03

Adversaries Evolve and Innovate Attack Methods and Vectors

Adversaries constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year. As DDoS defenses become more precise and effective, attackers continue to find ways to bypass those defenses with new DDoS attack vectors and methodology.

But new vectors and methodology aren’t the only tools used by adversaries, as evidenced by an increase in TCP-based direct-path attacks in the past 18 months. We have developed a white paper that examines these trends in greater detail, including findings such as these:

When direct attacks or tried-and-true vectors fail, adversaries turn to other methods such as carpet-bombing and DNS water torture.

Carpet-bombing occurs when a DDoS attack targets a wide range of destination services/devices with smaller portions of traffic in an effort to fill up multiple pipes without triggering traffic thresholds. DNS water torture, on the other hand, takes place when an adversary sends a huge number of bogus subdomain requests in an attempt to overwhelm application-layer services and slow or disrupt those services altogether. Both of these adversary methodologies experienced significant increases in 1H 2022.
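How the threshold evasion described above looks from the defender's side, as an added example that is not part of the original report: a per-destination threshold misses traffic spread thinly over many hosts, while an aggregate per covering prefix catches it. The thresholds, the /24 grouping and the flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration; tune them to your own traffic baseline.
PER_HOST_BPS = 100_000_000      # classic per-destination alert threshold
PER_PREFIX_BPS = 1_000_000_000  # aggregate threshold for the covering prefix
MIN_HOSTS = 32                  # destinations that must share the load

def constructed_flows():
    """Constructed sample: (dst_ip, bits_per_second) records."""
    flows = [(f"198.51.100.{h}", 40_000_000) for h in range(1, 101)]  # spread thin
    flows.append(("203.0.113.10", 400_000_000))                       # one loud host
    flows += [(f"192.0.2.{h}", 2_000_000) for h in range(1, 21)]      # normal load
    return flows

def per_host_alerts(flows, threshold=PER_HOST_BPS):
    """Destinations whose own traffic crosses the per-host threshold."""
    totals = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(d for d, bps in totals.items() if bps > threshold)

def carpet_bombing_alerts(flows, prefix_len=24):
    """Prefixes with a high aggregate although no host crosses PER_HOST_BPS."""
    hosts = defaultdict(lambda: defaultdict(int))
    for dst, bps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        hosts[net][dst] += bps
    alerts = []
    for net, per_dst in hosts.items():
        total = sum(per_dst.values())
        # Many destinations, each individually quiet, adding up to a flood.
        if (total > PER_PREFIX_BPS and len(per_dst) >= MIN_HOSTS
                and max(per_dst.values()) <= PER_HOST_BPS):
            alerts.append((str(net), len(per_dst), total))
    return sorted(alerts)

if __name__ == "__main__":
    flows = constructed_flows()
    print("per-host alerts:", per_host_alerts(flows))
    for net, n, total in carpet_bombing_alerts(flows):
        print(f"carpet-bombing suspect {net}: {n} hosts, {total / 1e9:.1f} Gbps")
```

On the constructed data the per-host check reports only the single loud destination, while the prefix check reports the /24 that carries 4 Gbps across 100 hosts at 40 Mbps each.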

Carpet Bombing

DNS Water Torture Attacks

Periodic Table of Attack Vectors


Legend: each element shows the attack vector symbol, attack vector name and amplification factor, with a marker for new attack vectors.
Number of attacks: 0 – 50,000; 50,001 – 500,000; 500,001+
Available devices: Risk 5: 6,000,000+; Risk 4: 4,000,001 – 6,000,000; Risk 3: 2,000,001 – 4,000,000; Risk 2: 500,001 – 2,000,000; Risk 1: 1 – 500,000
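  • 2. Ar, ARMS Amp, amplification factor 35.5:1
  • 3. Bc, BACnet Amp, amplification factor 120:1
  • 4. Bt, BitTorrent Amp, amplification factor 3.8:1
  • 5. Ch, Chargen Amp, amplification factor 1,000:1
  • 6. Ci, Citrix-ICA Amp, amplification factor 5.7:1
  • 7. Cd, CLDAP Amp, amplification factor 56.89:1
  • 8. Cp, COAP Amp, amplification factor 34:1
  • 9. Dt, D/TLS, amplification factor 37.34:1
  • 10. Di, DHCPDiscover Amp, amplification factor 24:1
  • 11. Ds, DNS
  • 12. Dn, DNS Amp, amplification factor 160:1
  • 13. Ht, HTML5
  • 14. Im, ICMP
  • 15. In, IP NULL
  • 16. Ip, IPMI Amp, amplification factor 1.1:1
  • 17. Iv, IPv4 Protocol 0
  • 18. Ik, ISAKMP/IKE Amp, amplification factor 1:1
  • 19. Jk, Jenkins Amp, amplification factor 5.6:1
  • 20. Lt, L2TP Amp, amplification factor 13.5:1
  • 21. Mh, MBHTTP Amp
  • 22. Md, mDNS Amp, amplification factor 4.35:1
  • 23. Mc, Memcached Amp, amplification factor 51,200:1
  • 24. Mq, MSSQLRS Amp, amplification factor 25:1
  • 25. Nb, NetBIOS Amp, amplification factor 3:1
  • 26. Np, NTP Amp, amplification factor 556.9:1
  • 27. Ov, OpenVPN Amp, amplification factor 33.9:1
  • 28. Pm, PMSSDP Amp, amplification factor 4.68:1
  • 29. Qd, QOTD Amp, amplification factor 140.3:1
  • 30. Qk, Quake Amp, amplification factor 63.9:1
  • 31. Rd, RDP Amp, amplification factor 85.9:1
  • 32. Ri, RIPv1 Amp, amplification factor 134.24:1
  • 33. Rc, rpcbind/portmap Amp, amplification factor 29:1
  • 34. Se, Sentinel Amp, amplification factor 30.7:1
  • 35. Sp, SIP Amp, amplification factor 10:1
  • 36. Sn, SNMP Amp, amplification factor 880:1
  • 37. Ss, SSDP Amp, amplification factor 30.8:1
  • 38. St, STUN Amp, amplification factor 3.32:1
  • 39. Ta, TCP ACK
  • 40. Tn, TCP NULL
  • 41. Tr, TCP RST
  • 42. Ts, TCP SYN
  • 43. Tk, TCP SYN/ACK Amp
  • 44. Tf, TFTP Amp, amplification factor 46.5:1
  • 45. Tp, TP240 PhoneHome Amplification, amplification factor 4,294,967,296:1
  • 46. Ub, Ubiquiti Amp, amplification factor 4:1
  • 47. Un, Unreal-Tournament Amp, amplification factor 2,464:1
  • 48. Ve, VSE Amp, amplification factor 14:1
  • 49. Wd, WS-DD Amp, amplification factor 500:1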


Explore the Whitepaper

To learn about new DDoS attack vectors and changes in adversary behavior, explore our whitepaper.