DDoS Attack Vectors

DNS Amp

A DNS reflection/amplification DDoS attack is a common two-step DDoS attack in which the attacker manipulates open DNS servers.

NTP Amp

Misconfigured Network Time Protocol (ntp) servers which expose abusable administrative functions to the internet can be leveraged to launch reflection/amplification DDoS attacks.

TCP ACK

Programmatically-generated TCP ACK packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most ACK-floods are spoofed. ACK-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.

TCP RST

Programmatically-generated TCP RST packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most RST-floods are spoofed. RST-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.

TCP SYN

Programmatically-generated TCP SYN packets intended to overwhelm the TCP stacks of targeted hosts, consuming their capacity to instantiate new TCP connections for legitimate clients. SYN-Floods can also exhaust the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, et. al. Most SYN-Floods are spoofed. SYN-floods are primarily measured in packets-per-second (pps), and are both a volumetric and a connection-oriented form of DDoS attacks.

TCP SYN/ACK Amp

Any node which runs a TCP-based service such as Web servers, SMTP mail relays, etc. can potentially be leveraged to launch TCP reflection/amplification DDoS attacks.

BitTorrent Amp

Nodes running older versions of BitTorrent P2P file-sharing applications can be leveraged to launch reflection/amplification DDoS attacks.

Chargen Amp

Systems running the legacy character-generator (chargen) network test facility can be abused to launch reflection/amplification DDoS attacks. Most chargen reflectors/amplifiers are IoT devices which often have such abusable legacy services running by default.

CLDAP Amp

Unsecured Connectionless Lightweight Directory Access Protocol (CLDAP) services can be leveraged to launch refleection/amplification DDoS attacks. Most abusable CLDAP reflectors/ampliifers are Microsoft Windows servers which have been unwisely exposed to the public Internet.

DNS

Programmatically-generated DNS queries mainly intended to overwhelm authoritative DNS servers; recursive DNS servers can also be targeted, and can be negatively impacted if used to reflect DNS query-floods towards targeted authoritative DNS servers. Queried Resource Records (RRs) can be pseudorandomly-generated ('DNS Water Torture'), or chosen from a dictionary of tens of thousands of plaubile-sounding labels (i.e, the 'Dyn attack').

ISAKMP/IKE Amp

Misconfigured VPN servers and concentrators supporting the ISAKMP/IKE key-exchange methodology can be leveraged to launch reflection/amplification DDoS attacks.

L2TP Amp

Misconfigured VPN servers and concentrators supporting the L2TP protocol can be leveraged to launch reflection/amplification DDoS attacks.

mDNS Amp

Internet-exposed nodes running misconfigured, abusable mDNS services can be leveraged to launch reflection/amplication DDoS attacks.

Memcached Amp

Misconfigured, Internet-exposed memcached database-caching servers can be leveraged to launch reflection/amplification DDoS attacks.

MSSQLRS Amp

Abusable, Internet-exposed Microsoft SQL Server nodes running the SQL Server Reporting Service can be leveraged to launch reflection/amplification attacks.

SNMP Amp

Routers, layer-3 switches, WiFi access points, servers, and other Internet-connected devices running the SNMPv2 management protocol, and which have been misconfigured to expose it to the Internet with default credentials, can be leveraged to launch reflection/amplification attacks.

SSDP Amp

Consumer-grade broadband access routers which expose Simple Service Discovery Protocol (SSDP) ito the Internet can be leveraged to launch SSDP reflection/amplification attacks.

STUN Amp

Nodes running the STUN protocol used to provide dynamic mapping of NATted private IP addresses to publicly-routable IP addresses can be leveraged to launch reflection/amplification DDoS attacks.

TCP NULL

Programmatically-generated TCP packets with no flags and no actual payload; they are typically padded with either zeroes or pseudo-random characters. TCP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as consume link capacity.

ARMS Amp

Internet-exposed Apple computers running older versions of the Apple Remote Management System (ARMS) protocol can be leveraged to launch reflection/amplification DDoS attacks.

BACnet Amp

Internet-exposed servers and IoT devices running the BACNet HVAC management system protocol can be abused to launch reflection/amplification DDoS attacks.

Citrix-ICA Amp

Citrix Independent Computing Architecture (Citrix ICA) is a proprietary protocol for an application server system. Designed by Citrix systems, it is not bound to any single platform and lays down specification for passing data between server and clients. Citrix ICA includes a server software component, a network protocol component, and a client software component. The Cirix ICA protocol has been used as an attack vector for DDoS attacks.

COAP Amp

Misconfigured Constrained Application Protocol (CoAP) M2M speakers can be leveaged to launch reflection/amplification DDoS attacks. Most abusable CoAP reflectors/amplifiers are embedded IoT devices connected to the Internet over wireless broadband carriers. Like other UDP-based protocols, CoAP can be exploited to perform UDP reflection/amplification DDoS attacks.

D/TLS

Improperly-implemented D/TLS servers and load-balancers can be leveraged to launch reflection/amplification DDoS attacks. Most D/TLS reflectors/amplifiers are hardware load-balancers running outdated software.

DHCPDiscover Amp

Internet-exposed DVRs and other types of IoT devices running the DHCPDiscover management protocol can be leveraged to launch reflection/amplification DDoS attacks (note that despite its name, DHCPDiscover is unrelated to the DHCP IP address-management protocol).

HTML5

HTML5 (Hypertext Markup Language) is used for structuring and presenting content on the World Wide Web. The HTML5 language's ping attribute is used by websites as a mechanism to notify a website if a user follows a given link on a page. It has also been utilized as a DDoS attack vector to overwhelm targeted victims.

IP NULL

Programmatically-generated IP packets with no actual payload; they are typically padded with either zeroes or pseudo-random characters. IP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link bandwidth (bps)/throughput (pps). IP Null floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a volumetric form of DDoS attack.

IPMI Amp

Internet-exposed Baseband Management Controller (BMCs) server management subsystems running the RMCP protocol can be leveraged to launch reflection/amplification attacks. These combined suites of hardware and software are collectively referred to as Intelligent Platform Management Interface (IPMI) systems.

IPv4 Protocol 0

Programmatically-generated IPv4 Protocol 0 packets intended to consume link bandwidth/throughput, as well as the capacity of targeted nodes to process incoming packets. IPv4 Protocol 0 is an invalid protocol number, but is forwarded by most routers and layer-3 switches. IPv4 Protocol 0 floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.

Jenkins Amp

Servers running obsolete versions of the popular Jenkins automation suite can be leveraged to launch reflection/amplification DDoS attacks.

MBHTTP Amp

Large-scale state-sponsored, ISP-operated, and enterprise-run Web censorship systems which do not properly establish a TCP 3-way handshake prior to transmitting policy-violation responses to offending clients can be leveraged to launch reflection/ampification DDoS attacks.

NetBIOS Amp

Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model that allow applications on separate computers to communicate over a local area network. An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service.

OpenVPN Amp

OpenVPN servers and concentrators running outdated software can be abused to launch reflection/amplification DDoS attacks.

PMSSDP Amp

Plex Media Server nodes running outdated software and exposed to the public Internet can be abused to launch reflection/amplification DDoS attacks.

QOTD Amp

The legacy Quote-of-the-Day (QotD) network entertainment service can be leveraged to launch reflection/amplification DDoS attacks. It is mainly found today on IoT devices running insecure default configurations which expose abusable, outdated services to the Internet at large.

Quake Amp

Quake game servers running legacy, outdated multiplayer software can be leveraged to launch reflection/amplification DDoS attacks.

Quic Amp

A limited population of misconfigured QUIC servers can be abused to launch reflection/amplification DDoS attacks.

RDP Amp

Misconfigured, abusable Microsoft Windows Remote Desktop Protocol (RDP) servers which are exposed to the Internet can be leveraged to launch reflection/amplification DDoS attacks.

RIPv1 Amp

Nodes which expose the deprecated RIPv1 routing protocol to the Internet can be abused to launch reflection/amplification attacks.

rpcbind/portmap Amp

Misconfigured servers which expose the rpcbind/portmapper service to the Internet can be leveraged to launch reflection/amplification attacks.

Sentinel Amp

SPSS statistical software licensing servers running outdated software can be abused to launch Sentinel reflection/amplification DDoS attacks.

SIP Amp

Misconfigured, Internet-exposed Session Border Controllers (SBCs) and voice-over-IP (VoIP) PBXes can be abused to launch Session Initiation Protocol (SIP) reflection/amplification DDoS attacks.

SLP Amp

Misconfigured, publicly-exposed Session Location Protocol (SLP) responders can be leveraged to launch reflection/amplification attacks. Many abusable SLP responders are actually Internet-exposed print servers.

TFTP Amp

Misconfigured, publicly-exposed Trivial File Transfer Protocol (tftp) servers can be leveraged to launch reflection/amplification attacks. Many abuable tftp servers are actually routers or other network infrastructure devices.

TP240 PhoneHome Amp

A test facility present in unpatched Mitel VoIP gateways running deprecated software versions can be abused to launch reflection/amplification DDoS attacks with a record-breaking amplification factor of 4,294,967,296:1.

Ubiquiti Amp

Some Ubiquiti wireless access devices running outdated software and which expose their managagment protocol to the public Internet can be abused to launch reflection/amplification DDoS attacks.

Unreal-Tournament Amp

Multiplayer game servers running deprecated versions of the Unreal Tournament online gaming protocol can be abused to launch reflection/amplification DDoS attacks.

VSE Amp

Multiplayer game servers running deprecated versions of the Valve Steam Engine (VSE) online gaming protocol can be abused to launch reflection/amplification DDoS attacks.

WS-DD Amp

Misconfigured, Internet-exposed nodes running the Web Services Dynamic Discovery (WS-DD) protocol can be leveraged to launch reflection/amplification DDoS attacks.