New attack vectorAttack vector symbolAmplification factor0 – 50,000 Attacks50,001 – 500,000 Attacks500,001+ AttacksAttack vector name
Risk 56,000,000+ Available devicesRisk 44,000,001 – 6,000,000 Available devicesRisk 32,000,001 – 4,000,000 Available devicesRisk 2500,001 – 2,000,000 Available devicesRisk 11 – 500,000 Available devicesAvailable devices
160:01:00 Dn○○○●●
DNS Amp
2
N/A Im
ICMP
3
N/A Ta
TCP ACK
4
N/A Tr
TCP RST
5
N/A Ts
TCP SYN
6
3:1 – Tk●●●●●
TCP SYN/ACK Amp
7
3.8:1 Bt○○○○●
BitTorrent Amp
9
56.89:1 Cd○○○○●
CLDAP Amp
10
37.34:1 Dt○○○○●
D/TLS
11
N/A Ds○○○●●
DNS
12
1:01 Ik○○○○●
ISAKMP/IKE Amp
13
13.5:1 Lt○○○●●
L2TP Amp
15
4.35:1 Md○○○○●
mDNS Amp
16
51,200:1 Mc○○○○●
Memcached Amp
17
25:01:00 Mq○○○○●
MSSQLRS Amp
18
556.9:1 Np●●●●●
NTP Amp
19
880:01:00 Sn○○○●●
SNMP Amp
21
30.8:1 Ss○○○●●
SSDP Amp
22
3.32:1 St○○○○●
STUN Amp
23
N/A Tn
TCP NULL
24
35.5:1 Ar○○○○●
ARMS Amp
25
120:01:00 Bc○○○○●
BACnet Amp
28
1,000:1 Ch○○○○●
Chargen Amp
29
5.7:1 Ci○○○○●
Citrix-ICA Amp
30
34:01:00 Cp○○○○●
COAP Amp
31
24:01:00 Di○○○○●
DHCPDiscover Amp
34
N/A Ht
HTML5
35
N/A In
IP NULL
36
1.1:1 Ip○○○○●
IPMI Amp
37
N/A Iv
IPv4 Protocol 0
40
5.6:1 Jk○○○○●
Jenkins Amp
41
700,000:1 Mh●●●●●
MBHTTP Amp
42
3:01 Nb○○○●●
NetBIOS Amp
43
33.9:1 Ov○○○●●
OpenVPN Amp
45
4.68:1 Pm○○○○●
PMSSDP Amp
46
140.3:1 Qd○○○○●
QOTD Amp
47
63.9:1 Qk○○○○●
Quake Amp
48
Variable Qc○○○○●
Quic Amp
49
85.9:1 Rd○○○○●
RDP Amp
51
134.24:1 Ri○○○○●
RIPv1 Amp
52
29:01:00 Rc○○○●●
rpcbind/portmap Amp
53
30.7:1 Se○○○○●
Sentinel Amp
54
10:01 Sp○○●●●
SIP Amp
55
46.5:1 Tf○○●●●
TFTP Amp
56
4,294,967,296:1 Tp○○○○●
TP240 PhoneHome Amp
57
4:01 Ub○○○○●
Ubiquiti Amp
58
2,464:1 Un○○○○●
Unreal-Tournament Amp
59
14:01 Ve○○○○●
VSE Amp
60
500:01:00 Wd○○○○●
WS-DD Amp
61
500,001+ Attacks
50,001-500,000 Attacks
0-50,000 Attacks
DNS Amp
A DNS reflection/amplification DDoS attack is a common two-step DDoS attack in which the attacker manipulates open DNS servers.
Amplification Number
160:01:00
Number of Attacks
1189774
Available Devices
1112191
Port Number
53
ICMP
Programmatically-generated ICMP packets intended to consume link bandwidth (bps)/throughput (pps), as well as the capacity of targeted nodes to generate ICMP responses in the case of ICMP Echo Request (i.e., ping) floods. ICMP floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Amplification Number
N/A
Number of Attacks
944306
TCP ACK
Programmatically-generated TCP ACK packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most ACK-floods are spoofed. ACK-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1979785
TCP RST
Programmatically-generated TCP RST packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, etc. by forcing them to perform multiple simultaneous lookups for non-existent connections. Most RST-floods are spoofed. RST-floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1092525
TCP SYN
Programmatically-generated TCP SYN packets intended to overwhelm the TCP stacks of targeted hosts, consuming their capacity to instantiate new TCP connections for legitimate clients. SYN-Floods can also exhaust the state-tables of stateful firewalls, load-balancers, ‘IPS’ devices, et. al. Most SYN-Floods are spoofed. SYN-floods are primarily measured in packets-per-second (pps), and are both a volumetric and a connection-oriented form of DDoS attacks.
Amplification Number
N/A
Number of Attacks
1349140
TCP SYN/ACK Amp
Any node which runs a TCP-based service such as Web servers, SMTP mail relays, etc. can potentially be leveraged to launch TCP reflection/amplification DDoS attacks.
Amplification Number
3:1 –
Number of Attacks
1108008
Available Devices
1200000000
BitTorrent Amp
Nodes running older versions of BitTorrent P2P file-sharing applications can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
3.8:1
Number of Attacks
70733
Available Devices
210325
Port Number
6881
CLDAP Amp
Unsecured Connectionless Lightweight Directory Access Protocol (CLDAP) services can be leveraged to launch refleection/amplification DDoS attacks. Most abusable CLDAP reflectors/ampliifers are Microsoft Windows servers which have been unwisely exposed to the public Internet.
Amplification Number
56.89:1
Number of Attacks
91573
Available Devices
14825
Port Number
389
D/TLS
Improperly-implemented D/TLS servers and load-balancers can be leveraged to launch reflection/amplification DDoS attacks. Most D/TLS reflectors/amplifiers are hardware load-balancers running outdated software.
Amplification Number
37.34:1
Number of Attacks
456040
Available Devices
4282
Port Number
4443
DNS
Programmatically-generated DNS queries mainly intended to overwhelm authoritative DNS servers; recursive DNS servers can also be targeted, and can be negatively impacted if used to reflect DNS query-floods towards targeted authoritative DNS servers. Queried Resource Records (RRs) can be pseudorandomly-generated ('DNS Water Torture'), or chosen from a dictionary of tens of thousands of plaubile-sounding labels (i.e, the 'Dyn attack').
Amplification Number
N/A
Number of Attacks
339256
Available Devices
1112191
ISAKMP/IKE Amp
Misconfigured VPN servers and concentrators supporting the ISAKMP/IKE key-exchange methodology can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
1:01
Number of Attacks
55947
Available Devices
26668
Port Number
500
L2TP Amp
Misconfigured VPN servers and concentrators supporting the L2TP protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
13.5:1
Number of Attacks
122736
Available Devices
1673359
Port Number
1701
mDNS Amp
Large-scale state-sponsored, ISP-operated, and enterprise-run Web censorship systems which do not properly establish a TCP 3-way handshake prior to transmitting policy-violation responses to offending clients can be leveraged to launch reflection/ampification DDoS attacks.
Amplification Number
4.35:1
Number of Attacks
64169
Available Devices
227591
Port Number
5353
Memcached Amp
Misconfigured, Internet-exposed memcached database-caching servers can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
51,200:1
Number of Attacks
59459
Available Devices
2532
Port Number
11211
MSSQLRS Amp
Abusable, Internet-exposed Microsoft SQL Server nodes running the SQL Server Reporting Service can be leveraged to launch reflection/amplification attacks.
Amplification Number
25:01:00
Number of Attacks
62325
Available Devices
84663
Port Number
1434
NTP Amp
Misconfigured Network Time Protocol (ntp) servers which expose abusable administrative functions to the internet can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
556.9:1
Number of Attacks
465530
Available Devices
6179830
Port Number
123
SNMP Amp
Routers, layer-3 switches, WiFi access points, servers, and other Internet-connected devices running the SNMPv2 management protocol, and which have been misconfigured to expose it to the Internet with default credentials, can be leveraged to launch reflection/amplification attacks.
Amplification Number
880:01:00
Number of Attacks
73517
Available Devices
1334671
Port Number
161
SSDP Amp
Consumer-grade broadband access routers which expose Simple Service Discovery Protocol (SSDP) ito the Internet can be leveraged to launch SSDP reflection/amplification attacks.
Amplification Number
30.8:1
Number of Attacks
138596
Available Devices
1031415
Port Number
1900
STUN Amp
Nodes running the STUN protocol used to provide dynamic mapping of NATted private IP addresses to publicly-routable IP addresses can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
3.32:1
Number of Attacks
256823
Available Devices
123018
Port Number
3478,8088,37833
TCP NULL
Programmatically-generated TCP packets with no flags and no actual payload; they are typically padded with either zeroes or pseudo-random characters. TCP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as consume link capacity.
Amplification Number
N/A
Number of Attacks
52689
ARMS Amp
Internet-exposed Apple computers running older versions of the Apple Remote Management System (ARMS) protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
35.5:1
Number of Attacks
17375
Available Devices
7350
Port Number
3283
BACnet Amp
Internet-exposed servers and IoT devices running the BACNet HVAC management system protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
120:01:00
Number of Attacks
1482
Available Devices
14535
Port Number
47808
Chargen Amp
Systems running the legacy character-generator (chargen) network test facility can be abused to launch reflection/amplification DDoS attacks. Most chargen reflectors/amplifiers are IoT devices which often have such abusable legacy services running by default.
Amplification Number
1,000:1
Number of Attacks
15538
Available Devices
24246
Port Number
19
Citrix-ICA Amp
Citrix Independent Computing Architecture (Citrix ICA) is a proprietary protocol for an application server system. Designed by Citrix systems, it is not bound to any single platform and lays down specification for passing data between server and clients. Citrix ICA includes a server software component, a network protocol component, and a client software component. The Cirix ICA protocol has been used as an attack vector for DDoS attacks.
Amplification Number
5.7:1
Number of Attacks
985
Available Devices
16115
Port Number
1604
COAP Amp
Misconfigured Constrained Application Protocol (CoAP) M2M speakers can be leveaged to launch reflection/amplification DDoS attacks. Most abusable CoAP reflectors/amplifiers are embedded IoT devices connected to the Internet over wireless broadband carriers. Like other UDP-based protocols, CoAP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
34:01:00
Number of Attacks
3665
Available Devices
238672
Port Number
5683
DHCPDiscover Amp
Internet-exposed DVRs and other types of IoT devices running the DHCPDiscover management protocol can be leveraged to launch reflection/amplification DDoS attacks (note that despite its name, DHCPDiscover is unrelated to the DHCP IP address-management protocol).
Amplification Number
24:01:00
Number of Attacks
28422
Available Devices
38896
Port Number
37810
HTML5
HTML5 (Hypertext MaHTML5 (Hypertext Markup Language) is used for structuring and presenting content on the World Wide Web. The HTML5 language's ping attribute is used by websites as a mechanism to notify a website if a user follows a given link on a page. It has also been utilized as a DDoS attack vector to overwhelm targeted victims.rkup Language) is used for structuring and presenting content on the World Wide Web. The HTML5 language's ping attribute is used by websites as a mechanism to notify a website if a user follows a given link on a page. It has also been utilized as a DDoS attack vector to overwhelm targeted victims.
Amplification Number
N/A
IP NULL
Programmatically-generated IP packets with no actual payload; they are typically padded with either zeroes or pseudo-random characters. IP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link bandwidth (bps)/throughput (pps). IP Null floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
22602
IPMI Amp
Internet-exposed Baseband Management Controller (BMCs) server management subsystems running the RMCP protocol can be leveraged to launch reflection/amplification attacks. These combined suites of hardware and software are collectively referred to as Intelligent Platform Management Interface (IPMI) systems.
Amplification Number
1.1:1
Number of Attacks
414
Available Devices
64264
IPv4 Protocol 0
Programmatically-generated IPv4 Protocol 0 packets intended to consume link bandwidth/throughput, as well as the capacity of targeted nodes to process incoming packets. IPv4 Protocol 0 is an invalid protocol number, but is forwarded by most routers and layer-3 switches. IPv4 Protocol 0 floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Amplification Number
N/A
Number of Attacks
20793
Jenkins Amp
Servers running obsolete versions of the popular Jenkins automation suite can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
5.6:1
Number of Attacks
2638
Available Devices
19045
Port Number
33848
MBHTTP Amp
Large-scale state-sponsored, ISP-operated, and enterprise-run Web censorship systems which do not properly establish a TCP 3-way handshake prior to transmitting policy-violation responses to offending clients can be leveraged to launch reflection/ampification DDoS attacks.
Amplification Number
700,000:1
Available Devices
20000000
NetBIOS Amp
Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model that allow applications on separate computers to communicate over a local area network. An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service.
Amplification Number
3:01
Number of Attacks
32345
Available Devices
560779
Port Number
137
OpenVPN Amp
OpenVPN servers and concentrators running outdated software can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
33.9:1
Number of Attacks
39631
Available Devices
951150
Port Number
1194
PMSSDP Amp
Plex Media Server nodes running outdated software and exposed to the public Internet can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
4.68:1
Number of Attacks
325
Available Devices
47395
Port Number
32410,32414
QOTD Amp
The legacy Quote-of-the-Day (QotD) network entertainment service can be leveraged to launch reflection/amplification DDoS attacks. It is mainly found today on IoT devices running insecure default configurations which expose abusable, outdated services to the Internet at large.
Amplification Number
140.3:1
Number of Attacks
1166
Available Devices
26351
Port Number
17
Quake Amp
Quake game servers running legacy, outdated multiplayer software can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
63.9:1
Number of Attacks
2778
Available Devices
523
Port Number
27960,27961,27962,27970
Quic Amp
A limited population of misconfigured QUIC servers can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
Variable
Available Devices
432563
Port Number
443
RDP Amp
Misconfigured, abusable Microsoft Windows Remote Desktop Protocol (RDP) servers which are exposed to the Internet can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
85.9:1
Number of Attacks
7214
Available Devices
3851
Port Number
3389
RIPv1 Amp
Nodes which expose the deprecated RIPv1 routing protocol to the Internet can be abused to launch reflection/amplification attacks.
Amplification Number
134.24:1
Number of Attacks
13539
Available Devices
309716
Port Number
520
rpcbind/portmap Amp
Misconfigured servers which expose the rpcbind/portmapper service to the Internet can be leveraged to launch reflection/amplification attacks.
Amplification Number
29:01:00
Number of Attacks
17186
Available Devices
1515955
Port Number
111
Sentinel Amp
SPSS statistical software licensing servers running outdated software can be abused to launch Sentinel reflection/amplification DDoS attacks.
Amplification Number
30.7:1
Number of Attacks
1522
Available Devices
899
Port Number
5093
SIP Amp
Misconfigured, Internet-exposed Session Border Controllers (SBCs) and voice-over-IP (VoIP) PBXes can be abused to launch Session Initiation Protocol (SIP) reflection/amplification DDoS attacks.
Amplification Number
10:01
Number of Attacks
23132
Available Devices
3174307
Port Number
5060
TFTP Amp
Misconfigured, publicly-exposed Trivial File Transfer Protocol (tftp) servers can be leveraged to launch reflection/amplification attacks. Many abuable tftp servers are actually routers or other network infrastructure devices.
Amplification Number
46.5:1
Number of Attacks
3423
Available Devices
2055371
Port Number
69
TP240 PhoneHome Amp
A test facility present in unpatched Mitel VoIP gateways running deprecated software versions can be abused to launch reflection/amplification DDoS attacks with a record-breaking amplification factor of 4,294,967,296:1.
Amplification Number
4,294,967,296:1
Number of Attacks
2471
Available Devices
5276
Port Number
10074
Ubiquiti Amp
Some Ubiquiti wireless access devices running outdated software and which expose their managagment protocol to the public Internet can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
4:01
Number of Attacks
16797
Available Devices
29639
Port Number
10001
Unreal-Tournament Amp
Multiplayer game servers running deprecated versions of the Unreal Tournament online gaming protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
2,464:1
Number of Attacks
20406
Available Devices
1029
Port Number
7777-7788
VSE Amp
Multiplayer game servers running deprecated versions of the Valve Steam Engine (VSE) online gaming protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
14:01
Number of Attacks
31975
Available Devices
31217
Port Number
27015-27021,21025,21026,28015
WS-DD Amp
Misconfigured, Internet-exposed nodes running the Web Services Dynamic Discovery (WS-DD) protocol can be leveraged to launch reflection/amplification DDoS attacks.