Researchers at the Universities of Maryland and Colorado Boulder were credited with the TCP development, while the second was credited to security firm NexusGuard and named Black Storm.
The TCP attack targets devices between a client and a server: firewalls, load balancers, network address translators, and deep packet inspection tools, many of which could interfere with a TCP connection.
The Kaspersky report covered DDoS attacks in the third quarter of 2021 and said a new botnet named Mēris had been found during the period.
Mēris used HTTP pipelining, allowing multiple requests to be sent to a server within a single connection without waiting for a response.
"Attacks by this botnet are notable for the huge number of requests per second. For instance, a DDoS attack on a Cloudflare customer (attributed to Mēris) clocked in at 17.2 million requests per second, despite lasting less than a minute, while Yandex reported 21.8 million requests per second," the trio wrote.
The Kaspersky report said during the quarter a number of big DDoS attacks had hit New Zealand, with some being via the Mēris botnet.
An unnamed customer of Vocus, the banks ANZ and Kiwibank, the mail service NZ Post and the weather service MetService were named as being among those affected.
VoIP providers in Britain, Canada and the US were among those hit by DDoS attackers, with the oldest cryptocurrency site, bitcoin.org also being attacked.