Types of DDoS attacks
A complete reference to DDoS attack types you can run in controlled DDoS testing and simulation with Engarde. Covers volumetric, protocol (Layer 4), and application-layer vectors — each article explains traffic behavior, what to monitor in Attack/Target Monitor, and includes an illustrative packet flow.
L7 HTTP / HTTPS 12 articles
- HTTP GET flood [GET]: High-volume GET requests against URLs or APIs. Targets read-heavy paths, cache layers, and connection limits on web servers, CDNs, and WAFs.
- HTTP POST flood [POST]: Write-heavy POST traffic to forms or APIs. Stresses validation, database writes, and authentication paths more than read-only GET floods.
- Random GET (cache bypass) [RANDOMGET]: GET requests with randomized paths or query strings. Designed to reduce CDN/cache effectiveness and force origin fetches.
- HTTP PUT flood [PUT]: Update-oriented REST traffic replacing or overwriting resources. Tests idempotency handling and storage write paths.
- HTTP PATCH flood [PATCH]: Partial update traffic for APIs that accept incremental changes. Can stress merge logic and partial validation rules.
- HTTP DELETE flood [DELETE]: Delete-method traffic targeting removal endpoints. Exercises authorization checks and soft-delete/archive backends.
- HTTPS / TLS application flood [HTTP/S]: HTTP traffic over TLS adds handshake CPU cost before any request is processed. High parallel HTTPS GET/POST floods stress SSL termination, WAF, and origin workers together.
- Plain GET vs HTTP/S (TLS) floods [GET vs HTTP/S]: Engarde exposes plain GET Flood and separate HTTP/S presets per method (GET, POST, PUT, PATCH, DELETE). Comparing them isolates TLS overhead from application-layer limits.
- HTTP/S POST flood [HTTP/S POST]: TLS-wrapped POST requests stress write paths, WAF body inspection, and backend validation — on top of SSL termination cost.
- HTTP/S PUT flood [HTTP/S PUT]: Idempotent full-resource updates over TLS. Tests object storage, REST gateways, and lock contention under encrypted write load.
- HTTP/S PATCH flood [HTTP/S PATCH]: Partial updates inside TLS sessions. Exercises merge handlers and row-level locks on APIs that accept PATCH.
- HTTP/S DELETE flood [HTTP/S DELETE]: Destructive method traffic over TLS. Validates authorization, audit pipelines, and rate limits on delete routes under encrypted load.
L4 TCP 19 articles
- TCP SYN flood [SYN]: Large volumes of TCP SYN packets to exhaust connection tables on firewalls, load balancers, and servers before the handshake completes.
- TCP ACK flood [ACK]: High-rate ACK packets force stateful firewalls and load balancers to track sessions that may never have completed a legitimate handshake.
- TCP FIN flood [FIN]: FIN-flag floods attempt to exhaust connection teardown handling and confuse state machines on edge devices.
- TCP RST flood [RST]: RST packets forcibly reset connections. A flood can disrupt established sessions and test how quickly infrastructure recovers.
- TCP PSH flood [PSH]: PSH (push) flagged packets force immediate delivery to the application layer, increasing per-packet processing overhead.
- TCP PSH-ACK flood [PSH-ACK]: Combined PSH+ACK flags mimic in-window data segments at high rate, testing stateful parser and IPS rule paths.
- Malformed & exotic TCP flag floods [Flag anomaly]: Invalid or rare TCP flag combinations (Xmas, ALL flags, URG-ACK-RST-SYN-FIN, etc.) probe how filters handle non-RFC-compliant packets.
- TCP carpet bombing [Carpet bombing]: Spreads attack traffic across many IPs in a subnet instead of one victim IP. Tests whether defenses cover the full advertised prefix.
- Multi-source TCP flood (TCPM) [TCPM]: Distributed TCP flood from many Engarde nodes simulates botnet-like source diversity against a single target port.
- Invalid SYN flood [Invalid SYN]: SYN packets with deliberately malformed TCP headers (invalid_flag preset). Tests whether edge devices drop anomalies or spend CPU on deep inspection.
- Invalid flag floods (ACK, FIN, RST, PSH, PSH-ACK) [Invalid flags]: Malformed variants of common TCP flags — same flag letter as valid floods but invalid_flag set. Useful for regression-testing IPS signatures after firmware updates.
- TCP Xmas flood [Xmas]: Classic Xmas scan style: FIN, PSH, and URG flags set together (FPU). Probes how filters classify “lit up” Christmas tree packets at high PPS.
- ALL TCP Flags flood [ALL TCP Flags]: FPU flag combination without invalid_flag — Engarde “ALL TCP Flags Flood” preset. Stresses parsers that must evaluate every flag bit on each segment.
- Exotic TCP flag preset library [Exotic combos]: Engarde includes 30+ predefined multi-flag TCP floods (URG combinations, ACK-SYN, PSH-RST-FIN, etc.) — all invalid_flag presets from the attack library.
- TCP ACK-SYN flood [ACK-SYN]: ACK and SYN flags together (AS preset, invalid_flag). Probes state machines that expect SYN-only during handshake initiation.
- TCP URG flood [URG]: Urgent pointer flag floods and URG-heavy combo presets. Legacy stacks and deep inspection engines may handle URG differently than modern Linux.
- TCP ACK-PSH-RST-SYN-FIN flood [APRSF]: Five-flag combo preset (APRSF) — maximum “everything set” handshake chaos for parser and IPS regression testing.
- TCP URG-ACK-PSH-RST-SYN-FIN flood [UAPRSF]: Six-flag UAPRSF preset — the largest standard combo in the Engarde library. Ultimate parser stress test for lab firewalls.
- TCP RST-SYN flood [RST-SYN]: RST and SYN together (RS preset) — contradictory signals that confuse session tracking and teardown logic.
L4 UDP 2 articles
L4 Mixed vectors 2 articles
- Mixed TCP + UDP multi-source flood [TCP-UDPM]: Combines TCP and UDP floods from distributed nodes — closer to real multi-vector attacks.
- Combined multi-vector test (combined_id) [Combined test]: Engarde can run multiple attack types in one coordinated test window — reports roll up under combined_id for multi-vector resilience validation.
L3 ICMP 1 article
DNS 4 articles
- DNS query flood [DNS Query]: High-volume DNS queries against resolvers or authoritative servers. Stresses query parsing, cache, and recursive resolution paths.
- DNS NXDOMAIN-heavy query flood [NXDOMAIN]: Queries for non-existent names bypass resolver cache and force full lookup work — distinct from caching A-record floods.
- DNS AAAA (IPv6) query flood [AAAA query]: High QPS of AAAA lookups stresses dual-stack resolvers, larger responses, and IPv6-ready authoritative paths.
- DNS random subdomain (A) flood [Random subdomain]: Random labels under a fixed zone force cache misses while still receiving valid A answers — distinct from NXDOMAIN pattern.