This table lists all the valid values for the attackTypeName parameter:

Attack typeDescription
ACK FloodThe attacker sends a large number of TCP ACK packets towards a target, often one specific port.
CLDAP ReflectionConnectionless LDAP reflection is a form of UDP reflection attack. Multiple different servers send responses from the well-known port 389 to the victim's IP address. The amplification factor for this kind of attack is 46 to 55.
CharGEN AttackCharGEN is a character generation protocol that listens on port 19 with TCP or UDP, which often has UDP fragments produced as byproduct. Processing these fragments can overwhelm the system and lead to a denial of service.
Connection FloodThis attack is also known as a TCP connection flood because it attempts to occupy all possible TCP connections on a server. By flooding the server with requests for new connections, the attack prevents legitimate requests from being established and served.
DNS FloodThis attack type can have one of two forms:
DNS Amplification Attack: A type of reflection attack in which an attacker delivers traffic to the victim by reflecting it off of a third party to conceal the origin of the attack from the victim. In most cases it comes with a UDP Fragment Attack as a result of amplification. A DNS request of 60 bytes can be configured to elicit a response message of over 4000 bytes resulting in a "x70" amplification factor.
Direct DNS Flood: This type of attack occurs when a large number of bots (e.g. Mirai) make a large amount of requests to a customer DNS server. This causes the DNS server to drop inbound DNS requests (in the case of UDP) or refuse to establish new connections (in the case of TCP.)
FIN FloodAfter a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by the host and a client machine to close the TCP-SYN session.
In an FIN Flood attack, a target server receives a large number of spoofed FIN packets that do not belong to any session on the target server. The attack attempts to exhaust a server’s resources (its RAM, CPU, etc) as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources.
FIN PUSH FloodThis attack disrupts network activity by saturating bandwidth and resources on stateful devices in its path. By continuously sending ACK-PSH-FIN packets towards a target, stateful defenses can go down (In some cases into a fail-open mode). This flood could also be used as a smoke screen for more advanced attacks.
ACK-PSH-FIN Packets are considered an illegal packet by the original TCP RFC. While these packets allowed for customized behavior, they are virtually unused today. Different systems can react differently to these packets and may cause unexpected issues and behavior.
GET FloodHTTP GET flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, thus it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds.
This attack consists of GET requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE etc.
GRE Protocol FloodIn this attack type, malicious traffic uses GRE payload (protocol ID 47), the targeted IP address is visible in the first IP header. If you are using a GRE over GRE solution, general ACL filtering will be ineffective for filtering legitimate traffic.
HEAD FloodAn HTTP HEAD flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, thus it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds.
This attack consists of HEAD requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE etc.
ICMP FloodThe attacker uses ICMP packets with an arbitrary type and/or code. Refer to the RFC for the list of valid ICMP types: ICMP parameters.
IGMP FloodInternet Group Management Protocol (IGMP) is a connectionless protocol used by IP hosts to report or leave multicast group memberships for adjacent routers. An IGMP flood is non-vulnerability based, as IGMP is designed to allow multicast. Such floods involve a large number of IGMP message reports being sent to a network or router, significantly slowing and eventually preventing legitimate traffic from being transmitted across the target network.
mDNS FloodMulticast DNS (mDNS) requests are used to overwhelm a victim’s server by flooding it with requests. This protocol is usually used on internal networks and thus should not be open for attack on WAN interfaces.
NTP FLOODNTP Flood is a kind of UDP flood attack where the attacker organizes a flood of fake NTP requests from a wide range of IP addresses. The NTP server tries to process all the requests, thus exhausting system and network resources. As a result, the server on which the NTP service is running gets overloaded and fails.
NetBIOS FloodThis is an amplified/reflection attack using the same strategy described for CharGEN or NTP Flood. The attack's source port is usually UDP 137.
POST FloodHTTP POST flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, thus it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds.
This attack consists of POST requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE etc.
PUSH FloodHTTP PUSH flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, thus it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds.
This attack consists of PUSH requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE etc.
PUT FloodHTTP PUT flood is a layer 7 attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines which simulate HTTP clients. These attacks use standard URL requests, thus it can be challenging to differentiate them from valid traffic, and the traffic volume is often under detection thresholds.
This attack consists of PUT requests, unlike other HTTP floods that may include other request methods such as GET, PUT, DELETE etc.
RESET FloodAfter a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by the host and a client machine to close the TCP-SYN session.
In an RST (RESET) Flood attack, a target server receives a large number of spoofed RST packets that do not belong to any session on the target server. The attack attempts to exhaust a server’s resources (its RAM, CPU, etc) as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources.
RIP FloodRIP is an interior gateway protocol that uses a distance-vector algorithm to determine the best route to a destination. The protocol uses a source port of UDP 520.
RPC FloodThis attack uses poorly secured systems with enabled Remote Procedure Call Protocol for reflected floods. It can be mitigated by ACL based on source port.
Reserved Protocol FloodAn IPv4 flood attack using reserved or less common protocol numbers. (Other than TCP, UDP, ICMP, GRE, ESP, such as 20,21,22,100, or 120.)
SNMP FloodMalicious traffic originates from poorly secured devices with enabled SNMP service. The attacker sends crafted requests with spoofed victim's IP so responses flood victim. Since the SNMP server listens on UDP port 161 by default, this is the fixed source port for this attack.
SQL Server ReflectionThe attack method is based on tampering with the Microsoft SQL permission protocol to launch a reflection attack resulting in a denial of service.
The attack occurs when Microsoft SQL Server responds to a request that attempts to use the Microsoft SQL Server privilege protocol (MC-SQLR) by listening on UDP port 1434. The SQL permission protocol is used whenever the client needs to obtain information from MS SQL Server. Attackers can exploit SQL servers by making scripted requests that use a spoofed IP address to appear as if they are coming from the intended victim. The number of existing database instances on a vulnerable SQL server determines the strength or amplification factor of a DDoS attack.
SSDP FloodSimple Service Discovery Protocol (SSDP) uses UDP port 1900, and is meant to be used for Universal Plug and Play device detection, but frequently used as a reflection-based attack vector. This port should not be available over WAN interfaces.
SSL GET FloodAn HTTPS flood is like an HTTP flood but instead consists of a seemingly legitimate set of HTTPS GET requests. An HTTPS flood can also overwhelm and saturate an SSL daemon causing degraded server services due to the resources required to perform asymmetric encryption.
SSL POST FloodAn SSL Flood or SSL Renegotiation attack takes advantage of the processing power needed to negotiate a secure TLS connection on the server side. An HTTPS flood is like an HTTP flood but instead consists of a seemingly legitimate set of HTTPS POST requests.
SYN FloodSYN Flood attacks work by establishing half-open connections to a node. When the target receives a SYN packet to an open port, the target will respond with a SYN-ACK and try to establish a connection. During a SYN flood, the three-way handshake never completes because the client never responds to the server's SYN-ACK. As a result, these connections remain in the half-open state until they time out
SYN PUSHIn this attack, the attacker sends large number of TCP SYN PUSH packets towards a target, often one specific port. This causes the server OS to allocate memory for a new session, so with a sufficient rate of TCP SYN PUSH packets per second, server may run out of memory and wont be able to process legitimate traffic. This attack relies on a large number or packets sent rather than volume, however in some cases, TCP SYN PUSH flood packets are sent with a large payload, with a goal to saturate internet link as well.
Sentinel FloodSentinel reflection is a vulnerability in the IBM SPSS license server, a well-known statistical software package. The SPSS license server service runs on port 5093 to a random destination port.
The script uses the UDP request 7A 00 00 00 00 00, which is the letter ‚Äúz‚ÄĚ followed by five null characters. Because UDP does not validate source IP addresses, attackers can forge source IP addresses and exploit the license server to divert UDP responses to a victim‚Äôs systems.
The amplification factor for this attack is 42.94, however only 745 unique sources of this attack traffic have been identified. Even with the extra bandwidth afforded by servers in well-connected networks, an attack of this type is limited by the number of reflectors available.
TCP AnomalyThis term refers to invalid TCP Flag usage. Similar to the XMAS flood, but with some but not all flags set. This too is considered an illegal packet by the original TCP RFC.
The following six flags can be filtered with a border-protect ACL: FIN, SYN, RST, PSH, ACK, URG, and ALL, but it is not possible to filter the other flags: ECN Echo, CWR, NONCE.
TCP FragmentAlso known as Teardrop attacks, these assaults target TCP/IP reassembly mechanisms, preventing them from putting together fragmented data packets.
TFTP FloodA TFTP flood is reflection and amplification attack utilizing the TFTP protocol. This attack can have amplification factor from 30x to 110x.
UDP FloodIn this attack, the attacker is sending large number of UDP packets towards a target. This is a direct attack type (not reflected), when usually multiple sources are sending large number of large UDP packets towards a single IP address. The goal of this attack is to saturate the internet links of the victim and/or overwhelm server resources. Depending on the tool used to perform the attack, often there will be random data inside the packets. In other cases the packets have the same content.
UDP FragmentUDP Fragment attacks are related to such vectors as: CharGEN, DNS Flood, and CLDAP reflection, in which payloads that do not fit the MTU are fragmented.
XMASChristmas Tree Attack - a specific type of TCP anomaly where all TCP flag combinations are used in each packet.