Legend: new attack vector; attack vector symbol; attack vector name; amplification factor; available devices.
Attack count bands: 0 – 50,000 attacks; 50,001 – 500,000 attacks; 500,001+ attacks.
Risk levels by available devices: Risk 5: 6,000,000+; Risk 4: 4,000,001 – 6,000,000; Risk 3: 2,000,001 – 4,000,000; Risk 2: 500,001 – 2,000,000; Risk 1: 1 – 500,000.
ARMS
Apple Remote Management Service (a part of Apple’s Remote Desktop function) can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
35.5:1
Number of Attacks
10,517
Available Devices
18,032
BACnet Amp
BACnet stands for Building Automation and Control Network.
A network flooded with messages can cause collisions, which prevents transmission of control and monitoring messages between devices. By flooding a device’s microprocessor with commands and tasks, one can limit the ability of the device to operate normally. This can be scaled to shut down large systems such as a campus or a factory.
Amplification Number
120:1
Number of Attacks
1,583
Available Devices
15,648
BitTorrent Amp
BitTorrent is a popular peer-to-peer file-sharing protocol that utilizes a central “tracker” server to coordinate connections between peers via a BitTorrent ad-hoc file-sharing network, known as a “swarm.” The tracker is specified by the original file distributor and trusted unconditionally by peers in the swarm. This central point of control provides an opportunity for a file distributor to deploy a modified tracker to provide peers in a swarm with malicious coordination data, directing peer connection traffic toward an arbitrary target machine on an arbitrary service port.
Amplification Number
3.8:1
Number of Attacks
58,025
Available Devices
306,840
Chargen Amp
The Character Generator Protocol (CHARGEN) listens on port 19 with TCP or UDP. When using UDP, CHARGEN can be exploited to perform reflection/amplification DDoS attacks.
Amplification Number
1,000:1
Number of Attacks
25,817
Available Devices
41,857
Citrix-ICA Amp
Citrix Independent Computing Architecture (Citrix ICA) is a proprietary protocol for an application server system. Designed by Citrix Systems, it is not bound to any single platform and lays down a specification for passing data between server and clients. Citrix ICA includes a server software component, a network protocol component, and a client software component. The Citrix ICA protocol has been used as an attack vector for DDoS attacks.
Amplification Number
5.7:1
Number of Attacks
1,019
Available Devices
22,833
CLDAP Amp
The Connectionless Lightweight Directory Access Protocol (CLDAP) is an LDAP alternative that uses UDP destination port 389 to connect, search, and modify shared internet directories. Like other UDP-based protocols, CLDAP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
56.89:1
Number of Attacks
175,644
Available Devices
19,321
COAP Amp
The Constrained Application Protocol (CoAP) is a specialized web transfer protocol designed for machine-to-machine (M2M) applications such as smart energy and building automation.
Like other UDP-based protocols, CoAP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
34:1
Number of Attacks
4,417
Available Devices
428,187
D/TLS
Datagram Transport Layer Security (DTLS) is a version of the TLS protocol implemented on the stream-friendly UDP transfer protocol for securing datagram-based applications to prevent eavesdropping, tampering, or message forgery. It can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
37.34:1
Number of Attacks
n/a
Available Devices
4,283
DHCPDiscover Amp
DHCPDiscover, a UDP-based JSON protocol used to manage networked digital video recorders (DVRs), can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication for the service. Unfortunately, many of these DVR variants by default do not include such authentication. At this point, the DHCPDiscover reflection/amplification attack vector appears to have been added to the arsenals of booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.
Amplification Number
24:1
Number of Attacks
13,284
Available Devices
116,232
DNS
This attack vector uses programmatically generated DNS queries to overwhelm the capacity of recursive and authoritative DNS servers to respond to legitimate queries. For example, the variant known as DNS ‘water torture’ attacks uses query floods for pseudo-randomized non-existent resource records. DNS query floods are primarily measured in queries-per-second (qps) and are considered a form of application-layer DDoS attacks.
Number of Attacks
279,808
Available Devices
n/a
DNS Amp
A DNS reflection/amplification DDoS attack is a common two-step DDoS attack in which the attacker manipulates open DNS servers.
Amplification Number
160:1
Number of Attacks
927,366
Available Devices
1,617,024
HTML5
HTML5 (Hypertext Markup Language) is used for structuring and presenting content on the World Wide Web. The HTML5 language's ping attribute is used by websites as a mechanism to notify a website if a user follows a given link on a page. It has also been utilized as a DDoS attack vector to overwhelm targeted victims.
Number of Attacks
n/a
Available Devices
n/a
ICMP
Programmatically-generated ICMP packets intended to consume link bandwidth (bps)/throughput (pps), as well as the capacity of targeted nodes to generate ICMP responses in the case of ICMP Echo Request (i.e., ping) floods. ICMP floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Number of Attacks
667,349
Available Devices
n/a
IP NULL
Programmatically-generated IP packets with no actual payload; they are typically padded with either zeroes or pseudo-random characters. IP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link bandwidth (bps)/throughput (pps). IP Null floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a volumetric form of DDoS attack.
Number of Attacks
2,041
Available Devices
n/a
IPMI Amp
Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based platform management systems used for centralized server control and monitoring. IPMI firmware has been exploited to launch DDoS attacks against data centers and servers.
Amplification Number
1.1:1
Number of Attacks
795
Available Devices
81,428
IPv4 Protocol 0
Programmatically-generated IPv4 Protocol 0 packets intended to consume link bandwidth/throughput, as well as the capacity of targeted nodes to process incoming packets. IPv4 Protocol 0 is an invalid protocol number, but is forwarded by most routers and layer-3 switches. IPv4 Protocol 0 floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Number of Attacks
2,673
Available Devices
n/a
ISAKMP/IKE Amp
Internet Security Association and Key Management Protocol (ISAKMP) is a protocol for establishing Security Association (SA) and cryptographic keys in an internet environment. The Internet Key Exchange (IKE & IKEv2) relies on the UDP protocol. Like other UDP-based protocols, ISAKMP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
1:1
Number of Attacks
62,717
Available Devices
43,951
Jenkins Amp
Jenkins is a popular open-source automation server used in almost all modern deployments. Jenkins servers support using a UDP multicast/broadcast network discovery protocol to locate other Jenkins instances. An attacker can generate a spoofed UDP packet and send it to the Jenkins server, generating a reflection/amplification attack.
Amplification Number
5.6:1
Number of Attacks
1,126
Available Devices
n/a
L2TP Amp
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol used by an ISP to enable the operation of a virtual private network (VPN) over the internet. The L2TP protocol has been exploited to launch reflection/amplification DDoS attacks.
Amplification Number
13.5:1
Number of Attacks
71,194
Available Devices
1,752,417
MBHTTP Amp
This TCP reflection/amplification attack leverages abusable internet censorship systems deployed by both nation-states and enterprises to consume link bandwidth and block the ability of targeted systems to respond to network traffic.
Number of Attacks
n/a
Available Devices
n/a
mDNS Amp
The multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as the unicast Domain Name System (DNS). The service has been exploited to launch DDoS attacks.
Amplification Number
4.35:1
Number of Attacks
84,843
Available Devices
344,834
Memcached Amp
Memcached servers allow applications that need to access a lot of data from an external database to cache some of the data in memory, which can be accessed much more quickly by the application than having to travel out to the database to fetch something important. Threat actors exploited a vulnerability in misconfigured Memcached servers to launch enormous DDoS attacks.
Amplification Number
51,200:1
Number of Attacks
89,153
Available Devices
10,584
MSSQLRS Amp
Microsoft SQL Reporting Services (MSSQLRS) is a server-based report generating software system from Microsoft that has been exploited to launch DDoS attacks.
Amplification Number
25:1
Number of Attacks
82,924
Available Devices
105,244
NetBIOS Amp
Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model that allow applications on separate computers to communicate over a local area network. An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service.
Amplification Number
3:1
Number of Attacks
45,150
Available Devices
671,231
NTP Amp
Network Time Protocol (NTP) is the standard protocol for time synchronization in the IT industry.
A Network Time Protocol (NTP) attack is a volumetric reflection/amplification DDoS attack in which an attacker exploits an NTP server's functionality in order to overwhelm a targeted network or server with an amplified amount of UDP traffic, rendering the target and its surrounding infrastructure inaccessible to regular traffic.
Amplification Number
556.9:1
Number of Attacks
410,458
Available Devices
2,751,834
OpenVPN Amp
The most popular VPN technology in use today, OpenVPN is used for remote-access and site-to-site VPN connections. OpenVPN uses its own SSL/TLS-based protocol. This protocol also allows UDP-based communications, making OpenVPN vulnerable to UDP reflection/amplification attacks.
Amplification Number
33.9:1
Number of Attacks
40,584
Available Devices
964,046
PMSSDP Amp
Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, along with variants customized for special-purpose platforms such as network-attached storage devices, external RAID storage units, and digital media players. Plex Media Server instances can potentially be abused as part of possible DDoS attacks if they have been deployed either on a public-facing network demilitarized zone, in an internet data center, or with manually configured port-forwarding rules that forward specific UDP ports from the public internet to devices running Plex Media Server.
Amplification Number
4.68:1
Number of Attacks
2,499
Available Devices
103,887
QOTD Amp
The Quote of the Day (QOTD) service is part of the internet protocol suite. It was originally used by mainframe sysadmins to broadcast a daily quote on request by a user. It was then formally codified both for prior purposes as well as for testing and measurement purposes. Attackers have used the QOTD service to launch DDoS attacks.
Amplification Number
140.3:1
Number of Attacks
1,318
Available Devices
38,616
Quake Amp
Quake is a first-person shooter video game typically played online with multiple players using the UDP internet protocol as its networking backbone. The Quake server network protocol has been exploited to launch UDP-based reflection/amplification attacks.
Amplification Number
63.9:1
Number of Attacks
2,618
Available Devices
1,384
RDP Amp
Included in Microsoft Windows operating systems, Remote Desktop Protocol (RDP) is intended to provide authenticated remote Virtual Desktop Infrastructure access to Windows-based workstations and servers. When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks.
Amplification Number
85.9:1
Number of Attacks
6,017
Available Devices
9,996
RIPv1 Amp
The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols, which employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from source to destination. The deprecated RIPv1 (version 1) routing protocol has been used as an attack vector for reflection/amplification DDoS attacks.
Amplification Number
134.24:1
Number of Attacks
16,123
Available Devices
300,798
rpcbind/portmap Amp
RPCBind (also called Portmapper, portmap, or RPC Portmapper) is a common remote procedure call (RPC) port-mapping function on the Linux platform and is bound to port 111 by default. Hackers launch UDP reflection/amplification DDoS attacks by batch-scanning UDP port 111.
Amplification Number
29:1
Number of Attacks
23,076
Available Devices
1,770,125
Sentinel Amp
Sentinel reflection is a vulnerability in the SPSS license server, a well-known statistical software package from IBM. Attackers can forge source IP addresses and exploit a license server to launch UDP reflection/amplification attacks.
Amplification Number
30.7:1
Number of Attacks
2,554
Available Devices
1,379
SIP Amp
The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video, and messaging applications. This application-layer attack vector involves sending a malformed or otherwise malicious SIP INVITE request to a telephony server, resulting in a crash of that server.
Amplification Number
10:1
Number of Attacks
28,399
Available Devices
5,629,026
SNMP Amp
The Simple Network Management Protocol (SNMP) is used for configuring and collecting information from network devices such as servers, hubs, switches, routers, and printers.
SNMP can be exploited and used as an attack vector to launch reflection/amplification DDoS attacks.
Amplification Number
880:1
Number of Attacks
81,674
Available Devices
1,629,428
SSDP Amp
The Simple Service Discovery Protocol (SSDP) is a network protocol based on the internet protocol suite for advertisement and discovery of network services and presence information. SSDP can be exploited to launch reflection/amplification DDoS attacks.
Amplification Number
30.8:1
Number of Attacks
120,870
Available Devices
1,647,126
STUN Amp
STUN is a protocol used to effectuate mappings between ‘inside’ and ‘outside’ IP addresses and protocol ports for hosts situated behind NAT installations. It is utilized by various services such as Session Initiation Protocol (SIP), Interactive Connectivity Establishment (ICE), and Traversal Using Relays around NAT (TURN). STUN may be configured to operate over both TCP and UDP transports. STUN services listening on UDP/3478, UDP/8088, and UDP/37833 may be abused to launch UDP reflection/amplification attacks with an average amplification ratio of 2.32:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from any of the three listed UDP ports and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. The amplified attack packets range from 48 bytes (the vast majority of attack traffic) to 1452 bytes in length. 75,556 abusable STUN servers have been identified to date.
Amplification Number
3.32:1
Number of Attacks
177,448
Available Devices
153,728
TCP ACK
Programmatically-generated TCP ACK packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most ACK-floods are spoofed. ACK-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Number of Attacks
1,260,307
Available Devices
n/a
TCP NULL
This attack vector uses programmatically generated TCP packets with no flags and no actual payload; they are typically padded with either zeroes or pseudo-random characters. TCP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as consume link capacity.
Number of Attacks
12,906
Available Devices
n/a
TCP RST
Programmatically-generated TCP RST packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most RST-floods are spoofed. RST-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Number of Attacks
803,433
Available Devices
n/a
TCP SYN
Programmatically-generated TCP SYN packets intended to overwhelm the TCP stacks of targeted hosts, consuming their capacity to instantiate new TCP connections for legitimate clients. SYN-floods can also exhaust the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. Most SYN-floods are spoofed. SYN-floods are primarily measured in packets-per-second (pps), and are both a volumetric and a connection-oriented form of DDoS attack.
Number of Attacks
1,035,639
Available Devices
n/a
TCP SYN/ACK Amp
TCP reflection/amplification attacks consist of programmatically-generated spoofed SYN-floods directed towards multiple TCP responders such as Web servers, mail servers, etc. The attacker spoofs the source IP address of the intended target; the TCP responders which receive the spoofed SYN-packets ‘respond’ to the target with multiple SYN/ACK packets. TCP reflection/amplification attacks can overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. TCP reflection/amplification attacks are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Number of Attacks
649,878
Available Devices
n/a
TFTP Amp
Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol that allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. TFTP has been used for this application because it is very simple to implement. TFTP servers connected to the internet can be exploited to launch DDoS attacks.
Amplification Number
46.5:1
Number of Attacks
3,203
Available Devices
2,638,120
TP240 PhoneHome Amplification
The TP240 PhoneHome reflection/amplification DDoS vector discovered in early 2022 is new to the periodic table. This vector has the largest amplification factor in history, with a record-setting packet amplification ratio of 4,294,967,296:1. This was made possible by a bug-testing facility in Mitel PBX software that allowed anyone on the internet to send spoofed UDP packets to the testing facility. This resulted in a flood of outbound packets being sent to victims.
Amplification Number
4,294,967,296:1
Number of Attacks
4,000
Available Devices
2,600
Ubiquiti Amp
Ubiquiti manufactures and sells wireless data communication and wired products for enterprises and homes under multiple brand names. A vulnerability in Ubiquiti devices can be exploited to launch DDoS attacks.
Amplification Number
4:1
Number of Attacks
8,421
Available Devices
60,120
Unreal-Tournament Amp
Unreal Engine is a suite of creation tools for game development, architectural and automotive visualization, linear film and television content creation, broadcast and live event production, training and simulation, and other real-time applications. A vulnerability in Unreal Engine can be exploited to launch DDoS attacks.
Amplification Number
2,464:1
Number of Attacks
19,619
Available Devices
31,774
VSE Amp
Valve Source Engine (VSE) is a video game engine developed by Valve Corp. that runs popular games such as Half-Life and Team Fortress 2. A variant of the Gafgyt botnet malware has used vulnerabilities in routers to launch DDoS attacks against servers running VSE.
Amplification Number
14:1
Number of Attacks
25,929
Available Devices
159,192
WS-DD Amp
Web Services Dynamic Discovery (WS-DD) is a technical specification that defines a multicast discovery protocol to locate services on a local network. As the name suggests, the actual communication between nodes is done using web services standards, notably SOAP-over-UDP. WS-DD therefore can be exploited to perform UDP-based reflection/amplification DDoS attacks.