Attack types

This table lists all the valid values for the attackTypeName parameter. Each entry gives the attack type name as it must be passed to the parameter, followed by a description of the attack:
ACK Flood: The attacker sends a large number of TCP ACK packets towards a target, often at one specific port. The packets belong to no established session, so the target spends resources matching and discarding them.

addp: An attack abusing the Advanced Device Discovery Protocol (ADDP), the UDP-based discovery protocol (port 2362) of Digi International network devices, which answers spoofed discovery requests and can therefore be used as a reflector.

afs: An attack exploiting the Andrew File System (AFS), a distributed file system protocol that lets users access files stored on remote servers as if they were on their local machine.

Apple Remote Desktop: An attack exploiting Apple Remote Desktop (ARD), Apple's remote management software.

ARMS Reflection: The attacker spoofs a target's IP address and sends requests to the Apple Remote Management Service (ARMS), the UDP port 3283 service behind Apple Remote Desktop. Each server responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

bfd: An attack using the Bidirectional Forwarding Detection (BFD) protocol, which various routing protocols use for fast failure detection on a network path.

Censorship TCP Reflection: The attacker spoofs a target's IP address and sends crafted TCP packets towards censorship middleboxes (devices that inspect and block traffic at national or ISP level). Such devices answer a segment that appears to carry forbidden content with injected responses (block pages or resets) without requiring a completed handshake, so the replies go to the target and can be considerably larger than the request.

CLDAP Reflection: A CLDAP Reflection attack exploits the Connectionless Lightweight Directory Access Protocol (CLDAP), an efficient alternative to LDAP that runs over UDP (port 389). The attacker sends a CLDAP request to an LDAP server with a spoofed source address (the target's IP). The server sends its much larger response to the target's IP, producing the reflection. The victim's machine cannot process the massive amount of CLDAP data it receives.

CharGEN Attack: CharGEN (Character Generator) is a legacy test protocol that listens on port 19 over TCP or UDP and answers any request with a stream of characters. Spoofed requests cause those responses to be sent to the target; because the replies are large they are often fragmented, so UDP fragments are a frequent by-product. Processing the flood of responses and fragments can overwhelm the target and lead to a denial of service.

coap: An attack using CoAP (Constrained Application Protocol), the UDP-based IoT application protocol (port 5683) that supports device and resource discovery, as a reflection vector.

Connection Flood: Also known as a TCP connection flood, this attack attempts to occupy all possible TCP connections on a server. By flooding the server with requests for new connections, the attack prevents legitimate connections from being established and served.

crestoncip: An attack using the device-discovery traffic of the Crestron Internet Protocol (CIP), the control protocol of Crestron AV and automation devices.

DHdiscovery: A reflection attack using the Dahua DVR and IP camera discovery protocol on UDP port 37810.
DNS Flood: This attack type can take one of two forms:

DNS Amplification Attack: a reflection attack in which the attacker delivers traffic to the victim by bouncing it off a third party, which also conceals the origin of the attack from the victim. In most cases it is accompanied by a UDP Fragment Attack, because the amplified responses exceed the MTU. A DNS request of 60 bytes can be crafted to elicit a response of over 4000 bytes, an amplification factor of roughly 70x.

Direct DNS Flood: a large number of bots (for example, Mirai nodes) send a large volume of queries to a customer's DNS server. This causes the DNS server to drop inbound queries (over UDP) or to refuse new connections (over TCP).

DNS Reflection: The attacker causes legitimate DNS servers on the internet to send answers to DNS queries to the victim by spoofing the UDP source address. The queries typically ask for all records of a domain (an ANY query), or for a TXT or SPF record, to elicit the largest possible response, which is then directed at the victim. The responses comply with the DNS standard, but the victim receives a flood of useless data intended to saturate its internet links.
Packets may be directed to one port or to random ports and contain one or many different DNS replies; they often appear as UDP fragments, because large responses are fragmented.

DTLS: An attack using Datagram Transport Layer Security (DTLS), which provides TLS over UDP. DTLS servers that answer a ClientHello without first completing the HelloVerifyRequest cookie exchange can be used as reflectors.

ESP Flood: DDoS attacks using the Encapsulating Security Payload (ESP) protocol, part of the IPsec suite. ESP is IP protocol number 50; it has no port.

FIN Flood: After a TCP session has been established by the three-way handshake, the host and client exchange FIN (or RST) packets to close it.
In a FIN Flood attack, a target server receives a large number of spoofed FIN packets that do not belong to any session on the server. The attack attempts to exhaust the server's resources (RAM, CPU, etc.) as it tries to match and process these invalid packets. The result is a server that is unable to serve legitimate requests because its resources are exhausted.

FIN PUSH Flood: This attack disrupts network activity by saturating bandwidth and the resources of stateful devices in its path. By continuously sending ACK-PSH-FIN packets towards a target, stateful defenses can be overwhelmed (in some cases falling into a fail-open mode). This flood can also be used as a smoke screen for more advanced attacks.
ACK-PSH-FIN is a legal flag combination under the original TCP RFC (a host normally closes a connection with a FIN that also carries ACK, and PSH when it delivers its final data), but such packets are meaningless outside an established session. Different systems react differently to these stray segments, which can cause unexpected issues and behavior.

fivem: An attack exploiting the FiveM direct-connect protocol used by FiveM (GTA V multiplayer) game servers.

gatewaydisc: A category of attacks that target a network's gateway discovery mechanisms, often leveraging misconfigurations.

GET Flood: An HTTP GET flood is a layer 7 attack designed to overwhelm a web server's resources by continuously requesting one or more URLs from many attacking machines that simulate HTTP clients. Because the requests are well-formed, it can be hard to distinguish them from valid traffic, and the traffic volume often stays under detection thresholds.
This attack consists of GET requests only, unlike a generic HTTP flood that may mix methods such as GET, PUT and DELETE.

GRE Protocol Flood: In this attack type the malicious traffic is carried as GRE payload (IP protocol number 47), and the targeted IP address is visible in the outer IP header. If you deliver your own traffic over GRE (for example a GRE-over-GRE setup), a general ACL on protocol 47 cannot separate the attack from legitimate tunnel traffic.
HEAD Flood: An HTTP HEAD flood is a layer 7 attack designed to overwhelm a web server's resources by continuously requesting one or more URLs from many attacking machines that simulate HTTP clients. Because the requests are well-formed, it can be hard to distinguish them from valid traffic, and the traffic volume often stays under detection thresholds.
This attack consists of HEAD requests only, unlike a generic HTTP flood that may mix methods such as GET, PUT and DELETE.

heartbeat: Heartbleed attacks (CVE-2014-0160) that exploit the OpenSSL implementation of the TLS heartbeat extension to read server memory, which can expose session data, credentials and private keys.

HTTP Flood: A denial of service attack that uses any of the request methods defined by the Hypertext Transfer Protocol (HTTP).

ICMP Flood: The attacker floods the target with ICMP packets of an arbitrary type and/or code. Refer to the IANA ICMP Parameters registry for the list of valid ICMP types.

IGMP Flood: Internet Group Management Protocol (IGMP) is a connectionless protocol used by IP hosts to report multicast group memberships to adjacent routers, and to leave groups. An IGMP flood is not vulnerability based, since IGMP is designed to allow multicast. Such floods involve a large number of IGMP membership reports being sent to a network or router, significantly slowing and eventually preventing legitimate traffic from crossing the target network.

ikev1: An attack exploiting Internet Key Exchange version 1 (IKEv1), the IPsec key negotiation protocol on UDP port 500.

IP Fragment: An attack using IP fragments of protocols other than TCP or UDP.

IP in IP protocol flood: The IP-in-IP protocol (IP protocol number 4) encapsulates one IP packet within another. The outer IP header identifies the tunnel endpoint, while the inner IP header carries the destination of the actual intended recipient.
Attackers send a large number of encapsulated packets, each containing another IP packet (the inner packet). This creates a flood of encapsulated packets, significantly increasing the traffic volume.

jenkins: This attack (CVE-2024-23897 in the Jenkins CLI) allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

mDNS Flood: Multicast DNS (mDNS, UDP port 5353) requests are used to overwhelm a victim's server by flooding it with queries. The protocol is meant for internal networks and should not be reachable on WAN interfaces.

mDNS Reflection: The attacker spoofs a target's IP address and sends mDNS requests (UDP port 5353) to hosts that answer them from the internet. Each host responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

Memcached Reflection: An attack that abuses Memcached, an in-memory key-value cache used to speed up websites and applications, as a reflector. Memcached servers exposed to the internet with UDP port 11211 open answer small spoofed requests with very large responses, giving one of the highest amplification factors of any UDP reflection vector; the resulting flood saturates the target's links and crashes its servers.

nat pmp: NAT-PMP (NAT Port Mapping Protocol, UDP port 5351) attacks exploit routers that answer NAT-PMP requests on their external interface. Misconfigured devices can be made to redirect or intercept traffic, or be used as reflectors for denial-of-service attacks.

NTP FLOOD: An NTP Flood is a kind of UDP flood in which the attacker sends a flood of fake NTP requests (UDP port 123) from a wide range of IP addresses. The NTP server tries to process all the requests, exhausting system and network resources. As a result, the server running the NTP service becomes overloaded and fails.

NTP Reflection: An NTP reflection attack is a distributed denial-of-service (DDoS) attack that uses the Network Time Protocol (NTP). The attacker spoofs the source IP address to that of the victim and sends small requests (classically the monlist command) to a vulnerable NTP server, which sends a much larger response to the victim.

NetBIOS Flood: This is an amplified reflection attack using the same strategy described for CharGEN or NTP Flood. The attack's source port is usually UDP 137.
NetBIOS Reflection: The attacker spoofs a target's IP address and sends NetBIOS name service requests (UDP port 137) to exposed hosts. Each host responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

netisnetcore: An attack that exploits a backdoor in Netis/Netcore routers: a service on UDP port 53413 accepts a hard-coded password and grants access to the device.

plex: A UDP-spoofing reflection attack, of the same kind as SSDP reflection, against the SSDP-style discovery service of Plex Media Server (UDP port 32414).

POST Flood: An HTTP POST flood is a layer 7 attack designed to overwhelm a web server's resources by continuously requesting one or more URLs from many attacking machines that simulate HTTP clients. Because the requests are well-formed, it can be hard to distinguish them from valid traffic, and the traffic volume often stays under detection thresholds.
This attack consists of POST requests only, unlike a generic HTTP flood that may mix methods such as GET, PUT and DELETE.

PUSH Flood: An HTTP PUSH flood is a layer 7 attack designed to overwhelm a web server's resources by continuously requesting one or more URLs from many attacking machines that simulate HTTP clients. Because the requests are well-formed, it can be hard to distinguish them from valid traffic, and the traffic volume often stays under detection thresholds.
This attack consists of PUSH requests only, unlike a generic HTTP flood that may mix methods such as GET, PUT and DELETE.

PUSH ACK Flood: A denial of service attack using TCP packets with the PSH and ACK flags set, usually carrying a payload, that belong to no established session on the target.

PUT Flood: An HTTP PUT flood is a layer 7 attack designed to overwhelm a web server's resources by continuously requesting one or more URLs from many attacking machines that simulate HTTP clients. Because the requests are well-formed, it can be hard to distinguish them from valid traffic, and the traffic volume often stays under detection thresholds.
This attack consists of PUT requests only, unlike a generic HTTP flood that may mix methods such as GET, PUT and DELETE.

quake: A type of brute-force attack on Microsoft MFA called AuthQuake.

QUIC Flood: A DDoS attack abusing the UDP-based QUIC protocol. The server's reply to a client's Initial packet carries the TLS ServerHello and certificate chain, so it is far larger than the request; with a spoofed source address this asymmetry can be used for reflection and amplification. QUIC limits the effect by requiring clients to pad Initial packets to at least 1200 bytes and by capping what a server sends to an unvalidated address at three times the bytes it received.

RESET Flood: After a TCP session has been established by the three-way handshake, the host and client exchange RST or FIN packets to close it.
In an RST (RESET) Flood attack, a target server receives a large number of spoofed RST packets that do not belong to any session on the server. The attack attempts to exhaust the server's resources (RAM, CPU, etc.) as it tries to match and process these invalid packets. The result is a server that is unable to serve legitimate requests because its resources are exhausted.

RIP Flood: RIP (Routing Information Protocol) is an interior gateway protocol that uses a distance-vector algorithm to determine the best route to a destination. It runs over UDP port 520, which is the source port of the attack traffic.

RIP Reflection: The attacker spoofs a target's IP address and sends RIP requests (UDP port 520) to exposed routers. Each router responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

RPC Flood: This attack uses poorly secured systems with Remote Procedure Call (RPC) services enabled, typically the portmapper on UDP port 111, for reflected floods. It can be mitigated by an ACL on the source port.

RPC Reflection: The attacker spoofs a target's IP address and sends RPC requests (typically to the portmapper on UDP port 111) to exposed hosts. Each host responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

Reserved Protocol Flood: An IPv4 flood attack using reserved or uncommon protocol numbers, other than TCP, UDP, ICMP, GRE and ESP (for example 20, 21, 22, 100 or 120).

SADP Reflection: The attacker spoofs a target's IP address and sends requests using SADP (Search Active Devices Protocol, the Hikvision device discovery protocol on UDP port 37020). Each device responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

Sentinel Flood: Sentinel reflection abuses the Sentinel license server used by IBM SPSS, a well-known statistical software package. The license server listens on UDP port 5093 and replies to whatever source port the request came from.
The attack uses the six-byte UDP request 7A 00 00 00 00 00, the letter "z" followed by five null bytes. Because UDP does not validate source IP addresses, attackers forge the source address and the license server sends its responses to the victim's systems.
The amplification factor for this attack is 42.94; however, only 745 unique sources of this attack traffic have been identified. Even with the extra bandwidth afforded by servers in well-connected networks, an attack of this type is limited by the number of reflectors available.
Sip: SIP protocol attacks exploit weaknesses in the Session Initiation Protocol (SIP, typically UDP port 5060), commonly used in Voice over IP (VoIP) systems, to disrupt services, steal information or cause financial loss. These attacks range from simple call flooding to more sophisticated methods such as registration hijacking and eavesdropping.

SLP Reflection: The attacker spoofs a target's IP address and sends Service Location Protocol (SLP, UDP port 427) requests to exposed hosts. Each host responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector; the SLP amplification issue tracked as CVE-2023-29552 allows responses thousands of times larger than the request.

SNMP Flood: Malicious traffic originates from poorly secured devices with the SNMP service enabled. The attacker sends crafted requests with the victim's spoofed IP address so that the responses flood the victim. Since the SNMP service listens on UDP port 161 by default, this is the fixed source port of the attack.

SNMP Reflection: The attacker spoofs a target's IP address and sends SNMP requests (UDP port 161) to exposed devices. Each device responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

SQL Server Reflection: The attack abuses the Microsoft SQL Server Resolution Protocol (MC-SQLR), the SQL Server Browser service listening on UDP port 1434, as a reflection vector.
Clients send a small request to this service to discover the database instances on a server and how to connect to them, and the server replies with a description of every instance. Attackers send scripted requests with a spoofed source address so that the replies appear to be requested by, and are delivered to, the intended victim. The number of database instances on a vulnerable SQL server determines the size of the response and therefore the amplification factor of the DDoS attack.

SSDP Flood: Simple Service Discovery Protocol (SSDP) uses UDP port 1900 and is meant for Universal Plug and Play device discovery, but it is frequently used as a reflection-based attack vector. This port should not be reachable over WAN interfaces.

SSDP Reflection: SSDP (Simple Service Discovery Protocol) uses UDP port 1900 and has been nicknamed the "Stupidly Simple DDoS Protocol". It is meant for Universal Plug and Play device discovery, but is frequently used as a reflection-based attack vector.

SSL GET Flood: An HTTPS flood is like an HTTP flood but consists of a seemingly legitimate set of HTTPS GET requests. It can also overwhelm and saturate the SSL/TLS daemon, degrading server services, because of the resources required for the asymmetric cryptography in the TLS handshake.

SSL POST Flood: An SSL flood or SSL renegotiation attack exploits the processing power needed to negotiate a secure TLS connection on the server side. An HTTPS flood is like an HTTP flood but consists of a seemingly legitimate set of HTTPS POST requests.

steamremoteplay: Steam Remote Play allows streaming games to other devices and has been identified as a potential attack vector. Vulnerabilities in the underlying Steam protocol or game engines could be exploited by attackers, potentially leading to remote code execution (RCE).

STUN: An attack leveraging the STUN (Session Traversal Utilities for NAT) protocol (UDP port 3478), which helps devices behind Network Address Translators (NATs) discover their public IP address and port. Spoofed STUN requests cause exposed servers to reflect their responses to the target.

SYN Flood: SYN flood attacks work by establishing half-open connections to a node. When the target receives a SYN packet on an open port, it responds with a SYN-ACK and tries to establish a connection. During a SYN flood the three-way handshake never completes, because the client never answers the server's SYN-ACK. As a result, these connections remain in the half-open state until they time out.

SYN ACK Flood: A denial of service attack using TCP packets with the SYN and ACK flags set, sent to a target that never initiated the connection, so that it must look up and reject each one.

SYN PUSH: In this attack, the attacker sends a large number of TCP SYN-PUSH packets towards a target, often at one specific port. Each packet causes the server OS to allocate memory for a new session, so with a sufficient rate of SYN-PUSH packets per second the server can run out of memory and become unable to process legitimate traffic. The attack relies on a large number of packets rather than on volume; in some cases, however, the SYN-PUSH packets carry a large payload so as to saturate the internet link as well.

TCP Anomaly: This term refers to invalid TCP flag usage: similar to the XMAS flood, but with some rather than all flags set (for example SYN and FIN together, or no flags at all). Such packets are also considered illegal by the original TCP RFC.
The six classic flags FIN, SYN, RST, PSH, ACK and URG (or ALL of them) can be matched with a border-protect ACL; the remaining flags, ECE (ECN-Echo), CWR and NS (nonce sum), cannot be filtered this way.
TCP Fragment: Also known as Teardrop attacks, these assaults send overlapping or malformed fragments to the TCP/IP reassembly mechanism, preventing it from reassembling the fragmented packets.

TLS Exhaustion: DDoS attacks that target the SSL/TLS handshake by sending worthless data to the server in an attempt to cause connection problems for legitimate users.

TFTP Flood: A TFTP flood is an amplification attack using the Trivial File Transfer Protocol (UDP port 69). It can reach amplification factors from 30x to 110x.

TFTP Reflection: The attacker spoofs a target's IP address and sends TFTP requests (UDP port 69) to exposed hosts. Each host responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

Ubnt Reflection: The attacker spoofs a target's IP address and sends requests using the Ubiquiti device discovery protocol (UDP port 10001). Each device responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

UDP Flood: In this attack the attacker sends a large number of UDP packets towards a target. It is a direct attack (not reflected), usually with multiple sources sending large numbers of large UDP packets to a single IP address. The goal is to saturate the victim's internet links and/or overwhelm server resources. Depending on the tool used, the packets often contain random data; in other cases they all have the same content.

UDP Fragment: UDP Fragment attacks accompany vectors such as CharGEN, DNS Flood and CLDAP reflection, in which payloads that do not fit the MTU are fragmented.

WSDiscovery Flood: A DDoS vector that leverages a UDP amplification technique based on WS-Discovery (WSD, UDP port 3702). WSD is yet another technology developed to ease network discovery and connectivity for consumer devices. Because UDP is stateless, requests to the WSD service can be spoofed, which causes the affected server or service to send its responses to the intended victim, consuming large amounts of the target's bandwidth.

WSDiscovery Reflection: The attacker spoofs a target's IP address and sends WSD requests (UDP port 3702) to exposed devices. Each device responds to the request, sending its answer to the target's IP address. Any internet-reachable host running the service can serve as a reflector.

valvesrcds: Remote code execution attacks targeting Valve's Source Dedicated Server (SRCDS) game servers on the Steam network.

voip10074: An attack exploiting vulnerabilities in VoIP protocol traffic on port 10074.

Vxworks: An attack exploiting remote vulnerabilities in the VxWorks operating system, particularly the URGENT/11 vulnerabilities (CVE-2019-12255 through CVE-2019-12265).

xen ima: An attack exploiting vulnerabilities in the Xen hypervisor's Integrity Management Architecture.

XMAS: Christmas Tree attack, a specific type of TCP anomaly in which many or all TCP flags are set in the same packet (classically FIN, PSH and URG together, so the header is "lit up like a Christmas tree").
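The following is an added example and not code from the original reference or from the product it documents. It shows how a practitioner might label flow records from their own telemetry with the attackTypeName values above: TCP floods are named from their flag combination, UDP reflection vectors from the well-known service port the reflector replies from, and other IPv4 traffic from its protocol number. The Flow record type, the port and protocol tables, and the sample batch are all assumptions constructed for the example; the ports are the standard ones for each service, which the table only partly lists.

```python
# Added example, not part of the original reference page or its product.
# Maps flow-record fields to the attackTypeName values in the table above.
# The port and protocol-number tables are assumptions drawn from the standard
# service ports; the sample flows at the bottom are constructed for illustration.
from collections import Counter
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793; ECE/CWR from RFC 3168, NS from RFC 3540).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
CORE_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # the six flags a border ACL can match

# Reflection vectors recognised by the UDP source port the reflector answers from.
UDP_REFLECTOR_PORTS = {
    19: "CharGEN Attack",
    53: "DNS Reflection",
    69: "TFTP Reflection",
    111: "RPC Reflection",
    123: "NTP Reflection",
    137: "NetBIOS Reflection",
    161: "SNMP Reflection",
    389: "CLDAP Reflection",
    427: "SLP Reflection",
    520: "RIP Reflection",
    1434: "SQL Server Reflection",
    1900: "SSDP Reflection",
    3283: "ARMS Reflection",
    3702: "WSDiscovery Reflection",
    5093: "Sentinel Flood",
    5353: "mDNS Reflection",
    10001: "Ubnt Reflection",
    11211: "Memcached Reflection",
    37810: "DHdiscovery",
}

# Non-TCP/UDP IPv4 protocol numbers the table names explicitly.
IP_PROTOCOL_NAMES = {
    1: "ICMP Flood",
    2: "IGMP Flood",
    4: "IP in IP protocol flood",
    47: "GRE Protocol Flood",
    50: "ESP Flood",
}


@dataclass
class Flow:
    proto: int              # IPv4 protocol number (6 = TCP, 17 = UDP)
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0      # bitmask built from the flag constants above
    fragment: bool = False  # non-first IP fragment (no transport header present)


def classify_tcp_flags(flags: int) -> str:
    """Name a TCP flood by its flag combination, following the table's definitions."""
    core = flags & CORE_FLAGS
    # Xmas: the classic FIN+PSH+URG probe, or every core flag lit at once.
    if core in (FIN | PSH | URG, CORE_FLAGS):
        return "XMAS"
    by_flags = {
        SYN: "SYN Flood",
        SYN | ACK: "SYN ACK Flood",
        SYN | PSH: "SYN PUSH",
        ACK: "ACK Flood",
        PSH | ACK: "PUSH ACK Flood",
        FIN | PSH | ACK: "FIN PUSH Flood",
        FIN: "FIN Flood",
        FIN | ACK: "FIN Flood",
        RST: "RESET Flood",
        RST | ACK: "RESET Flood",
    }
    # Anything else (no flags, SYN+FIN, SYN+RST, ...) is an illegal combination.
    return by_flags.get(core, "TCP Anomaly")


def classify(flow: Flow) -> str:
    """Return the attackTypeName that best describes a single flow record."""
    if flow.proto == 6:
        return "TCP Fragment" if flow.fragment else classify_tcp_flags(flow.tcp_flags)
    if flow.proto == 17:
        if flow.fragment:
            return "UDP Fragment"
        # A reply *from* a well-known service port means a reflector was abused.
        if flow.src_port in UDP_REFLECTOR_PORTS:
            return UDP_REFLECTOR_PORTS[flow.src_port]
        # Queries *to* port 53 that do not come from a resolver are a direct DNS Flood.
        if flow.dst_port == 53:
            return "DNS Flood"
        return "UDP Flood"
    if flow.fragment:
        return "IP Fragment"
    return IP_PROTOCOL_NAMES.get(flow.proto, "Reserved Protocol Flood")


def dominant_vectors(flows: list, top: int = 3) -> list:
    """Count attack types across a batch of flows, most common first."""
    return Counter(classify(f) for f in flows).most_common(top)


# Constructed sample batch: a Memcached reflection mixed with a SYN flood and noise.
SAMPLE_FLOWS = (
    [Flow(proto=17, src_port=11211, dst_port=41000 + i) for i in range(6)]
    + [Flow(proto=6, src_port=50000 + i, dst_port=443, tcp_flags=SYN) for i in range(4)]
    + [Flow(proto=6, dst_port=80, tcp_flags=FIN | SYN), Flow(proto=100)]
)

if __name__ == "__main__":
    for name, count in dominant_vectors(SAMPLE_FLOWS):
        print(f"{count:3d}  {name}")
```

The source-port heuristic is deliberately simple: a UDP packet whose source port happens to collide with a reflector port will be mislabelled, so in production it should be combined with rate and packet-size checks before the label is trusted.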