Denial-of-service attack
==={{visible anchor|Distributed DoS|Distributed_attack}}===
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the [[Bandwidth (computing)|bandwidth]] or resources of a targeted system, usually one or more web servers.<ref name="Taghavi Zargar 2046–2069"/> A DDoS attack uses more than one unique IP address or machine, often from thousands of hosts infected with [[malware]].<ref>{{cite book | last1=Amiri | first1=I.S. | last2=Soltanian | first2=M.R.K. | title=Theoretical and Experimental Methods for Defending Against DDoS Attacks | publisher=Syngress | year=2015 | isbn=978-0-12-805399-7}}</ref><ref>{{cite news|title=Has Your Website Been Bitten By a Zombie?|url=http://blog.cloudbric.com/2015/08/has-your-website-been-bitten-by-zombie.html|access-date=15 September 2015|agency=Cloudbric|date=3 August 2015}}</ref> A distributed denial-of-service attack typically involves more than around 3–5 nodes on different networks; an attack from fewer nodes may qualify as a DoS attack but is not a DDoS attack.<ref name="Infosec7Layer"/><ref>{{cite book | last =Raghavan | first =S.V. | title =An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks | publisher =Springer | date =2011 | isbn =9788132202776}}</ref>

Multiple attack machines can generate more attack traffic than a single machine and are harder to disable, and the behavior of each attack machine can be stealthier, making the attack harder to track and shut down. Since the incoming traffic flooding the victim originates from different sources, it may be impossible to stop the attack simply by using [[ingress filtering]]. It is also difficult to distinguish legitimate user traffic from attack traffic when the latter is spread across multiple points of origin. As an alternative to or augmentation of a DDoS, attacks may involve forging IP sender addresses ([[IP address spoofing]]), further complicating identification and defeat of the attack.

These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.{{Citation needed|date=April 2024}}

The scale of DDoS attacks has continued to rise over recent years, by 2016 exceeding a [[terabit per second]].<ref name="Goodin">{{cite web|last=Goodin |first=Dan |date=28 September 2016 |title=Record-breaking DDoS reportedly delivered by >145k hacked cameras |website=Ars Technica |url=https://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/ |archive-url=https://web.archive.org/web/20161002000235/http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/ |archive-date=2 October 2016 |url-status=live}}</ref><ref>{{Cite web |url=https://thehackernews.com/2016/09/ddos-attack-iot.html |title=World's largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices |last=Khandelwal |first=Swati |date=26 September 2016 |publisher=The Hacker News |archive-url=https://web.archive.org/web/20160930031903/https://thehackernews.com/2016/09/ddos-attack-iot.html |archive-date=30 September 2016 |url-status=live }}</ref> Some common examples of DDoS attacks are [[UDP flood attack|UDP flooding]], [[SYN flooding]] and [[#Amplification|DNS amplification]].<ref>{{Cite book|title=DDoS attacks : evolution, detection, prevention, reaction, and tolerance| last1=Bhattacharyya | first1=Dhruba Kumar | last2=Kalita | first2=Jugal Kumar|author2-link= Jugal Kalita |isbn=9781498729659|location=Boca Raton, FL| publisher=CRC Press|oclc=948286117|date = 2016-04-27}}</ref><ref>{{cite web |title=Imperva, Global DDoS Threat Landscape, 2019 Report |url=https://www.imperva.com/resources/reports/Imperva_DDOS_Report_20200131.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.imperva.com/resources/reports/Imperva_DDOS_Report_20200131.pdf |archive-date=2022-10-09 |url-status=live |website=Imperva.com |publisher=[[Imperva]] |access-date=4 May 2020}}</ref>

====Yo-yo attack====
A '''[[yo-yo]]''' attack is a specific type of DoS/DDoS aimed at [[cloud-hosted]] applications which use [[autoscaling]].<ref>{{cite journal |url=https://dl.acm.org/doi/10.1145/2829988.2790017 |title=Yo-Yo Attack: Vulnerability In Auto-scaling Mechanism |journal=ACM SIGCOMM Computer Communication Review |date=17 August 2015 |volume=45 |issue=4 |pages=103–104 |doi=10.1145/2829988.2790017 |last1=Sides |first1=Mor |last2=Bremler-Barr |first2=Anat |author-link2=Anat Bremler-Barr |last3=Rosensweig |first3=Elisha}}</ref><ref>{{cite book |title=Proceedings of the 11th International Conference on Cloud Computing and Services Science |chapter=Kubernetes Autoscaling: Yo ''Yo'' Attack Vulnerability and Mitigation |year=2021 |doi=10.5220/0010397900340044 |arxiv=2105.00542 |last1=Barr |first1=Anat |last2=Ben David |first2=Ronen |pages=34–44 |isbn=978-989-758-510-4 |s2cid=233482002}}</ref><ref>{{cite journal |title=Towards Yo-Yo attack mitigation in cloud auto-scaling mechanism |year=2020 |doi=10.1016/j.dcan.2019.07.002 |last1=Xu |first1=Xiaoqiong |last2=Li |first2=Jin |last3=Yu |first3=Hongfang |last4=Luo |first4=Long |last5=Wei |first5=Xuetao |last6=Sun |first6=Gang |journal=Digital Communications and Networks |volume=6 |issue=3 |pages=369–376 |s2cid=208093679 |doi-access=free}}</ref> The attacker generates a flood of traffic until a cloud-hosted service scales outwards to handle the increase of traffic, then halts the attack, leaving the victim with over-provisioned resources. When the victim scales back down, the attack resumes, causing resources to scale back up again.
This can result in a reduced quality of service during the periods of scaling up and down and a financial drain on resources during periods of over-provisioning. The attacker operates at a lower cost than in a normal DDoS attack, as it only needs to be generating traffic for a portion of the attack period.
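
The scale-out and scale-in cycle described above leaves a recognisable trace in autoscaler telemetry. The following added example (not part of the article or its sources) counts full cycles and the replica-minutes paid for but not needed; the per-replica capacity, the thresholds and both sample traces are constructed assumptions.

```python
import math
from dataclasses import dataclass

RPS_PER_REPLICA = 100.0  # assumed capacity of one replica (not from the article)

@dataclass
class Sample:
    minute: int     # minutes since the start of the window
    replicas: int   # instances running from this minute until the next sample
    rps: float      # request rate over the same interval

def needed(rps, floor):
    """Replicas the load actually requires, never below the configured floor."""
    return max(floor, math.ceil(rps / RPS_PER_REPLICA))

def analyse(samples, floor=2, min_cycles=3):
    """Summarise scale-out/scale-in cycles and the capacity paid for but unused."""
    cycles = wasted = busy = 0
    scaled_out = False
    for prev, cur in zip(samples, samples[1:]):
        span = cur.minute - prev.minute
        wasted += max(0, prev.replicas - needed(prev.rps, floor)) * span
        if needed(prev.rps, floor) > floor:
            busy += span                      # load really exceeded the floor
        if cur.replicas > prev.replicas:
            scaled_out = True
        elif scaled_out and cur.replicas <= floor:
            cycles += 1                       # full trip: out, then back to floor
            scaled_out = False
    total = samples[-1].minute - samples[0].minute
    return {"cycles": cycles, "wasted_replica_minutes": wasted,
            "busy_fraction": busy / total, "suspicious": cycles >= min_cycles}

def constructed_yoyo():
    """Constructed telemetry: three 5-minute bursts, each followed by scale-in."""
    out = []
    for off in (0, 20, 40):
        out += [Sample(off, 2, 900), Sample(off + 3, 10, 900),
                Sample(off + 5, 10, 50), Sample(off + 15, 2, 50)]
    return out + [Sample(60, 2, 50)]

def constructed_organic():
    """Constructed telemetry: one sustained rise in demand, then one scale-in."""
    return [Sample(0, 2, 100), Sample(10, 5, 450),
            Sample(50, 5, 450), Sample(60, 2, 100)]

if __name__ == "__main__":
    print("yo-yo  :", analyse(constructed_yoyo()))
    print("organic:", analyse(constructed_organic()))
```

In the constructed yo-yo trace the load exceeds the floor for only a quarter of the hour, yet most of the extra capacity is billed while idle; the cycle count is a heuristic and needs tuning against a service's normal daily pattern.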