
Blocked attacks

You can view the history of DDoS attacks blocked by Selectel's protection in the control panel.

Selectel's protection operates at the network and transport layers (L3-L4). If your monitoring systems detect an application-layer (L7) attack or other malicious activity, contact the support service immediately and enable additional protection.

View attack history

  1. In the control panel, go to Network services → Network incidents.

  2. Open the Blocked attacks tab. For each attack, the attacked network, the period of the attack, and the response of the protection system are shown:

    • block — suspicious traffic was completely discarded;
    • redirect — suspicious TCP traffic was filtered out, only legitimate requests were allowed through;
    • detect — suspicious traffic was detected but not discarded. This happens when a new attack detection rule is being tested in the system or when traffic blocking is disabled for the IP address.
  3. To see detailed information about the attack, including the type of attack, its speed, power, total number of packets sent and volume, click the IP address of the network in the attack row.

  4. Optional: if you observe a sustained attack that disables or reduces service availability, additionally protect the attacked server:

Types of attacks

| Attack type | Description | Target of attack |
|---|---|---|
| UDP flood to service DST port 565 limited | Attack by UDP traffic on destination port 565 (Whoami) | Exhaustion of bandwidth and computational resources of the attacked host; denial of service of the attacked application |
| UDP flood to service DST port 1194 limited | Attack by UDP traffic on destination port 1194 (OpenVPN) | Exhaustion of bandwidth and computational resources of the attacked host; denial of service of the attacked application |
| NTP Monlist Response | Attack by reflected and amplified UDP traffic from source port 123 (NTP Monlist response vulnerability) | Bandwidth exhaustion |
| SSDP Reflection | Attack by reflected and amplified UDP traffic from source port 1900 (SSDP and UPnP protocols vulnerability) | Bandwidth exhaustion |
| Empty UDP data | Attack on the client IP address with empty UDP datagrams (Empty UDP Flood) | Increased utilization of the victim network |
| Memcache | Attack by reflected and amplified UDP traffic from source port 11211 (Memcache vulnerability) | Bandwidth exhaustion |
| SSRP Reflection | Attack by reflected and amplified UDP traffic from source port 1434 SSRP (SQL Server Resolution Protocol) | Bandwidth exhaustion |
| WSD Reflection | Attack by reflected and amplified UDP traffic from source port 11211 (Memcache vulnerability) | Bandwidth exhaustion |
| Net Assistant Reflection | Attack by reflected and amplified UDP traffic from source port 3283 (Apple Network Assistant vulnerability) | Bandwidth exhaustion |
| LowShadyPorts/Reflection flood to server limited | Attack by reflected and amplified UDP traffic from source ports: 19 CHARGEN (Character Generator); 111 SUNRPC (Sun Remote Procedure Call); 137 NETBIOS-NS (NetBIOS Name Service); 161 SNMP (Simple Network Management Protocol); 389 LDAP (Lightweight Directory Access Protocol); 520 ROUTER (used by routing protocols such as RIP) | Bandwidth exhaustion |
| Custom UDP amplifications | Attack by reflected and amplified UDP traffic from source ports: 37810 DHCPDiscover for DVR devices; 10074 TP240PhoneHome (Mitel systems); 37020 SADP (Hikvision) | Bandwidth exhaustion |
| Custom UDP amplifications3 | Attack by reflected and amplified UDP traffic from SADP source port 37021 (Hikvision) | Bandwidth exhaustion |
| Query Response/DNS query response reflection flood to server limited | Attack by DNS response traffic from public DNS servers with source port 53 (UDP DNS) and flags set from the DNSSEC extension: DNS Signature; DNS Signature Recursive | Bandwidth exhaustion |
| Source Port 53/UDP source port 53 reflection flood to server limited | Attack by reflected and amplified UDP traffic from source port 53 (UDP DNS) | Bandwidth exhaustion |
| Source Port 4500/UDP source port 4500 reflection flood to server limited | Attack by reflected and amplified UDP traffic from source port 4500 | Bandwidth exhaustion |
| Any Source Port/UDP source port reflection flood to server limited | Attack with high-volume UDP traffic from a specific source port to any destination port on the client IP | Bandwidth exhaustion |
| RST/TCP RST reflection flood to server limited | Attack by TCP traffic with the TCP RST flag set from a specific source port to any destination port on the client IP | Exhaustion of computational resources of the attacked host; disruption of TCP connection support on the attacked host (or group of hosts) |
| SYN/ACK/TCP SYN/ACK reflection flood to server limited | Attack by TCP traffic with the TCP RST flag set from a specific source port to any destination port on the client IP | Exhaustion of network and computing resources of the attacked host |
| PSH/ACK/TCP PSH/ACK reflection flood to server limited | Attack by TCP traffic with TCP RST or TCP PSH flags set from a specific source port to any destination port on the client IP | Exhaustion of computational resources of the attacked host |
| Failed Reflectors/ICMP Server flood to server limited | Attack on a client host with a large volume of ICMP response traffic from public servers, triggered by an attacker's requests to those servers for UDP port availability with the source address spoofed to the client's address | Exhaustion of bandwidth and computational resources of the attacked host |
| UDP flood to service DST port 53 limited | Attack by UDP traffic on destination port 53 (DNS) | Exhaustion of bandwidth and computational resources of the attacked host; denial of service of the attacked application |
| Any Destination Port/UDP service flood to a server port limited | Attack with high-volume UDP traffic to any arbitrary victim port | Bandwidth exhaustion; denial of service of the attacked application |
| Any Type/ICMP/ICMPv6 service flood to server limited | Attack with arbitrary ICMP traffic (including ICMPv6) of large volume on a specific client destination port | Exhaustion of bandwidth and computational resources of the attacked host |
| SYN/TCP SYN to a server port limited | Attack by TCP traffic with the TCP SYN flag set on a specific destination port of the client IP | Exhaustion of network and computational resources of the attacked host; disruption of TCP connection establishment on the attacked host |
| RST/TCP RST to a server port limited | Attack by TCP traffic with the TCP RST flag set on a specific destination port of the client IP | Exhaustion of computational resources of the attacked host; disruption of TCP connection support on the attacked host or host group |
| PSH/ACK/TCP PSH/ACK service flood to a server port limited | Attack by TCP traffic with TCP RST/PSH flags set on a specific destination port of the client IP | Exhaustion of computational resources of the attacked host |
| Any TCP/TCP to a server port limited | Attack with arbitrary TCP traffic of large volume on a specific client port | Exhaustion of the attacked host's computational resources and bandwidth |
| Fragment Under Attack/UDP server under attack fragment to server limited | Attack by fragmented UDP datagrams. Usually accompanies other types of UDP attacks | Bandwidth exhaustion |
| Any Port/UDP server flood to server limited | Attack with arbitrary UDP traffic of large volume cumulatively on any client port | Exhaustion of the attacked host's computational resources and bandwidth |
| Any Type/ICMP server flood to server limited | Attack with large amounts of arbitrary ICMP traffic, including ICMPv6, on any client destination port | Exhaustion of bandwidth and computational resources of the attacked host |
| SYN/TCP SYN to server address limited | Attack by TCP traffic with the TCP SYN flag set on any destination port of the client IP | Exhaustion of network and computational resources of the attacked host; disruption of TCP connection establishment on the attacked host |
| RST/TCP RST to server address limited | Attack by TCP traffic with the TCP RST flag set on any destination port of the client IP | Exhaustion of computational resources of the attacked host; disruption of TCP connection support on the attacked host or host group |
| Any TCP/TCP to server address limited | Attack with arbitrary TCP traffic of large volume in aggregate on any destination port of the client | Exhaustion of network, computational resources of the attacked host and bandwidth |
| IP protocol Any IP protocol server flood to server limited | Attack with arbitrary IP traffic of large volume cumulatively by all transport protocols and all ports | Exhaustion of network, computational resources of the attacked host and bandwidth |
| Flex Fragment/Flex matched IP fragment to destination IP under attack | A rule that defines the blocking of IP packet fragments for hosts that are already under attack. Accompanies other types of attacks | - |
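
To correlate your own flow telemetry with the attack names shown on the Blocked attacks tab, the following added example (not Selectel's code) aggregates inbound UDP flows by the source-port signatures listed in the table above and reports destinations that look like reflection targets. The flow record layout, both thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# UDP source-port signatures taken from the "Types of attacks" table on this page.
# WSD Reflection is omitted: the table lists it with the same port as Memcache.
SIGNATURES = {123: "NTP Monlist Response", 1900: "SSDP Reflection",
              11211: "Memcache", 1434: "SSRP Reflection",
              3283: "Net Assistant Reflection", 53: "Source Port 53",
              4500: "Source Port 4500", 37021: "Custom UDP amplifications3"}
SIGNATURES.update(dict.fromkeys((19, 111, 137, 161, 389, 520), "LowShadyPorts"))
SIGNATURES.update(dict.fromkeys((37810, 10074, 37020), "Custom UDP amplifications"))

def suspected_reflection(flows, window_s, min_bps=50_000_000, min_sources=3):
    """Return {(dst, attack_name): (bps, n_sources)} for inbound UDP traffic that
    matches a signature and exceeds both thresholds (assumed values, tune locally)."""
    volume = defaultdict(int)    # bytes per (dst, attack name)
    sources = defaultdict(set)   # distinct reflector IPs per (dst, attack name)
    for src, sport, dst, proto, nbytes in flows:
        name = SIGNATURES.get(sport) if proto == "udp" else None
        if name is None:
            continue
        volume[(dst, name)] += nbytes
        sources[(dst, name)].add(src)
    hits = {}
    for key, nbytes in volume.items():
        bps = nbytes * 8 // window_s
        # Many distinct senders plus high volume separates a reflection flood
        # from ordinary replies (for example, a resolver answering from port 53).
        if bps >= min_bps and len(sources[key]) >= min_sources:
            hits[key] = (bps, len(sources[key]))
    return hits

# Constructed sample: one 60-second window of flow records
# (src IP, src port, dst IP, protocol, bytes), documentation address ranges only.
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", "udp", 150_000_000),
    ("198.51.100.11", 123, "203.0.113.5", "udp", 150_000_000),
    ("198.51.100.12", 123, "203.0.113.5", "udp", 150_000_000),
    ("198.51.100.53", 53, "203.0.113.5", "udp", 40_000),         # normal resolver reply
    ("198.51.100.20", 443, "203.0.113.5", "tcp", 9_000_000),     # not UDP, ignored
    ("198.51.100.30", 1900, "203.0.113.6", "udp", 500_000_000),  # single source only
]

if __name__ == "__main__":
    for (dst, name), (bps, n) in suspected_reflection(SAMPLE_FLOWS, 60).items():
        print(f"{dst}: {name}, {bps / 1e6:.0f} Mbit/s from {n} sources")
```

A hit that has no matching entry on the Blocked attacks tab, or an entry with the detect response, is the case where the page advises contacting support and adding protection.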