This table lists all the valid values for the `attackTypeName` parameter:
Attack type | Description |
---|---|
ACK Flood | The attacker sends a large number of TCP ACK packets towards a target, often one specific port. |
CLDAP Reflection | Connectionless LDAP reflection is a form of UDP reflection attack. Multiple different servers send responses from the well-known port 389 to the victim's IP address. The amplification factor for this kind of attack is 46 to 55. |
CharGEN Attack | CharGEN is a character generation protocol that listens on port 19 over TCP or UDP and often has UDP fragments produced as a byproduct. Processing these fragments can overwhelm the system and lead to a denial of service. |
Connection Flood | This attack is also known as a TCP connection flood because it attempts to occupy all possible TCP connections on a server. By flooding the server with requests for new connections, the attack prevents legitimate requests from being established and served. |
DNS Flood | This attack type can have one of two forms. DNS Amplification Attack: a type of reflection attack in which an attacker delivers traffic to the victim by reflecting it off of a third party to conceal the origin of the attack from the victim. In most cases it comes with a UDP Fragment Attack as a result of amplification. A DNS request of 60 bytes can be configured to elicit a response message of over 4000 bytes, resulting in a "x70" amplification factor. Direct DNS Flood: this type of attack occurs when a large number of bots (e.g. Mirai) make a large number of requests to a customer DNS server. This causes the DNS server to drop inbound DNS requests (in the case of UDP) or refuse to establish new connections (in the case of TCP). |
FIN Flood | After a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by the host and a client machine to close the TCP-SYN session. In a FIN Flood attack, a target server receives a large number of spoofed FIN packets that do not belong to any session on the target server. The attack attempts to exhaust a server's resources (its RAM, CPU, etc.) as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources. |
FIN PUSH Flood | This attack disrupts network activity by saturating bandwidth and resources on stateful devices in its path. By continuously sending ACK-PSH-FIN packets towards a target, stateful defenses can go down (in some cases into a fail-open mode). This flood could also be used as a smoke screen for more advanced attacks. ACK-PSH-FIN packets are considered illegal by the original TCP RFC. While these packets allowed for customized behavior, they are virtually unused today. Different systems can react differently to these packets, which may cause unexpected issues and behavior. |
GET Flood | HTTP GET flood is a layer 7 attack designed to overwhelm web servers' resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of GET requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
GRE Protocol Flood | In this attack type, malicious traffic is carried in a GRE payload (protocol ID 47), and the targeted IP address is visible in the first IP header. If you are using a GRE over GRE solution, general ACL filtering will be ineffective for filtering legitimate traffic. |
HEAD Flood | An HTTP HEAD flood is a layer 7 attack designed to overwhelm web servers' resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of HEAD requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
ICMP Flood | The attacker uses ICMP packets with an arbitrary type and/or code. Refer to the RFC for the list of valid ICMP types: ICMP parameters. |
IGMP Flood | Internet Group Management Protocol (IGMP) is a connectionless protocol used by IP hosts to report or leave multicast group memberships for adjacent routers. An IGMP flood is non-vulnerability based, as IGMP is designed to allow multicast. Such floods involve a large number of IGMP message reports being sent to a network or router, significantly slowing and eventually preventing legitimate traffic from being transmitted across the target network. |
mDNS Flood | Multicast DNS (mDNS) requests are used to overwhelm a victim’s server by flooding it with requests. This protocol is usually used on internal networks and thus should not be open for attack on WAN interfaces. |
NTP FLOOD | NTP Flood is a kind of UDP flood attack where the attacker organizes a flood of fake NTP requests from a wide range of IP addresses. The NTP server tries to process all the requests, thus exhausting system and network resources. As a result, the server on which the NTP service is running gets overloaded and fails. |
NetBIOS Flood | This is an amplified/reflection attack using the same strategy described for CharGEN or NTP Flood. The attack's source port is usually UDP 137. |
POST Flood | HTTP POST flood is a layer 7 attack designed to overwhelm web servers' resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of POST requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
PUSH Flood | HTTP PUSH flood is a layer 7 attack designed to overwhelm web servers' resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of PUSH requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
PUT Flood | HTTP PUT flood is a layer 7 attack designed to overwhelm web servers' resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of PUT requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
RESET Flood | After a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by the host and a client machine to close the TCP-SYN session. In an RST (RESET) Flood attack, a target server receives a large number of spoofed RST packets that do not belong to any session on the target server. The attack attempts to exhaust a server's resources (its RAM, CPU, etc.) as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources. |
RIP Flood | RIP is an interior gateway protocol that uses a distance-vector algorithm to determine the best route to a destination. The protocol uses a source port of UDP 520. |
RPC Flood | This attack uses poorly secured systems with the Remote Procedure Call protocol enabled for reflected floods. It can be mitigated by an ACL based on source port. |
Reserved Protocol Flood | An IPv4 flood attack using reserved or less common protocol numbers (other than TCP, UDP, ICMP, GRE and ESP), such as 20, 21, 22, 100 or 120. |
SNMP Flood | Malicious traffic originates from poorly secured devices with the SNMP service enabled. The attacker sends crafted requests with the victim's IP address spoofed as the source so that the responses flood the victim. Since the SNMP server listens on UDP port 161 by default, this is the fixed source port for this attack. |
SQL Server Reflection | The attack method is based on tampering with the Microsoft SQL permission protocol to launch a reflection attack resulting in a denial of service. The attack occurs when Microsoft SQL Server responds to a request that attempts to use the Microsoft SQL Server privilege protocol (MC-SQLR), which listens on UDP port 1434. The SQL permission protocol is used whenever the client needs to obtain information from MS SQL Server. Attackers can exploit SQL servers by making scripted requests that use a spoofed IP address to appear as if they are coming from the intended victim. The number of existing database instances on a vulnerable SQL server determines the strength or amplification factor of a DDoS attack. |
SSDP Flood | Simple Service Discovery Protocol (SSDP) uses UDP port 1900 and is meant to be used for Universal Plug and Play device detection, but is frequently used as a reflection-based attack vector. This port should not be available over WAN interfaces. |
SSL GET Flood | An HTTPS flood is like an HTTP flood but instead consists of a seemingly legitimate set of HTTPS GET requests. An HTTPS flood can also overwhelm and saturate an SSL daemon causing degraded server services due to the resources required to perform asymmetric encryption. |
SSL POST Flood | An SSL Flood or SSL Renegotiation attack takes advantage of the processing power needed to negotiate a secure TLS connection on the server side. An HTTPS flood is like an HTTP flood but instead consists of a seemingly legitimate set of HTTPS POST requests. |
SYN Flood | SYN Flood attacks work by establishing half-open connections to a node. When the target receives a SYN packet to an open port, the target will respond with a SYN-ACK and try to establish a connection. During a SYN flood, the three-way handshake never completes because the client never responds to the server's SYN-ACK. As a result, these connections remain in the half-open state until they time out. |
SYN PUSH | In this attack, the attacker sends a large number of TCP SYN PUSH packets towards a target, often one specific port. This causes the server OS to allocate memory for a new session, so with a sufficient rate of TCP SYN PUSH packets per second, the server may run out of memory and won't be able to process legitimate traffic. This attack relies on a large number of packets sent rather than volume; however, in some cases TCP SYN PUSH flood packets are sent with a large payload, with the goal of saturating the internet link as well. |
Sentinel Flood | Sentinel reflection is a vulnerability in the IBM SPSS license server, a well-known statistical software package. The SPSS license server service runs on port 5093 to a random destination port. The script uses the UDP request 7A 00 00 00 00 00, which is the letter "z" followed by five null characters. Because UDP does not validate source IP addresses, attackers can forge source IP addresses and exploit the license server to divert UDP responses to a victim's systems. The amplification factor for this attack is 42.94; however, only 745 unique sources of this attack traffic have been identified. Even with the extra bandwidth afforded by servers in well-connected networks, an attack of this type is limited by the number of reflectors available. |
TCP Anomaly | This term refers to invalid TCP flag usage. It is similar to the XMAS flood, but with some but not all flags set. This too is considered an illegal packet by the original TCP RFC. The following six flags (and the keyword ALL) can be filtered with a border-protect ACL: FIN, SYN, RST, PSH, ACK, URG, and ALL, but it is not possible to filter the other flags: ECN Echo, CWR, NONCE. |
TCP Fragment | Also known as Teardrop attacks, these assaults target TCP/IP reassembly mechanisms, preventing them from putting together fragmented data packets. |
TFTP Flood | A TFTP flood is a reflection and amplification attack utilizing the TFTP protocol. This attack can have an amplification factor from 30x to 110x. |
UDP Flood | In this attack, the attacker sends a large number of UDP packets towards a target. This is a direct attack type (not reflected), in which multiple sources usually send a large number of large UDP packets towards a single IP address. The goal of this attack is to saturate the internet links of the victim and/or overwhelm server resources. Depending on the tool used to perform the attack, there will often be random data inside the packets. In other cases the packets have the same content. |
UDP Fragment | UDP Fragment attacks are related to such vectors as: CharGEN, DNS Flood, and CLDAP reflection, in which payloads that do not fit the MTU are fragmented. |
XMAS | Christmas Tree Attack - a specific type of TCP anomaly where all TCP flag combinations are used in each packet. |
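As an added detection-side example (not part of this reference table), the following Python maps TCP flag bytes to the flag-based attack types above (XMAS, TCP Anomaly, FIN PUSH Flood, SYN PUSH and the SYN, ACK, FIN and RESET floods) and reports which ones a window of samples suggests. The per-pattern mapping, the rate threshold and the sample window are this example's own assumptions.

```python
from collections import Counter

# TCP flag bits as laid out in the header flags byte (RFC 793 plus the ECN bits of RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
CLASSIC = FIN | SYN | RST | PSH | ACK | URG  # the six flags the table says a border ACL can filter


def classify_tcp_flags(flags: int) -> str:
    """Map one TCP flags byte to the attackTypeName bucket its pattern belongs to.

    Illegal combinations map straight to "XMAS", "FIN PUSH Flood" or "TCP Anomaly".
    Legal patterns map to the flood they would indicate only at high rate
    ("SYN Flood", "SYN PUSH", "ACK Flood", "RESET Flood", "FIN Flood") or to "normal".
    The pattern-to-name mapping is this example's interpretation of the table, not the API's."""
    core = flags & CLASSIC  # ECE/CWR are legal ECN signalling and, per the table, not ACL-filterable
    if core == CLASSIC:
        return "XMAS"  # every classic flag set at once
    if core == FIN | PSH | ACK:
        return "FIN PUSH Flood"  # ACK-PSH-FIN, illegal per the original RFC
    if core == 0 or (core & SYN and core & (FIN | RST)) or (core & RST and core & FIN):
        return "TCP Anomaly"  # null packet, SYN with FIN/RST, or RST with FIN
    if core == SYN:
        return "SYN Flood"
    if core == SYN | PSH:
        return "SYN PUSH"
    if core == ACK:
        return "ACK Flood"
    if core & RST:
        return "RESET Flood"
    if core & FIN:
        return "FIN Flood"
    return "normal"  # e.g. SYN-ACK or PSH-ACK data segments


RATE_BASED = {"SYN Flood", "SYN PUSH", "ACK Flood", "RESET Flood", "FIN Flood"}


def detect_floods(flag_samples, threshold: int) -> dict:
    """Count packets per bucket for one observation window. Illegal patterns are
    reported whenever they appear; legal patterns only above the rate threshold."""
    counts = Counter(classify_tcp_flags(f) for f in flag_samples)
    return {name: n for name, n in counts.items()
            if name != "normal" and not (name in RATE_BASED and n <= threshold)}


# Constructed sample window of flag bytes, as a flow sensor might export them (assumption)
SAMPLE_WINDOW = ([SYN | ACK] * 5 + [PSH | ACK] * 20 + [FIN | ACK] * 4 + [SYN] * 300
                 + [FIN | PSH | ACK] * 2 + [0x3F] + [SYN | FIN] * 3 + [ACK] * 10)

if __name__ == "__main__":
    print(detect_floods(SAMPLE_WINDOW, threshold=100))
```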