Bandwidth-based attacks

| Category | Attack | Description | DDoS condition |
|---|---|---|---|
| Floods | UDP floods | UDP packets flooding a link. | Link congestion |
| Floods | ICMP floods | ICMP packets sent to a victim address. | Link congestion |
| Floods | TCP floods | TCP packet floods with various flags set eat CPU cycles. | Link congestion; End-point resource exhaustion (CPU) |
| Floods | Smurf attack | ICMP amplification attack, also a reflection attack. Sends a PING request to a broadcast address; the machines on that subnet reply to the spoofed victim's address in the request. | Link congestion; End-point resource exhaustion |
| Floods | Fraggle attack | UDP variant of the Smurf attack. Spoofed UDP packets are sent to broadcast addresses on port 7 (echo); replies go to the victim's address. | Link congestion |
| Floods | Papasmurf attack | Hybrid attack combining Smurf and Fraggle. | Link congestion |
| Unexpected header values | Land attack | The Land attack uses IP spoofing in combination with the opening of a TCP connection. Both IP addresses, source and destination, are set to the same value, and as a result the kernel gets into an ACK war with itself. | End-point crash |
| Unexpected header values | Eyenetdee | Works like the Land attack but sends a SYN flood at a low packet rate to the telnet, FTP, POP, finger or inetd service. These services shut down in response. | End-host application crash |
| Floods | Mail bombs | The attacker sends large volumes of mail to a mail server, crashing it and causing it to deny service to legitimate users. | End-point crash |
| Floods | NAPTHA | NAPTHA bypasses the TCP protocol stack on the agent machine and participates in the connection by making up replies based on received packets, which fills up the TCP connection queue on the host machine. | End-point resource exhaustion |
| Floods | DNS amplification attacks | Amplification through recursive queries. | Link congestion; End-point resource exhaustion |
| Congestion control exploits | Low-rate TCP-based attacks | Low-rate pulsating attacks that modulate TCP congestion control and flow management parameters. | Reduction of end-to-end flow throughput |

Semantic attacks

| Category | Attack | Description | DDoS condition |
|---|---|---|---|
| Floods | IGMP flood | Flooding with random IGMP messages. | End-point resource exhaustion |
| Invalid input | Moyari13 | Similar to the Kiss of Death attack. Sends illegal ICMP Timestamp packets, which crash some Windows versions. | End-point crash |
| Invalid input | IGMP Win attack (Kiss of Death) | A specially crafted IGMP packet crashes some versions of Windows. | End-point crash |
| Congestion control exploits | IGMP membership attacks | IGMP uses a report suppression mechanism to prevent redundant membership reports from being sent to the querier router. A host that receives a unicast membership report believes that another member is on its subnet and suppresses its own membership reports. The host can thus be cut off from the multicast tree. | End-point application crash |
| Unexpected header values | Twinge, Trash | Twinge cycles through all ICMP types and codes and will crash some Windows boxes. Trash sends ICMP messages with random types/codes. | End-point crash |
| Impersonation attacks | Smack | Sends random ICMP unreachable packets from random IPs. | End-point networking crash |
| Unexpected header values | Snort TCP SACK Option Denial of Service | By sending a badly formed TCP SACK option in a packet, it is possible to cause Snort to crash in certain circumstances. Typically this occurs when verbose mode is turned on with the -v switch. (source: Imperfect Networks) | End-point application crash |
| Unexpected header values | DNS Resolver Denial of Service | Sends a DNS reply packet that contains all transaction IDs available for a DNS reply. This causes some implementations of the Windows DNS resolver to fail to resolve further names. The destination port must be set to the port the DNS resolver listens on, typically the first or second low-privilege port (1026, 1027). To make certain that the threat reaches the correct DNS resolver port, a range can be specified, such as @range(1025, 1035). (source: Imperfect Networks) | End-point application crash |
| Unexpected header values | Tcpdump and Ethereal DoS attacks | A malformed packet causes the application to crash when it tries to process the packet. This hides the attacker's subsequent activities. | End-point application crash |
| Unexpected header values | Cisco ONS Denial of Service | Sending IP packets with a non-zero Type of Service to the timing control card on the LAN interface causes the Cisco Optical Transport Platform (running ONS 3.1.0 to 3.2.0) to reset, resulting in a denial of service. (source: Imperfect Networks) | End-point networking crash |
| Congestion control exploits | TCP CWR flood | Floods a user-specified target with TCP packets from randomized, spoofed addresses, with the CWR (Congestion Window Reduced) flag turned on. The attack attempts to flood the target with erroneous packets in order to hinder performance, slow the response to legitimate traffic and possibly cause a DoS. (source: Imperfect Networks) | Reduction of end-to-end flow throughput |
| Floods | TCP FIN flood | Flood with spoofed source addresses and ports and the FIN flag on. If the attacker guesses the sequence numbers, port combination and source address of an existing flow, that flow is terminated. Since a successful guess has low probability, the attacker's goal is more likely to overwhelm the network or end host with excess packets; the flag is just there to bypass security systems that may block other packet types. | Flow termination; End-point resource exhaustion; Link congestion |
| Unexpected header values | TCP NULL flood | Flood with TCP packets with no flags set. | End-point crash; End-point resource exhaustion; Link congestion |
| Unexpected header values | TCP Xmas | Flood with TCP packets with the FIN, URG and PUSH flags set. Frequently used for OS fingerprinting, but may crash some OSs. | End-point crash; End-point resource exhaustion; Link congestion |
| Unexpected header values | IP non-existing protocol attack | Flood with IP packets with reserved values in the protocol field. | End-point resource exhaustion; Link congestion |
| Floods | TCP RST flood, stream | Flood with spoofed source addresses and ports and the RST flag on. The description is the same as for the TCP FIN flood. | Flow termination; End-point resource exhaustion; Link congestion |
| Unexpected header values | TCP erroneous flags flood | An erroneous combination of TCP flags is turned on in the attack packets. | End-point crash; End-point resource exhaustion; Link congestion |
| Floods | TCP ACK flood | Flood with packets that have the ACK flag set. | End-point resource exhaustion; Link congestion |
| Unexpected header values | ICMP p-smash flood | Floods the targeted remote machine with ICMP type 9 (router advertisement) messages. (source: Imperfect Networks) | End-point crash |
| Congestion control exploits | ICMP Source Quench Denial of Service | Sends spoofed ICMP Source Quench packets from known, user-specified gateways in the host's routing table. ICMP Source Quench packets are informational messages sent to hosts by gateway devices as the result of network issues, low system resources, or an ongoing DoS attack, advising the host to limit its packet load and/or find alternate sources. The result of this exploit is slowed network traffic. (source: Imperfect Networks) | End-point throughput reduction |
| Invalid input (really an amplification/reflection exploit rather than a new attack) | MS02-039 MS SQL Server 2000 UDP Ping Flood | MS SQL Server 2000 uses UDP port 1434 for foreign hosts to ping for connectivity. Sending a UDP packet with a specific payload to that port makes the server respond with a ping reply. The threat may be executed by sending a flood of UDP packets from a falsified source, or by finding another vulnerable MS SQL Server and using it as the source, causing the two servers to ping each other and resulting in a denial of service. (source: Imperfect Networks) | Link congestion |
| Floods | TCP URG flood | Floods a target with TCP packets from randomized, spoofed addresses with the URG (urgent) flag turned on. If a packet happens to match the parameters of an existing connection, the target passes its data immediately to the application for execution. The probability of this is low, so the packets are more likely just aimed at exhausting resources. (source: Imperfect Networks) | End-point application crash; End-point resource exhaustion |
| Invalid input | Microsoft Windows BOOTP Denial of Service | Sends a BOOTP packet with a maximum-length hostname and Fully Qualified Domain Name (FQDN). Causes aberrant behaviour in the Windows DHCP service if BOOTP is enabled. (source: Imperfect Networks) | End-point crash |
| Floods | IMail LDAP Denial of Service | Sends a large amount of data to the LDAP service that comes with IMail 5.0, causing it to use upwards of 90% of CPU and thereby creating a DoS condition. (source: Imperfect Networks) | End-point resource exhaustion |
| Invalid input | Microsoft SMS Denial of Service | Executed by sending a crafted packet to port 2702, which causes the SMS client to throw an exception and crash. (source: Imperfect Networks) | End-point application crash |
| Floods | SIP flood | Sends a flood of SIP INVITE messages in an attempt to cause a denial of service on SIP equipment. SIP typically listens on port 5060. (source: Imperfect Networks) | End-point application crash |
| Unexpected header values | Snort TCP Options Denial of Service | Sends a TCP packet with the options set to 0600ffff, which is known to cause Snort to crash when run from the command line. (source: Imperfect Networks) | End-point application crash |
| Unexpected header values | Kerio Personal Firewall IP Options Denial of Service | Creates a false DNS reply packet containing a malformed IP Options field designed to crash Kerio Personal Firewall. The IP options are set to 01014400, which specifies a timestamp field with a length of 00, causing the Kerio firewall software to enter an unending loop inside the Microsoft Windows kernel. (source: Imperfect Networks) | End-point application crash |
| Unexpected header values | Racoon Denial of Service attack | Sends a flood of ISAKMP packets at the Racoon VPN server, with random values in the reserved flag fields, causing a crash. KAME typically listens on UDP port 500. (source: Imperfect Networks) | End-point crash |
| Invalid input | IBM Lotus Domino Server Web Service Denial of Service | Causes the web service for Lotus Domino to crash by sending a large HTTP GET request to the cgi-bin processor. (source: Imperfect Networks) | End-point service crash |
| Floods | NetBIOS Denial of Service (WinNuke) | Sends a large amount of data to UDP port 137, causing older implementations of Microsoft Windows to use 100% CPU and crash the NetBIOS service. (source: Imperfect Networks) | End-point application crash |
| Unexpected header values | Cisco SNMPv3 Denial of Service | Sends an SNMPv3 message to the target on port 162. | End-point application crash |
| Invalid input | Symantec Firewall DNS Response Denial of Service | Sends a DNS packet in which a compressed name pointer points back to itself, causing various Symantec Firewall applications to send the kernel into an infinite loop. (source: Imperfect Networks) | End-point crash |
| Invalid input | Samba SWAT Denial of Service | Exploits a weakness in the Samba SWAT HTTP daemon, causing a crash in the service and denying access to legitimate users. (source: Imperfect Networks) | End-point application crash |
| Large packets | DB2 Discover Service Denial of Service | IBM DB2 provides a UDP discovery service that listens on port 523 and expects packets with a payload of 20 bytes or less. Sending a UDP packet whose length is greater than 20 bytes causes the service to crash, resulting in a denial of service to legitimate users. (source: Imperfect Networks) | End-point crash |
| Unexpected header values | Cisco Catalyst ACK Denial of Service | The attacker sends a TCP SYN packet followed by another TCP packet whose flags are set to anything but the appropriate response. This causes the target machine to crash. | End-point crash |
| Invalid input | ISC DHCP Buffer Overflow | Attacks a buffer overflow present in ISC DHCP Server version 3.0.1rc8 and earlier. Affects multiple Linux distributions. (source: Imperfect Networks) | End-point crash |
| Unexpected header values | UDP Port 0 DoS | Executed by sending the targeted host a UDP packet to port 0, causing either the firewall or the remote host to crash. (source: Imperfect Networks) | End-point crash |
| Congestion control exploits | TCP ECE flood | Floods a user-specified target with TCP packets from randomized, spoofed addresses, with the ECE flag turned on. The attack attempts to flood the target with erroneous packets in order to hinder performance, slow the response to legitimate traffic and possibly cause a DoS. (source: Imperfect Networks) | Reduction of end-to-end flow throughput |
| Large packets | Ping of death | The attacker sends an ICMP packet larger than 2^16 bytes, which is fragmented and reassembled at the receiver. These attacks target specific operating system versions that crash or reboot during reassembly of packets larger than 2^16 bytes. The attack used ICMP packets probably because they are easy to generate via command-line ping, but it could use any IP packet. | End-point crash |
| Impersonation attacks | Winfreez | The attacker, located on the same LAN (Local Area Network) as the victim, sends a storm of spoofed ICMP Redirect-Host packets, purportedly from a router, to the victim's machine. Microsoft Windows machines receive the ICMP Redirect-Host packets and change their routing table, thereby becoming frozen, operating very slowly, and/or failing to execute normal applications during the attack. (source: Sabronet.com) | End-point networking crash |
| Floods | Frag, Opentear | Generates new IP fragments. The end-point tries to reassemble the packets but never completes, because the later fragments are never sent. | End-point crash |
| Invalid fragments | Nestea, Teardrop, Jolt | Generates IP fragments that overlap; affected targets crash or reboot. | End-point crash |
| Invalid fragments | Boink, Bonk | Generates IP fragments whose reassembly results in too large a packet; affected targets crash or reboot. | End-point crash |
| Invalid input | SQL Slammer | Exploits a buffer overflow vulnerability in SQL Server and MSDE code. | End-point crash |
| Impersonation attacks | DNS cache poisoning attacks | Exploits a flaw in BIND's assignment of transaction IDs, as a result of which the victim caches a spoofed record. End users may be redirected to an attacker-assigned site. | End-point corruption |
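Several of the "Unexpected header values" and "Large packets" rows above are detectable from header fields alone. The following Python classifier is an added example, not part of the original table or its sources: it encodes the Land, TCP NULL, TCP Xmas, erroneous-flags, reserved-protocol, UDP port 0 and Ping of death signatures as checks over simplified packet records (constructed here; the `rec` helper and field names are assumptions standing in for a real capture).

```python
"""Header-anomaly checks for the Land, TCP NULL, TCP Xmas, erroneous TCP flags,
IP reserved-protocol, UDP port 0 and Ping of death rows of the table."""
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_LEN_MAX = 65535  # largest IPv4 datagram that can be reassembled


def classify(pkt: Dict) -> List[str]:
    """Return the table's attack labels matched by one packet record."""
    hits = []
    proto, flags = pkt["proto"], pkt.get("tcp_flags", 0)
    if pkt["src"] == pkt["dst"]:
        hits.append("Land")  # source and destination address identical
    if proto >= 253:  # IANA: 253/254 experimental, 255 reserved
        hits.append("IP non-existing protocol")
    # A fragment whose data would land beyond 65535 bytes on reassembly.
    if pkt.get("frag_offset", 0) * 8 + pkt["payload_len"] > IP_LEN_MAX:
        hits.append("Ping of death")
    if proto == 6:  # TCP
        if flags == 0:
            hits.append("TCP NULL")
        elif (flags & (FIN | URG | PSH)) == (FIN | URG | PSH):
            hits.append("TCP Xmas")
        elif flags & SYN and flags & (FIN | RST):
            hits.append("TCP erroneous flags")  # SYN never pairs with FIN/RST
    if proto == 17 and 0 in (pkt.get("sport"), pkt.get("dport")):  # UDP
        hits.append("UDP port 0")
    return hits


def rec(proto, src="10.0.0.9", dst="10.0.0.7", **fields):
    """Build a constructed packet record (hypothetical capture format)."""
    return {"src": src, "dst": dst, "proto": proto, "payload_len": 0, **fields}


SAMPLE = [  # constructed records, not real traffic
    rec(6, src="10.0.0.5", dst="10.0.0.5", sport=139, dport=139, tcp_flags=SYN),
    rec(6, sport=4444, dport=80, tcp_flags=0),                # no flags
    rec(6, sport=4444, dport=80, tcp_flags=FIN | URG | PSH),  # Xmas
    rec(6, sport=4444, dport=22, tcp_flags=SYN | FIN),        # illegal combo
    rec(17, sport=53, dport=0, payload_len=10),               # UDP port 0
    rec(255, payload_len=10),                                 # reserved proto
    rec(1, frag_offset=8189, payload_len=32),                 # 65544 > 65535
    rec(6, sport=4444, dport=443, tcp_flags=SYN),             # benign SYN
]


def summarize(pkts) -> Dict[str, int]:
    """Count matches per label, the input a detector would rate-threshold."""
    counts: Dict[str, int] = {}
    for p in pkts:
        for label in classify(p):
            counts[label] = counts.get(label, 0) + 1
    return counts
```

A single matching packet is a header anomaly, not proof of an attack; the flood rows in the table only become a DDoS condition when `summarize` counts climb over time, so the counts should feed a rate threshold rather than an alert per packet.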