Appendix 1 - Basic DDoS Attack Types

Attack Types and Indicators

| Attack Type | Textual identifier |
| --- | --- |
| Abnormal ICMP traffic | `1-ICMP` |
| Abnormal TCP traffic | `1-TCP` |
| Abnormal UDP traffic | `1-UDP` |
| Abnormal new IP addresses arrival rate | `2` |
| Abnormal network traffic entropy value | `3` |
| SYN flood | `4-SYN` |
| SYN-ACK flood | `4-SYN-ACK` |
| ACK flood | `4-ACK` |
| PSH-ACK flood | `4-PSH-ACK` |
| FIN/RST flood | `4-FIN/RST` |
| TCP-based application level protocol (e.g. HTTP) flood | `7-TCP-<protocol>` |
| UDP-based application level protocol (e.g. DNS) flood | `7-UDP-<protocol>` |
| "Tsunami" SYN flood | `7-TSU-<protocol>` |
| "Low and Slow" attack | `9-LS` |
| TCP SYN flood from a relatively small attacking population | `1-TCP:4-SYN` |
| TCP SYN-ACK flood from a relatively small attacking population | `1-TCP:4-SYN-ACK` |
| TCP FIN/RST flood from a relatively small attacking population | `1-TCP:4-FIN/RST` |
| TCP SYN flood from a large attacking population | `1-TCP:4-SYN:2` |
| TCP SYN-ACK flood from a large attacking population | `1-TCP:4-SYN-ACK:2` |
| TCP FIN/RST flood from a large attacking population | `1-TCP:4-FIN/RST:2` |
| TCP SYN flood from a vast attacking population | `1-TCP:4-SYN:2:3` |
| TCP SYN-ACK flood from a vast attacking population | `1-TCP:4-SYN-ACK:2:3` |
| TCP FIN/RST flood from a vast attacking population | `1-TCP:4-FIN/RST:2:3` |
| UDP flood from a large attacking population | `1-UDP:2` |
| UDP flood from a vast attacking population | `1-UDP:2:3` |
| ICMP flood from a large attacking population | `1-ICMP:2` |
| ICMP flood from a vast attacking population | `1-ICMP:2:3` |
| Application level TCP flood attack | `7-TCP-<protocol>:1-TCP` |
| Application level UDP flood attack | `7-UDP-<protocol>:1-UDP` |
| Application level TCP "Tsunami" flood attack | `7-TSU-<protocol>:1-TCP` |