Monday, May 26, 2014

New features in Java 1.8

  •     Lambda expressions
    Remove the Permanent Generation
    Small VM
    Parallel Array Sorting
    Bulk Data Operations for Collections
    Define a standard API for Base64 encoding and decoding
    New Date & Time API
    Provide stronger Password-Based-Encryption (PBE) algorithm implementations in the SunJCE provider

   
    http://ttux.net/post/java-8-new-features-release-performance-code/

Wednesday, May 21, 2014

SOLID

  • SOLID
In computer programming, SOLID (Single responsibility, Open-closed, Liskov substitution, Interface segregation and Dependency inversion) is a mnemonic acronym
The principles when applied together intend to make it more likely that a programmer will create a system that is easy to maintain and extend over time


Single responsibility principle
a class should have only a single responsibility (i.e. only one potential change in the software's specification should be able to affect the specification of the class)
Open/closed principle
“software entities … should be open for extension, but closed for modification.”
Liskov substitution principle
“objects in a program should be replaceable with instances of their subtypes without altering the correctness of that program.
Interface segregation principle
“many client-specific interfaces are better than one general-purpose interface
Dependency inversion principle
one should “Depend upon Abstractions. Do not depend upon concretions.


http://en.wikipedia.org/wiki/SOLID_(object-oriented_design)

Friday, May 9, 2014

IPv5

  • What Happened to IPv5?
IPv5 never became an official protocol.
Internet Stream Protocol (ST) was considered IP version five by industry researchers, but ST was abandoned before ever becoming a standard or widely known as
IPv5
http://stackoverflow.com/questions/4880182/where-did-ipv5-go

  • The Internet Stream Protocol (ST and later ST-II) is a family of experimental protocols first defined in Internet Experiment Note IEN-119
Its second version, known variously as ST-II or ST2, was drafted by Claudio Topolcic and others in 1987 and specified in 1990
ST2 distinguishes its own packets with an Internet Protocol version number 5, although it was never known as IPv5
http://en.wikipedia.org/wiki/Internet_Stream_Protocol

Monday, May 5, 2014

Cost-Benefit Analysis


  • Performing a Cost-Benefit Analysis
Cost-benefit analyses help you to

    Decide whether to undertake a project or decide which of several projects to undertake.

    Frame appropriate project objectives.

    Develop appropriate before and after measures of project success.

    Prepare estimates of the resources required to perform the project work.

Everything gets a dollar value in a cost-benefit analysis
Whenever possible, express benefits and costs in monetary terms to facilitate the assessment of a project’s net value.
Consider costs for all phases of the project. Such costs may be nonrecurring (such as labor, capital investment, and certain operations and services) or recurring (such as changes in personnel, supplies, and materials or maintenance and repair). I


Cost-benefit analysis: Weighing future values today
For example, you may expect to reap benefits for years from a new computer system, but changing technology may make your new system obsolete after only one year.
http://www.dummies.com/how-to/content/performing-a-costbenefit-analysis.html


  • How to Do a Cost Analysis
A cost analysis (also called cost-benefit analysis, or CBA) is a detailed outline of the potential risks and gains of a projected venture.

1 Define your CBA's unit of cost  benefit
CBA measures literal cost in terms of money, but, in cases where money is not an issue, CBAs can measure cost in terms of time, energy usage, and more.

2 Itemize the tangible costs of the intended project.
Costs can be one-time events or ongoing expenses

3 Itemize any and all intangible costs.
Usually, CBAs also take into account a project's intangible demands - things like the time and energy required to complete the project.

4 Itemize the projected benefits.

5 Add up and compare the project's costs and benefits
we determine whether the benefits of our project outweigh the costs

6 Calculate a payback time for the venture

7 Use your CBA to inform your decision about whether to pursue your project
if it's not clear that a project can generate additional profit in the long run or pay for itself in a reasonable amount of time, you will probably want to reconsider the project or even scrap it all together.

Server Form Factors

  • Server Form Factors

form factor refers to the size, shape, and packaging of a hardware device. Server computers typically come in one of three form factors:

Tower case: Most servers are housed in a traditional tower case, similar to the tower cases used for desktop computers.

Rack-mount servers are designed to save space when you need more than a few servers in a confined area. A rack-mount server is housed in a small chassis that’s designed to fit into a standard 19-inch equipment rack. The rack allows you to vertically stack servers in order to save space.

Blade servers: Blade servers are designed to save even more space than rack-mount servers
A blade server is a server on a single card that can be mounted alongside other blade servers in a blade chassis, which itself fits into a standard 19-inch equipment rack. A typical blade chassis holds six or more servers, depending on the manufacturer.
One of the key benefits of blade servers is that you don’t need a separate power supply for each server.
the blade enclosure provides KVM switching so that you don’t have to use a separate KVM switch.
With rack-mount servers, each server requires its own power cable, keyboard cable, video cable, mouse cable, and network cables. With blade servers, a single set of cables can service all the servers in a blade enclosure.v

http://www.dummies.com/how-to/content/network-basics-server-form-factors.html

Total Cost of Ownership

  • Total Cost of Ownership (TCO) is an analysis meant to uncover all the lifetime costs that follow from owning certain kinds of assets. Ownership brings purchase costs, of course, but ownership can also bring costs for installing, deploying, operating, upgrading, and maintaining the same assets. For this reason, TCO is sometimes called life cycle cost analysis. For many kinds of acquisitions, TCO analysis finds a very large difference between purchase price and total long term cost, especially when viewed across a long ownership period.

1. Obvious costs in TCO analysis
Obvious costs in TCO are the costs familiar to everyone involved during planning and vendor selection, such as:

    Purchase cost:  The actual price paid.
    Maintenance costs: warranty costs, maintenance labor, contracted maintenance services or other service contracts
  
2. Hidden costs in TCO analysis

The so-called hidden costs are the less obvious cost consequences that are easy to overlook or omit from acquisition decisions

    Acquisition costs: the costs of identifying, selecting, ordering, receiving, inventorying, or paying for something.
    Upgrade / Enhancement / Refurbishing costs.
    Reconfiguration costs.
    Set up / Deployment costs: costs of configuring space, transporting, installing, setting up, integrating with other assets, outside services.
    Operating costs: for example, human (operator) labor, or energy/fuel costs.
    Change management: costs:  for example, costs of user orientation, user training, workflow/process change design and implementation.
    Infrastructure support costs:  for example, costs brought by the acquisition for heating/cooling, lighting,  or IT support.
    Environmental impact costs: for example, costs of waste disposal/clean up, or pollution control, or the costs of environmental impact compliance reporting.
    Insurance costs.
    Security costs:
        Physical security, for example, security additions for a building, including new locks, secure entry doors, closed circuit television, and security guard services.
        Electronic security, for example, security software applications or systems, offsite data backup, disaster recovery services, etc.
    Financing costs: for example, loan interest and loan origination fees.
    Disposal / Decommission costs.
    Depreciation expense tax savings (a negative cost).
http://www.business-case-analysis.com/total-cost-of-ownership.html

open hardware

  • The servers themselves are 1.5U high, half again as high as the normal 1-U rack, Facebook executives said. That allows Facebook to build more space in the racks for cooling; the company used 60-mm fans to move more air with less power, they said. The racks are built on shelves, so they can be easily serviced.
Richard Fichera, an analyst at Forrester, claimed that the servers are divide into two categories: the Web tier, a high-power server that uses dual-socket, 8-core Xeon X5650 chips; and the Memcache tier, which uses less CPU, and more memory, and incorporates 8-core "Magny Cours" AMD processors, he said in a blog post. Each server can have up to 6 local disks.
The power supplies are more than 93 percent efficient, almost heard of in an industry where 90 percent efficiency is considered outstanding. For backup power, they use a modular 48V DC battery backup unit that supplies up to six servers through a DC-DC converter in each server. Each battery is connected via the network, so that the Facebook IT managers can monitor the health of the system.
http://www.pcmag.com/article2/0,2817,2383283,00.asp

  • Why Open Hardware?
By releasing Open Compute Project technologies as open hardware, our goal is to develop servers and data centers following the model traditionally associated with open source software projects.
http://www.opencompute.org/

blade servers

  • A server architecture that houses multiple server modules ("blades") in a single chassis.
It is widely used in datacenters to save space and improve system management
Either self-standing or rack mounted, the chassis provides the power supply, and each blade has its own CPU, memory and hard disk

Diskless Blades
With enterprise-class blade servers, disk storage is external, and the blades are diskless.
This approach allows for more efficient failover because applications are not tied to specific hardware and a particular instance of the operating system.
The blades are anonymous and interchangeable
http://www.answers.com/topic/blade-server

  • The Next Evolution of the Blade Server – External I/O Expansion




  • Blade System Series Part-1
Chassis:- Consider this as a empty box with 8 to 10 unit in height which is the building block of the entire system.
BackPlane :- This component is assembled inside the chassis to provide high speed IO (input/output) path to Blade Server via I/O Bays.
Bays :- Consider this as a slot  where you can install blades. Bays can be customized to allow full/Half height blades installation or Mixture of both.
I/O Interconnect Bays :- These are again empty slots where you can install switches (Fiber or Ethernet) to connect Blade Servers with external Fiber or Ethernet networks. unlike rack servers which connects directly to Fiber or Ethernet network. Blade servers connects with High speed BackPlanes  which further connects with I/O Bays - and the switches installed inside I/O bays would allow further connectivity.
Blades:- Well, its the actual compute power which you install in bays. The reason they are called blades is because its highly dense in form factor and takes very less space

Having Management Module and I/O switches in every chassis increases Management as well as cabling that's why Cisco splits Management Module & I/O switches from the chassis
This design increases efficiency by sharing I/O switches with multiple chassis , which is not possible when switches are mounted inside the chassis. so lets understand this design with examples.
http://panksthought.blogspot.com.tr/2012/09/blade-system-series-part-1.html


  • Blade System Series Part-2
Cisco UCS (Unified Computing System)
Having Management Module and I/O switches in every chassis increases Management as well as cabling that's why Cisco splits Management Module & I/O switches from the chassis

http://panksthought.blogspot.com.tr/2012/09/blade-system-series-part-2.html

Sunday, May 4, 2014

Bitcoin

  • Bitcoin
Bitcoin is a peer-to-peer payment system introduced as open source software in 2009 by developer Satoshi Nakamoto
The digital currency created and used in the system is also called bitcoin and is alternatively referred to as a virtual currency, electronic money, or cryptocurrency

Bitcoins are created as a reward for payment processing work in which users who offer their computing power verify and record payments into a public ledger
Called mining, individuals engage in this activity in exchange for transaction fees and newly minted bitcoins
Besides mining, bitcoins can be obtained in exchange for other currencies, products, and services.
Users can buy, send, and receive bitcoins electronically for a nominal fee using wallet software on a personal computer, mobile device, or a web application.
http://en.wikipedia.org/wiki/Bitcoin


  • Bitcoin
Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network.
Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part
https://bitcoin.org/en/

  • Bitcoin network
The Bitcoin network is a peer-to-peer payment network that operates on a cryptographic protocol. Users send bitcoins, the unit of currency, by broadcasting digitally signed messages to the network using Bitcoin wallet software.
Transactions are recorded into a distributed public database known as the block chain, with consensus achieved by a proof-of-work system called "mining".
The block chain is distributed internationally using peer-to-peer filesharing technology similar to BitTorrent
The protocol was designed in 2008 and released in 2009 as open source software by "Satoshi Nakamoto", the pseudonym of the original developer or group of developers.
The network timestamps transactions by including them in blocks that form an ongoing chain called the block chain
Such blocks cannot be changed without redoing the work that was required to create each block since the modified block.    
The longest chain serves not only as proof of the sequence of events but also records that this sequence of events was verified by a majority of the Bitcoin network's computing power

Bitcoin mining
To form a distributed timestamp server as a peer-to-peer network, Bitcoin uses a proof-of-work system similar to Adam Back's Hashcash and the internet rather than newspaper or Usenet posts.
The work in this system is what is often referred to as Bitcoin mining.
The mining process involves scanning for a value that when hashed twice with SHA-256, begins with a number of zero bits. While the average work required increases exponentially with the number of leading zero bits required, a hash can always be verified by executing a single round of double SHA-256

Timestamps
The Bitcoin specification starts with the concept of a distributed timestamp server
A timestamp server works by taking a SHA256 hash function of some data and widely publishing the hash
The timestamp proves that the data must have existed at the time, in order to produce the hash
For Bitcoin, each timestamp includes the previous timestamp hash as input for its own hash
This dependency of one hash on another is what forms a chain, with each additional timestamp providing evidence that each of the previous timestamp hashes existed.

http://en.wikipedia.org/wiki/Bitcoin_mining#Bitcoin_mining

  • Namecoin
Namecoin is a cryptocurrency which also acts as an alternative, decentralized DNS, which would avoid domain name censorship by making a new top level domain outside of ICANN control, and in turn, make internet censorship much more difficult, as well as reduce outages.
http://en.wikipedia.org/wiki/Namecoin


  • fiat money
Fiat money is money that derives its value from government regulation or law

fiat currency
The term fiat currency is used when a fiat money is used as the main currency of the country.

The Nixon Shock of 1971 ended the convertibility of the United States dollar to gold. Since then, all reserve currencies have been fiat currencies, including the U.S. dollar and the Euro

A central bank typically introduces new money into circulation in the economy by purchasing financial assets or lending money to financial institutions
Commercial banks then multiply this base money by credit creation through fractional reserve banking, which expands the total supply of broad money (cash plus demand deposits). The amount of money in circulation is reduced by the opposite process. The value of fiat currencies is influenced by monetary policy

Fractional reserve banking
Fractional-reserve banking is the practice whereby a bank holds reserves in an amount equal to only a portion of the amount of its customers' deposits to satisfy potential demands for withdrawals. Reserves are held at the bank as currency, or as deposits reflected in the bank's accounts at the central bank.

Demand deposit
Demand deposits, bank money or scriptural money are funds held in demand deposit accounts in commercial banks.
These account balances are usually considered money and form the greater part of the narrowly defined money supply of a country

Exorbitant privilege
The term exorbitant privilege refers to the alleged benefit the United States has due to its own currency (i.e., the US dollar) being the international reserve currency.
Accordingly, the US would not face a balance of payments crisis, because it purchased imports in its own currency

Reserve currency
A reserve currency (or anchor currency) is a currency that is held in significant quantities by governments and institutions as part of their foreign exchange reserves, and that is commonly used in international transactions.
Persons who live in a country that issues a reserve currency can purchase imports and borrow across borders more cheaply than persons in other nations because they need not exchange their currency to do so.
As of 2014 the United States dollar is the world's reserve currency, and the world's need for dollars has allowed the United States government as well as Americans to borrow at lower costs, granting them an advantage in excess of $100 billion per year

hyperinflation
hyperinflation occurs when a country experiences very high and usually accelerating rates of monetary and price inflation, causing the population to minimize their holdings of money.
Hyperinflation is often associated with wars, their aftermath, sociopolitical upheavals, or other crises that make it difficult for the government to tax the population, as a sudden and sharp decrease in tax revenue coupled with a strong effort to maintain the status quo can be a direct trigger of hyperinflation.
http://en.wikipedia.org/wiki/Fiat_money

ICANN

  • ICANN
The Internet Corporation for Assigned Names and Numbers  is a nonprofit organization that coordinates the Internet's global domain name system.
The Internet Assigned Numbers Authority (IANA) is a department of ICANN responsible for managing the DNS Root and the numbering system for IP addresses.
http://en.wikipedia.org/wiki/ICANN

Proof-of-work

  • Proof-of-work
A proof-of-work (POW) system (or protocol, or function) is an economic measure to deter denial of service attacks and other service abuses such as spam on a network by requiring some work from the service requester, usually meaning processing time by a computer

A key feature of these schemes is their asymmetry: the work must be moderately hard (but feasible) on the requester side but easy to check for the service provider. This idea is also known as a CPU cost function, client puzzle, computational puzzle or CPU pricing function. It is distinct from a CAPTCHA, which is intended for a human to solve quickly, rather than a computer

http://en.wikipedia.org/wiki/Proof-of-work
  • Hashcash
Hashcash is a proof-of-work system designed to limit email spam and denial-of-service attacks.
Hashcash is a method of adding a textual stamp to the header of an email to prove the sender has expended a modest amount of CPU time calculating the stamp prior to sending the email
In other words, as the sender has taken a certain amount of time to generate the stamp and send the email, it is unlikely that they are a spammer
The receiver can, at negligible computational cost, verify that the stamp is valid

The theory is that spammers, whose business model relies on their ability to send large numbers of emails with very little cost per message, cannot afford this investment into each individual piece of spam they send. Receivers can verify whether a sender made such an investment and use the results to help filter email.

http://en.wikipedia.org/wiki/Hashcash

Denial of Service attack

  • Layer 7 DDoS attack (L7 DDoS attack)
  • Layer 7 DDoS attacks are some of the most difficult attacks to mitigate against because they mimic human behavior as they interact with the user interface. For example, some types of Layer 7 DDoS attacks will target website elements, like your logo or a button, and repeatedly download resources hoping to exhaust the server.

    Here are some of the ways to stop a DDoS attack:
        Block spoofed TCP attacks before they enter your network.
        Don’t let dark address packets pass your perimeter.
        Block unused protocols and ports.
        Limit the number of access per second per source IP.
        Limit numbers of concurrent connections per source IP.
        Filter foreign TCP packets.
        Do not forward packets with header anomalies.
        Monitor self-similarity in traffic.
        Keep unwanted guests away.
        Use specialized DDoS mitigation equipment.


    http://ddosattackprotection.org/blog/layer-7-ddos-attack/

    • To understand what a layer 7 DDoS attack is you must first understand what is meant by the application layer.
    There are seven layers in total, each fulfilling its own purpose in a connected networking framework called the Open System Interconnection Model. The short version being referred to as the OSI Model.
    http://ddosattackprotection.org/blog/wp-content/uploads/2013/12/OSI-Model.jpg

    the breakdown of the function of each layer
    http://ddosattackprotection.org/blog/wp-content/uploads/2013/12/OSI-Layer-Functions.jpg


    • There are three types of DDoS attacks
    Layer 3 / 4 DDoS attacks
    The majority of DDoS attacks focus on targeting the transport and network layers. These types of attacks are usually comprised of volumetric attacks that aim to overwhelm the target machine, denying or consuming resources until the server goes offline. In these types of DDoS attacks, malicious traffic (TCP / UDP) is used to flood the victim. Taking it one step further, these attacks also drive to saturate the entire network with malicious traffic until it is rendered temporarily obsolete. While these types of attacks can be a disruptive force for businesses, once the attack ceases or has been mitigated, there is no lasting damage.
    http://ddosattackprotection.org/blog/layer-7-ddos-attack/

    • Types of DDoS Attacks
    Websites are vulnerable to DDoS because of the way machines communicate online.

    SYN Flood
    UDP Flood
    Reflected Attack
    Nuke
    Slowloris
    Peer-to-Peer Attacks
    Unintentional DDoS
    Degradation of Service Attacks
    Application Level Attacks
    Multi-Vector Attacks
    Zero Day DDoS

    http://ddosattackprotection.org/blog/types-of-ddos-attacks/



    • Layer 4 vs Layer 7 DoS Attack

    A Layer 7 DoS attack is often perpetrated through the use of HTTP GET. This means that the 3-way TCP handshake has been completed, thus fooling devices and solutions which are only examining layer 4 and TCP communications. The attacker looks like a legitimate connection and is therefore passed on to the web or application server. At that point, the attacker begins requesting large numbers of files/objects using HTTP GET.


    When rate-limiting was used to stop this type of attack, the bad guys moved to use a distributed system of bots (zombies) to ensure that the requests (attack) was coming from myriad IP addresses and was therefore not only more difficult to detect, but more difficult to stop. The attacker uses malware and trojans to deposit a bot on servers and clients, and then remotely includes them in his attack by instructing the bots to request a list of objects from a specific site or server. The attacker might not use bots but instead might gather enough evil friends to launch an attack against a site that has annoyed them for some reason.

    Layer 7 DoS attacks are more difficult to detect because the TCP connection is valid and so are the requests. The trick is to realize when there are multiple clients requesting large numbers of objects at the same time and to recognize that it is, in fact, an attack.

    Defending against Layer 7 DoS attacks usually involves some sort of rate-shaping algorithm that watches clients and ensures that they request no more than a configurable number of objects per time period, usually measured in seconds or minutes. If the client requests more than the configurable number, the client's IP address is blacklisted for a specified time period and subsequent requests are denied until the address has been freed from the blacklist.
    https://devcentral.f5.com/articles/layer-4-vs-layer-7-dos-attack


    • these types of DDoS attacks require less bandwidth to take the site down and are harder to detect and block.
    To be more exact, he was getting 5,233 HTTP requests every single second. From different IP addresses around the world. The client’s website was built on WordPress. The uniqueness of the requests was bypassing the caching system, forcing the system to render and respond to every request.
    here is a quick geographic distribution of the IP’s hitting the site. This is for 1 second in the attack. Yes, every second these IP’s were changing.

    By default, they were not passing our anomaly check, causing the requests to get blocked at the firewall. One of the many anomalies we look for are valid user agents, and if you look carefully you see that the requests didn’t have one. Hopefully, you’ll also notice that the referrers were dynamic and the packets were the same size, another very interesting signature. This triggered one of our rules, and within minutes his site was back and the attack blocked.

    After we blocked the original requests and banned the IP addresses involved, everything went quiet, at least for a day. In less than 24 hours though, the attacks resumed with a higher intensity. Remember the caching bypass discussion above? Well, it happened again, and this time it wasn’t blocked automatically as it was operating as a wolf in sheep’s skin.

    What the logs show us is that the attack was doing random searches for dictionary keywords (eg: news, gov, faith, etc ). This time they were using a valid browser (Firefox, Chrome, Safari, etc), user agents, and a valid referrer.

    You see, they were leveraging normal user search habits. How do you block valid search requests without blocking valid users?
    we noticed another anomaly, or what we’d classify as a signature in the new DDoS pattern. The attacker was rotating IP’s within a few seconds of each other, rotating referrers and user agents, all the while performing search requests. Finally, something we could build a rule for, thanks for that. Now each time we see the same IP with a different user agent/referrer within a small period of time, we’re able to block access. Within minutes, the attack was contained.

    How we’re able to do this comes down to the technology around our Website Firewall. Just in the block list created by our log correlation tool, we banned 9,673 IP Addresses in the first few hours. During the following days, the list grew to almost 40,000 different IP addresses. That’s quite a respectable botnet.

    https://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html


    • DDoS  Quick Guide
    Attack Possibilities by OSI Layer
    possible DDoS Traffic Types

    Some DDoS Mitigation Actions and Hardware

    Stateful inspection firewalls
    Stateful SYN Proxy Mechanisms
    Limiting the number of SYNs per second per IP
    Limiting the number of SYNs per second per destination IP
    Set ICMP flood SCREEN settings (thresholds) in the firewall
    Set UDP flood SCREEN settings (thresholds) in the firewall
    Rate limit routers adjacent to the firewall and network
    https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf


    • a valuable part of a DDoS attack mitigation solution. These features address a DDoS attack both by regulating the incoming traffic and by controlling the traffic as it is proxied to backend servers. It’s important not to assume that this traffic pattern always represents a DDoS attack. The use of forwarding proxies can also create this pattern because the forward proxy server’s IP address is used as the client address for requests from all the real clients it serves. However, the number of connections and requests from a forward proxy is typically much lower than in a DDoS attack


        Because the traffic is generated by bots and is meant to overwhelm the server, the rate of traffic is much higher than a human user can generate.
        The User‑Agent header is sometimes set to a non‑standard value.
        The Referer header is sometimes set to a value you can associate with the attack.

    https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/


    • Layer 7 HTTP/HTTPS attacks. Hoping to exhaust the server, the attackers flooded the target organization with a large number of HTTPS GET/POST requests using the following methods, amongst others:

        Basic HTTP Floods: Requests for URLs with an old version of HTTP no longer used by the latest browsers or proxies
        WordPress Floods: WordPress pingback attacks where the requests bypassed all caching by including a random number in the URL to make each request appear unique
        Randomized HTTP Floods: Requests for random URLs that do not exist – for example, if example.com is the valid URL, the attackers were abusing this by requesting pages like www.example.com/loc id=12345, etc.

    https://blog.verisign.com/security/defending-against-layer-7-ddos-attacks/

    • The challenge with a Layer 7 DDoS attack lies in the ability to distinguish human traffic from bot traffic. Layer 7 attacks continue to grow in complexity with ever-changing attack signatures and patterns, organizations and DDoS mitigation providers will need to have a dynamic mitigation strategy in place. Layer 7 visibility along with proactive monitoring and advanced alerting are critical to effectively defend against increasing Layer 7 threats.
    https://blog.verisign.com/security/defending-against-layer-7-ddos-attacks/



    • a stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. 

    The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall.
    • https://en.wikipedia.org/wiki/Stateful_firewall


    • How a Stateful Firewall Works


    The stateful firewall spends most of its cycles examining packet information in Layer 4 (transport) and lower. However, it also offers more advanced inspection capabilities by targeting vital packets for Layer 7 (application) examination, such as the packet that initializes a connection. If the inspected packet matches an existing firewall rule that permits it, the packet is passed and an entry is added to the state table. From that point forward, because the packets in that particular communication session match an existing state table entry, they are allowed access without a call for further application layer inspection. Those packets only need to have their Layer 3 and 4 information (IP address and TCP/UDP port number) verified against the information stored in the state table to confirm that they are indeed part of the current exchange. This method increases overall firewall performance (versus proxy-type systems, which examine all packets) because only initiating packets need to be unencapsulated the whole way to the application layer.

    Conversely, because these firewalls use such filtering techniques, they don't consider the application layer commands for the entire communications session, as a proxy firewall would. This equates to an inability to really control sessions based on application-level traffic, making it a less secure alternative to a proxy.
    http://www.informit.com/articles/article.aspx?p=373120


  • Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection is used to flood targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.

DDoS attacks can be broadly divided into three types:

Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (Bps).

Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in Packets per second.

Application Layer Attacks
Includes Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in Requests per second.


Specific DDoS Attacks Types

Some specific and particularly popular and dangerous types of DDoS attacks include:
UDP Flood

This DDoS attack leverages the User Datagram Protocol (UDP), a sessionless networking protocol. This type of attack floods random ports on a remote host with numerous UDP packets, causing the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP Destination Unreachable packet. This process saps host resources, and can ultimately lead to inaccessibility.
ICMP (Ping) Flood

Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.
SYN Flood

A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for an acknowledgment for each of the requests, binding resources until no new connections can be made, and ultimately resulting in a denial of service.
Ping of Death

A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum frame size - for example, 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing a denial of service for legitimate packets.
Slowloris

Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool and leads to a denial of additional connections from legitimate clients.
Zero-day DDoS

“Zero-day” are simply unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading Zero-day vulnerabilities has become a popular activity.


http://www.incapsula.com/ddos/ddos-attacks/



  • Denial-of-service attack

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
It generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Methods of attack
There are two general forms of DoS attacks: those that crash services and those that flood services.


A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:
    Consumption of computational resources, such as bandwidth, disk space, or processor time.
    Disruption of configuration information, such as routing information.
    Disruption of state information, such as unsolicited resetting of TCP sessions.
    Disruption of physical network components.
    Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:
    Max out the processor's usage, preventing any work from occurring.
    Trigger errors in the microcode of the machine.
    Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
    Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished or it can crash the system itself
    Crash the operating system itself.


Methods of attack of Denial-of-service attack

ICMP flood
A smurf attack is one particular variant of a flooding DoS attack on the public Internet
Ping of death is based on sending the victim a malformed ping packet, which might lead to a system crash.
Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command from unix-like hosts

(S)SYN flood
A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address

Teardrop attacks
A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine.

Low-rate Denial-of-Service attacks
The Low-rate DoS (LDoS) attack exploits TCP’s slow-time-scale dynamics of retransmission time-out (RTO) mechanisms to reduce TCP throughput

Peer-to-peer attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks.

Asymmetry of resource utilization in starvation attacks
An attack which is successful in consuming resources on the victim computer

Permanent denial-of-service attacks
A permanent denial-of-service (PDoS), also known loosely as flashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware

Application-level floods
Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.

Nuke
A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.

R-U-Dead-Yet? (RUDY)
This attack is one of many web application DoS tools available to directly attack web applications by starvation of available sessions on the web server.

Slow Read attack
Slow Read attack sends legitimate application layer requests but reads responses very slowly, thus trying to exhaust server's connection pool

Distributed attack
A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. This is the result of multiple compromised systems (for example a botnet) flooding the targeted system(s) with traffic. When a server is overloaded with connections, new connections can no longer be accepted

Reflected / Spoofed attack
A distributed reflected denial of service attack (DRDoS) involves sending forged requests of some type to a very large number of computers that will reply to the requests.

Unintentional denial of service
This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story

Denial-of-Service Level II
In case of distributed attack or IP header modification (that depends on the kind of security behavior) it will fully block the attacked network from the Internet, but without system crash.
https://en.wikipedia.org/wiki/Denial-of-service_attack

  • DDoS mitigation
DDoS mitigation is a set of techniques for resisting distributed denial of service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks
This is done by passing network traffic addressed to the attacked network through high-capacity networks with "traffic scrubbing" filters
DDoS mitigation requires correctly identifying incoming traffic to separate human traffic from human-like bots and hijacked browsers
The process is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, http headers, and Javascript footprints
http://en.wikipedia.org/wiki/DDoS_mitigation

  • DDoS mitigation techniques

dark address prevention
white/black list
granular rate limiting
anomaly recognition
active verification
dynamic filtering
source rate limiting
aggressive aging
connection limiting
syn proxy


  • LOIC (Low Orbit Ion Cannon)
Low Orbit Ion Cannon (LOIC) was originally developed by Praetox Technologies as an open-source network stress testing tool. It allowed developers to subject their servers to heavy network traffic loads for diagnostic purposes, but it has since been modified in the public domain through various updates and been widely used by Anonymous as a DDoS tool.
The IRC-based “Hive Mind” mode enables a LOIC user to connect his or her copy of LOIC to an IRC channel in order to receive a target and other attack parameters via an IRC topic message. Using many copies of LOIC running in Hive Mind mode across many computers, a third party such as the “hacktivist” group Anonymous can take control of each copy of LOIC simultaneously.
http://security.radware.com/knowledge-center/DDoSPedia/loic-low-orbit-ion-cannon/





  • IP Flood
IP flooding occurs when a computer hacker floods your computer with information through your network connection and IP address. This uses up your network bandwidth and disables you from your online activities. To recover from being IP flooded, request a new IP address from your Internet Service Provider and manually configure your network connection.

  • The above scan by nmap is highly reliable, but its drawback is that it's also easily detectable. Nearly every system admin will know that you're scanning their network as it creates a full TCP connection, and this is logged with your IP address in the log files.
Nmap can also be an excellent denial of service (DOS) tool. If several individuals all send packets from nmap at a target simultaneously at high speed (nmap "insane" speed or -T5), they're likely to overwhelm the target and it will be unable to process new website requests effectively, rendering it useless.
https://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-active-reconnaissance-and-dos-attacks-with-nmap-0146950


  • How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address.
Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server
For attackers the monlist query is a great reconnaissance tool
For a localized NTP server it can help to build a network profile.
as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic
Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module.

[root@server ~]# ntpdc -c monlist [hostname]
https://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks


  • Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
http://tools.kali.org/web-applications/skipfish

  • What’s a DoS attack, what’s a DDoS attack and what’s the difference?
A DoS attack is a denial of service attack where a computer is used to flood a server with TCP and UDP packets. A DDoS attack is where multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations.
https://www.comparitech.com/net-admin/dos-vs-ddos-attacks-differences-prevention/#:~:text=A%20DoS%20attack%20is%20a,with%20packets%20from%20multiple%20locations.