Version: Next

Attack Types & Indicators

The NFO DDoS Detector classifies every incident into one of 31 attack types. The Correlator assigns the classification from the indicators raised by the six Analytical Experts.

Expert A: TCP/IP Information

This expert identifies 11 distinct types of protocol-level abuse by monitoring the TCP state machine and packet flags.

  • TCP SYN flood: Overwhelming a target with half-open connection requests.
  • TCP SYN-ACK reflection: Using third-party servers to reflect SYN-ACK traffic back to the victim.
  • TCP ACK flood: Flooding with ACK packets to force the target to search its state table for non-existent connections.
  • TCP FIN / RST / PSH-ACK / SYN-ACK floods: Various combinations of TCP flags used to exhaust CPU resources or bypass simple firewalls.
  • Fragmented ACK / SYN / UDP / ICMP floods: Using packet fragmentation to bypass inspection or overwhelm reassembly buffers.

Expert B: Network Traffic Properties

This expert monitors volumetric deviations and abnormal throughput across three major protocols.

  • Abnormal TCP traffic: Significant spikes in bit, packet, or flow rates for TCP-based communication.
  • Abnormal UDP traffic: Volumetric surges in UDP traffic, often used for spoofing-based floods.
  • Abnormal ICMP traffic: High-volume "Ping" floods designed to saturate bandwidth.

Expert C: New IP Address Arrival Rate

This expert identifies 5 types of attacks characterized by the behavior of the attacking population rather than just volume.

  • Flood from a large attacking population: High-volume traffic originating from a massive number of unique source IPs (Botnets).
  • Flood from a relatively small attacking population: High-volume traffic originating from a limited set of sources.
  • Flood from a vast attacking population: Massive-scale distributed attacks involving millions of sources.

Expert D: Network Noise Level

This expert monitors for 3 types of reconnaissance and background "noise" that often mask more targeted threats.

  • High Noise Level: A sudden surge of hosts sending only 1 or 2 packets before disappearing.
  • Scattered connection attempts: Numerous sources attempting to connect to a wide range of ports or IP addresses.
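The two behavioural indicators above, the new-source arrival rate (Expert C) and the share of hosts that send only 1 or 2 packets (Expert D), can be computed from per-window packet samples. The following toy correlator is an added example and not NFO code; the thresholds, the window layout and the sample traffic (documentation address ranges) are constructed assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Thresholds are assumptions for illustration, not the detector's real tuning.
NOISE_MAX_PACKETS = 2        # a host sending only 1-2 packets counts as "noise" (Expert D)
NEW_SOURCE_RATE_LIMIT = 50   # new sources per window before Expert C raises its indicator
NOISE_SHARE_LIMIT = 0.5      # share of noisy hosts before Expert D raises its indicator

def new_source_rate(counts: Dict[str, int], seen: Set[str]) -> int:
    """Expert C indicator: sources never observed before this window.
    Updates `seen` so later windows only count genuinely new arrivals."""
    new = [src for src in counts if src not in seen]
    seen.update(new)
    return len(new)

def noise_share(counts: Dict[str, int]) -> float:
    """Expert D indicator: fraction of sources that sent only 1-2 packets."""
    if not counts:
        return 0.0
    noisy = sum(1 for n in counts.values() if n <= NOISE_MAX_PACKETS)
    return noisy / len(counts)

def classify_window(packets: Iterable[Tuple[str, str]], seen: Set[str]) -> str:
    """Combine both indicators into one of the page's labels (toy correlator)."""
    counts = Counter(src for src, _dst in packets)   # per-source packet counts
    new, noise = new_source_rate(counts, seen), noise_share(counts)
    if new > NEW_SOURCE_RATE_LIMIT and noise > NOISE_SHARE_LIMIT:
        return "High Noise Level"                      # burst of one-off hosts
    if new > NEW_SOURCE_RATE_LIMIT:
        return "Flood from a large attacking population"  # many new, busy sources
    return "normal"

def sample_windows() -> List[List[Tuple[str, str]]]:
    """Constructed traffic: a baseline window, a noise burst, then a botnet flood."""
    target = "192.0.2.10"
    baseline = [(f"10.0.0.{i}", target) for i in range(1, 11) for _ in range(30)]
    noise = baseline + [(f"198.51.100.{i}", target) for i in range(1, 121)]
    botnet = baseline + [(f"203.0.113.{i}", target) for i in range(1, 101) for _ in range(20)]
    return [baseline, noise, botnet]

def run() -> List[str]:
    """Classify the sample windows in order, carrying the seen-source set across them."""
    seen: Set[str] = set()
    return [classify_window(window, seen) for window in sample_windows()]
```

Carrying `seen` across windows is what separates a new-arrival burst from a steady population; a real deployment would also age entries out of that set so that the baseline can drift.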

Expert E: Application Level Attacks

This expert uses 6 specialized indicators to detect threats targeting specific services like HTTP or DNS.

  • Application Protocol Flood: An abnormal number of requests from a specific client group directed at a single server or service.
  • HTTP / DNS / SIP Floods: Protocol-specific floods that mimic legitimate user requests to crash the underlying application.

Expert F: Low and Slow Attacks

This expert identifies 3 types of stealthy resource exhaustion attacks that bypass volumetric thresholds.

  • Low and Slow Session Persistence: Keeping connections open with minimal data transfer to exhaust server thread pools.
  • Sockstress: Specifically targeting the TCP three-way handshake to consume all available socket resources on a server.