Events associated with this classification taxonomy are related to incidents where the availability of the system or service was affected.

The cause can range widely. Some examples are technical attacks like DoS on network or application level, local incidents like disruption of the power supply, spontaneous failures or human error, without malice or gross neglect being involved.

Some examples for typical DoS attacks are ICMP and TCP SYN floods, Teardrop attacks and mail-bombing. DDoS are often based on DoS but performed by many attackers or a botnet simultaneously, but also other scenarios exist like DNS Amplification attacks.

Some attacks like TCP SYN flooding or UDP based attacks, where the source IP address can easily spoofed, are known to have a very high probablity to be a false positive. Therefore, in many cases SWITCH-CERT decides to not report these events.


  • Scan the system for malicious software. Offline scan from CD or USB if possible.
  • Check the logs for suspicious activity.
  • Update the software running on the system.
  • Check for known vulnerabilities for any service running on the system. Apply the patches and/or configuration changes.

Events with this classification type identify a system that was likely involved in a Distributed Denial of Service (DDoS) attack. This is usually done by either filling up the network link and therefore making it unreachable for legitimate usage. This can also be achieved by sending many requests on application level directly attacking the service or by making many very slow network connections forcing the service to keep the connection open until the maximum open connections are reached.

The system identified by source was most likely instructed to attack the targeted system or service in collaboration with other attacking systems. The system should be regarded as compromised, until further investigation has proven otherwise.


  • see Availability