Attack Classification Reference
Flowtriq classifies attacks using protocol breakdown, TCP flag analysis, port evidence, packet size, IOC matching, and DNS detection. Each incident gets a family and optional subtype.
Attack Families
| Family | Trigger | Description |
|---|---|---|
| udp_flood | UDP > 45% | High-volume UDP floods including amplification and reflection. |
| syn_flood | TCP > 45%, SYN ratio > 50% | TCP SYN floods exhausting connection tables. |
| dns_flood | DNS queries + UDP > 40% | DNS query floods and amplification. Requires actual DNS content. |
| icmp_flood | ICMP > 30% | ICMP echo floods and oversized packets. |
| tcp_flood | TCP dominant, SYN < 50% | ACK, RST, FIN, PSH+ACK, XMAS, and NULL floods. |
| http_flood | L7 request rate | Application-layer HTTP floods via access log analysis. |
| multi_vector | 2+ protocols > 25% | Coordinated multi-protocol attacks. |
| protocol_flood | GRE/ESP/IPIP > 30% | Non-standard protocol floods. |
| fragment_flood | IP fragments > 50% | Fragmentation attacks exhausting reassembly buffers. |
UDP Subtypes
| Subtype | Evidence |
|---|---|
| dns_amplification | Port 53, large packets (>512B) |
| ntp_amplification | Port 123 |
| ssdp_amplification | Port 1900 |
| memcached_amplification | Port 11211 |
| cldap_amplification | Port 389 |
| chargen_amplification | Port 19 |
| snmp_amplification | Port 161 |
| wsd_amplification | Port 3702 |
| mdns_amplification | Port 5353 |
| openvpn_amplification | Port 1194 |
| rdp_amplification | Port 3389 |
| quic_flood | UDP port 443 |
| small_packet_flood | Avg size < 100B |
| amplification_generic | Avg size > 1200B |
| volumetric | Default |
TCP Subtypes
| Subtype | Evidence |
|---|---|
| syn_ack_flood | SYN > 30% and ACK > 30% |
| ack_flood | ACK > 60%, SYN < 10% |
| rst_flood | RST > 40% |
| fin_flood | FIN > 40% |
| psh_ack_flood | PSH > 40%, ACK > 30% |
| xmas_flood | FIN, PSH, URG all > 15% |
| null_flood | All flags near zero |
HTTP Subtypes (L7)
| Subtype | Evidence |
|---|---|
| h2_rapid_reset | HTTP/2, high 499 status, high RPS/IP (CVE-2023-44487) |
| h2_settings_flood | HTTP/2, RPS/IP > 200, few source IPs |
| credential_stuffing | Login path patterns |
| scraping | High unique path count |
| slow_rate | Low RPS from many IPs |
IOC Tool Detection
Payload matching identifies: Mirai, Gafgyt/Bashlite, Mozi, XorDDoS, Meris, Mantis, Fodcha, LOIC/HOIC, MHDDoS, Slowloris, GoldenEye, and more.
FAQ
Why multi_vector instead of udp_flood?
Multi-vector requires 2+ protocols each > 25%. Normal traffic (65% TCP / 30% UDP) does NOT trigger it because only TCP exceeds 25%. If classified as multi-vector, the attack genuinely uses significant volumes of multiple protocols.
Why udp_flood instead of dns_flood?
dns_flood requires actual DNS query content in packets, not just UDP on port 53. A single DNS lookup during a UDP flood will not reclassify the incident.