Appendix 1 - Basic DDoS Attack Types

Attack Types and Indicators

| Attack Type | Textual identifier |
| --- | --- |
| Abnormal ICMP traffic | `1-ICMP` |
| Abnormal TCP traffic | `1-TCP` |
| Abnormal UDP traffic | `1-UDP` |
| Abnormal new IP addresses arrival rate | `2` |
| Abnormal network traffic entropy value | `3` |
| SYN flood | `4-SYN` |
| SYN-ACK flood | `4-SYN-ACK` |
| ACK flood | `4-ACK` |
| PSH-ACK flood | `4-PSH-ACK` |
| FIN/RST flood | `4-FIN/RST` |
| TCP-based application level protocol (e.g. HTTP) flood | `7-TCP-<protocol>` |
| UDP-based application level protocol (e.g. DNS) flood | `7-UDP-<protocol>` |
| "Tsunami" SYN flood | `7-TSU-<protocol>` |
| "Low and Slow" attack | `9 - LS` |
| TCP SYN flood from a relatively small attacking population | `1-TCP:4-SYN` |
| TCP SYN-ACK flood from a relatively small attacking population | `1-TCP:4-SYN-ACK` |
| TCP FIN/RST flood from a relatively small attacking population | `1-TCP:4-FIN/RST` |
| TCP SYN flood from a large attacking population | `1-TCP:4-SYN:2` |
| TCP SYN-ACK flood from a large attacking population | `1-TCP:4-SYN-ACK:2` |
| TCP FIN/RST flood from a large attacking population | `1-TCP:4-FIN/RST:2` |
| TCP SYN flood from a vast attacking population | `1-TCP:4-SYN:2:3` |
| TCP SYN-ACK flood from a vast attacking population | `1-TCP:4-SYN-ACK:2:3` |
| TCP FIN/RST flood from a vast attacking population | `1-TCP:4-FIN/RST:2:3` |
| UDP flood from a large attacking population | `1-UDP:2` |
| UDP flood from a vast attacking population | `1-UDP:2:3` |
| ICMP flood from a large attacking population | `1-ICMP:2` |
| ICMP flood from a vast attacking population | `1-ICMP:2:3` |
| Application level TCP flood attack | `7-TCP-<protocol>:1-TCP` |
| Application level UDP flood attack | `7-UDP-<protocol>:1-UDP` |
| Application level TCP "Tsunami" flood attack | `7-TSU-<protocol>:1-TCP` |