Note: Unfortunately this list is non-exhaustive. New attack vectors are discovered daily, and many less popular and modified attack vectors exist. This list is for informative purposes only.
| # | Category | Protocol | Attack | Variants | Description |
|---|----------|----------|--------|----------|-------------|
| **Saturation Attacks** | | | | | |
| B1 | Floods | TCP | TCP Flood | TCP ACK Flood, TCP Frag Flood | A large number of TCP packets sent to a destination. Packet choice and flags are set for maximum CPU utilization. |
| | | | | TCP SYN Flood, Sockstress | For every SYN packet received, the server must begin the handshake for a new connection. Flooding TCP SYN packets results in saturation of the half-open connection table. |
| | | | | TCP ESSYN Flood | Variation on the SYN Flood that also includes ACK packets. Very effective against non-protected servers. |
| | | | | TCP Connection flood | Unlike a SYN flood, these floods complete the three-way handshake correctly and normally originate from insecure services or applications (e.g. old BitTorrent versions via announce URLs). |
| | | | | Historical: Bang! | TCP SYN packets are sent to standard public servers with a spoofed source address; the public servers respond with 2-3 SYN-ACK packets to the spoofed target. |
| B2 | Floods | UDP | UDP Flood | UDP-Frag Flood | Fragmented UDP packets that must be buffered for subsequent reassembly when received, resulting in higher CPU usage. |
| B3 | Floods | ICMP | ICMP Flood | Saturation | A large number of possibly compromised hosts saturate network / CPU processing by sending ICMP echo requests / responses. |
| | | | | Broadcast | Amplification and reflection attack utilizing broadcast PING. |
| B4 | Floods | ICMP | Historical: ICMP SMURF attack | | A spoofed ICMP source address on ICMP broadcast packets results in large numbers of ICMP packets sent to the target. |
| B5 | Floods | UDP | NTP amplification | | Insecure NTP servers used to increase the volume of, and anonymize the source of, attacks. |
| B6 | Floods | UDP | DNS amplification | TXT, SPF etc. | Insecure DNS servers used to increase the volume of, and anonymize the source of, attacks. |
| | | | DNS recursion | CNAME | Use of insecure recursive resolvers to generate large numbers of incoming DNS queries. |
| | | | DNS amplification + ICMP | DNS + ICMP | DNS queries sent to random IP addresses from the spoofed target address, triggering a mix of UDP responses and ICMP port unreachable responses. |
| B7 | Floods | UDP | CHARGEN amplification | | UDP amplification method using insecure CHARGEN services on UDP port 19. |
| B8 | Floods | UDP | SNMP amplification | Bulk Reply (v2), Other | Insecure SNMP services running on often outdated / non-updated appliances with default community authentication settings are used to amplify and anonymize UDP floods. |
| B9 | Floods | UDP | SSDP amplification | | Like most UDP protocols, another protocol that is useful for amplification through source spoofing. |
| B10 | Floods | IP | IP Packet Flood | IGMP Flood, etc. | All protocol types are capable of exhausting upstream network capacity, as well as local CPU and network capacity. |
| **Semantic Attacks** | | | | | |
| S1 | Invalid Packet | TCP | Bogus Packets | SYN + FIN, SYN + RST | Combinations of packet flags that are invalid or produce undesirable results. For example, TCP SYN is used to open a connection while TCP FIN is used to terminate an existing connection. |
| S2 | Invalid Packet | TCP | Reset | TCP RST flood | A spoofed TCP packet (address, ports) that resets the spoofed client's connection. |
| S3 | Security | IGMP | Unsafe Protocol | Many | Many exploits exist for IGMP (remote denial of service, remote code execution). It is mainly used for router multicasting and is not relevant for most applications or services. |
| S4 | Large Packet | ICMP | Reassembly of large packets | Ping of Death | Rare: a large (greater than 2^16 bytes) ICMP packet that exploits a reassembly bug in old software. |
| **HTTP(S) Layer 7 Attacks** | | | | | |
| H1 | Floods | HTTP | Proxy-Flood | DAVOSET | "DDoS attacks via other sites". Web services such as language translators, HTTP proxies and code validators can be used to amplify and anonymize bulk requests. The large number of clients increases filtering difficulty. |
| H2 | Floods | HTTP | WordPress-Pingback | WordPress | The Pingback feature of the popular blogging platform WordPress is abused to generate requests against the target. |
| H3 | Floods | HTTP | Request Saturation | Siege, ApacheBench (ab) | Repeated loading of site pages in bulk by automated bots with malicious intent. Often the pages chosen to flood are dynamic (high cost) in nature. |
| H4 | Bad Client | HTTP | Malformed HTTP Header | | Attempt to trigger undefined behavior or crash the web server. |
| H5 | Flood | HTTP | HTTP URL GET/POST | | Often called "refresh flood" or "bad bot traffic". Resources are tied up serving non-human visitors. |
| H6 | Bad Client | HTTP | Slow-HTTP Request | Slowloris / Pyloris | Tie up processing resources waiting for connection completion. |
| H7 | Bad Client | HTTP | Malformed SSL Communication | | Attempt to trigger undefined behavior or crash the web server. |
| H8 | Bad Client | HTTP | HTTP / HTTPS Exhaustion | SSL Renegotiation Attacks | CPU exhaustion through repeating an expensive process. |
| H9 | Bad Client | HTTP | Range Header Resource Consumption | ApacheKiller | Memory and CPU consumption via maliciously constructed Range headers (overlapping and excessive in number). |
| H10 | Bad Client | HTTP | Post field size | RUDY | Increase the size of form fields until the server is dead. |
| **Security** | | | | | |
| X1 | | TCP & UDP | Port scanning | Search for insecure services | Many services bind to all network addresses on a server by default. These may include insecure services which provide an attack or compromise vector. |