03 Adversaries Evolve and Innovate Attack Methods and Vectors
Adversaries constantly innovate and explore new and more powerful DDoS attack vectors, as evidenced by the creation of new ones every year. As DDoS defenses become more precise and effective, attackers keep finding ways to bypass them with new vectors and methodology.
New vectors and methodology are not the only tools adversaries use, however: the past 18 months have also seen an increase in TCP-based direct-path attacks, which are launched from compromised hosts straight at the target rather than bounced off third-party reflectors. We have developed a white paper that examines these trends in greater detail; two of its findings follow.
Explore the Whitepaper
To learn about new DDoS attack vectors and changes in adversary behavior, explore our whitepaper.
When direct-path attacks or tried-and-true vectors fail, adversaries turn to other methods such as carpet-bombing and DNS water torture.
Carpet-bombing spreads a DDoS attack across a wide range of destination addresses and services, each receiving a smaller share of the traffic, so that multiple links fill up while no single destination exceeds a per-host traffic threshold; defenses that measure only per-destination volume miss it unless they also aggregate by prefix. DNS water torture, on the other hand, sends a huge number of queries for bogus, pseudo-random subdomains of a target zone; because every name is new, caches cannot absorb the load, and it lands on the zone's authoritative servers (and the recursive resolvers in between), slowing or disrupting those services altogether. Both methods saw significant increases in 1H 2022.
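The two detection checks the paragraph above implies, as an added example that is not part of the report: a per-host volume threshold misses a carpet-bombing attack that a per-prefix aggregate catches, and a DNS query log can be screened for zones receiving floods of unique, random-looking, non-existent names. The thresholds, the log-line format, and all sample flows and log lines are constructed assumptions for this example.

```python
"""Added example: carpet-bombing and DNS water torture detection over constructed data."""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict


def carpet_bombing_alerts(flows, host_threshold_mbps, prefix_threshold_mbps, prefix_len=24):
    """flows: iterable of (destination_ip, mbps). Returns (host_alerts, prefix_alerts).

    The same traffic is summed twice: once per destination host (what a
    per-host threshold sees) and once per covering prefix (what catches an
    attack spread thinly across a whole block)."""
    per_host = Counter()
    per_prefix = Counter()
    for dst, mbps in flows:
        per_host[dst] += mbps
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[str(net)] += mbps
    host_alerts = sorted(h for h, v in per_host.items() if v >= host_threshold_mbps)
    prefix_alerts = sorted(p for p, v in per_prefix.items() if v >= prefix_threshold_mbps)
    return host_alerts, prefix_alerts


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label; random labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def water_torture_zones(log_lines, min_queries=50, nx_ratio=0.8, unique_ratio=0.9, min_entropy=2.5):
    """Assumed log format: '<ts> client <ip> query <qname> <qtype> <rcode>'.

    A zone is flagged when nearly every query for it returns NXDOMAIN, nearly
    every leftmost label is unique (so caches cannot help), and the labels
    look random rather than like real hostnames."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "labels": set(), "entropy": 0.0})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7 or parts[3] != "query":
            continue  # skip malformed lines instead of crashing on them
        qname, rcode = parts[4].rstrip(".").lower(), parts[6]
        if "." not in qname:
            continue
        label, zone = qname.split(".", 1)
        s = stats[zone]
        s["n"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["labels"].add(label)
        s["entropy"] += label_entropy(label)
    flagged = []
    for zone, s in stats.items():
        if s["n"] < min_queries:
            continue
        if (s["nx"] / s["n"] >= nx_ratio
                and len(s["labels"]) / s["n"] >= unique_ratio
                and s["entropy"] / s["n"] >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)


# Constructed sample: 200 hosts in 203.0.113.0/24 each receive 4 Mbit/s, well
# under a 50 Mbit/s per-host trigger, plus one ordinary destination elsewhere.
CARPET_FLOWS = [(f"203.0.113.{i}", 4.0) for i in range(1, 201)] + [("198.51.100.7", 12.0)]


def _random_label(i):
    # Deterministic stand-in for the attacker's pseudo-random labels.
    return hashlib.sha1(str(i).encode()).hexdigest()[:12]


# Constructed log: a water-torture flood against example.com beside normal
# lookups of a handful of real names in another zone.
DNS_LOG = (
    [f"2022-06-01T12:00:{i % 60:02d}Z client 192.0.2.{i % 250 + 1} query "
     f"{_random_label(i)}.example.com A NXDOMAIN" for i in range(200)]
    + [f"2022-06-01T12:00:{i % 60:02d}Z client 192.0.2.9 query "
       f"{['www', 'mail', 'ftp'][i % 3]}.corp.example A NOERROR" for i in range(100)]
)

if __name__ == "__main__":
    print(carpet_bombing_alerts(CARPET_FLOWS, 50, 500))  # ([], ['203.0.113.0/24'])
    print(water_torture_zones(DNS_LOG))                   # ['example.com']
```

The per-host pass raises no alert because every host sits at 4 Mbit/s, while the /24 aggregate reaches 800 Mbit/s; the DNS check flags example.com only, since corp.example answers NOERROR for a few repeated names. In production the same checks would run over flow exports and authoritative or resolver query logs rather than the constructed lists here.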
Carpet Bombing
DNS Water Torture Attacks
Periodic Table of Attack Vectors
Legend: each element gives the attack vector name and symbol, whether it is new this period, its amplification factor (the response-to-request ratio, shown as N:1), the number of attacks observed, and the number of abusable devices available on the internet.
Number of attacks: 0 – 50,000 | 50,001 – 500,000 | 500,001+
Available devices (risk tier): Risk 1: 1 – 500,000 | Risk 2: 500,001 – 2,000,000 | Risk 3: 2,000,001 – 4,000,000 | Risk 4: 4,000,001 – 6,000,000 | Risk 5: 6,000,000+
ARMS Amp
Apple Remote Management Service (ARMS), part of Apple Remote Desktop, answers unauthenticated requests on UDP/3283 and can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification factor: 35.5:1 | Number of attacks: 10,517 | Available devices: 18,032
BACnet Amp
BACnet (Building Automation and Control Network) is the protocol used by HVAC, lighting, and access-control equipment; BACnet/IP runs over UDP/47808. A network flooded with BACnet messages can prevent the delivery of control and monitoring messages between devices, and flooding a controller's microprocessor with commands limits its ability to operate normally; scaled up, this can shut down large systems such as a campus or a factory. Because the protocol is UDP-based and internet-exposed devices answer unauthenticated requests, it can also be used for reflection/amplification attacks.
Amplification factor: 120:1 | Number of attacks: 1,583 | Available devices: 15,648
BitTorrent Amp
BitTorrent is a popular peer-to-peer file-sharing protocol that uses a central "tracker" server to coordinate connections between peers in an ad hoc file-sharing network known as a "swarm." The tracker is specified by the original file distributor and trusted unconditionally by peers in the swarm. This central point of control lets a malicious file distributor deploy a modified tracker that feeds peers in a swarm false coordination data, directing their connection traffic toward an arbitrary target machine on an arbitrary service port.
Amplification factor: 3.8:1 | Number of attacks: 58,025 | Available devices: 306,840
Chargen Amp
The Character Generator Protocol (CHARGEN, RFC 864) listens on port 19 over TCP or UDP and answers any datagram with a random-length string of characters (up to 512 bytes over UDP). Because a tiny spoofed request yields a much larger response, UDP CHARGEN can be exploited to perform reflection/amplification DDoS attacks.
Amplification factor: 1,000:1 | Number of attacks: 25,817 | Available devices: 41,857
Citrix-ICA Amp
Citrix Independent Computing Architecture (Citrix ICA) is a proprietary protocol for Citrix application-server systems. Designed by Citrix Systems, it is not bound to any single platform and specifies how data is passed between server and clients. Citrix ICA comprises a server software component, a network protocol component, and a client software component. The ICA protocol has been used as a reflection/amplification vector for DDoS attacks.
Amplification factor: 5.7:1 | Number of attacks: 1,019 | Available devices: 22,833
CLDAP Amp
The Connectionless Lightweight Directory Access Protocol (CLDAP) is an LDAP variant that uses UDP destination port 389 to connect to, search, and modify shared internet directories. Like other UDP-based protocols, CLDAP can be exploited to perform UDP reflection/amplification DDoS attacks; a small spoofed search request returns a far larger directory response.
Amplification factor: 56.89:1 | Number of attacks: 175,644 | Available devices: 19,321
COAP Amp
The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for machine-to-machine (M2M) applications such as smart energy and building automation; it normally runs over UDP/5683. Like other UDP-based protocols, CoAP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification factor: 34:1 | Number of attacks: 4,417 | Available devices: 428,187
D/TLS
Datagram Transport Layer Security (DTLS) is a version of the TLS protocol implemented over the datagram-oriented UDP transport to secure datagram-based applications against eavesdropping, tampering, and message forgery. Servers that answer a spoofed ClientHello with a full handshake flight, instead of first requiring the stateless cookie exchange (HelloVerifyRequest) the protocol provides for exactly this purpose, can be abused to launch reflection/amplification DDoS attacks.
Amplification factor: 37.34:1 | Number of attacks: n/a | Available devices: 4,283
DHCPDiscover Amp
DHCPDiscover, a UDP-based JSON protocol used to manage networked digital video recorders (DVRs), can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication for the service. Unfortunately, many of these DVR variants do not enable such authentication by default. The DHCPDiscover reflection/amplification vector appears to have been added to the arsenals of booter/stresser DDoS-for-hire services, placing it within reach of the general attacker population.
Amplification factor: 24:1 | Number of attacks: 13,284 | Available devices: 116,232
DNS
This attack vector uses programmatically generated DNS queries to exhaust the capacity of recursive and authoritative DNS servers to answer legitimate queries. For example, the variant known as DNS "water torture" floods a zone's authoritative servers with queries for pseudo-randomized, non-existent resource records, which defeats caching at intermediate resolvers because every name is new. DNS query floods are primarily measured in queries per second (qps) and are considered a form of application-layer DDoS attack.
Number of attacks: 279,808 | Available devices: n/a
DNS Amp
A DNS reflection/amplification DDoS attack is a two-step attack: the attacker sends small queries with the victim's address spoofed as the source to open DNS resolvers (or authoritative servers), and those servers return much larger responses to the victim. Queries for large record sets, often with EDNS0 advertising a large UDP payload size so the answer is not truncated, maximize the ratio of response bytes to request bytes.
Amplification factor: 160:1 | Number of attacks: 927,366 | Available devices: 1,617,024
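What makes UDP reflection/amplification work, and how it shows up in flow data, as an added example that is not part of the report or of any vendor's product. dns_query() builds a real wire-format DNS query with an EDNS0 OPT record, the shape used against open resolvers, to show how few bytes the attacker sends per reflected response; detect_reflection() then scans NetFlow-style records for the signature shared by most amplification entries in this table: many distinct sources all replying from one well-known service port to one destination, with large packets, and no matching requests from that destination. The port-to-service map, the thresholds, and all flow records are assumptions constructed for this example.

```python
"""Added example: DNS query construction, amplification ratio, and reflection detection."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Assumed default UDP ports of reflectable services listed in the table.
REFLECTOR_PORTS = {
    17: "QOTD", 19: "CHARGEN", 53: "DNS", 69: "TFTP", 111: "rpcbind",
    123: "NTP", 137: "NetBIOS", 161: "SNMP", 389: "CLDAP", 500: "ISAKMP",
    520: "RIPv1", 623: "IPMI", 1701: "L2TP", 1900: "SSDP", 3283: "ARMS",
    3389: "RDP", 3478: "STUN", 3702: "WS-DD", 5060: "SIP", 5093: "Sentinel",
    5353: "mDNS", 5683: "CoAP", 11211: "Memcached", 27015: "VSE", 47808: "BACnet",
}


def dns_query(name, qtype=255, udp_payload=4096, txid=0x1234):
    """RFC 1035 header and question plus an RFC 6891 OPT pseudo-record that
    advertises a large UDP payload so the resolver does not truncate."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, QDCOUNT=1, ARCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype (255 = ANY), class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # root name, TYPE=OPT, CLASS=payload size, TTL, RDLEN
    return header + question + opt


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor, the ratio the table reports as N:1."""
    return response_bytes / request_bytes


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


def detect_reflection(flows, min_sources=3, min_bytes_per_packet=200):
    """Return {victim_ip: [(service, distinct_sources, avg_bytes_per_packet, total_bytes)]}.

    Replies from a service port to a host that never sent a request to that
    server are the strongest signal; a resolver answering its own client is not."""
    requests_seen = {(f.src_ip, f.dst_ip, f.dst_port) for f in flows if f.dst_port in REFLECTOR_PORTS}
    by_victim = defaultdict(lambda: defaultdict(list))
    for f in flows:
        service = REFLECTOR_PORTS.get(f.src_port)
        if service and (f.dst_ip, f.src_ip, f.src_port) not in requests_seen:  # unsolicited reply
            by_victim[f.dst_ip][service].append(f)
    findings = {}
    for victim, services in by_victim.items():
        for service, fl in services.items():
            sources = {f.src_ip for f in fl}
            pkts = sum(f.packets for f in fl)
            total = sum(f.octets for f in fl)
            bpp = total / pkts
            if len(sources) >= min_sources and bpp >= min_bytes_per_packet:
                findings.setdefault(victim, []).append((service, len(sources), round(bpp), total))
    return findings


# Constructed flow records: four open resolvers and three NTP servers all
# answering toward 203.0.113.10 on a port it never queried from, alongside a
# legitimate DNS exchange between a client and its own resolver.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 53, "203.0.113.10", 80, 5_000, 15_000_000) for i in range(1, 5)]
    + [Flow(f"198.51.100.{i}", 123, "203.0.113.10", 80, 20_000, 9_000_000) for i in range(11, 14)]
    + [Flow("203.0.113.25", 54321, "192.0.2.53", 53, 100, 6_000),
       Flow("192.0.2.53", 53, "203.0.113.25", 54321, 100, 12_000)]
)

if __name__ == "__main__":
    q = dns_query("example.com")
    print(len(q), "byte ANY query; a 3,000-byte answer gives", amplification_factor(len(q), 3000), ": 1")
    for victim, hits in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, hits)
```

The 40-byte query against an assumed 3,000-byte answer gives 75:1, in the range the table reports for DNS; the detector reports 203.0.113.10 with DNS and NTP reflectors and ignores the resolver-to-client reply because the client's own query is visible. The unsolicited-reply check assumes both directions of traffic are exported; where only inbound flows are visible, fall back to the source-count and bytes-per-packet criteria alone.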
HTML5
HTML5 (Hypertext Markup Language, version 5) is used for structuring and presenting content on the World Wide Web. Its ping attribute on anchor elements makes the browser send a POST request to the listed URL whenever a user follows the link, as a notification mechanism for site operators. By serving pages whose links carry a ping attribute pointing at a victim, attackers have turned the browsers of ordinary visitors into an application-layer DDoS source.
Number of attacks: n/a | Available devices: n/a
ICMP
Programmatically generated ICMP packets intended to consume link bandwidth (bps) and throughput (pps), as well as, in the case of ICMP Echo Request (ping) floods, the capacity of targeted nodes to generate ICMP responses. ICMP floods are measured in both bits per second (bps) and packets per second (pps) and are a form of volumetric DDoS attack.
Number of attacks: 667,349 | Available devices: n/a
IP NULL
Programmatically generated IP packets with no actual payload, typically padded with zeroes or pseudo-random characters. IP Null floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link bandwidth (bps) and throughput (pps). They are measured in both bps and pps and are a volumetric form of DDoS attack.
Number of attacks: 2,041 | Available devices: n/a
IPMI Amp
Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based platform management used for centralized server control and monitoring; its network interface (RMCP) listens on UDP/623. Internet-exposed baseboard management controllers have been exploited to launch reflection DDoS attacks against data centers and servers, albeit with a low amplification ratio.
Amplification factor: 1.1:1 | Number of attacks: 795 | Available devices: 81,428
IPv4 Protocol 0
Programmatically generated packets carrying IPv4 protocol number 0, intended to consume link bandwidth and throughput as well as the capacity of targeted nodes to process incoming packets. Protocol 0 is not a valid IPv4 transport protocol, but such packets are forwarded by most routers and layer-3 switches, and a receiving host still spends cycles classifying and discarding each one. IPv4 Protocol 0 floods are measured in both bits per second (bps) and packets per second (pps) and are a form of volumetric DDoS attack.
Number of attacks: 2,673 | Available devices: n/a
ISAKMP/IKE Amp
Internet Security Association and Key Management Protocol (ISAKMP) is a framework for establishing Security Associations (SAs) and cryptographic keys in an internet environment. The Internet Key Exchange (IKE and IKEv2) implements it over UDP (ports 500 and 4500). Like other UDP-based protocols, ISAKMP can be exploited to perform UDP reflection attacks, although with essentially no amplification.
Amplification factor: 1:1 | Number of attacks: 62,717 | Available devices: 43,951
Jenkins Amp
Jenkins, a widely used open-source automation server, supports a UDP multicast/broadcast discovery protocol (UDP/33848) for locating other Jenkins instances. When that listener is exposed, an attacker can send spoofed UDP packets to the Jenkins server and have the discovery responses reflected toward a target, producing a reflection/amplification attack.
Amplification factor: 5.6:1 | Number of attacks: 1,126 | Available devices: n/a
L2TP Amp
Layer Two Tunneling Protocol (L2TP) is a tunneling protocol, descended from PPTP and Cisco's L2F, used by ISPs and enterprises to carry PPP sessions for virtual private networks (VPNs) over the internet; its control channel runs over UDP/1701. L2TP concentrators that answer unauthenticated control messages have been exploited to launch reflection/amplification DDoS attacks.
Amplification factor: 13.5:1 | Number of attacks: 71,194 | Available devices: 1,752,417
MBHTTP Amp
This TCP reflection/amplification vector (middlebox HTTP) abuses internet censorship systems deployed by both nation-states and enterprises. Such middleboxes inspect HTTP traffic out of band and inject a block page when they see a request for a forbidden domain; because they do not track TCP state, a spoofed request carrying a forbidden Host header is enough to make them send the block page, sometimes repeatedly, to the spoofed source. The reflected traffic consumes link bandwidth and blocks the ability of targeted systems to respond to network traffic.
Number of attacks: n/a | Available devices: n/a
mDNS Amp
The multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that have no local name server. It is a zero-configuration service using essentially the same programming interfaces, packet formats, and operating semantics as unicast DNS, on UDP/5353. Hosts that answer mDNS queries arriving by unicast from the internet, rather than only from their local link, have been exploited to launch reflection/amplification DDoS attacks.
Amplification factor: 4.35:1 | Number of attacks: 84,843 | Available devices: 344,834
Memcached Amp
Memcached is an in-memory cache that lets applications keep frequently used data from an external database in memory, where it can be fetched far faster than from the database. Memcached was never designed to be exposed to the internet and has no authentication; threat actors abused servers that left the UDP listener (port 11211) reachable from the internet to launch enormous DDoS attacks, since a small spoofed request for a large cached value makes the server send that value in full to the victim.
Amplification factor: 51,200:1 | Number of attacks: 89,153 | Available devices: 10,584
MSSQLRS Amp
MSSQLRS is the Microsoft SQL Server Resolution Service (the SQL Server Browser, UDP/1434), which tells clients which TCP port a named SQL Server instance is listening on. Because it answers a one-byte discovery request with a description of every instance on the host, internet-exposed instances have been exploited to launch UDP reflection/amplification DDoS attacks.
Amplification factor: 25:1 | Number of attacks: 82,924 | Available devices: 105,244
NetBIOS Amp
Network Basic Input/Output System (NetBIOS) provides session-layer services that let applications on separate computers communicate over a local area network. Its Name Service (NBNS, UDP/137) answers name and node-status queries without authentication, so an attacker can send queries with the victim's address spoofed as the source to internet-exposed Windows and Samba hosts and have the responses reflected at the victim.
Amplification factor: 3:1 | Number of attacks: 45,150 | Available devices: 671,231
NTP Amp
Network Time Protocol (NTP, UDP/123) is the standard protocol for time synchronization in the IT industry. An NTP reflection/amplification attack is a volumetric DDoS attack in which an attacker exploits NTP server functionality, classically the monlist monitoring command of older ntpd versions, which returns up to 600 recently seen client addresses in response to a single small request. With the victim's address spoofed as the source of those requests, the amplified UDP traffic overwhelms the targeted network or server, rendering the target and its surrounding infrastructure inaccessible to regular traffic.
Amplification factor: 556.9:1 | Number of attacks: 410,458 | Available devices: 2,751,834
OpenVPN Amp
OpenVPN, one of the most widely used VPN technologies, provides remote-access and site-to-site VPN connections over its own SSL/TLS-based protocol. Because the protocol also runs over UDP (default port 1194), servers that respond to unauthenticated initial packets can be abused for UDP reflection/amplification attacks; enabling the tls-auth or tls-crypt option makes the server drop packets that lack the shared HMAC key before it responds.
Amplification factor: 33.9:1 | Number of attacks: 40,584 | Available devices: 964,046
PMSSDP Amp
Plex Media Server is a personal media library and streaming system that runs on Windows, macOS, and Linux, along with variants for special-purpose platforms such as network-attached storage devices, external RAID storage units, and digital media players. Its SSDP-based discovery service can be abused as a UDP reflection/amplification source when the server has been deployed on a public-facing network DMZ or in an internet data center, or when manually configured port-forwarding rules expose its discovery UDP ports to the public internet.
Amplification factor: 4.68:1 | Number of attacks: 2,499 | Available devices: 103,887
QOTD Amp
The Quote of the Day (QOTD) service (RFC 865, port 17) is part of the internet protocol suite. It was originally used by mainframe sysadmins to return a daily quote on request, and was later formally codified both for that purpose and for testing and measurement. Because the UDP service answers any datagram with a quote, attackers have used internet-exposed QOTD servers to launch reflection/amplification DDoS attacks.
Amplification factor: 140.3:1 | Number of attacks: 1,318 | Available devices: 38,616
Quake Amp
Quake is a first-person shooter video game typically played online with multiple players, using UDP as its networking backbone. Quake-family game servers answer unauthenticated status queries with a much larger description of the server and its players, so the server network protocol has been exploited to launch UDP-based reflection/amplification attacks.
Amplification factor: 63.9:1 | Number of attacks: 2,618 | Available devices: 1,384
RDP Amp
Remote Desktop Protocol (RDP), included in Microsoft Windows operating systems, is intended to provide authenticated remote desktop and Virtual Desktop Infrastructure access to Windows-based workstations and servers. When the service is enabled on UDP/3389 (alongside the usual TCP/3389) and exposed to the internet, it may be abused to launch UDP reflection/amplification attacks.
Amplification factor: 85.9:1 | Number of attacks: 6,017 | Available devices: 9,996
RIPv1 Amp
The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols; it uses hop count as its metric and prevents routing loops by capping the number of hops allowed on a path from source to destination. The deprecated, unauthenticated RIPv1 (UDP/520) has been used as a reflection/amplification DDoS vector: a small spoofed request for the full routing table returns every route the router knows.
Amplification factor: 134.24:1 | Number of attacks: 16,123 | Available devices: 300,798
rpcbind/portmap Amp
RPCBind (also called Portmapper, portmap, or RPC Portmapper) maps remote procedure call (RPC) program numbers to ports on Unix and Linux hosts and listens on port 111 by default. Attackers batch-scan the internet for UDP/111 listeners and then send them spoofed portmap DUMP requests, whose replies list every registered RPC service, to launch UDP reflection/amplification DDoS attacks.
Amplification factor: 29:1 | Number of attacks: 23,076 | Available devices: 1,770,125
Sentinel Amp
Sentinel reflection abuses the Sentinel license manager service (UDP/5093) bundled with commercial software, notably IBM's well-known SPSS statistical package. Attackers forge source IP addresses in requests to an internet-exposed license server and have its responses reflected and amplified toward the target.
Amplification factor: 30.7:1 | Number of attacks: 2,554 | Available devices: 1,379
SIP Amp
The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating real-time sessions such as voice, video, and messaging. SIP usually runs over UDP/5060, and servers answer unauthenticated requests with responses larger than the request, so spoofed requests can be reflected toward a target. Separately, malformed or otherwise malicious SIP INVITE requests sent directly to a telephony server have been used as an application-layer vector to crash it.
Amplification factor: 10:1 | Number of attacks: 28,399 | Available devices: 5,629,026
SNMP Amp
The Simple Network Management Protocol (SNMP, UDP/161) is used for configuring and collecting information from network devices such as servers, hubs, switches, routers, and printers. Devices exposed to the internet with a guessable community string (such as the default "public") can be exploited for reflection/amplification DDoS attacks; a single spoofed GetBulk request for a large subtree returns a response many times its size.
Amplification factor: 880:1 | Number of attacks: 81,674 | Available devices: 1,629,428
SSDP Amp
The Simple Service Discovery Protocol (SSDP, UDP/1900) is a network protocol based on the internet protocol suite for advertisement and discovery of network services and presence information; it is the discovery layer of UPnP. Devices that answer M-SEARCH requests from the internet rather than only from their local network can be exploited to launch reflection/amplification DDoS attacks.
Amplification factor: 30.8:1 | Number of attacks: 120,870 | Available devices: 1,647,126
STUN Amp
STUN (Session Traversal Utilities for NAT) is a protocol that lets hosts behind NAT discover the mapping between their 'inside' and 'outside' IP addresses and protocol ports. It is used by services such as Session Initiation Protocol (SIP), Interactive Connectivity Establishment (ICE), and Traversal Using Relays around NAT (TURN). STUN may be configured to operate over both TCP and UDP transports. STUN services listening on UDP/3478, UDP/8088, and UDP/37833 may be abused to launch UDP reflection/amplification attacks with an average amplification ratio of 2.32:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from any of the three listed UDP ports and directed toward the destination IP address(es) and UDP port(s) of the attacker's choice. The amplified attack packets range from 48 bytes (the vast majority of attack traffic) to 1,452 bytes in length. 75,556 abusable STUN servers have been identified to date.
Amplification factor: 3.32:1 | Number of attacks: 177,448 | Available devices: 153,728
TCP ACK
Programmatically generated TCP ACK packets primarily intended to overwhelm the state tables of stateful firewalls, load balancers, IPS devices, and similar equipment by forcing them to perform many simultaneous lookups for non-existent connections. Most ACK floods are spoofed. ACK floods are primarily measured in packets per second (pps) and are a volumetric form of DDoS attack.
Number of attacks: 1,260,307 | Available devices: n/a
TCP NULL
This attack vector uses programmatically generated TCP packets with no flags set and no actual payload, typically padded with zeroes or pseudo-random characters. TCP Null floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link capacity.
Number of attacks: 12,906 | Available devices: n/a
TCP RST
Programmatically generated TCP RST packets primarily intended to overwhelm the state tables of stateful firewalls, load balancers, IPS devices, and similar equipment by forcing them to perform many simultaneous lookups for non-existent connections. Most RST floods are spoofed. RST floods are primarily measured in packets per second (pps) and are a volumetric form of DDoS attack.
Number of attacks: 803,433 | Available devices: n/a
TCP SYN
Programmatically generated TCP SYN packets intended to overwhelm the TCP stacks of targeted hosts, filling their half-open connection backlog and consuming their capacity to accept new TCP connections from legitimate clients. SYN floods can also exhaust the state tables of stateful firewalls, load balancers, IPS devices, and similar equipment. Most SYN floods are spoofed. SYN floods are primarily measured in packets per second (pps) and are both a volumetric and a connection-oriented form of DDoS attack.
Number of attacks: 1,035,639 | Available devices: n/a
TCP SYN/ACK Amp
TCP reflection/amplification attacks consist of programmatically generated spoofed SYN floods directed toward many TCP responders such as web servers and mail servers. The attacker spoofs the source IP address of the intended target; each responder that receives a spoofed SYN replies to the target with a SYN/ACK and, receiving no ACK, retransmits it several times, so one spoofed SYN yields multiple reflected packets. TCP reflection/amplification attacks can overwhelm the state tables of stateful firewalls, load balancers, IPS devices, and similar equipment by forcing them to perform many simultaneous lookups for non-existent connections. They are primarily measured in packets per second (pps) and are a volumetric form of DDoS attack.
Number of attacks: 649,878 | Available devices: n/a
TFTP Amp
Trivial File Transfer Protocol (TFTP, UDP/69) is a simple lockstep file transfer protocol that lets a client get a file from, or put a file onto, a remote host. One of its primary uses is in the early stages of nodes booting from a local area network, where its simplicity makes it easy to implement. TFTP servers connected to the internet can be exploited to launch reflection/amplification DDoS attacks: a small spoofed read request makes the server send the first data block to the spoofed source and retransmit it when no acknowledgement arrives.
Amplification factor: 46.5:1 | Number of attacks: 3,203 | Available devices: 2,638,120
TP240 PhoneHome Amplification
The TP240 PhoneHome reflection/amplification DDoS vector, discovered in early 2022, is new to the periodic table. It has the largest amplification factor recorded to date, a packet amplification ratio of 4,294,967,296:1 (2^32). This was made possible by an unauthenticated test facility in the TP-240 interface driver of Mitel collaboration and PBX systems, exposed on UDP, which accepted commands from anyone on the internet; a single spoofed UDP packet could instruct the system to run a stress test that emits a sustained flood of outbound packets to the spoofed source, i.e., the victim.
Amplification factor: 4,294,967,296:1 | Number of attacks: 4,000 | Available devices: 2,600
Ubiquiti Amp
Ubiquiti manufactures and sells wireless data communication and wired products for enterprises and homes under multiple brand names. Its device discovery service, which answers unauthenticated requests on UDP/10001, can be exploited when exposed to the internet to launch reflection/amplification DDoS attacks.
Amplification factor: 4:1 | Number of attacks: 8,421 | Available devices: 60,120
Unreal-Tournament Amp
Unreal Engine is a suite of creation tools for game development, architectural and automotive visualization, linear film and television content creation, broadcast and live event production, training and simulation, and other real-time applications. Game servers built on it, notably Unreal Tournament, expose a UDP status/query service that answers unauthenticated requests with a much larger response, which can be exploited to launch reflection/amplification DDoS attacks.
Amplification factor: 2,464:1 | Number of attacks: 19,619 | Available devices: 31,774
VSE Amp
Valve Source Engine (VSE) is a video game engine developed by Valve Corp. that runs popular games such as Half-Life and Team Fortress 2. Source Engine game servers (typically UDP/27015) answer unauthenticated A2S server-query packets with a description of the server, map, and players that is far larger than the query, so internet-facing servers can be used as reflectors. Such servers have also been targets: a variant of the Gafgyt botnet malware used vulnerabilities in routers to build a botnet that launched DDoS attacks against servers running VSE.
Amplification factor: 14:1 | Number of attacks: 25,929 | Available devices: 159,192
WS-DD Amp
Web Services Dynamic Discovery (WS-DD, also known as WS-Discovery) is a technical specification defining a multicast discovery protocol for locating services on a local network. As the name suggests, communication between nodes uses web services standards, notably SOAP-over-UDP on port 3702. Devices (commonly IP cameras, printers, and other appliances) that also answer unicast Probe messages from the internet can therefore be exploited to perform UDP-based reflection/amplification DDoS attacks.
Amplification factor: 500:1 | Number of attacks: 11,463 | Available devices: 286,409