Legend: New attack vector; Attack vector symbol; Amplification factor; Attack vector name; Available devices
Attacks: 0 – 50,000 Attacks; 50,001 – 500,000 Attacks; 500,001+ Attacks
Risk 5: 6,000,000+ Available devices
Risk 4: 4,000,001 – 6,000,000 Available devices
Risk 3: 2,000,001 – 4,000,000 Available devices
Risk 2: 500,001 – 2,000,000 Available devices
Risk 1: 1 – 500,000 Available devices
Example: 37.34:1 Dt ○○○○● D/TLS
No. | Symbol | Attack vector name | Amplification factor | Available devices
2 | Dn | DNS Amp | 160:1 | ○○○●●
3 | Im | ICMP | N/A |
4 | Ta | TCP ACK | N/A |
5 | Tr | TCP RST | N/A |
6 | Ts | TCP SYN | N/A |
7 | Tk | TCP SYN/ACK Amp | 3:1 – | ●●●●●
9 | Bt | BitTorrent Amp | 3.8:1 | ○○○○●
10 | Cd | CLDAP Amp | 56.89:1 | ○○○○●
11 | Dt | D/TLS | 37.34:1 | ○○○○●
12 | Ds | DNS | N/A | ○○○●●
13 | Ik | ISAKMP/IKE Amp | 1:1 | ○○○○●
15 | Lt | L2TP Amp | 13.5:1 | ○○○●●
16 | Md | mDNS Amp | 4.35:1 | ○○○○●
17 | Mc | Memcached Amp | 51,200:1 | ○○○○●
18 | Mq | MSSQLRS Amp | 25:1 | ○○○○●
19 | Np | NTP Amp | 556.9:1 | ●●●●●
21 | Sn | SNMP Amp | 880:1 | ○○○●●
22 | Ss | SSDP Amp | 30.8:1 | ○○○●●
23 | St | STUN Amp | 3.32:1 | ○○○○●
24 | Tn | TCP NULL | N/A |
25 | Ar | ARMS Amp | 35.5:1 | ○○○○●
28 | Bc | BACnet Amp | 120:1 | ○○○○●
29 | Ch | Chargen Amp | 1,000:1 | ○○○○●
30 | Ci | Citrix-ICA Amp | 5.7:1 | ○○○○●
31 | Cp | COAP Amp | 34:1 | ○○○○●
34 | Di | DHCPDiscover Amp | 24:1 | ○○○○●
35 | Ht | HTML5 | N/A |
36 | In | IP NULL | N/A |
37 | Ip | IPMI Amp | 1.1:1 | ○○○○●
40 | Iv | IPv4 Protocol 0 | N/A |
41 | Jk | Jenkins Amp | 5.6:1 | ○○○○●
42 | Mh | MBHTTP Amp | 700,000:1 | ●●●●●
43 | Nb | NetBIOS Amp | 3:1 | ○○○●●
45 | Ov | OpenVPN Amp | 33.9:1 | ○○○●●
46 | Pm | PMSSDP Amp | 4.68:1 | ○○○○●
47 | Qd | QOTD Amp | 140.3:1 | ○○○○●
48 | Qk | Quake Amp | 63.9:1 | ○○○○●
49 | Qc | Quic Amp | Variable | ○○○○●
51 | Rd | RDP Amp | 85.9:1 | ○○○○●
52 | Ri | RIPv1 Amp | 134.24:1 | ○○○○●
53 | Rc | rpcbind/portmap Amp | 29:1 | ○○○●●
54 | Se | Sentinel Amp | 30.7:1 | ○○○○●
55 | Sp | SIP Amp | 10:1 | ○○●●●
56 | Tf | TFTP Amp | 46.5:1 | ○○●●●
57 | Tp | TP240 PhoneHome Amp | 4,294,967,296:1 | ○○○○●
58 | Ub | Ubiquiti Amp | 4:1 | ○○○○●
59 | Un | Unreal-Tournament Amp | 2,464:1 | ○○○○●
60 | Ve | VSE Amp | 14:1 | ○○○○●
61 | Wd | WS-DD Amp | 500:1 | ○○○○●
DNS Amp
A DNS reflection/amplification DDoS attack is a common two-step DDoS attack in which the attacker manipulates open DNS servers.
Amplification Number
160:1
Number of Attacks
1,189,774
Available Devices
1,112,191
Port Number
53
ICMP
Programmatically-generated ICMP packets intended to consume link bandwidth (bps)/throughput (pps), as well as the capacity of targeted nodes to generate ICMP responses in the case of ICMP Echo Request (i.e., ping) floods. ICMP floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Amplification Number
N/A
Number of Attacks
944,306
TCP ACK
Programmatically-generated TCP ACK packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most ACK-floods are spoofed. ACK-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1,979,785
TCP RST
Programmatically-generated TCP RST packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most RST-floods are spoofed. RST-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1,092,525
TCP SYN
Programmatically-generated TCP SYN packets intended to overwhelm the TCP stacks of targeted hosts, consuming their capacity to instantiate new TCP connections for legitimate clients. SYN-floods can also exhaust the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, et al. Most SYN-floods are spoofed. SYN-floods are primarily measured in packets-per-second (pps), and are both a volumetric and a connection-oriented form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1,349,140
TCP SYN/ACK Amp
Any node which runs a TCP-based service such as Web servers, SMTP mail relays, etc. can potentially be leveraged to launch TCP reflection/amplification DDoS attacks.
Amplification Number
3:1 –
Number of Attacks
1,108,008
Available Devices
1,200,000,000
BitTorrent Amp
Nodes running older versions of BitTorrent P2P file-sharing applications can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
3.8:1
Number of Attacks
70,733
Available Devices
210,325
Port Number
6881
CLDAP Amp
Unsecured Connectionless Lightweight Directory Access Protocol (CLDAP) services can be leveraged to launch reflection/amplification DDoS attacks. Most abusable CLDAP reflectors/amplifiers are Microsoft Windows servers which have been unwisely exposed to the public Internet.
Amplification Number
56.89:1
Number of Attacks
91,573
Available Devices
14,825
Port Number
389
D/TLS
Improperly-implemented D/TLS servers and load-balancers can be leveraged to launch reflection/amplification DDoS attacks. Most D/TLS reflectors/amplifiers are hardware load-balancers running outdated software.
Amplification Number
37.34:1
Number of Attacks
456,040
Available Devices
4,282
Port Number
4443
DNS
Programmatically-generated DNS queries mainly intended to overwhelm authoritative DNS servers; recursive DNS servers can also be targeted, and can be negatively impacted if used to reflect DNS query-floods towards targeted authoritative DNS servers. Queried Resource Records (RRs) can be pseudorandomly-generated ('DNS Water Torture'), or chosen from a dictionary of tens of thousands of plausible-sounding labels (i.e., the 'Dyn attack').
Amplification Number
N/A
Number of Attacks
339,256
Available Devices
1,112,191
ISAKMP/IKE Amp
Misconfigured VPN servers and concentrators supporting the ISAKMP/IKE key-exchange methodology can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
1:1
Number of Attacks
55,947
Available Devices
26,668
Port Number
500
L2TP Amp
Misconfigured VPN servers and concentrators supporting the L2TP protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
13.5:1
Number of Attacks
122,736
Available Devices
1,673,359
Port Number
1701
mDNS Amp
Large-scale state-sponsored, ISP-operated, and enterprise-run Web censorship systems which do not properly establish a TCP 3-way handshake prior to transmitting policy-violation responses to offending clients can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
4.35:1
Number of Attacks
64,169
Available Devices
227,591
Port Number
5353
Memcached Amp
Misconfigured, Internet-exposed memcached database-caching servers can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
51,200:1
Number of Attacks
59,459
Available Devices
2,532
Port Number
11211
MSSQLRS Amp
Abusable, Internet-exposed Microsoft SQL Server nodes running the SQL Server Reporting Service can be leveraged to launch reflection/amplification attacks.
Amplification Number
25:1
Number of Attacks
62,325
Available Devices
84,663
Port Number
1434
NTP Amp
Misconfigured Network Time Protocol (ntp) servers which expose abusable administrative functions to the internet can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
556.9:1
Number of Attacks
465,530
Available Devices
6,179,830
Port Number
123
SNMP Amp
Routers, layer-3 switches, WiFi access points, servers, and other Internet-connected devices running the SNMPv2 management protocol, and which have been misconfigured to expose it to the Internet with default credentials, can be leveraged to launch reflection/amplification attacks.
Amplification Number
880:1
Number of Attacks
73,517
Available Devices
1,334,671
Port Number
161
SSDP Amp
Consumer-grade broadband access routers which expose Simple Service Discovery Protocol (SSDP) to the Internet can be leveraged to launch SSDP reflection/amplification attacks.
Amplification Number
30.8:1
Number of Attacks
138,596
Available Devices
1,031,415
Port Number
1900
STUN Amp
Nodes running the STUN protocol used to provide dynamic mapping of NATted private IP addresses to publicly-routable IP addresses can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
3.32:1
Number of Attacks
256,823
Available Devices
123,018
Port Number
3478, 8088, 37833
TCP NULL
Programmatically-generated TCP packets with no flags and no actual payload; they are typically padded with either zeroes or pseudo-random characters. TCP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as consume link capacity.
Amplification Number
N/A
Number of Attacks
52,689
ARMS Amp
Internet-exposed Apple computers running older versions of the Apple Remote Management System (ARMS) protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
35.5:1
Number of Attacks
17,375
Available Devices
7,350
Port Number
3283
BACnet Amp
Internet-exposed servers and IoT devices running the BACnet HVAC management system protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
120:1
Number of Attacks
1,482
Available Devices
14,535
Port Number
47808
Chargen Amp
Systems running the legacy character-generator (chargen) network test facility can be abused to launch reflection/amplification DDoS attacks. Most chargen reflectors/amplifiers are IoT devices which often have such abusable legacy services running by default.
Amplification Number
1,000:1
Number of Attacks
15,538
Available Devices
24,246
Port Number
19
Citrix-ICA Amp
Citrix Independent Computing Architecture (Citrix ICA) is a proprietary protocol for an application server system. Designed by Citrix Systems, it is not bound to any single platform and lays down a specification for passing data between server and clients. Citrix ICA includes a server software component, a network protocol component, and a client software component. The Citrix ICA protocol has been used as an attack vector for DDoS attacks.
Amplification Number
5.7:1
Number of Attacks
985
Available Devices
16,115
Port Number
1604
COAP Amp
Misconfigured Constrained Application Protocol (CoAP) M2M speakers can be leveraged to launch reflection/amplification DDoS attacks. Most abusable CoAP reflectors/amplifiers are embedded IoT devices connected to the Internet over wireless broadband carriers. Like other UDP-based protocols, CoAP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
34:1
Number of Attacks
3,665
Available Devices
238,672
Port Number
5683
DHCPDiscover Amp
Internet-exposed DVRs and other types of IoT devices running the DHCPDiscover management protocol can be leveraged to launch reflection/amplification DDoS attacks (note that despite its name, DHCPDiscover is unrelated to the DHCP IP address-management protocol).
Amplification Number
24:1
Number of Attacks
28,422
Available Devices
38,896
Port Number
37810
HTML5
HTML5 (Hypertext Markup Language) is used for structuring and presenting content on the World Wide Web. The HTML5 language's ping attribute is used by websites as a mechanism to notify a website if a user follows a given link on a page. It has also been utilized as a DDoS attack vector to overwhelm targeted victims.
Amplification Number
N/A
IP NULL
Programmatically-generated IP packets with no actual payload; they are typically padded with either zeroes or pseudo-random characters. IP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link bandwidth (bps)/throughput (pps). IP Null floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
22,602
IPMI Amp
Internet-exposed Baseboard Management Controller (BMC) server management subsystems running the RMCP protocol can be leveraged to launch reflection/amplification attacks. These combined suites of hardware and software are collectively referred to as Intelligent Platform Management Interface (IPMI) systems.
Amplification Number
1.1:1
Number of Attacks
414
Available Devices
64,264
IPv4 Protocol 0
Programmatically-generated IPv4 Protocol 0 packets intended to consume link bandwidth/throughput, as well as the capacity of targeted nodes to process incoming packets. IPv4 Protocol 0 is an invalid protocol number, but is forwarded by most routers and layer-3 switches. IPv4 Protocol 0 floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Amplification Number
N/A
Number of Attacks
20,793
Jenkins Amp
Servers running obsolete versions of the popular Jenkins automation suite can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
5.6:1
Number of Attacks
2,638
Available Devices
19,045
Port Number
33848
MBHTTP Amp
Large-scale state-sponsored, ISP-operated, and enterprise-run Web censorship systems which do not properly establish a TCP 3-way handshake prior to transmitting policy-violation responses to offending clients can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
700,000:1
Available Devices
20,000,000
NetBIOS Amp
Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model that allow applications on separate computers to communicate over a local area network. An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service.
Amplification Number
3:1
Number of Attacks
32,345
Available Devices
560,779
Port Number
137
OpenVPN Amp
OpenVPN servers and concentrators running outdated software can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
33.9:1
Number of Attacks
39,631
Available Devices
951,150
Port Number
1194
PMSSDP Amp
Plex Media Server nodes running outdated software and exposed to the public Internet can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
4.68:1
Number of Attacks
325
Available Devices
47,395
Port Number
32410, 32414
QOTD Amp
The legacy Quote-of-the-Day (QotD) network entertainment service can be leveraged to launch reflection/amplification DDoS attacks. It is mainly found today on IoT devices running insecure default configurations which expose abusable, outdated services to the Internet at large.
Amplification Number
140.3:1
Number of Attacks
1,166
Available Devices
26,351
Port Number
17
Quake Amp
Quake game servers running legacy, outdated multiplayer software can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
63.9:1
Number of Attacks
2,778
Available Devices
523
Port Number
27960, 27961, 27962, 27970
Quic Amp
A limited population of misconfigured QUIC servers can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
Variable
Available Devices
432,563
Port Number
443
RDP Amp
Misconfigured, abusable Microsoft Windows Remote Desktop Protocol (RDP) servers which are exposed to the Internet can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
85.9:1
Number of Attacks
7,214
Available Devices
3,851
Port Number
3389
RIPv1 Amp
Nodes which expose the deprecated RIPv1 routing protocol to the Internet can be abused to launch reflection/amplification attacks.
Amplification Number
134.24:1
Number of Attacks
13,539
Available Devices
309,716
Port Number
520
rpcbind/portmap Amp
Misconfigured servers which expose the rpcbind/portmapper service to the Internet can be leveraged to launch reflection/amplification attacks.
Amplification Number
29:1
Number of Attacks
17,186
Available Devices
1,515,955
Port Number
111
Sentinel Amp
SPSS statistical software licensing servers running outdated software can be abused to launch Sentinel reflection/amplification DDoS attacks.
Amplification Number
30.7:1
Number of Attacks
1,522
Available Devices
899
Port Number
5093
SIP Amp
Misconfigured, Internet-exposed Session Border Controllers (SBCs) and voice-over-IP (VoIP) PBXes can be abused to launch Session Initiation Protocol (SIP) reflection/amplification DDoS attacks.
Amplification Number
10:1
Number of Attacks
23,132
Available Devices
3,174,307
Port Number
5060
TFTP Amp
Misconfigured, publicly-exposed Trivial File Transfer Protocol (tftp) servers can be leveraged to launch reflection/amplification attacks. Many abusable tftp servers are actually routers or other network infrastructure devices.
Amplification Number
46.5:1
Number of Attacks
3,423
Available Devices
2,055,371
Port Number
69
TP240 PhoneHome Amp
A test facility present in unpatched Mitel VoIP gateways running deprecated software versions can be abused to launch reflection/amplification DDoS attacks with a record-breaking amplification factor of 4,294,967,296:1.
Amplification Number
4,294,967,296:1
Number of Attacks
2,471
Available Devices
5,276
Port Number
10074
Ubiquiti Amp
Some Ubiquiti wireless access devices which run outdated software and expose their management protocol to the public Internet can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
4:1
Number of Attacks
16,797
Available Devices
29,639
Port Number
10001
Unreal-Tournament Amp
Multiplayer game servers running deprecated versions of the Unreal Tournament online gaming protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
2,464:1
Number of Attacks
20,406
Available Devices
1,029
Port Number
7777-7788
VSE Amp
Multiplayer game servers running deprecated versions of the Valve Steam Engine (VSE) online gaming protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
14:1
Number of Attacks
31,975
Available Devices
31,217
Port Number
27015-27021, 21025, 21026, 28015
WS-DD Amp
Misconfigured, Internet-exposed nodes running the Web Services Dynamic Discovery (WS-DD) protocol can be leveraged to launch reflection/amplification DDoS attacks.