This table lists all the valid values for the attackTypeName parameter:
Attack type | Description |
---|---|
ACK Flood | The attacker sends a large number of TCP ACK packets towards a target, often one specific port. |
addp | An attack exploiting vulnerabilities in Advanced Disconnect Detection Protocol, a heartbeat mechanism to detect dropped connections, especially in VoIP. |
afs | An attack exploiting vulnerabilities in Andrew File System (AFS), a distributed network protocol that enables users to access files stored on remote servers as if they were on their local machine. |
Apple Remote Desktop | An attack exploiting vulnerabilities in Apple Remote Desktop. |
ARMS Reflection | The attacker spoofs a target's IP address and sends a request for information using the ARMS protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
bfd | An attack using the BFD (Bidirectional Forwarding Detection) protocol, which various routing protocols use for fast failure detection on a network path. |
Censorship TCP Reflection | The attacker spoofs a target's IP address and sends a request for information using the Censorship TCP protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
CLDAP Reflection | A CLDAP Reflection Attack exploits the Connectionless Lightweight Directory Access Protocol (CLDAP), an efficient alternative to LDAP queries that runs over UDP. The attacker sends a CLDAP request to an LDAP server with a spoofed sender IP address (the target’s IP). The server sends a bulked-up response to the target’s IP, causing the reflection attack. The victim’s machine cannot process the massive amount of CLDAP data arriving at the same time. |
CharGEN Attack | CharGEN is a character generation protocol that listens on port 19 over TCP or UDP; its responses often produce UDP fragments as a byproduct. Processing these fragments can overwhelm the system and lead to a denial of service. |
coap | An attack using the UDP-based IoT device discovery protocol CoAP (Constrained Application Protocol). |
Connection Flood | This attack is also known as a TCP connection flood because it attempts to occupy all possible TCP connections on a server. By flooding the server with requests for new connections, the attack prevents legitimate requests from being established and served. |
crestoncip | An attack using the Windows IoT device discovery protocol CrestonCIP. |
DHdiscovery | A reflection attack using DVR discovery traffic on port 37810. |
DNS Flood | This attack type can have one of two forms. DNS Amplification Attack: a type of reflection attack in which an attacker delivers traffic to the victim by reflecting it off a third party to conceal the origin of the attack from the victim. In most cases it comes with a UDP Fragment Attack as a result of the amplification. A DNS request of 60 bytes can be configured to elicit a response message of over 4000 bytes, resulting in a "x70" amplification factor. Direct DNS Flood: this type of attack occurs when a large number of bots (e.g. Mirai) make a large number of requests to a customer DNS server. This causes the DNS server to drop inbound DNS requests (in the case of UDP) or refuse to establish new connections (in the case of TCP). |
DNS Reflection | The attacker causes legitimate DNS servers on the internet to send answers to DNS queries to a victim using UDP source spoofing. These attacks often ask a legitimate DNS server for all records of a domain, or for a TXT or SPF record, with the goal of causing the largest possible response, which is directed to the victim. Those responses comply with the DNS standard, but the victim receives a flood of useless data intended to saturate its internet links. Packets can be directed to one port or to random ports and contain one or many different DNS replies; these often appear as UDP fragments because large responses get fragmented. |
DTLS | An attack using the Datagram Transport Layer Service, which supports TLS encryption over UDP connections. |
ESP Flood | DDoS attacks related to the Encapsulating Security Payload (ESP) protocol, which is part of the IPsec suite, on port 50. |
FIN Flood | After a successful three- or four-way TCP-SYN session, RST or FIN packets are exchanged by the host and a client machine to close the TCP-SYN session. In a FIN Flood attack, a target server receives a large number of spoofed FIN packets that do not belong to any session on the target server. The attack attempts to exhaust the server’s resources (RAM, CPU, etc.) as the server tries to process these invalid requests. The result is a server unable to process legitimate requests because its resources are exhausted. |
FIN PUSH Flood | This attack disrupts network activity by saturating bandwidth and resources on stateful devices in its path. By continuously sending ACK-PSH-FIN packets towards a target, stateful defenses can be brought down (in some cases into a fail-open mode). This flood can also be used as a smoke screen for more advanced attacks. ACK-PSH-FIN packets are considered illegal by the original TCP RFC. While these packets allowed for customized behavior, they are virtually unused today. Different systems can react differently to these packets, which may cause unexpected issues and behavior. |
fivem | An attack exploiting vulnerabilities in the FiveM direct connect protocol for gaming servers. |
gatewaydisc | A category of attacks that target a network's gateway discovery methods, often leveraging misconfigurations. |
GET Flood | An HTTP GET flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many attacking source machines that simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of GET requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
GRE Protocol Flood | In this attack type, malicious traffic uses a GRE payload (protocol ID 47), and the targeted IP address is visible in the first IP header. If you are using a GRE-over-GRE solution, general ACL filtering will be ineffective for filtering legitimate traffic. |
HEAD Flood | An HTTP HEAD flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many attacking source machines that simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of HEAD requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
heartbeat | Heartbleed attacks that exploit the OpenSSL heartbeat mechanism to hijack sessions. |
HTTP Flood | A denial of service attack that uses any of the HTTP request methods which are part of the Hypertext Transfer Protocol (HTTP). |
ICMP Flood | The attacker uses ICMP packets with an arbitrary type and/or code. Refer to the RFC for the list of valid ICMP types: ICMP parameters. |
IGMP Flood | Internet Group Management Protocol (IGMP) is a connectionless protocol used by IP hosts to report or leave multicast group memberships for adjacent routers. An IGMP flood is non-vulnerability based, as IGMP is designed to allow multicast. Such floods involve a large number of IGMP message reports being sent to a network or router, significantly slowing and eventually preventing legitimate traffic from being transmitted across the target network. |
ikev1 | An attack exploiting vulnerabilities in Internet Key Exchange version 1. |
IP Fragment | An attack using IP fragments of protocols other than TCP or UDP. |
IP in IP protocol flood | The IP-in-IP protocol involves encapsulating one IP packet within another. The outer IP header identifies the "tunnel" endpoint, while the inner IP header contains the destination of the actual intended recipient. Attackers send a large number of encapsulated IP packets, each containing another IP packet (the inner packet) within it. This creates a flood of encapsulated packets, significantly increasing the traffic volume. |
jenkins | This attack allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. |
mDNS Flood | Multicast DNS (mDNS) requests are used to overwhelm a victim’s server by flooding it with requests. This protocol is usually used on internal networks and thus should not be open for attack on WAN interfaces. |
mDNS Reflection | The attacker spoofs a target's IP address and sends a request for information using the mDNS protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
Memcached Reflection | An attack aimed at Memcached, a database caching system designed to speed up websites and networks. It works by flooding a website or application with traffic to crash the servers. |
nat pmp | NAT-PMP (NAT Port Mapping Protocol) attacks exploit vulnerabilities in how routers handle port forwarding, potentially allowing attackers to intercept traffic, redirect it, or even launch denial-of-service attacks. |
NTP FLOOD | NTP Flood is a kind of UDP flood attack where the attacker organizes a flood of fake NTP requests from a wide range of IP addresses. The NTP server tries to process all the requests, thus exhausting system and network resources. As a result, the server on which the NTP service is running gets overloaded and fails. |
NTP Reflection | An NTP reflection attack is a distributed denial-of-service attack (DDoS) that uses the NTP protocol (network time protocol). The attacker spoofs the source IP address to that of the victim, sends small packets to a vulnerable NTP server, and the NTP server sends a big response to the victim. |
NetBIOS Flood | This is an amplified/reflection attack using the same strategy described for CharGEN or NTP Flood. The attack's source port is usually UDP 137. |
NetBIOS Reflection | The attacker spoofs a target's IP address and sends a request for information using the NetBIOS protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
netisnetcore | An attack that takes advantage of a vulnerability in Netis Netcore routers that allows use of a hard-coded password to gain access. |
plex | A type of UDP-spoofing SSDP attack specific to Plex media servers. |
POST Flood | An HTTP POST flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many attacking source machines that simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of POST requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
PUSH Flood | An HTTP PUSH flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many attacking source machines that simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of PUSH requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
PUSH ACK Flood | This is a denial of service attack based on the PUSH & ACK flags. |
PUT Flood | An HTTP PUT flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many attacking source machines that simulate HTTP clients. These attacks use standard URL requests, so it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds. This attack consists of PUT requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE, etc. |
quake | A type of brute-force attack on Microsoft MFA called AuthQuake. |
QUIC Flood | A DDoS attack exploiting vulnerabilities in the QUIC protocol, which sends the TLS certificate along with the initial "hello" message, creating a much larger packet, instead of the usual TCP ACK. |
RESET Flood | After a successful three- or four-way TCP-SYN session, RST or FIN packets are exchanged by the host and a client machine to close the TCP-SYN session. In an RST (RESET) Flood attack, a target server receives a large number of spoofed RST packets that do not belong to any session on the target server. The attack attempts to exhaust the server’s resources (RAM, CPU, etc.) as the server tries to process these invalid requests. The result is a server unable to process legitimate requests because its resources are exhausted. |
RIP Flood | RIP is an interior gateway protocol that uses a distance-vector algorithm to determine the best route to a destination. The protocol uses a source port of UDP 520. |
RIP Reflection | The attacker spoofs a target's IP address and sends a request for information using the RIP protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
RPC Flood | This attack uses poorly secured systems with enabled Remote Procedure Call Protocol for reflected floods. It can be mitigated by ACL based on source port. |
RPC Reflection | The attacker spoofs a target's IP address and sends a request for information using the RPC protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
Reserved Protocol Flood | An IPv4 flood attack using reserved or less common protocol numbers (other than TCP, UDP, ICMP, GRE and ESP; for example 20, 21, 22, 100 or 120). |
SADP Reflection | The attacker spoofs a target's IP address and sends a request for information using the SADP protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
Sentinel Flood | Sentinel reflection is a vulnerability in the license server of IBM SPSS, a well-known statistical software package. The SPSS license server service runs on port 5093, with responses sent to a random destination port. The script uses the UDP request 7A 00 00 00 00 00, which is the letter “z” followed by five null characters. Because UDP does not validate source IP addresses, attackers can forge source IP addresses and exploit the license server to divert UDP responses to a victim’s systems. The amplification factor for this attack is 42.94; however, only 745 unique sources of this attack traffic have been identified. Even with the extra bandwidth afforded by servers in well-connected networks, an attack of this type is limited by the number of reflectors available. |
Sip | SIP protocol attacks exploit vulnerabilities in the Session Initiation Protocol (SIP), commonly used in Voice over IP (VoIP) systems, to disrupt services, steal information, or cause financial loss. These attacks can range from simple call flooding to more sophisticated methods like registration hijacking and eavesdropping. |
SLP Reflection | The attacker spoofs a target's IP address and sends a request for information using the SLP protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
SNMP Flood | Malicious traffic originates from poorly secured devices with the SNMP service enabled. The attacker sends crafted requests with the victim's IP address spoofed as the source, so the responses flood the victim. Since the SNMP server listens on UDP port 161 by default, this is the fixed source port for this attack. |
SNMP Reflection | The attacker spoofs a target's IP address and sends a request for information using the SNMP protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
SQL Server Reflection | The attack method is based on tampering with the Microsoft SQL permission protocol to launch a reflection attack resulting in a denial of service. The attack occurs when Microsoft SQL Server responds to a request that attempts to use the Microsoft SQL Server privilege protocol (MC-SQLR) by listening on UDP port 1434. The SQL permission protocol is used whenever the client needs to obtain information from MS SQL Server. Attackers can exploit SQL servers by making scripted requests that use a spoofed IP address to appear as if they are coming from the intended victim. The number of existing database instances on a vulnerable SQL server determines the strength or amplification factor of a DDoS attack. |
SSDP Flood | Simple Service Discovery Protocol (SSDP) uses UDP port 1900, and is meant to be used for Universal Plug and Play device detection, but is frequently used as a reflection-based attack vector. This port should not be available over WAN interfaces. |
SSDP Reflection | SSDP (Simple Service Discovery Protocol) uses UDP port 1900 and is also called the "Stupidly Simple DDoS Protocol". It is meant to be used as a Universal Plug and Play device detection protocol, but is frequently used as a reflection-based attack vector. |
SSL GET Flood | An HTTPS flood is like an HTTP flood but instead consists of a seemingly legitimate set of HTTPS GET requests. An HTTPS flood can also overwhelm and saturate an SSL daemon causing degraded server services due to the resources required to perform asymmetric encryption. |
SSL POST Flood | An SSL Flood or SSL Renegotiation attack takes advantage of the processing power needed to negotiate a secure TLS connection on the server side. An HTTPS flood is like an HTTP flood but instead consists of a seemingly legitimate set of HTTPS POST requests. |
steamremoteplay | Steam Remote Play allows streaming games to other devices, which has been identified as a potential attack vector. Vulnerabilities in the underlying Steam protocol or game engines could be exploited by attackers. These attacks can potentially lead to Remote Code Execution (RCE). |
STUN | An attack leveraging the STUN (Session Traversal Utilities for NAT) protocol that helps devices behind Network Address Translators (NATs) discover their public IP address and port information. |
SYN Flood | SYN Flood attacks work by establishing half-open connections to a node. When the target receives a SYN packet to an open port, the target responds with a SYN-ACK and tries to establish a connection. During a SYN flood, the three-way handshake never completes because the client never responds to the server's SYN-ACK. As a result, these connections remain in the half-open state until they time out. |
SYN ACK Flood | This is a denial of service attack based on the SYN & ACK flags. |
SYN PUSH | In this attack, the attacker sends a large number of TCP SYN PUSH packets towards a target, often one specific port. This causes the server OS to allocate memory for a new session, so with a sufficient rate of TCP SYN PUSH packets per second the server may run out of memory and won't be able to process legitimate traffic. This attack relies on a large number of packets sent rather than volume; however, in some cases TCP SYN PUSH flood packets are sent with a large payload, with the goal of saturating the internet link as well. |
TCP Anomaly | This term refers to invalid TCP flag usage. It is similar to the XMAS flood, but with some but not all flags set. This too is considered an illegal packet by the original TCP RFC. The following six flags can be filtered with a border-protect ACL, as can ALL: FIN, SYN, RST, PSH, ACK and URG. It is not possible to filter the other flags: ECN Echo, CWR and NONCE. |
TCP Fragment | Also known as Teardrop attacks, these assaults target TCP/IP reassembly mechanisms, preventing them from putting together fragmented data packets. |
TLS Exhaustion | DDoS attacks that target the SSL/TLS handshake by sending worthless data to the server in an attempt to cause connection issues for legitimate users. |
TFTP Flood | A TFTP flood is an amplification attack utilizing the TFTP protocol. This attack can have amplification factor from 30x to 110x. |
TFTP Reflection | The attacker spoofs a target's IP address and sends a request for information using the TFTP protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
Ubnt Reflection | The attacker spoofs a target's IP address and sends a request for information using the Ubnt protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
UDP Flood | In this attack, the attacker sends a large number of UDP packets towards a target. This is a direct attack type (not reflected), in which usually multiple sources send a large number of large UDP packets towards a single IP address. The goal of this attack is to saturate the internet links of the victim and/or overwhelm server resources. Depending on the tool used to perform the attack, there will often be random data inside the packets; in other cases the packets have the same content. |
UDP Fragment | UDP Fragment attacks are related to such vectors as: CharGEN, DNS Flood, and CLDAP reflection, in which payloads that do not fit the MTU are fragmented. |
WSDiscovery Flood | DDoS vector that leverages a UDP Amplification technique known as WS-Discovery (WSD). WSD is yet another technology developed to ease consumer device network discovery and connectivity. Since UDP is a stateless protocol, requests to the WSD service can be spoofed. This ultimately causes the impacted server, or service, to send responses to the intended victim, consuming large amounts of the target's bandwidth. |
WSDiscovery Reflection | The attacker spoofs a target's IP address and sends a request for information using the WSD protocol. The server then responds to the request, sending an answer to the target’s IP address, using the same protocol. Any server operating UDP or TCP-based services can be targeted as a reflector. |
valvesrcds | Remote code execution attacks targeting the Steam gaming network, run by Valve. |
voip10074 | An attack exploiting vulnerabilities in the VOIP protocol traffic on port 10074. |
Vxworks | An attack exploiting remote vulnerabilities in the VxWorks operating system, particularly the URGENT/11 vulnerabilities (CVE-2019-12255 through CVE-2019-12265). |
xen ima | An attack exploiting vulnerabilities in the Xen hypervisor's Integrity Management Architecture. |
XMAS | Christmas Tree Attack - a specific type of TCP anomaly where all TCP flag combinations are used in each packet. |
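The TCP rows above (ACK Flood, FIN Flood, FIN PUSH Flood, PUSH ACK Flood, RESET Flood, SYN Flood, SYN ACK Flood, SYN PUSH, TCP Anomaly and XMAS) each describe a flag combination in prose. The Python below is an added example, not code from this page or from the API it documents: it maps a packet's TCP flag bits to the attackTypeName whose description matches, checks the ACL-filterability point made in the TCP Anomaly row (the six classic flags can be matched by a border ACL, the ECN bits cannot), and counts labelled packets per destination so that only high-volume patterns are reported. It goes slightly beyond the table by adding that volume step. The function names, the constructed sample records and the threshold of 10 packets are assumptions; the table specifies none of them.

```python
from collections import Counter

# TCP flag bits, laid out as the 9-bit flags field of the TCP header
# (the six classic RFC 793 flags plus the ECN bits ECE/CWR and the NS nonce bit).
NS = 0x100   # ECN nonce ("NONCE" in the table)
CWR = 0x080
ECE = 0x040  # "ECN Echo" in the table
URG = 0x020
ACK = 0x010
PSH = 0x008
RST = 0x004
SYN = 0x002
FIN = 0x001

# The six flags the TCP Anomaly row says a border-protect ACL can match.
CLASSIC_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# Flag pattern -> attackTypeName, taken from the TCP rows of the table.
# Only the six classic flags take part in the lookup; ECN bits are masked off.
FLAG_PATTERNS = {
    SYN: "SYN Flood",
    SYN | ACK: "SYN ACK Flood",
    SYN | PSH: "SYN PUSH",
    ACK: "ACK Flood",
    ACK | PSH: "PUSH ACK Flood",
    ACK | PSH | FIN: "FIN PUSH Flood",
    FIN: "FIN Flood",
    FIN | ACK: "FIN Flood",
    RST: "RESET Flood",
    RST | ACK: "RESET Flood",
    CLASSIC_FLAGS: "XMAS",  # all six classic flags set
}


def classify_tcp_flags(flags: int) -> str:
    """Return the attackTypeName whose description matches this flag pattern.

    The label describes the packet's shape only; whether traffic of that shape
    is a flood is decided by volume in flood_summary(). Any combination the
    table does not describe (SYN+FIN, SYN+RST, no flags, ...) is reported under
    the table's catch-all for invalid flag usage, "TCP Anomaly".
    """
    classic = flags & CLASSIC_FLAGS
    return FLAG_PATTERNS.get(classic, "TCP Anomaly")


def acl_filterable(flags: int) -> bool:
    """True if every set bit is one of the six flags a border ACL can match.

    Packets carrying ECE, CWR or NS need a different control: the TCP Anomaly
    row notes that those bits cannot be filtered by the ACL.
    """
    return (flags & ~CLASSIC_FLAGS) == 0


def flood_summary(packets, threshold: int) -> dict:
    """Count packets per (destination IP, label); keep pairs at or above threshold.

    packets: iterable of (dst_ip, flags) tuples, e.g. extracted from flow records.
    The threshold is an assumed tuning knob; the table does not specify one.
    """
    counts = Counter((dst_ip, classify_tcp_flags(flags)) for dst_ip, flags in packets)
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: two destinations in TEST-NET-3 (RFC 5737), not real traffic.
SAMPLE_PACKETS = (
    [("203.0.113.10", SYN)] * 50                # half-open connection attempts
    + [("203.0.113.10", ACK | PSH | FIN)] * 30  # ACK-PSH-FIN packets
    + [("203.0.113.10", SYN | ACK)] * 3         # too few to reach the threshold
    + [("203.0.113.20", CLASSIC_FLAGS)] * 12    # every classic flag set
    + [("203.0.113.20", SYN | FIN)] * 5         # invalid combination, below threshold
)

if __name__ == "__main__":
    for (dst_ip, label), n in sorted(flood_summary(SAMPLE_PACKETS, threshold=10).items()):
        print(f"{dst_ip:15} {label:15} {n} packets")
```

Because SYN, FIN/ACK and RST packets all occur in legitimate sessions, the per-packet label alone says nothing about an attack; the volume check in `flood_summary` is what separates a flood from normal traffic, and in practice it would run over flow records or a packet capture rather than the constructed list.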