Note: Unfortunately this list is non-exhaustive. New attack vectors are discovered daily, and many less popular and modified attack vectors exist. This list is for informative purposes only.


Saturation Attacks

| # | Category | Protocol | Attack | Variants | Description |
|---|----------|----------|--------|----------|-------------|
| B1 | Floods | TCP | TCP Flood | TCP ACK Flood; TCP Frag Flood | A large number of TCP packets sent to a destination. Packet type and flags are chosen for maximum CPU utilization. |
| | | | | TCP SYN Flood; Sockstress | For every SYN packet received, the server must begin handshaking a new connection. Flooding TCP SYN packets saturates the server's backlog of half-open connections. |
| | | | | TCP ESSYN Flood | Variation on the SYN flood that also includes ACK packets. Very effective against non-protected servers. |
| | | | | TCP Connection flood | Unlike a SYN flood, these floods complete the three-way handshake correctly and normally originate from insecure services or applications (e.g. old BitTorrent versions via announce URLs). |
| | | | | Historical: Bang! | TCP SYN packets are sent to standard public servers with a spoofed source address; the public servers respond with 2-3 SYN-ACK packets to the spoofed target. |
| B2 | Floods | UDP | UDP Flood | UDP-Frag Flood | Fragmented UDP packets that must be buffered for subsequent re-assembly when received, resulting in higher CPU usage. |
| B3 | Floods | ICMP | ICMP Flood | Saturation | A large number of possibly compromised hosts send ICMP echo requests / responses to saturate network and CPU processing. |
| | | | | Broadcast | Amplification and reflection attack utilizing broadcast PING. |
| B4 | Floods | ICMP | Historical: ICMP SMURF attack | | A spoofed ICMP source address on ICMP broadcast packets results in large numbers of ICMP packets sent to the target. |
| B5 | Floods | UDP | NTP amplification | | Insecure NTP servers used to increase the volume of an attack and anonymize its source. |
| B6 | Floods | UDP | DNS amplification | TXT, SPF etc | Insecure DNS servers used to increase the volume of an attack and anonymize its source. |
| | | | DNS recursion | CNAME | Use of insecure recursive resolvers to generate large numbers of incoming DNS queries. |
| | | | DNS amplification + ICMP | DNS + ICMP | DNS queries sent to random IP addresses with the target's address as the spoofed source, triggering a mix of UDP responses and ICMP port unreachable responses. |
| B7 | Floods | UDP | CHARGEN amplification | | UDP amplification method using insecure CHARGEN services on UDP port 19. |
| B8 | Floods | UDP | SNMP amplification | Bulk Reply (v2); Other | Insecure SNMP services running on often outdated / unpatched appliances with default community strings are used to amplify and anonymize UDP floods. |
| B9 | Floods | UDP | SSDP amplification | | Like most UDP protocols, SSDP is useful for amplification through source spoofing. |
| B10 | Floods | IP | IP Packet Flood | IGMP Flood, etc | Any protocol type can exhaust upstream network capacity as well as local CPU and network capacity. |
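The B1 row describes a SYN flood in terms of the server's half-open backlog. The following added example (not part of the original table) models that backlog from the client-to-server packet stream: a SYN opens a half-open slot, the client's pure ACK completes it, and a RST abandons it; ports whose backlog exceeds an assumed limit are reported. The packet records and the `HALF_OPEN_LIMIT` value are constructed for the example.

```python
"""Half-open connection accounting to detect a TCP SYN flood.

Added example, not part of the original table. Packet records below are
constructed, not captured traffic.
"""
from collections import defaultdict

# TCP flag bits in the low byte of the header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumed threshold: more than this many half-open connections on one
# listening port is treated as saturation for the purposes of the example.
HALF_OPEN_LIMIT = 100


def track_half_open(packets):
    """Replay client->server packets and return {dst_port: half_open_count}.

    Each packet is a dict with src, sport, dst, dport and flags (int bitmask).
    Only the client side is modelled: a SYN opens a half-open slot, a pure
    ACK on the same 4-tuple completes it, and a RST abandons it.
    """
    half_open = set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        f = p["flags"]
        if f & SYN and not f & ACK:
            half_open.add(key)          # new handshake started
        elif f & RST:
            half_open.discard(key)      # client (or spoofed source) tore it down
        elif f & ACK and not f & SYN:
            half_open.discard(key)      # third step of the handshake
    counts = defaultdict(int)
    for _, _, _, dport in half_open:
        counts[dport] += 1
    return dict(counts)


def saturated_ports(packets, limit=HALF_OPEN_LIMIT):
    """Ports whose half-open backlog exceeds the limit, sorted."""
    return sorted(port for port, n in track_half_open(packets).items() if n > limit)


def constructed_traffic():
    """Constructed sample: 3 completed handshakes to :443 and 150 bare SYNs
    from distinct (spoofed) sources to :80 that never complete."""
    pkts = []
    for i in range(3):
        src, sport = "198.51.100.%d" % (10 + i), 40000 + i
        pkts.append({"src": src, "sport": sport, "dst": "203.0.113.5", "dport": 443, "flags": SYN})
        pkts.append({"src": src, "sport": sport, "dst": "203.0.113.5", "dport": 443, "flags": ACK})
    for i in range(150):
        pkts.append({"src": "192.0.2.%d" % (i % 254 + 1), "sport": 1024 + i,
                     "dst": "203.0.113.5", "dport": 80, "flags": SYN})
    return pkts


if __name__ == "__main__":
    print(track_half_open(constructed_traffic()))   # {80: 150}
    print(saturated_ports(constructed_traffic()))   # [80]
```

In production the set would be keyed with a timestamp so entries age out, and the same accounting can be fed from a SYN cookie or backlog counter instead of raw packets; the point is that the ratio of SYNs to completed handshakes, not the raw SYN rate, is what distinguishes the flood from a legitimate burst of new clients.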
Semantic Attacks

| # | Category | Protocol | Attack | Variants | Description |
|---|----------|----------|--------|----------|-------------|
| S1 | Invalid Packet | TCP | Bogus Packets | SYN + FIN; SYN + RST | Combinations of packet flags that are invalid or produce undesirable results. For example, TCP SYN is used to open a connection while TCP FIN is used to terminate an existing connection. |
| S2 | Invalid Packet | TCP | Reset | TCP RST flood | A spoofed TCP packet (address, ports) used to reset the spoofed client's connection. |
| S3 | Security | IGMP | Unsafe Protocol | Many | Many exploits exist for IGMP (remote denial of service, remote code execution). It is mainly used for router multicasting and not relevant for most applications or services. |
| S4 | Large Packet | ICMP | Reassembly of large packets | Ping of Death | Rare: large (greater than 2^16 bytes) ICMP packet that exploits a re-assembly bug in old software. |
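Row S1 names the flag combinations that cannot represent a valid TCP state transition. The added example below (not part of the original table) parses tcpdump-style summary lines and tallies segments carrying SYN together with FIN or RST, or no flags at all, by reason and by source address, which is the shape of a simple detection rule for these packets. The sample lines are constructed, not captured.

```python
"""Classifier for the bogus TCP flag combinations listed in row S1.

Added example, not part of the original table. Lines are constructed.
"""
import re
from collections import Counter

# TCP flag bits in the low byte of the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Letters tcpdump prints inside "Flags [...]"; "none" contributes no bits.
TCPDUMP_FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse_tcpdump_line(line):
    """Return {src, sport, dst, dport, flags} for a tcpdump TCP line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flagstr = m.groups()
    flags = 0
    for ch in flagstr:
        flags |= TCPDUMP_FLAG_BITS.get(ch, 0)
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def flag_verdict(flags):
    """Reason string if the combination is bogus, else None.

    SYN opens a connection, FIN closes one and RST aborts one, so SYN
    together with FIN or RST is contradictory; a segment with no flags at
    all carries no meaning either.
    """
    if flags & SYN and flags & FIN:
        return "syn+fin"
    if flags & SYN and flags & RST:
        return "syn+rst"
    if flags == 0:
        return "null"
    return None


def tally_bogus(lines):
    """Count bogus segments by reason and by source address."""
    by_reason, by_source = Counter(), Counter()
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        reason = flag_verdict(pkt["flags"])
        if reason:
            by_reason[reason] += 1
            by_source[pkt["src"]] += 1
    return dict(by_reason), dict(by_source)


# Constructed sample lines in tcpdump's default TCP summary format
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.0.2.7.4444 > 203.0.113.5.80: Flags [SF], seq 1, win 512, length 0",
    "12:00:01.000002 IP 192.0.2.7.4445 > 203.0.113.5.80: Flags [SR], seq 1, win 512, length 0",
    "12:00:01.000003 IP 192.0.2.7.4446 > 203.0.113.5.80: Flags [none], seq 1, win 512, length 0",
    "12:00:01.000004 IP 198.51.100.9.40000 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000005 IP 198.51.100.9.40000 > 203.0.113.5.443: Flags [.], ack 1, win 64240, length 0",
    "12:00:01.000006 IP 198.51.100.9.40000 > 203.0.113.5.443: Flags [F.], seq 1, ack 1, win 64240, length 0",
]

if __name__ == "__main__":
    print(tally_bogus(SAMPLE_LINES))   # ({'syn+fin': 1, 'syn+rst': 1, 'null': 1}, {'192.0.2.7': 3})
```

Legitimate stacks never emit these combinations, so even a handful of hits per source is a reliable signal; stateful firewalls normally drop them before they reach the host, and the tally is mainly useful for confirming that the filter is in place.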
HTTP(s) Layer 7 Attacks

| # | Category | Protocol | Attack | Variants | Description |
|---|----------|----------|--------|----------|-------------|
| H1 | Floods | HTTP | Proxy-Flood | DAVOSET | “DDoS attacks via other sites”. Web services such as language translators, HTTP proxies and code validators can be used to amplify and anonymize bulk requests. The large number of clients increases filtering difficulty. |
| H2 | Floods | HTTP | Wordpress-Pingback | Wordpress | Abuse of the Pingback feature in the popular blogging platform Wordpress. |
| H3 | Floods | HTTP | Request Saturation | Siege; ApacheBench (ab) | Repeated loading of site pages in bulk by automated bots with malicious intent. Often the pages chosen to flood are dynamic (high cost) in nature. |
| H4 | Bad Client | HTTP | Malformed HTTP Header | | Attempt to trigger undefined behavior or crash the web server. |
| H5 | Flood | HTTP | HTTP URL GET/POST | | Often called “refresh flood” or “bad bot traffic”. Resources are tied up serving non-human visitors. |
| H6 | Bad Client | HTTP | Slow-HTTP Request | Slowloris / Pyloris | Ties up processing resources while the server waits for the connection to complete. |
| H7 | Bad Client | HTTP | Malformed SSL Communication | | Attempt to trigger undefined behavior or crash the web server. |
| H8 | Bad Client | HTTP | HTTP / HTTPS Exhaustion | SSL Renegotiation Attacks | CPU exhaustion through repeating an expensive process. |
| H9 | Bad Client | HTTP | Range Header Resource Consumption | ApacheKiller | Memory and CPU consumption via maliciously constructed Range headers (overlapping and excessive in number). |
| H10 | Bad Client | HTTP | Post field size | RUDY | Increase the size of form fields until the server is exhausted. |
Security

| # | Category | Protocol | Attack | Variants | Description |
|---|----------|----------|--------|----------|-------------|
| X1 | | TCP & UDP | Port scanning | Search for insecure services | Many services bind by default to all network addresses on a server. These may include insecure services that provide an attack or compromise vector. |