DDoS Attack Taxonomy

Interactive reference of 113+ attack types across network, transport, and application layers. Each attack mapped to DDactic tools, defense bypass methods, and OPI impact scoring.

At a glance: 113 attack types | 7 categories | 3 protocol variants | 75 H1/H2/H3 combos | 12 evasion methods | 14 reflector protocols
Attack path visualization (diagram). Stages, left to right: ATTACKER (multi-cloud fleet, 13 platforms) -> ISP / TRANSIT (upstream link, blackhole risk) -> SCRUBBING (L3/L4 filtering, BGP diversion, XDP/eBPF/ASIC) -> CDN / WAF (L7 inspection, anycast mesh, rate limiting) -> ON-PREM (WAF / LB / IPS, F5 / Radware, pipe bottleneck) -> ORIGIN (application server, database / APIs). Each stage (L3/L4 pipe, L3/L4 scrub, L7 filter, appliance, application) is marked BLOCKED, FILTERED, or GAP.
Categories (7):
  12 attacks - Bandwidth exhaustion, IP fragmentation, tunnel abuse
  30 attacks - TCP state exhaustion, UDP amplification, DNS abuse
  34 attacks - HTTP floods, slowloris family, H2/H3 protocol attacks, resource exhaustion
  10 attacks - CDN bypass, PoP rotation, carpet bombing, protocol hopping
  9 attacks - Credential stuffing, session hijacking, MFA bypass
  10 attacks - REST, GraphQL, gRPC resource exhaustion
  27 attacks - SIP/SMTP/SSH/RDP/LDAP/IoT/Streaming/XMPP
H1 vs H2 vs H3 - connection models and attack surface

HTTP/1.1
  Transport: TCP + TLS 1.2/1.3
  Multiplexing: None
  Connections needed: Many (one in-flight request per connection; keep-alive reuses a connection only sequentially)
  Head-of-line blocking: Yes
  Server push: No
  Header compression: No
  Connection exhaustion: High risk
  Key attacks: Slowloris, Slow POST, Slow Read, GET Flood, Connection Flood

HTTP/2
  Transport: TCP + TLS 1.2/1.3 (ALPN h2)
  Multiplexing: Streams over 1 conn
  Connections needed: 1 (many streams)
  Head-of-line blocking: TCP level only (one lost segment stalls every stream on the connection)
  Server push: Yes
  Header compression: HPACK
  Frame-level attacks: High risk
  Key attacks: Rapid Reset (CVE-2023-44487), CONTINUATION Flood, PING Flood, SETTINGS Abuse, Empty Frames

HTTP/3
  Transport: QUIC (UDP + TLS 1.3 built-in)
  Multiplexing: Independent streams
  Connections needed: 1 (QUIC conn ID)
  Head-of-line blocking: None across streams (loss stalls only the affected stream)
  Server push: Yes
  Header compression: QPACK
  UDP-based attacks: New surface
  Key attacks: QUIC Initial Flood, CID Exhaustion, Version Negotiation, 0-RTT Replay, ACK Manipulation
H1/H2/H3 test matrix - 75 combinations (5 concurrency levels x 5 connection modes x 3 HTTP versions)

CONCURRENCY LEVELS
  Level 1: 10 conns
  Level 2: 100 conns
  Level 3: 500 conns
  Level 4: 1,000 conns
  Level 5: 5,000 conns

CONNECTION MODES
  Persistent: keep-alive reuse
  New-conn: fresh connection per request
  Multiplexed: H2 streams
  Pipeline: H1 pipelining
  Mixed: randomized

ESCALATOR FLAGS
  --conns N          concurrent connections
  --new-conn         no connection reuse
  --streams N        H2 streams per conn
  --http-version     1 | 2
  --burst            pulse wave mode
How protocols nest - every attack inherits the layers below it

OSI protocol nesting - attacks mapped to their actual layer

L3 NETWORK - IPv4/IPv6: routing, addressing, fragmentation
  Conn model: NONE (connectionless). Each packet independently routed.
  Attacks: ICMP Flood, IP Fragment, GRE Flood, ESP Flood, MPLS

L4 TCP - 3-way handshake, stateful, ordered delivery
  Conn: SYN -> SYN-ACK -> ACK (connection table entry)
  Attacks: SYN Flood, ACK Flood, Sockstress, RST Flood, Conn Table Full, Middlebox Refl.

L4 UDP - connectionless, no handshake, fire-and-forget
  Conn: NONE. No state. Spoofing trivial.
  Attacks: UDP Flood, DNS Amp (50x), SLP Amp (2200x), NTP Amp (500x), SSDP Amp (30x), TP240 Amp (4.3Bx), CLDAP Amp (70x)

TLS 1.2 / 1.3 - encryption, certificate validation, key exchange
  TLS 1.2: static RSA or (EC)DHE key exchange. TLS 1.3: (EC)DHE only; static RSA key exchange was removed, so every full handshake has forward secrecy.
  H2 requires TLS with ALPN negotiation (h2) and ephemeral (EC)DHE key exchange for forward secrecy.
  Attacks: TLS Exhaustion, SSL Renegotiation

QUIC (L4 + TLS 1.3 built-in) - UDP-based transport with integrated encryption
  Conn: Connection ID (not IP:port). 0-RTT resumption. Independent streams.
  TLS 1.3 baked in - no separate handshake. (EC)DHE only, no RSA key exchange (RSA remains only in certificate signatures).
  Attacks: Initial Flood, CID Exhaustion, 0-RTT Replay, ACK Manip.

HTTP/1.1 - over TCP + TLS 1.2/1.3
  One request at a time per connection; keep-alive reuses the connection sequentially.
  Attacks: Slowloris, Slow POST, Slow Read, GET/POST Flood

HTTP/2 - over TCP + TLS (ALPN h2)
  Multiplexed streams on 1 conn. Requires ECDHE/DH cipher suites.
  Attacks: Rapid Reset, CONTINUATION, PING Flood, SETTINGS Flood

HTTP/3 - over QUIC (UDP + TLS 1.3)
  Independent streams (no HOL). QPACK header compression.
  Attacks: HEADERS Flood, Frame Flood, Version Neg.

APP PROTOCOLS - run ON HTTP (not beside it)
  REST API (H1/H2/H3), GraphQL (POST /graphql), WebSocket (HTTP Upgrade)

H2-ONLY PROTOCOLS
  gRPC requires H2 frames. Attacks: Stream Exhaust., gRPC Flood
  gRPC attack = H2 stream attack with protobuf serialization overhead

NON-HTTP L7 - direct on TCP or UDP
  SIP (UDP:5060), SMTP (TCP:25), SSH (TCP:22), MQTT, LDAP, RTSP

Notes
  HTTP/3 does NOT depend on HTTP/2. It is a clean protocol on QUIC (UDP).
  Slowloris = H1 only. H2 equivalent: CONTINUATION flood.
  Each attack inherits ALL layers below it: an H2 Rapid Reset still needs a TCP connection and a TLS handshake, and a QUIC Initial Flood is, on the wire, a UDP flood.
How protection architectures distribute attack traffic

Anycast Mesh (CDN) - traffic distributed across PoPs, inherently resilient
  Path (diagram): ATK -> PoP x5 -> ORIGIN (100 Gbps / 5 PoPs = 20 Gbps each)
  Capacity: Tbps (distributed)
  Failover: Automatic (anycast)
  Latency impact: Minimal (edge close)
  Cache benefit: 80% less origin load

Hub-Spoke (Scrubbing) - centralized absorption at fewer locations
  Path (diagram): ATK -> SCRUB-1 / SCRUB-2 -> GRE / BGP tunnel -> ORIGIN
  Capacity: Tbps (centralized)
  Failover: BGP re-route (minutes)
  Latency impact: Higher (traffic detour)
  Activation: On-demand, 3-10 min gap

Direct / Self-Managed - single pipe, single device, no distribution
  Path (diagram): ATK -> 10G PIPE (SATURATED) -> ORIGIN
  Capacity: ISP pipe limit (1-100G)
  Failover: None (single point of failure)
  Latency impact: N/A - offline
  ISP response: Blackhole (all traffic)
How protection gaps map to attack effectiveness

Finding: No Cloud WAF
  OPI impact: Defense -35
  Attack effect: HTTP floods reach origin unfiltered. No rate limiting, no bot detection, no challenge pages. Application processes every request.
  Related attacks: HTTP GET Flood, POST Flood, Slowloris

Finding: On-Prem WAF Only
  OPI impact: Defense -25, Origin -20
  Attack effect: Upstream pipe saturates before appliance can process. Device capacity (e.g. 400 Gbps F5) is irrelevant if the 10G ISP link fills first.
  Related attacks: Pulse Wave, HTTP Bomb, LFD

Finding: No CDN
  OPI impact: Defense -40, L3/L4 -50
  Attack effect: All traffic hits origin directly. SYN floods exhaust connection tables. UDP floods saturate bandwidth. No anycast distribution.
  Related attacks: SYN Flood, UDP Flood, Carpet Bomb

Finding: Origin IP Exposed
  OPI impact: Origin -40
  Attack effect: Attacker bypasses CDN entirely by hitting origin IP directly. All L7 protections (WAF, rate limits, bot detection) are circumvented.
  Related attacks: CDN Bypass, SYN Flood, UDP Flood

Finding: No Scrubbing
  OPI impact: L3/L4 -30
  Attack effect: Volumetric UDP floods saturate ISP link directly. No upstream filtering. ISP may blackhole the target IP, dropping all traffic including legitimate.
  Related attacks: UDP Flood, DNS Amp, SLP Amp

Finding: On-Demand Scrubbing
  OPI impact: L3/L4 -15
  Attack effect: 3-10 minute activation gap while BGP re-routes. Attack traffic hits origin during this window. Yo-yo attacks can trigger repeated activation cycles.
  Related attacks: Yo-Yo Attack, Pulse Wave

Finding: ISP Blackhole
  OPI impact: L3/L4 -20
  Attack effect: ISP null-routes target IP under volumetric attack. ALL traffic dropped (legitimate + malicious). Attacker achieves DoS without maintaining the flood.
  Related attacks: UDP Flood, ICMP Flood

Finding: No Rate Limiting
  OPI impact: L7 -15
  Attack effect: Request flood overwhelms application without throttling. Database queries pile up. CPU saturates. No per-IP or per-endpoint limits.
  Related attacks: Search Flood, API Abuse, GraphQL

Finding: F5 LFU/LFD Vulnerable
  OPI impact: Vendor-specific
  Attack effect: Large file uploads exhaust F5 connection tables. Slow read with tiny TCP window holds F5 buffers. Radware DPX handles this via throttling.
  Related attacks: LFD, Slow Read, HTTP Bomb

Finding: Pipe Bottleneck
  OPI impact: Origin -30
  Attack effect: 400G device on 10G pipe. Device capacity is irrelevant - the upstream link dies first. Volumetric attacks need only exceed pipe capacity, not device capacity.
  Related attacks: UDP Flood, SYN Flood

Finding: Single Point of Failure
  OPI impact: Origin -15
  Attack effect: Single hardware device, no redundancy. Device failure = zero protection. No failover path. Targeted appliance crash removes all defenses.
  Related attacks: TLS Exhaustion, Sockstress
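The three architectures above and the "Pipe Bottleneck" and "On-Demand Scrubbing" findings all reduce to one question: at which hop does the attack volume first exceed what that hop can carry? The following added example (not code from this page or its toolset) models that as a walk down the path. A plain link is saturated, and everything behind it goes dark, as soon as the arriving volume exceeds its capacity; a scrubbing hop with spare capacity passes only a residual downstream; an on-demand scrubber is simply absent from the path until BGP diversion completes. The hop capacities, the 1% residual and the amplification inputs are assumed figures chosen for the example, not measurements.

```python
"""Attack path capacity model: where does volumetric traffic actually stop?

Added example, not part of the page's toolset.  Turns the anycast CDN,
hub-spoke scrubbing and direct/self-managed architectures into a small
model.  Capacities, the LEAK residual and the amplification factors used
in __main__ are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    capacity_gbps: float
    scrubs: bool = False   # drops attack traffic it can inspect (scrubber, WAF, appliance)
    active: bool = True    # False = not in the path yet (on-demand scrubbing before BGP diversion)


LEAK = 0.01  # fraction of attack traffic a scrubbing hop fails to classify (assumption)


def amplified_gbps(attacker_gbps, factor):
    """Reflected volume: spoofed request bandwidth times the reflector's amplification factor."""
    return attacker_gbps * factor


def walk_path(attack_gbps, hops):
    """Push attack volume down the path in order.

    Returns (gbps reaching the end of the path, name of the first saturated hop or None).
    A hop is saturated when the volume arriving at it exceeds its capacity; for a plain
    link that means legitimate traffic on it is lost no matter what sits behind it
    (a 400G appliance behind a 10G pipe never gets to see the flood).
    """
    remaining = attack_gbps
    for hop in hops:
        if not hop.active:
            continue
        if remaining > hop.capacity_gbps:
            return remaining, hop.name
        if hop.scrubs:
            remaining *= LEAK
    return remaining, None


def direct_self_managed(attack_gbps):
    """Single ISP pipe, single on-prem appliance, origin behind it."""
    path = [Hop("ISP 10G pipe", 10),
            Hop("on-prem appliance 400G", 400, scrubs=True),
            Hop("origin", 10)]
    return walk_path(attack_gbps, path)


def hub_spoke_scrubbing(attack_gbps, activated):
    """Cloud scrubbing centre ahead of the same pipe.  activated=False models the
    3-10 minute window before the BGP diversion takes effect."""
    path = [Hop("cloud scrubbing centre", 2000, scrubs=True, active=activated),
            Hop("ISP 10G pipe", 10),
            Hop("on-prem appliance 400G", 400, scrubs=True),
            Hop("origin", 10)]
    return walk_path(attack_gbps, path)


def anycast_cdn(attack_gbps, pops=5):
    """Anycast spreads the flood evenly across PoPs; origin sees the sum of the residuals."""
    per_pop = attack_gbps / pops
    residual, saturated = walk_path(per_pop, [Hop("CDN PoP", 1000, scrubs=True)])
    if saturated:
        return residual, saturated
    return walk_path(residual * pops, [Hop("origin pipe", 10)])


if __name__ == "__main__":
    dns = amplified_gbps(2, 50)     # 2 Gbps of spoofed queries at DNS ~50x  -> 100 Gbps
    slp = amplified_gbps(2, 2200)   # the same 2 Gbps at SLP ~2200x          -> 4.4 Tbps
    for label, result in [
        ("direct, 100G DNS amp", direct_self_managed(dns)),
        ("hub-spoke before activation", hub_spoke_scrubbing(dns, activated=False)),
        ("hub-spoke after activation", hub_spoke_scrubbing(dns, activated=True)),
        ("hub-spoke vs 4.4T SLP amp", hub_spoke_scrubbing(slp, activated=True)),
        ("anycast 5 PoPs, 100G", anycast_cdn(dns)),
    ]:
        print(f"{label:30s} reaches origin: {result[0]:8.2f} Gbps  saturated at: {result[1]}")
```

The model deliberately ignores the appliance's 400G rating in the direct case: it never gets a vote, because the 10G pipe in front of it is the first hop to overflow. It also shows why the on-demand gap matters more than scrubbing capacity for a pulsed attacker: with `activated=False` the outcome is identical to having no scrubbing at all.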
Evasion methods (12) - fingerprint, IP, and protocol evasion

E1 JA3 Randomization
  Randomize TLS client fingerprint to bypass JA3-based WAF rules
  Tool: escalator --random-ciphers
  Evades: WAF (JA3 rules)

E2 JA4 Rotation
  Rotate JA4 fingerprints across different browser profiles
  Tool: escalator
  Evades: Fingerprinting

E3 p0f Fingerprint Spoofing
  Mimic OS TCP/IP stack behavior to bypass OS fingerprinting detection
  Tool: p0fping --p0f-file
  Evades: OS detection

E4 User-Agent Rotation
  Rotate User-Agent strings across real browser profiles
  Tool: escalator + UA list
  Evades: UA filtering

E5 Header Randomization
  Randomize HTTP header order and values to avoid header analysis
  Tool: escalator --random-headers
  Evades: Header analysis

E6 Source IP Spoofing
  Fake source IP addresses using raw sockets (requires a provider without BCP38 egress filtering)
  Tool: p0fping --rand-source
  Evades: IP reputation

E7-E9 IP/Proxy Rotation
  Rotate through IP ranges, residential/mobile proxies, or Tor exit nodes
  Tool: escalator --proxy-list
  Evades: Rate limits

E11 CDN PoP Rotation
  Route through different CDN edge regions to multiply per-PoP rate limits. Effective vs CF/Fastly/AWS, NOT vs Akamai (global counting).
  Tool: geo-proxies
  Evades: Per-PoP limits
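E1 works because a JA3 value is the MD5 of the ClientHello's ordered cipher list (plus version, extensions, curves and point formats), so reordering the same suites yields a new hash on every connection and a static allow/deny rule never matches twice. The following is an added example (not code from this page or its toolset) that computes JA3 from parsed ClientHello fields, shows the hash changing under a shuffled cipher list, and then runs the check a WAF can use against that trick: count how many distinct JA3 values one source presents in a short window. The ClientHello field values, source addresses and thresholds are constructed for the example, not captured browser profiles.

```python
"""JA3 computation and a detector for clients that rotate their fingerprint.

Added example, not code from the page's toolset.  The profile values below
are constructed (TLS 1.3 and ECDHE suites in a plausible order), not a real
browser capture.
"""
import hashlib
import random
from collections import defaultdict, deque

# GREASE values 0x0a0a, 0x1a1a, ... 0xfafa (RFC 8701) are excluded from JA3.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: version,ciphers,extensions,curves,formats, each list
    joined with '-' in wire order and GREASE values dropped."""
    def part(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), part(ciphers), part(extensions), part(curves), part(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed client profile.  771 (0x0303) is the ClientHello legacy version
# that JA3 records even for TLS 1.3; a GREASE value leads each list.
BASE_PROFILE = dict(
    version=771,
    ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392],
    extensions=[0x1a1a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27],
    curves=[0x1a1a, 29, 23, 24],
    point_formats=[0],
)


def randomised_profile(rng):
    """What a '--random-ciphers' style client sends: the same suites, shuffled.
    Any change in order changes the JA3 hash."""
    profile = dict(BASE_PROFILE)
    ciphers = list(profile["ciphers"])
    rng.shuffle(ciphers)
    profile["ciphers"] = ciphers
    return profile


class Ja3RotationDetector:
    """Flag a source that presents more than `max_distinct` JA3 values within `window_s`.
    A real client's TLS stack does not change between connections; thresholds are assumptions."""

    def __init__(self, max_distinct=5, window_s=60.0):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(deque)   # src -> (timestamp, ja3) within the window
        self.flagged = {}                 # src -> distinct count at the time it was flagged

    def observe(self, ts, src, ja3):
        q = self._seen[src]
        q.append((ts, ja3))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        distinct = {h for _, h in q}
        if len(distinct) > self.max_distinct:
            self.flagged.setdefault(src, len(distinct))
        return src in self.flagged


def build_sample_events(n=200, seed=7):
    """Constructed traffic: one client with a fixed stack, one rotating its cipher order."""
    rng = random.Random(seed)
    events = []
    for i in range(n):
        ts = i * 0.25
        events.append((ts, "198.51.100.10", ja3_hash(**BASE_PROFILE)))
        events.append((ts, "203.0.113.77", ja3_hash(**randomised_profile(rng))))
    return events


def scan(events, **thresholds):
    """Run the detector over (timestamp, source, ja3) events; returns flagged sources."""
    det = Ja3RotationDetector(**thresholds)
    for ts, src, h in events:
        det.observe(ts, src, h)
    return det.flagged


if __name__ == "__main__":
    print("base JA3:", ja3_hash(**BASE_PROFILE))
    print("shuffled:", ja3_hash(**randomised_profile(random.Random(1))))
    print("flagged:", scan(build_sample_events()))
```

The distinct-count check is keyed on source address, so it is blind to E7-E9 (each proxied connection arrives from a different address with a different fingerprint and never accumulates). Against that combination the useful signal is the reverse one: a fingerprint that no real browser produces, which JA4's sorted-cipher form is better placed to catch than JA3's order-sensitive hash.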