| Layer |
Type |
AV |
Description |
Network |
TCP |
SYN flood |
TCP-based flood attack that abuses the 3-way handshake by sending multiple TCP packets with the respective TCP flags set |
| Tsunami SYN flood |
| SYN-ACK flood |
| ACK flood |
| RST flood |
| PSH flood |
| FIN flood |
| URG flood |
| ACK/FIN flood |
| PUSH/ACK flood |
| ACK/RST flood |
| URG/RST flood |
| URG/SYN flood |
| URG/RST/SYN/FIN flood |
| ACK/PUSH/RST/SYN/FIN flood |
| URG/ACK/PUSH/RST/FIN flood |
| URG/ACK/PUSH/RST/SYN flood |
| URG/ACK/PUSH/SYN/FIN flood |
| URG/ACK/RST/SYN/FIN flood |
| URG/PUSH/RST/SYN/FIN flood |
| URG/FIN flood |
| URG/PUSH flood |
| ACK/PUSH/FIN flood |
| ACK/PUSH/RST flood |
| ACK/PUSH/SYN flood |
| ACK/RST/FIN flood |
| ACK/RST/SYN flood |
| ACK/SYN/FIN flood |
| PUSH/RST/FIN flood |
| PUSH/RST/SYN flood |
| PUSH/SYN/FIN flood |
| RST/SYN/FIN flood |
| URG/ACK/FIN flood |
| URG/ACK/PUSH flood |
| URG/ACK/RST flood |
| URG/ACK/SYN flood |
| URG/PUSH/FIN flood |
| URG/PUSH/RST flood |
| XMAS flood |
| TCP Middlebox Reflection flood |
TCP-based flood that abuses security flaws in network middleboxes |
| Fragmented ACK flood |
ACK flood while the IP packets are fragmented so the PPS rate is higher than in a regular attack |
UDP |
DNS Garbage flood |
UDP flood with malformed data targeting port 53 |
| NTP flood |
UDP flood with malformed data targeting port 123 |
| Fragmented UDP flood |
UDP flood while the IP packets are fragmented so the PPS rate is higher than in a regular attack |
| Reflective DNS flood |
UDP-based attacks that abuse network components with security flaws, which allow them to send amplified attacks to a target |
| Reflective CHARGEN flood |
| Reflective Memcache flood |
| Reflective SIP flood |
| Reflective SSDP flood |
| Reflective DHCPDiscover flood |
| Reflective SADP flood |
| SNMP Reflection flood |
| CoAP Reflection flood |
| STUN Reflection flood |
IP |
ICMP flood |
Bandwidth floods that abuse different IP protocols |
| Ping of Death |
| IGMP flood |
| ESP flood |
| AH flood |
| GRE flood |
| IPv4-in-IPv4 flood |
| IPv6-in-IPv4 flood |
Special techniques |
Carpet Bombing |
Network flood against an entire subnet. For example, against /24 subnet |
| Hit and Run |
Network attack performed in short bursts that repeatedly hit the target. This technique aims to avoid detection by the risk mitigation |
| |
Web |
HTTP GET flood |
HTTP requests flood, by using one of the HTTP methods |
| |
HTTP POST flood |
| |
HTTP HEAD flood |
| |
HTTP OPTIONS flood |
| |
HTTP PUT flood |
| |
HTTP DELETE flood |
Application |
HTTPS GET flood |
HTTPS requests flood, by using one of the HTTP methods |
| HTTPS POST flood |
| HTTPS HEAD flood |
| HTTPS OPTIONS flood |
| HTTPS PUT flood |
| HTTPS DELETE flood |
| HTTPS Login flood |
HTTPS flood against a login endpoint, by using multiple credentials, saturating the DB's resources |
| HTTPS Search flood |
HTTPS flood against a search endpoint, by using multiple credentials, saturating the DB's resources |
| HTTPS Randomized path flood |
HTTPS flood against a hostname, putting a malformed, randomly generated path in every request |
| HTTPS Randomized parameters flood |
HTTPS flood against an endpoint with an existing parameter. The attack puts a random value in every request. This is a cache-busting attack vector |
| HTTPS Randomized HTTP headers flood |
HTTPS flood with random number and values of HTTP headers. Its objective is to bypass signature-based risk mitigations |
| HTTPS Randomized Cipher-Suites |
HTTPS flood with different client TLS fingerprints. It randomizes the JA3 and JA4 signatures of the requests |
| HTTP/2 Rapid Reset |
HTTP/2 protocol abuse by sending requests and shutting them off before their completion. It allows an attacker to amplify their HTTPS request volume |
| HTTP flood Direct-to-Origin |
HTTP flood against the origin IP, bypassing the proxy service |
| HTTPS flood Direct-to-Origin |
HTTPS flood against the origin IP, bypassing the proxy service |
| HTTPS multiple URI flood |
HTTPS flood that targets multiple, existing paths |
Browser engine support |
HTTP flood with JS support |
HTTP flood with a tool that supports JavaScript |
| HTTP flood with Cookie support |
HTTP flood with a tool that can receive and send cookies |
| HTTPS flood with JS support |
HTTPS flood with a tool that supports JavaScript |
| HTTPS flood with Cookie support |
HTTPS flood with a tool that can receive and send cookies |
Low and Slow |
Slow Read |
Low & slow attack that fetches specific content very slowly from the server. It keeps the connection between the client and server open for a long time, saturating the server's resources, because the server has to hold multiple connections at the same time |
| Slow POST |
Low & slow attack that uploads content to the server very slowly. It keeps the connection between the client and server open for a long time, saturating the server's resources, because the server has to hold multiple connections at the same time |
| TLS renegotiation |
Low & slow attack where the client opens TLS sessions and constantly requests to renegotiate the encryption keys with the server. It saturates the server's resources |
| HTTP/2 continuation flood |
Low & slow attack where the attacker abuses the HTTP/2 framing syntax, making lots of never-ending request streams, thus keeping the connection between the client and server open and causing resource saturation on the server |
Volumetric-applicative |
Large File Download |
Low-request-rate application attack, where an attacker pulls a large file from the victim server, causing uplink pipe saturation. This AV is useful for avoiding rate limit detection |
| Large File Download with randomized parameters |
Large File Download with a randomized parameter attack that's meant to bust the caching mechanism provided by a CDN |
| Large File Upload |
Low-request-rate application attack, where an attacker sends requests with large body size to the victim server, causing downlink pipe saturation. This AV is useful for avoiding rate limit detection |
DNS |
DNS Query flood |
An attacker sends the same DNS query multiple times against the DNS server, causing resource saturation |
| DNS Dictionary flood |
An attacker sends lots of different DNS queries to the victim DNS server, causing resource saturation |
| TLS |
TLS flood |
An attacker performs multiple TLS client hello requests against the victim server. Since the server will respond with server-hello and begin the encryption sequence, it may reach resource saturation |