DDoS Attack Vectors
Interactive Periodic Table of Vectors
Attack Count
500,001+
50,001 - 500,000
0 - 50,000
- 160:1 Dn ○○○●● DNS Amp 2
- N/A Im ICMP 3
- N/A Ta TCP ACK 4
- N/A Tr TCP RST 5
- N/A Ts TCP SYN 6
- 3:1 Tk TCP SYN/ACK Amp 7
- 3.8:1 Bt ○○○○● BitTorrent Amp 9
- 1,000:1 Ch ○○○○● Chargen Amp 10
- N/A Ds DNS 11
- 10:1 Ik ○○○○● ISAKMP/IKE Amp 12
- 13.5:1 Lt ○○●●● L2TP Amp 13
- 4.35:1 Md ○○○○● mDNS Amp 15
- 51,200:1 Mc ○○○○● Memcached Amp 16
- 25:1 Mq ○○○○● MSSQLRS Amp 17
- 556.9:1 Np ●●●●● NTP Amp 18
- 6.3:1 Sn ○○○●● SNMP Amp 19
- 30.8:1 Ss ○○○●● SSDP Amp 21
- 3.32:1 St ○○○○● STUN Amp 22
- N/A Tn TCP NULL 23
- 2,464:1 Un ○○○○● Unreal-Tournament Amp 24
- 14:1 Ve ○○○○● VSE Amp 25
- 500:1 Wd ○○○○● WS-DD Amp 28
- 35.5:1 Ar ○○○○● ARMS Amp 29
- 120:1 Bc ○○○○● BACnet Amp 30
- 5.7:1 Ci ○○○○● Citrix-ICA Amp 31
- 56.89:1 Cd ○○○○● CLDAP Amp 34
- 34:1 Cp ○○○○● COAP Amp 35
- 37.34:1 Dt D/TLS 36
- 25.68:1 Di ○○○○● DHCPDiscover Amp 37
- N/A Ht HTML5 39
- N/A In IP NULL 40
- 1.1:1 Ip ○○○○● IPMI Amp 41
- N/A Iv IPv4 Protocol 0 42
- 5.6:1 Jk ○○○○● Jenkins Amp 43
- 700,000:1 Mh ○○○●● MBHTTP Amp 45
- 3:1 Nb ○○○○● NetBIOS Amp 46
- 33.9:1 Ov ○○○●● OpenVPN Amp 47
- 4.68:1 Pm ○○○○● PMSSDP Amp 48
- 140.3:1 Qd ○○○○● QOTD Amp 49
- 63.9:1 Qk ○○○○● Quake Amp 51
- Variable Qc ○○○○● Quic Amp 52
- 85.9:1 Rd ○○○○● RDP Amp 53
- 134.24:1 Ri ○○○○● RIPv1 Amp 54
- 29:1 Rc ○○○●● rpcbind/portmap Amp 55
- 30.7:1 Se ○○○○● Sentinel Amp 56
- 10:1 Sp ○○●●● SIP Amp 57
- 2,200:1 Sl ○○○○● SLP Amp 58
- 46.5:1 Tf ○○○●● TFTP Amp 59
- 4,294,967,296:1 Tp ○○○○● TP240 PhoneHome Amp 60
- 4:1 Ub ○○○○● Ubiquiti Amp 61
DNS Amp
A DNS reflection/amplification DDoS attack is a common two-step DDoS attack in which the attacker manipulates open DNS servers.
Amplification Number
160:1
Number of Attacks
1514557
Reflectors/Amplifiers
1627440
Port Number
53
ICMP
Programmatically generated ICMP packets intended to consume link bandwidth (bps)/throughput (pps), as well as the capacity of targeted nodes to generate ICMP responses in the case of ICMP Echo Request (i.e., ping) floods. ICMP floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Amplification Number
N/A
Number of Attacks
1046732
Reflectors/Amplifiers
N/A
Port Number
N/A
TCP ACK
Programmatically generated TCP ACK packets primarily intended to overwhelm the state-tables of stateful firewalls, load-balancers, IPS devices, and so forth by forcing them to perform multiple simultaneous lookups for nonexistent connections. Most ACK floods are spoofed. ACK floods are primarily measured in packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
2305734
Reflectors/Amplifiers
N/A
Port Number
N/A
TCP RST
Programmatically generated TCP RST packets primarily intended to overwhelm the state-tables of stateful firewalls, load balancers, IPS devices, and so forth by forcing them to perform multiple simultaneous lookups for nonexistent connections. Most RST floods are spoofed. RST floods are primarily measured in packets-per-second (pps) and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1088436
Reflectors/Amplifiers
N/A
Port Number
N/A
TCP SYN
Programmatically generated TCP SYN packets intended to overwhelm the TCP stacks of targeted hosts, consuming their capacity to instantiate new TCP connections for legitimate clients. SYN floods can also exhaust the state-tables of stateful firewalls, load balancers, IPS devices, et al. Most SYN floods are spoofed. SYN floods are primarily measured in packets-per-second (pps), and are both a volumetric and a connection-oriented form of DDoS attack.
Amplification Number
N/A
Number of Attacks
1140870
Reflectors/Amplifiers
N/A
Port Number
N/A
TCP SYN/ACK Amp
Any node that runs a TCP-based service such as web servers, SMTP mail relays, and so forth can potentially be leveraged to launch TCP reflection/amplification DDoS attacks.
Amplification Number
3:1
Number of Attacks
1020085
Reflectors/Amplifiers
N/A
Port Number
N/A
BitTorrent Amp
Nodes running older versions of BitTorrent P2P file-sharing applications can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
3.8:1
Number of Attacks
70755
Reflectors/Amplifiers
137826
Port Number
6881
Chargen Amp
Systems running the legacy character-generator (chargen) network test facility can be abused to launch reflection/amplification DDoS attacks. Most chargen reflectors/amplifiers are IoT devices, which often have such abusable legacy services running by default.
Amplification Number
1,000:1
Number of Attacks
70743
Reflectors/Amplifiers
14570
Port Number
19
DNS
Programmatically generated DNS queries mainly intended to overwhelm authoritative DNS servers; recursive DNS servers can also be targeted, and can be negatively impacted if used to reflect DNS query floods toward targeted authoritative DNS servers. Queried Resource Records (RRs) can be pseudorandomly generated (DNS Water Torture), or chosen from a dictionary of tens of thousands of plausible-sounding labels (i.e., the Dyn attack).
Amplification Number
N/A
Number of Attacks
494677
Reflectors/Amplifiers
N/A
Port Number
N/A
ISAKMP/IKE Amp
Misconfigured VPN servers and concentrators supporting the ISAKMP/IKE key-exchange methodology can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
10:1
Number of Attacks
81169
Reflectors/Amplifiers
23426
Port Number
500
L2TP Amp
Misconfigured VPN servers and concentrators supporting the L2TP protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
13.5:1
Number of Attacks
108282
Reflectors/Amplifiers
2031634
Port Number
1701
mDNS Amp
Internet-exposed nodes running misconfigured, abusable mDNS services can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
4.35:1
Number of Attacks
77332
Reflectors/Amplifiers
207558
Port Number
5353
Memcached Amp
Misconfigured, internet-exposed memcached database-caching servers can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
51,200:1
Number of Attacks
77225
Reflectors/Amplifiers
4144
Port Number
11211
MSSQLRS Amp
Abusable, internet-exposed Microsoft SQL Server nodes running the SQL Server Reporting Service can be leveraged to launch reflection/amplification attacks.
Amplification Number
25:1
Number of Attacks
82288
Reflectors/Amplifiers
85876
Port Number
1434
NTP Amp
Misconfigured Network Time Protocol (NTP) servers that expose abusable administrative functions to the internet can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
556.9:1
Number of Attacks
378123
Reflectors/Amplifiers
6855982
Port Number
123
SNMP Amp
Routers, layer-3 switches, Wi-Fi access points, servers, and other internet-connected devices running the SNMPv2 management protocol, and which have been misconfigured to expose it to the internet with default credentials, can be leveraged to launch reflection/amplification attacks.
Amplification Number
6.3:1
Number of Attacks
76295
Reflectors/Amplifiers
1287986
Port Number
161
SSDP Amp
Consumer-grade broadband access routers that expose Simple Service Discovery Protocol (SSDP) to the internet can be leveraged to launch SSDP reflection/amplification attacks.
Amplification Number
30.8:1
Number of Attacks
153316
Reflectors/Amplifiers
1589150
Port Number
1900
STUN Amp
Nodes running the STUN protocol used to provide dynamic mapping of NATted private IP addresses to publicly routable IP addresses can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
3.32:1
Number of Attacks
377585
Reflectors/Amplifiers
146005
Port Number
3478,
TCP NULL
Programmatically generated TCP packets with no flags and no actual payload; they are typically padded with either zeroes or pseudo-random characters. TCP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as consume link capacity.
Amplification Number
N/A
Number of Attacks
63887
Reflectors/Amplifiers
N/A
Port Number
N/A
Unreal-Tournament Amp
Multiplayer game servers running deprecated versions of the Unreal Tournament online gaming protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
2,464:1
Number of Attacks
57341
Reflectors/Amplifiers
2589
Port Number
7777-7788
VSE Amp
Multiplayer game servers running deprecated versions of the Valve Steam Engine (VSE) online gaming protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
14:1
Number of Attacks
50030
Reflectors/Amplifiers
23771
Port Number
27015-27021,
WS-DD Amp
Misconfigured, internet-exposed nodes running the Web Services Dynamic Discovery (WS-DD) protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
500:1
Number of Attacks
74073
Reflectors/Amplifiers
21761
Port Number
3702
ARMS Amp
Internet-exposed Apple computers running older versions of the Apple Remote Management System (ARMS) protocol can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
35.5:1
Number of Attacks
30329
Reflectors/Amplifiers
5466
Port Number
3283
BACnet Amp
Internet-exposed servers and IoT devices running the BACnet HVAC management system protocol can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
120:1
Number of Attacks
2303
Reflectors/Amplifiers
15917
Port Number
47808
Citrix-ICA Amp
Citrix Independent Computing Architecture (Citrix ICA) is a proprietary protocol for an application server system. Designed by Citrix Systems, it is not bound to any single platform and lays down specification for passing data between server and clients. Citrix ICA includes a server software component, a network protocol component, and a client software component. The Citrix ICA protocol has been used as an attack vector for DDoS attacks.
Amplification Number
5.7:1
Number of Attacks
1538
Reflectors/Amplifiers
4848
Port Number
1604
CLDAP Amp
Unsecured Connectionless Lightweight Directory Access Protocol (CLDAP) services can be leveraged to launch reflection/amplification DDoS attacks. Most abusable CLDAP reflectors/amplifiers are Microsoft Windows servers that have been unwisely exposed to the public internet.
Amplification Number
56.89:1
Number of Attacks
38573
Reflectors/Amplifiers
16031
Port Number
389
COAP Amp
Misconfigured Constrained Application Protocol (CoAP) M2M speakers can be leveraged to launch reflection/amplification DDoS attacks. Most abusable CoAP reflectors/amplifiers are embedded IoT devices connected to the internet over wireless broadband carriers. Like other UDP-based protocols, CoAP can be exploited to perform UDP reflection/amplification DDoS attacks.
Amplification Number
34:1
Number of Attacks
19620
Reflectors/Amplifiers
360154
Port Number
5683
D/TLS
Improperly implemented D/TLS servers and load-balancers can be leveraged to launch reflection/amplification DDoS attacks. Most D/TLS reflectors/amplifiers are hardware load balancers running outdated software.
Amplification Number
37.34:1
Number of Attacks
N/A
Reflectors/Amplifiers
N/A
Port Number
4443
DHCPDiscover Amp
Internet-exposed DVRs and other types of IoT devices running the DHCPDiscover management protocol can be leveraged to launch reflection/amplification DDoS attacks (note that despite its name, DHCPDiscover is unrelated to the DHCP IP address-management protocol).
Amplification Number
25.68:1
Number of Attacks
9766
Reflectors/Amplifiers
43932
Port Number
37810
HTML5
HTML5 (Hypertext Markup Language) is used for structuring and presenting content on the World Wide Web. The HTML5 language's ping attribute is used by websites as a mechanism to notify a website if a user follows a given link on a page. It has also been utilized as a DDoS attack vector to overwhelm targeted victims.
Amplification Number
N/A
Number of Attacks
N/A
Reflectors/Amplifiers
N/A
Port Number
N/A
IP NULL
Programmatically generated IP packets with no actual payload; they are typically padded with either zeroes or pseudo-random characters. IP Null Floods are primarily intended to overwhelm the TCP/IP stacks of targeted nodes with payloadless packets, as well as to consume link bandwidth (bps)/throughput (pps). IP Null floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a volumetric form of DDoS attack.
Amplification Number
N/A
Number of Attacks
22691
Reflectors/Amplifiers
N/A
Port Number
N/A
IPMI Amp
Internet-exposed Baseband Management Controller (BMC) server management subsystems running the RMCP protocol can be leveraged to launch reflection/amplification attacks. These combined suites of hardware and software are collectively referred to as Intelligent Platform Management Interface (IPMI) systems.
Amplification Number
1.1:1
Number of Attacks
568
Reflectors/Amplifiers
56662
Port Number
623
IPv4 Protocol 0
Programmatically generated IPv4 Protocol 0 packets intended to consume link bandwidth/throughput, as well as the capacity of targeted nodes to process incoming packets. IPv4 Protocol 0 is an invalid protocol number, but is forwarded by most routers and layer-3 switches. IPv4 Protocol 0 floods are measured in both bits-per-second (bps) and packets-per-second (pps), and are a form of volumetric DDoS attack.
Amplification Number
N/A
Number of Attacks
22109
Reflectors/Amplifiers
N/A
Port Number
N/A
Jenkins Amp
Servers running obsolete versions of the popular Jenkins automation suite can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
5.6:1
Number of Attacks
3631
Reflectors/Amplifiers
28272
Port Number
33848
MBHTTP Amp
Large-scale state-sponsored, ISP-operated, and enterprise-run web censorship systems that do not properly establish a TCP 3-way handshake prior to transmitting policy-violation responses to offending clients can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
700,000:1
Number of Attacks
N/A
Reflectors/Amplifiers
999975
Port Number
N/A
NetBIOS Amp
Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model that allow applications on separate computers to communicate over a local area network. An attacker can cause a victim's machine to refuse all NetBIOS network traffic, resulting in a denial of service.
Amplification Number
3:1
Number of Attacks
35977
Reflectors/Amplifiers
494935
Port Number
137
OpenVPN Amp
OpenVPN servers and concentrators running outdated software can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
33.9:1
Number of Attacks
48093
Reflectors/Amplifiers
968576
Port Number
1194
PMSSDP Amp
Plex Media Server nodes running outdated software and exposed to the public internet can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
4.68:1
Number of Attacks
205
Reflectors/Amplifiers
58369
Port Number
32410,
QOTD Amp
The legacy Quote-of-the-Day (QotD) network entertainment service can be leveraged to launch reflection/amplification DDoS attacks. It is mainly found today on IoT devices running insecure default configurations that expose abusable, outdated services to the internet at large.
Amplification Number
140.3:1
Number of Attacks
1139
Reflectors/Amplifiers
19598
Port Number
17
Quake Amp
Quake game servers running legacy, outdated multiplayer software can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
63.9:1
Number of Attacks
4679
Reflectors/Amplifiers
1730
Port Number
27960,
Quic Amp
A limited population of misconfigured QUIC servers can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
Variable
Number of Attacks
N/A
Reflectors/Amplifiers
425024
Port Number
443
RDP Amp
Misconfigured, abusable Microsoft Windows Remote Desktop Protocol (RDP) servers that are exposed to the internet can be leveraged to launch reflection/amplification DDoS attacks.
Amplification Number
85.9:1
Number of Attacks
10126
Reflectors/Amplifiers
3187
Port Number
3389
RIPv1 Amp
Nodes that expose the deprecated RIPv1 routing protocol to the internet can be abused to launch reflection/amplification attacks.
Amplification Number
134.24:1
Number of Attacks
20331
Reflectors/Amplifiers
285140
Port Number
520
rpcbind/portmap Amp
Misconfigured servers that expose the rpcbind/portmapper service to the internet can be leveraged to launch reflection/amplification attacks.
Amplification Number
29:1
Number of Attacks
21564
Reflectors/Amplifiers
1510319
Port Number
111
Sentinel Amp
SPSS statistical software-licensing servers running outdated software can be abused to launch Sentinel reflection/amplification DDoS attacks.
Amplification Number
30.7:1
Number of Attacks
1350
Reflectors/Amplifiers
1215
Port Number
5093
SIP Amp
Misconfigured, internet-exposed Session Border Controllers (SBCs) and voice-over-IP (VoIP) PBXes can be abused to launch Session Initiation Protocol (SIP) reflection/amplification DDoS attacks.
Amplification Number
10:1
Number of Attacks
21179
Reflectors/Amplifiers
3163642
Port Number
5060
SLP Amp
Misconfigured, publicly exposed Session Location Protocol (SLP) responders can be leveraged to launch reflection/amplification attacks. Many abusable SLP responders are actually internet-exposed print servers.
Amplification Number
2,200:1
Number of Attacks
7747
Reflectors/Amplifiers
27294
Port Number
427
TFTP Amp
Misconfigured, publicly exposed Trivial File Transfer Protocol (TFTP) servers can be leveraged to launch reflection/amplification attacks. Many abusable TFTP servers are actually routers or other network infrastructure devices.
Amplification Number
46.5:1
Number of Attacks
24814
Reflectors/Amplifiers
1019877
Port Number
69
TP240 PhoneHome Amp
A test facility present in unpatched Mitel VoIP gateways running deprecated software versions can be abused to launch reflection/amplification DDoS attacks with a record-breaking amplification factor of 4,294,967,296:1.
Amplification Number
4,294,967,296:1
Number of Attacks
692
Reflectors/Amplifiers
3867
Port Number
10074
Ubiquiti Amp
Some Ubiquiti wireless access devices that run outdated software and expose their management protocol to the public internet can be abused to launch reflection/amplification DDoS attacks.
Amplification Number
4:1
Number of Attacks
14051
Reflectors/Amplifiers
26378
Port Number
10001