
a host connected to the Internet. Denial of service is typ- exceeding a terabit per second.[8] [9]
ically accomplished by ooding the targeted machine or
resource with superuous requests in an attempt to over-
load systems and prevent some or all legitimate requests 1.2 Advanced persistent DoS
from being fullled.[1] A DoS attack is analogous to a
group of people crowding the entry door or gate to a shop An advanced persistent DoS (APDoS) is more likely to
or business, and not letting legitimate parties enter into be perpetrated by an advanced persistent threat (APT):
the shop or business, disrupting normal operations. actors who are well resourced, exceptionally skilled and
Criminal perpetrators of DoS attacks often target sites have access to substantial commercial grade computer re-
or services hosted on high-prole web servers such sources and capacity. APDoS attacks represent a clear
as banks or credit card payment gateways. Revenge, and emerging threat needing specialised monitoring and
blackmail[2][3][4] and activism[5] can motivate these at- incident response services and the defensive capabilities
tacks. of specialised DDoS mitigation service providers.

1
2 3 ATTACK TECHNIQUES

This type of attack involves massive network layer DDoS service attack to include:[12]
attacks through to focused application layer (HTTP)
oods, followed by repeated (at varying intervals) SQLi unusually slow network performance (opening les
and XSS attacks. Typically, the perpetrators can simul- or accessing web sites)
taneously use from 2 to 5 attack vectors involving up to
several tens of millions of requests per second, often ac- unavailability of a particular web site
companied by large SYN oods that can not only attack
the victim but also any service provider implementing any inability to access any web site
sort of managed DDoS mitigation capability. These at-
dramatic increase in the number of spam emails re-
tacks can persist for several weeks- the longest continuous
ceived (this type of DoS attack is considered an e-
period noted so far lasted 38 days. This APDoS attack in-
mail bomb).
volved approximately 50+ petabits (100,000+ terabits) of
malicious trac.
Additional symptoms may include:
Attackers in this scenario may (or often will) tactically
switch between several targets to create a diversion to
evade defensive DDoS countermeasures but all the while disconnection of a wireless or wired internet con-
eventually concentrating the main thrust of the attack nection
onto a single victim. In this scenario, threat actors with
long-term denial of access to the web or any internet
continuous access to several very powerful network re-
services.
sources are capable of sustaining a prolonged campaign
generating enormous levels of un-amplied DDoS trac.
If the attack is conducted on a suciently large scale, en-
APDoS attacks are characterised by: tire geographical regions of Internet connectivity can be
compromised without the attackers knowledge or intent
advanced reconnaissance (pre-attack OSINT and
by incorrectly congured or imsy network infrastructure
extensive decoyed scanning crafted to evade detec-
equipment.
tion over long periods)
tactical execution (attack with a primary and sec-
ondary victims but focus is on primary) 3 Attack techniques
explicit motivation (a calculated end game/goal tar-
get) A wide array of programs are used to launch DoS-attacks.
large computing capacity (access to substantial com-
puter power and network bandwidth resources) 3.1 Attack tools
simultaneous multi-threaded OSI layer attacks (so-
phisticated tools operating at layers 3 through 7) In cases such as MyDoom the tools are embedded in mal-
ware, and launch their attacks without the knowledge of
persistence over extended periods (utilising all the the system owner. Stacheldraht is a classic example of
above into a concerted, well managed attack across a DDoS tool. It utilizes a layered structure where the
a range of targets[10] ). attacker uses a client program to connect to handlers,
which are compromised systems that issue commands to
1.3 Denial-of-service as a service the zombie agents, which in turn facilitate the DDoS at-
tack. Agents are compromised via the handlers by the
Some vendors provide so-called booter or stresser attacker, using automated routines to exploit vulnerabili-
services, which have simple web-based front ends, and ties in programs that accept remote connections running
accept payment over the web. Marketed and promoted on the targeted remote hosts. [13]
Each handler can control
as stress-testing tools, they can be used to perform unau- up to a thousand agents.
thorized denial-of-service attacks, and allow technically In other cases a machine may become part of a DDoS at-
unsophisticated attackers access to sophisticated attack tack with the owners consent, for example, in Operation
tools without the need for the attacker to understand their Payback, organized by the group Anonymous. The LOIC
use.[11] has typically been used in this way. Along with HOIC a
wide variety of DDoS tools are available today, including
paid and free versions, with dierent features available.
2 Symptoms There is an underground market for these in hacker re-
lated forums and IRC channels.
The United States Computer Emergency Readiness Team UKs GCHQ has tools built for DDoS, named PREDA-
(US-CERT) has identied symptoms of a denial-of- TORS FACE and ROLLING THUNDER.[14]
3.4 Denial-of-service Level II 3

3.2 Application-layer oods 3.4 Denial-of-service Level II

Various DoS-causing exploits such as buer overow can The goal of DoS L2 (possibly DDoS) attack is to cause a
cause server-running software to get confused and ll the launching of a defense mechanism which blocks the net-
disk space or consume all available memory or CPU time. work segment from which the attack originated. In case
of distributed attack or IP header modication (that de-
Other kinds of DoS rely primarily on brute force, ood-
pends on the kind of security behavior) it will fully block
ing the target with an overwhelming ux of packets, over-
the attacked network from the Internet, but without sys-
saturating its connection bandwidth or depleting the tar-
tem crash.
gets system resources. Bandwidth-saturating oods rely
on the attacker having higher bandwidth available than
the victim; a common way of achieving this today is via 3.5 Distributed DoS attack
distributed denial-of-service, employing a botnet. An-
other target of DDoS attacks may be to produce added A distributed denial-of-service (DDoS) attack occurs
costs for the application operator, when the latter uses re- when multiple systems ood the bandwidth or resources
sources based on Cloud Computing. In this case normally of a targeted system, usually one or more web servers.[6]
application used resources are tied to a needed Quality of Such an attack is often the result of multiple compro-
Service level (e.g. responses should be less than 200 ms) mised systems (for example, a botnet) ooding the tar-
and this rule is usually linked to automated software (e.g. geted system with trac. A botnet is a network of zom-
Amazon CloudWatch[15] ) to raise more virtual resources bie computers programmed to receive commands without
from the provider in order to meet the dened QoS lev- the owners knowledge.[19] When a server is overloaded
els for the increased requests.The main incentive behind with connections, new connections can no longer be ac-
such attacks may be to drive the application owner to raise cepted. The major advantages to an attacker of using a
the elasticity levels in order to handle the increased ap- distributed denial-of-service attack are that multiple ma-
plication trac, in order to cause nancial losses or force chines can generate more attack trac than one machine,
them to become less competitive. Other oods may use multiple attack machines are harder to turn o than one
specic packet types or connection requests to saturate - attack machine, and that the behavior of each attack ma-
nite resources by, for example, occupying the maximum chine can be stealthier, making it harder to track and shut
number of open connections or lling the victims disk down. These attacker advantages cause challenges for de-
space with logs. fense mechanisms. For example, merely purchasing more
A banana attack is another particular type of DoS. It in- incoming bandwidth than the current volume of the at-
volves redirecting outgoing messages from the client back tack might not help, because the attacker might be able
onto the client, preventing outside access, as well as ood- to simply add more attack machines. This, after all, will
ing the client with the sent packets. A LAND attack is of end up completely crashing a website for periods of time.
this type. Malware can carry DDoS attack mechanisms; one of the
An attacker with shell-level access to a victims computer better-known examples of this was MyDoom. Its DoS
may slow it until it is unusable or crash it by using a fork mechanism was triggered on a specic date and time.
bomb. This type of DDoS involved hardcoding the target IP ad-
dress prior to release of the malware and no further inter-
A kind of application-level DoS attack is XDoS (or XML action was necessary to launch the attack.
DoS) which can be controlled by modern web application
rewalls (WAFs). A system may also be compromised with a trojan, allow-
ing the attacker to download a zombie agent, or the trojan
may contain one. Attackers can also break into systems
using automated tools that exploit aws in programs that
3.3 Degradation-of-service attacks listen for connections from remote hosts. This scenario
primarily concerns systems acting as servers on the web.
Pulsing zombies are compromised computers that are Stacheldraht is a classic example of a DDoS tool. It uti-
directed to launch intermittent and short-lived oodings lizes a layered structure where the attacker uses a client
of victim websites with the intent of merely slowing it program to connect to handlers, which are compromised
rather than crashing it. This type of attack, referred to as systems that issue commands to the zombie agents, which
degradation-of-service rather than denial-of-service, in turn facilitate the DDoS attack. Agents are compro-
can be more dicult to detect than regular zombie inva- mised via the handlers by the attacker, using automated
sions and can disrupt and hamper connection to websites routines to exploit vulnerabilities in programs that accept
for prolonged periods of time, potentially causing more remote connections running on the targeted remote hosts.
disruption than concentrated oods.[16][17] Exposure of Each handler can control up to a thousand agents.[13] In
degradation-of-service attacks is complicated further by some cases a machine may become part of a DDoS attack
the matter of discerning whether the server is really being with the owners consent, for example, in Operation Pay-
attacked or under normal trac loads.[18] back, organized by the group Anonymous. These attacks
4 3 ATTACK TECHNIQUES

can use dierent types of internet packets such as: TCP, 3.7 HTTP POST DoS attack
UDP, ICMP etc.
These collections of systems compromisers are known as First discovered in 2009, the HTTP POST attack sends
botnets / rootservers. DDoS tools like Stacheldraht still a complete, legitimate HTTP POST header, which in-
use classic DoS attack methods centered on IP spoof- cludes a 'Content-Length' eld to specify the size of the
ing and amplication like smurf attacks and fraggle at- message body to follow. However, the attacker then pro-
tacks (these are also known as bandwidth consumption ceeds to send the actual message body at an extremely
attacks). SYN oods (also known as resource starva- slow rate (e.g. 1 byte/110 seconds). Due to the entire
tion attacks) may also be used. Newer tools can use message being correct and complete, the target server will
DNS servers for DoS purposes. Unlike MyDooms DDoS attempt to obey the 'Content-Length' eld in the header,
mechanism, botnets can be turned against any IP ad- and wait for the entire body of the message to be trans-
dress. Script kiddies use them to deny the availability mitted, which can take a very long time. The attacker
of well known websites to legitimate users.[20] More so- establishes hundreds or even thousands of such connec-
phisticated attackers use DDoS tools for the purposes of tions, until all resources for incoming connections on the
extortion even against their business rivals.[21] server (the victim) are used up, hence making any fur-
ther (including legitimate) connections impossible until
Simple attacks such as SYN oods may appear with a all data has been sent. It is notable that unlike many other
wide range of source IP addresses, giving the appearance (D)DoS attacks, which try to subdue the server by over-
of a well distributed DoS. These ood attacks do not re- loading its network or CPU, a HTTP POST attack tar-
quire completion of the TCP three way handshake and at- gets the logical resources of the victim, which means the
tempt to exhaust the destination SYN queue or the server victim would still have enough network bandwidth and
bandwidth. Because the source IP addresses can be triv- processing power to operate.[27] Further combined with
ially spoofed, an attack could come from a limited set of the fact that Apache will, by default, accept requests up
sources, or may even originate from a single host. Stack to 2GB in size, this attack can be particularly powerful.
enhancements such as syn cookies may be eective mit- HTTP POST attacks are dicult to dierentiate from
igation against SYN queue ooding, however complete legitimate connections, and are therefore able to bypass
bandwidth exhaustion may require involvement. some protection systems. OWASP, an open source web
If an attacker mounts an attack from a single host it would application security project, has released a testing tool to
be classied as a DoS attack. In fact, any attack against test the security of servers against this type of attacks.
availability would be classed as a denial-of-service attack.
On the other hand, if an attacker uses many systems to
simultaneously launch attacks against a remote host, this
would be classied as a DDoS attack. 3.8 Internet Control Message Protocol
(ICMP) ood
It has been reported that there are new attacks from
internet of things which have been involved in denial of
service attacks. [22] In one noted attack that was made A smurf attack relies on miscongured network devices
peaked at around 20,000 requests per second which came that allow packets to be sent to all computer hosts on a
from around 900 CCTV cameras. [23] particular network via the broadcast address of the net-
work, rather than a specic machine. The attacker will
UKs GCHQ has tools built for DDoS, named PREDA- send large numbers of IP packets with the source address
TORS FACE and ROLLING THUNDER.[14] faked to appear to be the address of the victim. The net-
See also: DDoS mitigation works bandwidth is quickly used up, preventing legiti-
mate packets from getting through to their destination.[28]
Ping ood is based on sending the victim an overwhelm-
ing number of ping packets, usually using the ping com-
mand from Unix-like hosts (the -t ag on Windows sys-
tems is much less capable of overwhelming a target, also
3.6 DDoS extortion the -l (size) ag does not allow sent packet size greater
than 65500 in Windows). It is very simple to launch, the
primary requirement being access to greater bandwidth
In 2015, DDoS botnets such as DD4BC grew in promi- than the victim.
nence, taking aim at nancial institutions.[24] Cyber-
extortionists typically begin with a low-level attack and a Ping of death is based on sending the victim a malformed
warning that a larger attack will be carried out if a ransom ping packet, which will lead to a system crash on a vul-
is not paid in Bitcoin.[25] Security experts recommend tar- nerable system.
geted websites to not pay the ransom. The attackers tend The BlackNurse attack is an example of an attack taking
to get into an extended extortion scheme once they rec- advantage of the required Destination Port Unreachable
ognize that the target is ready to pay.[26] ICMP packets.
3.12 Reected / spoofed attack 5

3.9 Nuke the 2008 EUSecWest Applied Security Conference in

London.[34]
A Nuke is an old denial-of-service attack against
computer networks consisting of fragmented or otherwise
invalid ICMP packets sent to the target, achieved by us- 3.12 Reected / spoofed attack
ing a modied ping utility to repeatedly send this cor-
rupt data, thus slowing down the aected computer until A distributed denial-of-service attack may involve send-
it comes to a complete stop. ing forged requests of some type to a very large number of
A specic example of a nuke attack that gained some computers that will reply to the requests. Using Internet
prominence is the WinNuke, which exploited the vulner- Protocol address spoong, the source address is set to that
ability in the NetBIOS handler in Windows 95. A string of the targeted victim, which means all the replies will go
of out-of-band data was sent to TCP port 139 of the vic- to (and ood) the target. (This[35]reected attack form is
tims machine, causing it to lock up and display a Blue sometimes called a DRDOS. )
Screen of Death (BSOD). ICMP Echo Request attacks (Smurf attack) can be con-
sidered one form of reected attack, as the ooding
host(s) send Echo Requests to the broadcast addresses of
3.10 Peer-to-peer attacks mis-congured networks, thereby enticing hosts to send
Echo Reply packets to the victim. Some early DDoS pro-
Main article: Direct Connect (protocol) Direct Connect grams implemented a distributed form of this attack.
used for DDoS attacks

3.12.1 Amplication
Attackers have found a way to exploit a number of bugs in
peer-to-peer servers to initiate DDoS attacks. The most
Amplication attacks are used to magnify the bandwidth
aggressive of these peer-to-peer-DDoS attacks exploits
that is sent to a victim. This is typically done through pub-
DC++. With peer-to-peer there is no botnet and the at-
licly accessible DNS servers that are used to cause con-
tacker does not have to communicate with the clients it
gestion on the target system using DNS response trac.
subverts. Instead, the attacker acts as a puppet master,
Many services can be exploited to act as reectors, some
instructing clients of large peer-to-peer le sharing hubs
harder to block than others.[36] US-CERT have observed
to disconnect from their peer-to-peer network and to con-
that dierent services implies in dierent amplication
nect to the victims website instead.[29][30][31]
factors, as you can see below:[37]
DNS amplication attacks involve a new mechanism that
3.11 Permanent denial-of-service attacks increased the amplication eect, using a much larger list
of DNS servers than seen earlier. The process typically
Permanent denial-of-service (PDoS), also known loosely involves an attacker sending a DNS name look up request
as phlashing,[32] is an attack that damages a system so to a public DNS server, spoong the source IP address
badly that it requires replacement or reinstallation of of the targeted victim. The attacker tries to request as
hardware.[33] Unlike the distributed denial-of-service at- much zone information as possible, thus amplifying the
tack, a PDoS attack exploits security aws which allow DNS record response that is sent to the targeted victim.
remote administration on the management interfaces of Since the size of the request is signicantly smaller than
the victims hardware, such as routers, printers, or other the response, the attacker is easily able to increase the
networking hardware. The attacker uses these vulnera- amount of trac directed at the target. [40][41] SNMP and
bilities to replace a devices rmware with a modied, NTP can also be exploited as reector in an amplication
corrupt, or defective rmware imagea process which attack.
when done legitimately is known as ashing. This there- An example of an amplied DDoS attack through NTP is
fore "bricks" the device, rendering it unusable for its orig- through a command called monlist, which sends the de-
inal purpose until it can be repaired or replaced. tails of the last 600 people who have requested the time
The PDoS is a pure hardware targeted attack which can from that computer back to the requester. A small request
be much faster and requires fewer resources than using to this time server can be sent using a spoofed source IP
a botnet or a root/vserver in a DDoS attack. Because of address of some victim, which results in 556.9 times the
these features, and the potential and high probability of amount of data that was requested back to the victim.
security exploits on Network Enabled Embedded Devices This becomes amplied when using botnets that all send
(NEEDs), this technique has come to the attention of nu- requests with the same spoofed IP source, which will send
merous hacking communities. a massive amount of data back to the victim.
PhlashDance is a tool created by Rich Smith (an It is very dicult to defend against these types of at-
employee of Hewlett-Packards Systems Security Lab) tacks because the response data is coming from legitimate
used to detect and demonstrate PDoS vulnerabilities at servers. These attack requests are also sent through UDP,
6 3 ATTACK TECHNIQUES

which does not require a connection to the server. This Each of these packets are handled like a connection re-
means that the source IP is not veried when a request quest, causing the server to spawn a half-open connec-
is received by the server. In order to bring awareness of tion, by sending back a TCP/SYN-ACK packet (Ac-
these vulnerabilities, campaigns have been started that are knowledge), and waiting for a packet in response from the
dedicated to nding amplication vectors which has led sender address (response to the ACK Packet). However,
to people xing their resolvers or having the resolvers shut because the sender address is forged, the response never
down completely. comes. These half-open connections saturate the number
of available connections the server can make, keeping it
from responding to legitimate requests until after the at-
3.13 R-U-Dead-Yet? (RUDY) tack ends.[45]

RUDY attack targets web applications by starvation of

available sessions on the web server. Much like Slowloris, 3.18 Teardrop attacks
RUDY keeps sessions at halt using never-ending POST
transmissions and sending an arbitrarily large content- A teardrop attack involves sending mangled IP fragments
length header value. with overlapping, oversized payloads to the target ma-
chine. This can crash various operating systems be-
cause of a bug in their TCP/IP fragmentation re-assembly
3.14 Shrew attack code.[46] Windows 3.1x, Windows 95 and Windows NT
operating systems, as well as versions of Linux prior to
The shrew attack is a denial-of-service attack on the versions 2.0.32 and 2.1.63 are vulnerable to this attack.
Transmission Control Protocol. It uses short synchro-
(Although in September 2009, a vulnerability in
nized bursts of trac to disrupt TCP connections on the
Windows Vista was referred to as a teardrop attack,
same link, by exploiting a weakness in TCPs retransmis-
this targeted SMB2 which is a higher layer than the TCP
sion timeout mechanism.[42]
packets that teardrop used).[47][48]
One of the elds in an IP header is the fragment o-
3.15 Slow Read attack set eld, indicating the starting position, or oset, of the
data contained in a fragmented packet relative to the data
Slow Read attack sends legitimate application layer re- in the original packet. If the sum of the oset and size
quests but reads responses very slowly, thus trying to of one fragmented packet diers from that of the next
exhaust the servers connection pool. Slow reading is fragmented packet, the packets overlap. When this hap-
achieved by advertising a very small number for the TCP pens, a server vulnerable to teardrop attacks is unable to
Receive Window size and at the same time by emptying reassemble the packets - resulting in a denial-of-service
clients TCP receive buer slowly. That naturally ensures condition.
a very low data ow rate.

3.19 Telephony denial-of-service (TDoS)

3.16 Sophisticated low-bandwidth Dis-
tributed Denial-of-Service Attack Voice over IP has made abusive origination of large num-
bers of telephone voice calls inexpensive and readily auto-
A sophisticated low-bandwidth DDoS attack is a form of mated while permitting call origins to be misrepresented
DoS that uses less trac and increases their eective- through caller ID spoong.
ness by aiming at a weak point in the victims system de- According to the US Federal Bureau of Investigation,
sign, i.e., the attacker sends trac consisting of compli- telephony denial-of-service (TDoS) has appeared as part
cated requests to the system.[43] Essentially, a sophisti- of various fraudulent schemes:
cated DDoS attack is lower in cost due to its use of less
trac, is smaller in size making it more dicult to iden-
A scammer contacts the victims banker or broker,
tify, and it has the ability to hurt systems which are pro-
[43][44] impersonating the victim to request a funds trans-
tected by ow control mechanisms.
fer. The bankers attempt to contact the victim for
verication of the transfer fails as the victims tele-
phone lines are being ooded with thousands of bo-
3.17 (S)SYN ood
gus calls, rendering the victim unreachable.[49]
See also: SYN ood A scammer contacts consumers with a bogus claim
to collect an outstanding payday loan for thousands
A SYN ood occurs when a host sends a ood of of dollars. When the consumer objects, the scam-
TCP/SYN packets, often with a forged sender address. mer retaliates by ooding the victims employer with
4.3 Blackholing and sinkholing 7

thousands of automated calls. In some cases, dis- be based on an application layer analysis, to indicate
played caller ID is spoofed to impersonate police or whether an incoming trac bulk is legitimate or not and
law enforcement agencies.[50] thus enable the triggering of elasticity decisions with-
out the economical implications of a DDoS attack.[52]
A scammer contacts consumers with a bogus debt These approaches mainly rely on an identied path of
collection demand and threatens to send police; value inside the application and monitor the macroscopic
when the victim balks, the scammer oods local po- progress of the requests in this path, towards the nal gen-
lice numbers with calls on which caller ID is spoofed eration of prot, through markers denoted as Key Com-
to display the victims number. Police soon arrive at pletion Indicators.[53]
the victims residence attempting to nd the origin
of the calls.
4.3 Blackholing and sinkholing
Telephony denial-of-service can exist even without
Internet telephony. In the 2002 New Hampshire Senate With blackhole routing, all the trac to the attacked DNS
election phone jamming scandal, telemarketers were used or IP address is sent to a black hole (null interface or
to ood political opponents with spurious calls to jam a non-existent server). To be more ecient and avoid
phone banks on election day. Widespread publication of aecting network connectivity, it can be managed by the
a number can also ood it with enough calls to render it ISP.[54]
unusable, as happened with multiple +1-area code867- A DNS sinkhole routes trac to a valid IP address which
5309 subscribers inundated by hundreds of misdialed analyzes trac and rejects bad packets. Sinkholing is not
calls daily in response to the song 867-5309/Jenny. ecient for most severe attacks.
TDoS diers from other telephone harassment (such as
prank calls and obscene phone calls) by the number of
calls originated; by occupying lines continuously with 4.4 IPS based prevention
repeated automated calls, the victim is prevented from
making or receiving both routine and emergency tele- Intrusion prevention systems (IPS) are eective if the at-
phone calls. tacks have signatures associated with them. However, the
Related exploits include SMS ooding attacks and black trend among the attacks is to have legitimate content but
fax or fax loop transmission. bad intent. Intrusion-prevention systems which work on
content recognition cannot block behavior-based DoS at-
tacks.

4 Defense techniques An ASIC based IPS may detect and block denial-of-
service attacks because they have the processing power
and the granularity to analyze the attacks and act like a
Defensive responses to denial-of-service attacks typically
circuit breaker in an automated way.
involve the use of a combination of attack detection, traf-
c classication and response tools, aiming to block traf- A rate-based IPS (RBIPS) must analyze trac granularly
c that they identify as illegitimate and allow trac that and continuously monitor the trac pattern and deter-
they identify as legitimate.[51] A list of prevention and re- mine if there is trac anomaly. It must let the legitimate
sponse tools is provided below: trac ow while blocking the DoS attack trac.[55]

4.1 Application front end hardware 4.5 DDS based defense

Application front-end hardware is intelligent hardware More focused on the problem than IPS, a DoS defense
placed on the network before trac reaches the servers. system (DDS) can block connection-based DoS attacks
It can be used on networks in conjunction with routers and those with legitimate content but bad intent. A DDS
and switches. Application front end hardware analyzes can also address both protocol attacks (such as teardrop
data packets as they enter the system, and then identies and ping of death) and rate-based attacks (such as ICMP
them as priority, regular, or dangerous. There are more oods and SYN oods).
than 25 bandwidth management vendors.

4.6 Firewalls
4.2 Application level Key Completion Indi-
cators In the case of a simple attack, a rewall could have a sim-
ple rule added to deny all incoming trac from the at-
In order to meet the case of application level DDoS at- tackers, based on protocols, ports or the originating IP
tacks against cloud-based applications, approaches may addresses.
8 5 UNINTENTIONAL DENIAL-OF-SERVICE

More complex attacks will however be hard to block with Arbor Networks[62]
simple rules: for example, if there is an ongoing attack
on port 80 (web service), it is not possible to drop all in- AT&T[63]
coming trac on this port because doing so will prevent
the server from serving legitimate trac.[56] Additionally, F5 Networks[64]
rewalls may be too deep in the network hierarchy, with
routers being adversely aected before the trac gets to Incapsula[65]
the rewall.
Neustar Inc[66]

Akamai Technologies[67]
4.7 Routers
Tata Communications[68]
Similar to switches, routers have some rate-limiting and
ACL capability. They, too, are manually set. Most Verisign[69]
routers can be easily overwhelmed under a DoS attack.
Cisco IOS has optional features that can reduce the im- Verizon[70][71]
pact of ooding.[57]

4.8 Switches 5 Unintentional denial-of-service

Most switches have some rate-limiting and ACL capa- An unintentional denial-of-service can occur when a sys-
bility. Some switches provide automatic and/or system- tem ends up denied, not due to a deliberate attack by a
wide rate limiting, trac shaping, delayed binding (TCP single individual or group of individuals, but simply due
splicing), deep packet inspection and Bogon ltering (bo- to a sudden enormous spike in popularity. This can hap-
gus IP ltering) to detect and remediate DoS attacks pen when an extremely popular website posts a prominent
through automatic rate ltering and WAN Link failover link to a second, less well-prepared site, for example, as
and balancing. part of a news story. The result is that a signicant pro-
These schemes will work as long as the DoS attacks can portion of the primary sites regular users potentially
be prevented by using them. For example, SYN ood hundreds of thousands of people click that link in the
can be prevented using delayed binding or TCP splic- space of a few hours, having the same eect on the target
ing. Similarly content based DoS may be prevented using website as a DDoS attack. A VIPDoS is the same, but
deep packet inspection. Attacks originating from dark ad- specically when the link was posted by a celebrity.
dresses or going to dark addresses can be prevented using When Michael Jackson died in 2009, websites such as
bogon ltering. Automatic rate ltering can work as long Google and Twitter slowed down or even crashed.[72]
as set rate-thresholds have been set correctly. Wan-link Many sites servers thought the requests were from a
failover will work as long as both links have DoS/DDoS virus or spyware trying to cause a denial-of-service at-
prevention mechanism. tack, warning users that their queries looked like au-
tomated requests from a computer virus or spyware
application.[73]
4.9 Upstream ltering News sites and link sites sites whose primary function
is to provide links to interesting content elsewhere on the
All trac is passed through a cleaning center or a
Internet are most likely to cause this phenomenon. The
scrubbing center via various methods such as prox-
canonical example is the Slashdot eect when receiving
ies, tunnels, digital cross connects, or even direct cir-
trac from Slashdot. It is also known as the Reddit hug
cuits, which separates bad trac (DDoS and also other
of death and the Digg eect.
common internet attacks) and only sends good trac be-
yond to the server. The provider needs central connectiv- Routers have also been known to create unintentional
ity to the Internet to manage this kind of service unless DoS attacks, as both D-Link and Netgear routers have
they happen to be located within the same facility as the overloaded NTP servers by ooding NTP servers without
cleaning center or scrubbing center.[58] respecting the restrictions of client types or geographical
limitations.
Examples of providers of this service:
Similar unintentional denials-of-service can also occur
via other media, e.g. when a URL is mentioned on tele-
CloudFlare [59]
vision. If a server is being indexed by Google or another
Level 3 Communications[60] search engine during peak periods of activity, or does not
have a lot of available bandwidth while being indexed, it
Radware[61] can also experience the eects of a DoS attack.
 9

Legal action has been taken in at least one such case. In the US, denial-of-service attacks may be con-
In 2006, Universal Tube & Rollform Equipment Cor- sidered a federal crime under the Computer Fraud
poration sued YouTube: massive numbers of would-be and Abuse Act with penalties that include years of
youtube.com users accidentally typed the tube companys imprisonment.[77] The Computer Crime and Intel-
URL, utube.com. As a result, the tube company ended lectual Property Section of the US Department of
up having to spend large amounts of money on upgrading Justice handles cases of (D)DoS.
their bandwidth.[74] The company appears to have taken
advantage of the situation, with utube.com now contain- In European countries, committing criminal denial-
ing ads for advertisement revenue. of-service attacks may, as a minimum, lead to
arrest.[78] The United Kingdom is unusual in that it
In March 2014, after Malaysia Airlines Flight 370 went specically outlawed denial-of-service attacks and
missing, DigitalGlobe launched a crowdsourcing service set a maximum penalty of 10 years in prison with the
on which users could help search for the missing jet in Police and Justice Act 2006, which amended Sec-
satellite images. The response overwhelmed the com- tion 3 of the Computer Misuse Act 1990.[79]
panys servers.[75]
An unintentional denial-of-service may also result from On January 7, 2013, Anonymous posted a petition on the
a prescheduled event created by the website itself, as was whitehouse.gov site asking that DDoS be recognized as
the case of the Census in Australia in 2016. This could be a legal form of protest similar to the Occupy protests,
caused when a server provides some service at a specic the claim being that the similarity in purpose of both are
time. This might be a university website setting the grades same.[80][81]
to be available where it will result in many more login
requests at that time than any other.
8 See also
6 Side eects of attacks Application layer DDoS attack
BASHLITE
6.1 Backscatter
Billion laughs
See also: Backscatter (email) and Internet background Botnet
noise
Command and control (malware)
In computer network security, backscatter is a side-eect DDoS mitigation
of a spoofed denial-of-service attack. In this kind of at-
tack, the attacker spoofs (or forges) the source address in Dendroid (malware)
IP packets sent to the victim. In general, the victim ma-
Fork bomb
chine cannot distinguish between the spoofed packets and
legitimate packets, so the victim responds to the spoofed High Orbit Ion Cannon (HOIC)
packets as it normally would. These response packets are
known as backscatter.[76] Hit-and-run DDoS
If the attacker is spoong source addresses randomly, the Industrial espionage
backscatter response packets from the victim will be sent
back to random destinations. This eect can be used by Innite loop
network telescopes as indirect evidence of such attacks.
Intrusion detection system
The term backscatter analysis refers to observing
backscatter packets arriving at a statistically signicant Low Orbit Ion Cannon (LOIC)
portion of the IP address space to determine characteris- Network intrusion detection system
tics of DoS attacks and victims.
October 2016 Dyn cyberattack
Project Shield
7 Legality
ReDoS
See also: Computer crime SlowDroid
Slowloris (computer security)
Many jurisdictions have laws under which denial-of-
service attacks are illegal. UDP Unicorn
10 9 REFERENCES

Virtual sit-in [13] Dittrich, David (December 31, 1999). The stachel-
draht distributed denial of service attack tool. Univer-
Warzapping sity of Washington. Retrieved 2013-12-11.

Wireless signal jammer [14] Glenn Greenwald (2014-07-15). HACKING ONLINE

POLLS AND OTHER WAYS BRITISH SPIES SEEK
XML denial-of-service attack TO CONTROL THE INTERNET. The Intercept_. Re-
trieved 2015-12-25.
Xor DDoS
[15] Amazon CloudWatch. Amazon Web Services, Inc.
Zemra
[16] Encyclopaedia Of Information Technology. Atlantic Pub-
Zombie (computer science)
lishers & Distributors. 2007. p. 397. ISBN 81-269-
0752-5.

9 References [17] Schwabach, Aaron (2006). Internet and the Law. ABC-
CLIO. p. 325. ISBN 1-85109-731-7.
[1] denial of service attack. Retrieved 26 May 2016. [18] Lu, Xicheng; Wei Zhao (2005). Networking and Mobile
Computing. Birkhuser. p. 424. ISBN 3-540-28102-9.
[2] Prince, Matthew (25 April 2016). Empty DDoS Threats:
Meet the Armada Collective. CloudFlare. Retrieved 18 [19] Has Your Website Been Bitten By a Zombie?". Cloud-
May 2016. bric. 3 August 2015. Retrieved 15 September 2015.
[3] Brand.com President Mike Zammuto Reveals Blackmail
[20] Boyle, Phillip (2000). SANS Institute Intrusion De-
Attempt. 5 March 2014. Archived from the original on
tection FAQ: Distributed Denial of Service Attack Tools:
11 March 2014.
n/a. SANS Institute. Retrieved 2008-05-02.
[4] Brand.coms Mike Zammuto Discusses Meetup.com Ex-
[21] Leyden, John (2004-09-23). US credit card rm ghts
tortion. 5 March 2014. Archived from the original on 13
DDoS attack. The Register. Retrieved 2011-12-02.
May 2014.

[5] The Philosophy of Anonymous. Radicalphiloso- [22] Swati Khandelwal (23 October 2015). Hacking CCTV
phy.com. 2010-12-17. Retrieved 2013-09-10. Cameras to Launch DDoS Attacks. The Hacker News.

[6] Taghavi Zargar, Saman (November 2013). A Survey of [23] https://www.incapsula.com/blog/

Defense Mechanisms Against Distributed Denial of Ser- cctv-ddos-botnet-back-yard.html
vice (DDoS) Flooding Attacks (PDF). IEEE COMMU-
[24] Whos Behind DDoS Attacks and How Can You Protect
NICATIONS SURVEYS & TUTORIALS. pp. 2046
Your Website?". Cloudbric. 10 September 2015. Re-
2069. Retrieved 2014-03-07.
trieved 15 September 2015.
[7] Smith, Steve. 5 Famous Botnets that held the internet
hostage. tqaweekly. tqaweekly. Retrieved Nov 20 2014. [25] Solon, Olivia (9 September 2015). Cyber-Extortionists
Check date values in: |access-date= (help) Targeting the Financial Sector Are Demanding Bitcoin
Ransoms. Bloomberg. Retrieved 15 September 2015.
[8] Goodin, Dan (28 September 2016). Record-breaking
DDoS reportedly delivered by >145k hacked cameras. [26] Greenberg, Adam (14 September 2015). Akamai warns
Ars Technica. Archived from the original on 2 October of increased activity from DDoS extortion group. SC
2016. Magazine. Retrieved 15 September 2015.

[9] Khandelwal, Swati (26 September 2016). Worlds largest [27] OWASP Plan - Strawman - Layer_7_DDOS.pdf
1 Tbps DDoS Attack launched from 152,000 hacked (PDF). Open Web Application Security Project. 18 March
Smart Devices. The Hacker News. Archived from the 2014. Retrieved 18 March 2014.
original on 30 September 2016.
[28] Types of DDoS Attacks. Distributed Denial of Service
[10] Gold, Steve (21 August 2014). Video games company Attacks(DDoS) Resources, Pervasive Technology Labs at
hit by 38-day DDoS attack. SC Magazine UK. Retrieved Indiana University. Advanced Networking Management
4 February 2016. Lab (ANML). December 3, 2009. Archived from the
original on 2010-09-14. Retrieved December 11, 2013.
[11] Krebs, Brian (August 15, 2015). Stress-Testing the
Booter Services, Financially. Krebs on Security. Re- [29] Paul Sop (May 2007). Prolexic Distributed Denial of
trieved 2016-09-09. Service Attack Alert. Prolexic Technologies Inc. Prolexic
Technologies Inc. Archived from the original on 2007-08-
[12] McDowell, Mindi (November 4, 2009). Cyber Secu- 03. Retrieved 2007-08-22.
rity Tip ST04-015 - Understanding Denial-of-Service At-
tacks. United States Computer Emergency Readiness [30] Robert Lemos (May 2007). Peer-to-peer networks co-
Team. Archived from the original on 2013-11-04. Re- opted for DOS attacks. SecurityFocus. Retrieved 2007-
trieved December 11, 2013. 08-22.
 11

[31] Fredrik Ullner (May 2007). Denying distributed at- [49] FBI Phony Phone Calls Distract Consumers from
tacks. DC++: Just These Guys, Ya Know?. Retrieved Genuine Theft. FBI.gov. 2010-05-11. Retrieved 2013-
2007-08-22. 09-10.

[32] Leyden, John (2008-05-21). Phlashing attack thrashes [50] Internet Crime Complaint Centers (IC3) Scam Alerts
embedded systems. The Register. Retrieved 2009-03-07. January 7, 2013. IC3.gov. 2013-01-07. Retrieved 2013-
09-10.
[33] Jackson Higgins, Kelly (May 19, 2008). Permanent
Denial-of-Service Attack Sabotages Hardware. Dark [51] Loukas, G.; Oke, G. (September 2010) [August 2009].
Reading. Archived from the original on December 8, Protection Against Denial of Service Attacks: A
2008. Survey (PDF). Comput. J. 53 (7): 10201037.
doi:10.1093/comjnl/bxp078.
[34] EUSecWest Applied Security Conference: London,
U.K.. EUSecWest. 2008. Archived from the original [52] Alqahtani, S.; Gamble, R. F. (1 January 2015). DDoS
on 2009-02-01. Attacks in Service Clouds. 2015 48th Hawaii Inter-
national Conference on System Sciences (HICSS): 5331
[35] Rossow, Christian (February 2014). Amplication Hell: 5340. doi:10.1109/HICSS.2015.627.
Revisiting Network Protocols for DDoS Abuse (PDF).
Internet Society. Retrieved 4 February 2016. [53] Kousiouris, George (2014). KEY COMPLETION
INDICATORS:minimizing the eect of DoS attacks on
[36] Paxson, Vern (2001). An Analysis of Using Reectors elastic Cloud-based applications based on application-
for Distributed Denial-of-Service Attacks. ICIR.org. level markov chain checkpoints. CLOSER Conference.
Retrieved 2015-05-24.
[37] Alert (TA14-017A) UDP-based Amplication Attacks.
US-CERT. July 8, 2014. Retrieved 2014-07-08. [54] Patrikakis, C.; Masikos, M.; Zouraraki, O. (December
2004). Distributed Denial of Service Attacks. The In-
[38] van Rijswijk-Deij, Roland (2014). DNSSEC and its po- ternet Protocol Journal. 7 (4): 1335.
tential for DDoS attacks - a comprehensive measurement
study. ACM Press. [55] Abante, Carl (March 2, 2013). Relationship between
Firewalls and Protection against DDoS. Ecommerce Wis-
[39] Adamsky, Florian (2015). P2P File-Sharing in Hell: Ex- dom. Retrieved 2013-05-24.
ploiting BitTorrent Vulnerabilities to Launch Distributed
Reective DoS Attacks. [56] Froutan, Paul (June 24, 2004). How to defend against
DDoS attacks. Computerworld. Retrieved May 15,
[40] Vaughn, Randal; Evron, Gadi (2006). DNS Amplica- 2010.
tion Attacks (PDF). ISOTF. Archived from the original
(PDF) on 2010-12-14. [57] Suzen, Mehmet. Some IoS tips for Internet Service
(Providers)" (PDF). Archived from the original (PDF) on
[41] Alert (TA13-088A) DNS Amplication Attacks. US- 2008-09-10.
CERT. July 8, 2013. Retrieved 2013-07-17.
[58] DDoS Mitigation via Regional Cleaning Centers (Jan
[42] Yu Chen; Kai Hwang; Yu-Kwong Kwok (2005). 2004)" (PDF). SprintLabs.com. Sprint ATL Research.
Filtering of shrew DDoS attacks in frequency do- Archived from the original (PDF) on 2008-09-21. Re-
main. The IEEE Conference on Local Computer trieved 2011-12-02.
Networks 30th Anniversary (LCN'05)l. pp. 8 pp.
[59] Gallagher, Sean. Biggest DDoS ever aimed at Cloud-
doi:10.1109/LCN.2005.70. ISBN 0-7695-2421-4.
ares content delivery network. Ars Technica. Retrieved
[43] Ben-Porat, U.; Bremler-Barr, A.; Levy, H. (2013-05-01). 18 May 2016.
Vulnerability of Network Mechanisms to Sophisticated [60] Level 3 DDoS Mitigation. level3.com. Retrieved 9 May
DDoS Attacks. IEEE Transactions on Computers. 62 (5): 2016.
10311043. doi:10.1109/TC.2012.49. ISSN 0018-9340.
[61] Defensepipe. radware.com. Retrieved November 2015.
[44] orbitalsatelite. Slow HTTP Test. SourceForge. Check date values in: |access-date= (help)
[45] RFC 4987 TCP SYN Flooding Attacks and Common [62] Clean Pipes DDoS Protection and Mitigation from Arbor
Mitigations. Tools.ietf.org. August 2007. Retrieved Networks & Cisco. ArborNetworks.com. 8 August 2013.
2011-12-02.
[63] AT&T Internet Protect Distributed Denial of Service
[46] CERT Advisory CA-1997-28 IP Denial-of-Service At- Defense (PDF). ATT.com (Product brief). 16 October
tacks. CERT. 1998. Retrieved July 18, 2014. 2012.

[47] Windows 7, Vista exposed to 'teardrop attack'". ZDNet. [64] Silverline DDoS Protection service. f5.com. Retrieved
September 8, 2009. Retrieved 2013-12-11. March 2015. Check date values in: |access-date= (help)

[48] Microsoft Security Advisory (975497): Vulnerabilities [65] Infrastructure DDos Protection. incapsula.com. Re-
in SMB Could Allow Remote Code Execution. Mi- trieved June 2015. Check date values in: |access-date=
crosoft.com. September 8, 2009. Retrieved 2011-12-02. (help)
12 11 EXTERNAL LINKS

[66] DDoS Protection. Neustar.biz. Retrieved November The Berkman Center for Internet & Society at Har-
2014. Check date values in: |access-date= (help) vard University. Archived from the original (PDF)
on 2011-03-02. Retrieved 2011-03-02.
[67] Lunden, Ingrid (December 2, 2013). Akamai Buys
DDoS Prevention Specialist Prolexic For $370M DDOS Public Media Reports. Harvard. Archived
To Ramp Up Security Oerings For Enterprises. from the original on 2011-03-02.
TechCrunch. Retrieved September 23, 2014.

[68] DDoS Protection with Network Agnostic Option. Tat-

acommunications.com. 7 September 2011. 11 External links
[69] VeriSign Rolls Out DDoS Monitoring Service. Dark-
reading.com. 11 September 2009. Retrieved 2 December RFC 4732 Internet Denial-of-Service Considera-
2011. tions
[70] Security: Enforcement and Protection. Verizon.com. Akamai State of the Internet Security Report -
Retrieved January 2015. Check date values in: |access- Quarterly Security and Internet trend statistics
date= (help)
W3C The World Wide Web Security FAQ
[71] Verizon Digital Media Services Launches Cloud-Based
Web Application Firewall That Increases Defenses cert.org CERTs Guide to DoS attacks. (historic
Against Cyberattacks. Verizon.com. Retrieved January document)
2015. Check date values in: |access-date= (help)
ATLAS Summary Report Real-time global report
[72] Shiels, Maggie (2009-06-26). Web slows after Jacksons of DDoS attacks.
death. BBC News.
Low Orbit Ion Cannon - The Well Known Network
[73] We're Sorry. Automated Query error. Google Product
Forums Google Search Forum. Google.com. October 20, Stress Testing Tool
2009. Retrieved 2012-02-11.
High Orbit Ion Cannon - A Simple HTTP Flooder
[74] YouTube sued by sound-alike site. BBC News. 2006-
LOIC SLOW An Attempt to Bring SlowLoris and
11-02.
Slow Network Tools on LOIC
[75] Bill Chappell (12 March 2014). People Overload Web-
site, Hoping To Help Search For Missing Jet. NPR. Re-
trieved 4 February 2016.

[76] Backscatter Analysis (2001)". Animations (video).

Cooperative Association for Internet Data Analysis. Re-
trieved December 11, 2013.

[77] United States Code: Title 18,1030. Fraud and related ac-
tivity in connection with computers | Government Printing
Oce. www.gpo.gov. 2002-10-25. Retrieved 2014-01-
15.

[78] International Action Against DD4BC Cybercriminal

Group. EUROPOL. 12 January 2016.

[79] Computer Misuse Act 1990. legislation.gov.uk The

National Archives, of UK. 10 January 2008.

[80] Anonymous DDoS Petition: Group Calls On White

House To Recognize Distributed Denial Of Service As
Protest.. HungtonPost.com. 2013-01-12.

[81] DDOS Attack: crime or virtual sit-in?". RT.com.

YouTube.com. October 6, 2011.

10 Further reading
Ethan Zuckerman; Hal Roberts; Ryan McGrady;
Jillian York; John Palfrey (December 2011).
Distributed Denial of Service Attacks Against In-
dependent Media and Human Rights Sites (PDF).
 13

12 Text and image sources, contributors, and licenses

12.1 Text
Denial-of-service attack Source: https://en.wikipedia.org/wiki/Denial-of-service_attack?oldid=769107249 Contributors: Magnus
Manske, Derek Ross, Mav, The Anome, RobLa, Mark, Rjstott, Ed Poor, Yooden, PierreAbbat, Edward, Oystein, Michael Hardy, Mdupont,
Ixfd64, Zanimum, Delirium, Looxix~enwiki, Ahoerstemeier, Baylink, Jebba, DropDeadGorgias, Julesd, Marco Krohn, Cyan, Evercat,
Ghewgill, Agtx, Charles Matthews, Timwi, Pablo Mayrgundter, Kbk, Jwrosenzweig, Fuzheado, WhisperToMe, Pedant17, Maximus Rex,
Furrykef, Taxman, Tempshill, Vedge, Thue, Bloodshedder, Mtcv, Olathe, Lothar Kimmeringer~enwiki, Carlossuarez46, Robbot, Fredrik,
Korath, R3m0t, RedWolf, Nurg, Rfc1394, Wikibot, Victor, Lupo, Alanyst, Pengo, Tea2min, David Gerard, Ancheta Wis, Alerante,
Centrx, Ryanrs, Wolfkeeper, HangingCurve, No Guru, Niteowlneils, Carlo.Ierna, Mboverload, Gracefool, Cloud200, Rchandra, Mck-
aysalisbury, SonicAD, Wmahan, Chowbok, Gdm, Antandrus, Beland, Mako098765, Piotrus, Wikimol, Rdsmith4, Gauss, Kigoe, Sam
Hocevar, SamSim, Neutrality, Bluefoxicy, Stereo, Danc, Millisits, Wesha, Johan Elisson, Discospinster, Rich Farmbrough, Oliver Line-
ham, Mani1, Bender235, Andrejj, Violetriga, CanisRufus, Goto, Crukis, Smalljim, Mpeg4codec, Thewrite1, Giraedata, Deryck Chan,
Physicistjedi, Wrs1864, Krellis, Pearle, Alansohn, Godzig, Csabo, CyberSkull, Corporal, Andrewpmk, Echuck215, Lightdarkness, Cia-
ran H, Sligocki, Gblaz, Hu, Snowolf, Wtmitchell, Velella, BanyanTree, Xee, Bsdlogical, Redvers, Ceyockey, Walshga, Kenyon, DarTar,
Gmaxwell, Woohookitty, Mindmatrix, Blackeagle, Peng~enwiki, Pol098, WadeSimMiser, Ocker3, Tckma, Scootey, Rchamberlain, Way-
ward, Prashanthns, Burfdl, Amechad, Graham87, Deltabeignet, Clapaucius, Kakaopor, Kbdank71, Kane5187, Josh Parris, Ketiltrout, Sj,
Rjwilmsi, Friejose, Nneonneo, ElKevbo, Goncalopp, Everton137, Scartol, Bhadani, Andrzej P. Wozniak, Drrngrvy, Alliekins619, Wragge,
FlaBot, VKokielov, Vegardw, Spaceman85, Who, Nivix, RexNL, Revolving Bugbear, RobyWayne, Intgr, Alphachimp, Malhonen, Gr-
eyCat, Chobot, Bwoodring, DVdm, Gwernol, Gimere, Kakurady, Mann Ltd~enwiki, Shaggyjacobs, YurikBot, Splintercellguy, Phantom-
steve, RussBot, Sparky132, RedPen, Gardar Rurak, Hellbus, , Gaius Cornelius, Shaddack, Rsrikanth05, The Cute Philosopher,
NawlinWiki, Robertvan1, RattleMan, Escheel, DavidH, Janarius, Gareth Jones, Catamorphism, Expensivehat, Irishguy, Anetode, Peter
Delmonte, Rmky87, Mikeblas, Juanpdp, Bucketsofg, Nethgirb, BOT-Superzerocool, DeadEyeArrow, Darkfred, Yudiweb, Black Falcon,
Romal, Sierra 1, WAS 4.250, Frankgerlach~enwiki, Delirium of disorder, Wikibert~enwiki, Msuzen, Raistolo, Closedmouth, Arthur Ru-
bin, Fang Aili, Abune, Josh3580, Matt Casey, Sean Whitton, GraemeL, JoanneB, Vicarious, RenamedUser jaskldjslak904, Huds, Viper-
Snake151, SoulSkorpion, GrinBot~enwiki, One, SmackBot, Fireman bi, Unschool, McGeddon, Raven 1959, Freekee, KVDP, Eskimbot,
Edgar181, David Fuchs, Buck O'Nollege, Eiler7, Yamaguchi , Aldor, Gilliam, Brianski, Gorman, Chris the speller, Fintler, Apankrat,
Jcc1, Persian Poet Gal, Thumperward, Snori, Tree Biting Conspiracy, Elecnix, Nbarth, Sunholm, Emurphy42, Zsinj, Rogermw, Frap, Oscar
Bravo, Kaishen~enwiki, OrphanBot, JonHarder, Wiredsoul, Rrburke, Midnightcomm, Artephius, XtAzY, Joemadeus, Shadow1, PPBlais,
Paroxysm, SaintedLegion, Acdx, ElizabethFong, Vina-iwbot~enwiki, Bejnar, Mdavids, Rosarinjroy, Nishkid64, JzG, Kuru, Shadowlynk,
Mgiganteus1, IronGargoyle, Berrick, Slakr, Ro, Dicklyon, Larrymcp, , Romeu, Tuspm, NeoDeGenero, Manifestation, Vashti-
horvat, Kvng, Xionbox, Hu12, Gevron, White Ash, JoeBot, Wjejskenewr, Andrew Hampe, Blehfu, Courcelles, Tawkerbot2, SkyWalker,
Ddcc, CmdrObot, Boborok, Alan Taylor, KyraVixen, N3X15, TheMightyOrb, GHe, Lemmio, WeggeBot, Pgr94, MeekMark, T23c, Dan
Fuhry, Equendil, Cydebot, W.F.Galway, Yehaah~enwiki, Galassi, MC10, Gogo Dodo, Carl Turner, Daenney, Tawkerbot4, Christian75,
Pchachten, Zzsql, Ryanmshea, Omicronpersei8, Click23, Thijs!bot, Edman274, Kubanczyk, Dschrader, Ultimus, Mbell, Loudsox, RLE64,
Marek69, Woody, Bgaurav, JustAGal, Soma mishra, Dawnseeker2000, CTZMSC3, Escarbot, I already forgot, KrakatoaKatie, AntiVan-
dalBot, Yonatan, Widefox, Darklord 205, Oducado, Ross cameron, QuiteUnusual, KP Botany, BenTremblay, DarkAudit, Jayron32, Cin-
namon42, Davken1102, Oddity-, Mightywayne, Asmeurer, Ivan Velikii (2006-2008), MER-C, CosineKitty, Gmd1722, Blackmo, Live-
fastdieold, Hut 8.5, A.hawrylyshen, Geniac, Orpenn, Io Katai, Magioladitis, Ariel@compucall, Trigguh, Bongwarrior, VoABot II, Bradcis,
Sarahj2107, Nyttend, Brusegadi, Fedevela, Bobkeyes, Web-Crawling Stickler, MetsBot, DarkMrFrank, A3nm, DerHexer, Shuini, Gwern,
Stephenchou0722, Mmoneypenny, CliC, Jeannealcid, Rhlitonjua, Anaxial, Keith D, Bemsor, Krimanilo, R'n'B, Joelee.org, RockMFR,
J.delanoy, Skiidoo, Herbythyme, StewE17, Uncle Dick, Jesant13, Eliz81, Duzzyman, Cadence-, Andy5421, Ncmvocalist, Clerks, Crakkpot,
Zedmelon, Silas S. Brown, Naniwako, Goarany, Mysterysociety, Zhouf12, Bushcarrot, Danr2k6, Liveste, JonNiola, Mufka, Cmichael,
KylieTastic, DorganBot, Useight, Steel1943, Signalhead, Lights, Jhalkompwdr, CWii, Butwhatdoiknow, Lexein, Fences and windows,
J-Baptiste, Philip Trueman, Oshwah, Vipinhari, Rei-bot, Anonymous Dissident, Liko81, Warrush, Anna Lincoln, Lradrama, TheJae,
Broadbot, Canaima, LeaveSleaves, UnitedStatesian, Da31989, Haseo9999, Dark Tea, Spartytime, Plreiher, Monty845, Dsarma, Shree
theultimate, DeanC81, Red, Hmwith, Lsi john, Drake144, SieBot, Madman, K. Annoyomous, Klaslop, ToePeu.bot, Dawn Bard, Sephi-
roth storm, Yintan, Alex9788, Softwaredude, Flyer22 Reborn, Xavier6984~enwiki, Bananastalktome, Drennick, Gopher23, Tmaufer, Joey
Eads, Harry the Dirty Dog, La Parka Your Car, Remocrevo, Chri$topher, Rjc34, Raoravikiran, Kortaggio, Denisarona, Atif.t2, Martarius,
Beeblebrox, ClueBot, LAX, NicDumZ, The Thing That Should Not Be, B1atv, Starkiller88, Antisoft, Terryr rodery, Lawrence Cohen,
Keraunoscopia, Jotag14, R000t, Pwitham, SuperHamster, Melgomac, Boing! said Zebedee, PentiumMMX, Trivialist, William Ortiz,
Cwagmire, Swearwolf666, Kitsunegami, Excirial, Jeayman, Filovirus, Wilsone9, Zac439, Rhododendrites, Usbdriver, Mikaey, Muro
Bot, DanielPharos, Jcmcc450, MelonBot, SoxBot III, Egmontaz, Darkicebot, Bearsona, XLinkBot, Arnoldgibson, Rror, Xawieri~enwiki,
WikHead, Findepi, SilvonenBot, Alexius08, Dnvrfantj, Brento1499, IsmaelLuceno, Addbot, Chakkalokesh, Viperdeck PyTh0n, Ramu50,
Mortense, WeatherFug, AlexandrDmitri, Stphnm, Astt100, Msick33, Tothwolf, Totakeke423, Ronhjones, Scientus, CanadianLinuxUser,
Mjsa, Atif0321, O.neill.kid, MrOllie, Mcnaryxc, Ld100, Favonian, ChenzwBot, Getmoreatp, Chicken Quiet, Jasper Deng, Tide rolls, Jar-
ble, Bartledan, Peter AUDEMG, Titi 3bood, Luckas-bot, Yobot, Hagoleshet, Ptbotgourou, Fraggle81, Donfbreed, Ojay123, Becky Sayles,
THEN WHO WAS PHONE?, GateKeeper, MrBlueSky, Echtner, Eric-Wester, Magog the Ogre, Synchronism, AnomieBOT, BlackCatN,
Thexelt, Kristen Eriksen, Deathwiki, Killiondude, Jim1138, IRP, Gascreed, AdjustShift, Ulric1313, Flewis, Materialscientist, Ffrrrr,
Nosperantos, Citation bot, Aneah, Armoraid, ArthurBot, LilHelpa, Xqbot, Addihockey10, Jerey Mall, Melkori, Tad Lincoln, Shulini,
Silversam, Mechanic1c, Karlos77, Life Now, GrouchoBot, Frosted14, Monaarora84, Omnipaedista, MugabeeX, Sophus Bie, TakaGA,
Smallman12q, Shadowjams, SchnitzelMannGreek, Teknopup, Samwb123, Shyish, GliderMaven, FrescoBot, Sandgem Addict, Balth3465,
Galorr, JMS Old Al, Adnan Suomi, Zhangyongmei, Jamesrules90, Fiddler on the green, Drogonov, HamburgerRadio, I dream of horses,
Haneef503, Modamoda, Tom.Reding, Anders K Berggren, Yaltaplace, Fat&Happy, RedBot, BrianHoef, Anonauthor, le ottante, Liber-
atorG, Lineslarge, Blstormo, Randomn1c, Cnwilliams, JackHenryDyson, FoxBot, Trappist the monk, Mwikieditor, Jrmurad, DixonDBot,
Xiphiidae, Demonkill101, Lotje, Lionaneesh, Gazzat5, N-david-l, Dinamik-bot, Toobulkeh, JOptionPane, Allen4names, Adarw, Xitrax,
Merlinsorca, Fastilysock, Gomangoman, Mean as custard, RjwilmsiBot, Ripchip Bot, Bossanoven, Enrico.cambiaso, VernoWhitney, Mch-
copl, J36miles, EmausBot, Mjdtjm, Dewritech, Racerx11, GoingBatty, RA0808, RenamedUser01302013, NotAnonymous0, Qrsdogg,
L235, Solarra, Wikipelli, Dcirovic, K6ka, Euclidthalis, Mz7, OmidPLuS, QuentinUK, John Cline, Daonguyen95, Bongoramsey, Josve05a,
DannyFratella, Finnish Metal, Msamae83, Access Denied, EneMsty12, Wikfr, Whsazdfhnbfxgnh, FinalRapture, Beatles2233, Ivhtbr, Eri-
anna, Maccoat, EricWesBrown, Demiurge1000, TyA, Anne-Caroline~enwiki, Schnoatbrax, Donner60, Ryancarpenter, Jak32797, Pastore
Italy, Zabanio, Teapeat, Kellyk99, Paddingtonbaer, Petrb, ClueBot NG, TT-97976, Gareth Grith-Jones, Manubot, Keegen123, Mel-
14 12 TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES

bourneStar, Satellizer, Permalinks, Joefromrandb, Cogware, Stultiwikia, Lawandtech, Lasoraf, Sunndil, Tejasrnbr, Jormund, 123Hedge-
hog456, O.Koslowski, Vlhsrp, Popo41~enwiki, Widr, Soulcedric, Helpful Pixie Bot, Strike Eagle, BG19bot, Murler, Rpk74 lb, Tragic8,
Vagobot, Fahmedch, Streakydjl, Juro2351, Mleoking, MadHaTTer666, Mfordtln, Lloydus98, Adsf1234, MusikAnimal, Stogers, Kevo1cat,
Mark Arsten, Op47, Rm1271, GGShinobi, Eduart.steiner, Writ Keeper, Jarrodmaddy, Junganghansik, Gtaguy235, Minhal Mehdi, World-
newsinformant, Comfr, Skunk44, BattyBot, Abgelcartel, David.moreno72, AllenZh, RichardMills65, Mdann52, Cathairawr, Tonyxc600,
Cyberbot II, Vinsanity123, Run4health, Chengshuotian, Eb1511, Dwnd4, Superkc, Team Blitz, Iciciliser, Kikue26, Dexbot, K7L, Soledad-
Kabocha, 331dot, TonyJunak, Broadcasterxp, Lugia2453, Spicyitalianmeatball, UNOwenNYC, Ascom99, Jmoss57, Leemon2010, Me,
Myself, and I are Here, Palmbeachguy, Rogr101, JoshuaHall155065, Sid Shadeslayer, Epicgenius, Ashikali1607, Renoldsmartin, Ex-
tremeRobot, HMGamerr, FrigidNinja, Melonkelon, Mbmexpress, JamesMoose, Tentinator, Sngs87, Marchino61, Webhostingtips, John-
hax, Ogh4x, Nodove, DavidLeighEllis, Dwgould, NiuWang, Reacher1989, Ginsuloft, ArmitageAmy, Henrychan123, Jianhui67, Fock-
eWulf FW 190, UY Scuti, Quitesavvy, YellowLawnChair, Akashksunny13, Meteor sandwich yum, Jeremyb-phone, PJone, Dodi 8238, Pvp-
masters, XxWoLfxX115, JNKL, Lordangel101, Kazkade, Monkbot, Noahp15, Lucyloo10, Vieque, Jakupian, Jacobdunn82, Web20DOS,
Muhammadabubakar92, Cph12345, 365adventure, Frogteam, Orthogonal1, MRD2014, Bammie73, BlackCat1978, ApolloLV, Jjsantanna,
Thetechgirl, Sam-the-droid, Cirow, KH-1, Tommate789, ChamithN, Koen2014 7, Matiia, V1n1 paresh, HoustonMade, Flated, Probin-
crux, ThatOneGuyGaming, Lizard Squadrant, JohnZLegand, Delcooper11, Chiranjeev242, Restart32, Jokingrotten, Eslam Yosef, In-
nite Guru, Haroly, Yasuo Miyakawa, Test, Murph9000, Risc64, Hazim116, Tom29739, Lemondoge, Kurousagi, UpsandDowns1234,
Pandamaury, WannaBeEditor, Positronon, Misfoundings, Sharanyanaveen, Doulph88, Gmuenglishclass, JennishFernandis, Harmon758,
InternetArchiveBot, DBZFan30, , For the lols haha, GayAlienZ, DevinP6576, GreenC bot, John Hannibal Smith, Kainweir, Glu-
ons12, Unkown934, Sarraalqahtani, DNS1999, , Franckc2, Dboylolz, Woolw0w, Bender the Bot, Bullaful, FL3SH, Max berlings,
Necabi, Canijustgo, Mdikici4001, Clover100, Jamesede, Djcruz94, Dmtschida, JasonJson, Laurdecl, Nutinmyfactsmydude, Wikiguruman,
Gogogirl77, Shakilbhuiyan.bd, Shreesudhu, Kiernaoneill and Anonymous: 1329

12.2 Images
File:Edit-clear.svg Source: https://upload.wikimedia.org/wikipedia/en/f/f2/Edit-clear.svg License: Public domain Contributors: The
Tango! Desktop Project. Original artist:
The people from the Tango! project. And according to the meta-data in the le, specically: Andreas Nilsson, and Jakub Steiner (although
minimally).
File:Stachledraht_DDos_Attack.svg Source: https://upload.wikimedia.org/wikipedia/commons/3/3f/Stachledraht_DDos_Attack.svg
License: LGPL Contributors: All Crystal icons were posted by the author as LGPL on kde-look Original artist: Everaldo Coelho and
YellowIcon

12.3 Content license

Creative Commons Attribution-Share Alike 3.0