Why it matters
DDoS bugs are how a noisy outage becomes a strategic weapon.
Attackers use them to mask other activity, to coerce ransom
payment ("pay or stay offline"), to disrupt customer-facing
services during peak periods, and to soften the perimeter
before an intrusion. The amplification family
(CWE-405) is also how protocol-level bugs get
turned into reflection attacks against third parties: a small
request with a spoofed source address elicits a much larger
response, which is delivered to whoever the attacker named as
the source rather than to the attacker.
Edge devices — firewalls, VPN concentrators, load
balancers — tend to concentrate the worst availability
risk because losing them takes the whole service offline.
How we identify DDoS on this site
The DDoS badge on a CVE page is deterministic. We emit it when both of the following are true:
- CVSS attack vector is Network (AV:N), meaning the attack reaches the target over a network, and at least one impact metric (Confidentiality, Integrity, or Availability) is High; and
- The CVE is mapped to a CWE in the denial-of-service family: CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-405 (Asymmetric Resource Consumption / amplification), CWE-834 (Excessive Iteration), CWE-674 (Uncontrolled Recursion), CWE-835 (Loop with Unreachable Exit Condition), or CWE-407 (Inefficient Algorithmic Complexity).
Requiring both signals to agree keeps the badge meaningful.
A network-reachable bug that crashes a process without a
resource-consumption CWE doesn’t qualify, and a
resource-exhaustion bug exploitable only from a local prompt
(AV:L) doesn’t qualify either. The same CVE
can carry an RCE chip alongside DDoS when both classes of
CWE apply — Log4Shell-style vulnerabilities are the
canonical example.
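The badge rule above, written out as a small classifier. This is an added example, not the site's own badge code: the CVSS parser, the function names, and the five CVE records at the bottom are constructed for illustration (the vectors and CWE pairings are not taken from real CVEs). It fails closed on a malformed vector, so a bad record produces no badge rather than a spurious one, and it covers the three non-qualifying cases the text describes (local-only, crash without a DoS CWE, and a DoS CWE without a High impact metric) as well as the RCE-plus-DoS case.

```python
"""Deterministic DDoS badge check, modelled on the rule described above.

Added example; not code from this site. CWE names are from MITRE's CWE list.
"""
import re

# The denial-of-service CWE family the page lists.
DOS_CWES = {
    "CWE-400",  # Uncontrolled Resource Consumption
    "CWE-770",  # Allocation of Resources Without Limits or Throttling
    "CWE-405",  # Asymmetric Resource Consumption (Amplification)
    "CWE-834",  # Excessive Iteration
    "CWE-674",  # Uncontrolled Recursion
    "CWE-835",  # Loop with Unreachable Exit Condition ('Infinite Loop')
    "CWE-407",  # Inefficient Algorithmic Complexity
}

# Accepts CVSS v3.0 and v3.1 base vectors such as
# "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H".
_VECTOR_RE = re.compile(
    r"^CVSS:3\.[01]/(?P<metrics>[A-Za-z]+:[A-Za-z]+(?:/[A-Za-z]+:[A-Za-z]+)*)$"
)


def parse_cvss3(vector: str) -> dict:
    """Parse a CVSS v3.x vector string into a {metric: value} dict.

    Raises ValueError on anything that is not a well-formed base vector with
    the AV, C, I and A metrics present, so a malformed record fails closed.
    """
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in m.group("metrics").split("/"):
        key, value = part.split(":")
        metrics[key] = value
    for required in ("AV", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"vector missing {required}: {vector!r}")
    return metrics


def ddos_badge(cvss_vector: str, cwes) -> bool:
    """True only when both signals the page requires agree."""
    try:
        m = parse_cvss3(cvss_vector)
    except ValueError:
        return False  # unparseable vector: no badge rather than a guess
    network_reachable = m["AV"] == "N"
    high_impact = any(m[k] == "H" for k in ("C", "I", "A"))
    dos_cwe = any(c.strip().upper() in DOS_CWES for c in cwes)
    return network_reachable and high_impact and dos_cwe


# Constructed records (not real CVE data): label, vector, CWE list.
SAMPLE_RECORDS = [
    ("net-reachable resource exhaustion",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", ["CWE-400"]),
    ("same bug, local only",
     "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", ["CWE-400"]),
    ("net crash, memory-safety CWE only",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", ["CWE-787"]),
    ("amplification, no High impact metric",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", ["CWE-405"]),
    ("RCE plus resource exhaustion",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", ["CWE-917", "CWE-400"]),
]


def classify_samples() -> dict:
    """Run the badge rule over the constructed records: label -> badge?"""
    return {label: ddos_badge(vec, cwes) for label, vec, cwes in SAMPLE_RECORDS}


if __name__ == "__main__":
    for label, badge in classify_samples().items():
        print(f"{'[DDoS]' if badge else '[    ]'} {label}")
```

The last record mirrors the RCE-plus-DDoS case in the text: an injection CWE alongside CWE-400 on a network-reachable, High-impact CVE. The badge logic does not care which other CWEs are present, only that one of the DoS-family CWEs is.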
What to do when you see the badge
For internet-exposed services, the first instinct should be rate-limiting and protocol-layer mitigation upstream of the vulnerable code path. Patching closes the underlying flaw; WAF / scrubbing rules, connection budgets, and request quotas buy time until patches roll, and are worth keeping afterwards because they also blunt the next bug in the same code path. For CWE-405 amplification bugs, the same controls also stop your service being used as a reflector against third parties. The Mitigating Controls section on the CVE page links to the NIST 800-53 r5 controls most relevant to availability defence.
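A per-source request quota of the kind the paragraph above has in mind, as an added example that is not code from this site or from any particular WAF or proxy. It is a classic token bucket: each source gets a burst allowance and a steady refill rate, and requests beyond that are refused without touching the vulnerable code path. Integer milli-tokens and an injected millisecond clock are design choices here so the behaviour is exact and reproducible; the two client sources and their request timelines are constructed.

```python
"""Per-source token-bucket request quota, the kind of stop-gap that buys time
while a DoS patch rolls out. Added example; not code from this site.
"""


class TokenBucket:
    """Token bucket keyed by source, using integer milli-tokens and a ms clock.

    now_ms is injected (a callable returning milliseconds) so the bucket can be
    driven deterministically; in production use something like
    lambda: int(time.monotonic() * 1000).
    """
    COST = 1000  # milli-tokens charged per request

    def __init__(self, rate_per_s: int, burst: int, now_ms):
        self.rate = rate_per_s        # tokens refilled per second per source
        self.cap = burst * self.COST  # maximum stored milli-tokens (the burst)
        self.now_ms = now_ms
        self.tokens = {}
        self.last = {}

    def allow(self, source: str) -> bool:
        """Charge one request to `source`; True if it fits the quota."""
        t = self.now_ms()
        if source not in self.tokens:
            self.tokens[source], self.last[source] = self.cap, t
        # Refill for the elapsed time, capped at the burst allowance.
        refill = (t - self.last[source]) * self.rate
        self.tokens[source] = min(self.cap, self.tokens[source] + refill)
        self.last[source] = t
        if self.tokens[source] >= self.COST:
            self.tokens[source] -= self.COST
            return True
        return False


def simulate():
    """Constructed traffic: one flooding source (100 requests, 10 ms apart)
    and one legitimate source (5 requests, 200 ms apart) in the same second,
    against a quota of 10 requests/s with a burst of 20.
    Returns (allowed, denied) counts per source."""
    events = [(i * 10, "flood") for i in range(100)]
    events += [(i * 200, "legit") for i in range(5)]
    events.sort()  # replay in time order

    clock = {"t": 0}
    bucket = TokenBucket(rate_per_s=10, burst=20, now_ms=lambda: clock["t"])
    allowed = {"flood": 0, "legit": 0}
    denied = {"flood": 0, "legit": 0}
    for t, src in events:
        clock["t"] = t
        if bucket.allow(src):
            allowed[src] += 1
        else:
            denied[src] += 1
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = simulate()
    for src in ("flood", "legit"):
        print(f"{src:5s} allowed={allowed[src]:3d} denied={denied[src]:3d}")
```

The flooding source gets its 20-request burst plus roughly the 10 per second refill and nothing more, while the legitimate source is never refused; that per-source separation is the property that makes a quota a useful stop-gap rather than a self-inflicted outage. A global limit on the whole service would throttle both.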
See also: Remote Code Execution (RCE) · Local Privilege Escalation (LPE).