What Are Amplification DDoS Attacks?

Exploring Amplification DDoS Attacks

An amplification DDoS attack is a type of volume-based Distributed Denial-of-Service attack where attackers exploit the functionality of third-party servers to send a larger volume of traffic to a target system than they could generate on their own.

This is done by sending spoofed requests to a massive number of servers. These servers then reply with significantly larger responses directed at the target. This overwhelms the target's resources and causes a denial of service for legitimate users. Such attacks are also called reflection DDoS attacks, as the attack traffic is reflected off legitimate servers towards the target.

The overall goal of DDoS amplification attacks is to overwhelm the target system's communication channel with a massive volume of meaningless traffic, making it unavailable for legitimate users.

How Amplification/Reflection DDoS Attacks Work

While there are some exceptions, typical DDoS amplification attacks follow the same proven pattern:

  1. Choose a poorly designed application layer protocol that uses the UDP protocol as a transport. Unlike TCP, UDP doesn't require establishing a connection, which makes it perfect for amplification attacks.
  2. Find a vulnerability in this application layer protocol that allows an attacker to send small requests to receive large responses.
  3. Discover a significant number of open vulnerable servers that work with this application layer protocol and will respond to spoofed requests.
  4. Send a large number of spoofed requests to these servers, placing the victim’s IP address in the source field.
  5. As a result, these legitimate servers will send N bytes of response to the victim for every byte of the request sent by the attacker.

The number N here is called the amplification factor or amplification ratio. It varies greatly depending on the specific application layer protocol that is abused by the attack, as well as many other circumstances. On average, it’s somewhere in the ballpark of tens to hundreds of times.

However, in some cases, the amplification factor can be significantly higher. For example, for Memcached amplification DDoS attacks, it ranges from 10,000 to 51,000. And the current record belongs to the TP240PhoneHome attack with an amplification factor of 4,294,967,296:1 (yes, that's billions, with a B).
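As an added example (not part of the original article), the pattern above, a victim receiving large replies from many reflector servers it never queried, can be checked against flow records from the defender's side. The flow-record format, the addresses and the packet counts are constructed; the ports are the standard UDP ports of the four protocols discussed on this page, and the thresholds are assumptions to tune per network.

```python
"""Flag reflected/amplified UDP floods in flow records (added example, constructed data)."""
from collections import defaultdict

# UDP service ports of the reflector types this page discusses.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 3478: "STUN"}

# Constructed flow records in a hypothetical format: 'src_ip:port dst_ip:port proto packets bytes'.
# Four NTP servers answer 203.0.113.10 with ~480-byte packets it never asked for; the DNS reply
# to 203.0.113.10 matches its own outbound query, so it is legitimate traffic.
SAMPLE_FLOWS = """\
198.51.100.5:123 203.0.113.10:43210 UDP 1200 576000
198.51.100.6:123 203.0.113.10:43210 UDP 1100 528000
198.51.100.7:123 203.0.113.10:43210 UDP 1300 624000
198.51.100.8:123 203.0.113.10:43210 UDP 900 432000
203.0.113.10:51000 192.0.2.53:53 UDP 40 2800
192.0.2.53:53 203.0.113.10:51000 UDP 40 3600
198.51.100.9:3478 203.0.113.12:50000 UDP 10 1120
"""

def parse_flows(text):
    """Parse the hypothetical line format into (src_ip, src_port, dst_ip, dst_port, pkts, bytes)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, pkts, size = line.split()
        if proto != "UDP":
            continue  # amplification rides on UDP; other transports are ignored here
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((sip, int(sport), dip, int(dport), int(pkts), int(size)))
    return flows

def find_reflection(flows, min_reflectors=3, min_bytes_per_pkt=400):
    """Return {(victim, service): stats} for hosts getting large unsolicited replies from many reflectors."""
    # Requests each host really sent, keyed (client, server, server_port).
    requested = {(sip, dip, dport) for sip, _, dip, dport, _, _ in flows}
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for sip, sport, dip, _, pkts, size in flows:
        if sport not in REFLECTOR_PORTS or (dip, sip, sport) in requested:
            continue  # not a reflector port, or a solicited reply to a real query
        a = agg[(dip, REFLECTOR_PORTS[sport])]
        a["reflectors"].add(sip)
        a["packets"] += pkts
        a["bytes"] += size
    alerts = {}
    for key, a in agg.items():
        avg = a["bytes"] / a["packets"]
        if len(a["reflectors"]) >= min_reflectors and avg >= min_bytes_per_pkt:
            alerts[key] = {"reflectors": len(a["reflectors"]), "bytes": a["bytes"],
                           "avg_bytes_per_pkt": round(avg)}
    return alerts
```

On real flow data the same logic runs over a time window; dividing the average reply size by the size of the small spoofed request gives the observed amplification factor N from step 5.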

DDoS amplification attacks are classified as network layer (L3) DDoS attacks, despite the fact that they usually exploit protocols at the application layer (L7) while abusing a feature of UDP, the transport layer protocol (L4). The reason is that the targets of these attacks are core network equipment, such as routers and switches, that operate on the network layer. And the ultimate goal of amplification attacks is overwhelming the communication channel.

Common Types of Amplification DDoS Attacks

As amplification attacks rely on poorly designed application layer protocols, of which there are plenty, a wide variety of these attacks exist. The popularity of specific types among attackers at any given time depends on the availability of open servers that are ready to respond to spoofed requests.

With that said, there are all-time classic methods frequently used by attackers. Let's take a quick look at some of them.

DNS Amplification Attacks

One of the most common types is the DNS amplification DDoS attack, which abuses poorly configured open Domain Name System (DNS) resolvers. Attackers exploit them by sending DNS queries with the spoofed IP address of the target to these servers. The servers then send much larger DNS responses to the victim, overwhelming their network with a flood of data.

The amplification factor for this type of attack can be up to 100:1, which is substantial enough for many attackers.

Additionally, the widespread availability of open DNS resolvers on the internet makes it easy for attackers to find and use these servers for their attacks. By exploiting this, attackers can generate a large volume of traffic with minimal effort. This method has been used in numerous high-profile DDoS attacks, demonstrating its persistent popularity among cybercriminals.

NTP Amplification Attacks

Another common type is the NTP amplification DDoS attack, which exploits a vulnerability in the Network Time Protocol (NTP) — a UDP-based protocol used to synchronize computer clocks over the Internet. Specifically, attackers abuse the MONLIST command, which returns a list of the last 600 IP addresses that connected to the NTP server.

Attackers send spoofed MONLIST requests to a large number of vulnerable NTP servers with the victim's IP address in the source field. The servers then reply to the victim with much larger responses. For NTP attacks that exploit the MONLIST vulnerability, the amplification ratio averages about 500:1. This makes such attacks a very effective weapon for overwhelming the target, as long as there are enough vulnerable NTP servers.

SNMP Amplification Attacks

SNMP amplification DDoS attacks exploit the Simple Network Management Protocol (SNMP), which is used for network monitoring and management of network-connected equipment, such as routers, switches, printers, firewalls, and more.

Attackers send small SNMP requests with the victim’s spoofed IP address to a large number of misconfigured SNMP-enabled devices. These devices respond with much larger SNMP responses to the victim, creating a flood of traffic. The amplification ratio for SNMP attacks can theoretically reach 650:1.

STUN Amplification Attacks

STUN amplification is a relatively recent technique that exploits the Session Traversal Utilities for NAT (STUN) protocol. This protocol is utilized by other protocols, such as Interactive Connectivity Establishment (ICE), the Session Initiation Protocol (SIP), and WebRTC. These protocols, in turn, are widely used by VoIP and videoconferencing services such as Microsoft Teams, FaceTime, Zoom, Skype, and more.

Despite the relatively low amplification factor of 2.32:1, the use of STUN in reflection/amplification DDoS attacks has become more common in recent years. The reason is that mitigating such attacks can be challenging, as there is a risk of excessive overblocking. This can lead to the unavailability of VoIP and videoconferencing services that businesses increasingly rely on.

Impact on Business

Amplification DDoS attacks can significantly impact business operations. A successful attack can cause extended downtime and disrupt communications, leading to substantial financial losses and interfering with regular business activities.

Additionally, frequent disruptions can erode customer trust and damage the company's reputation. Implementing robust DDoS protection is essential to ensure service availability, maintain customer confidence, and safeguard revenue streams, ultimately preserving the integrity and continuity of business operations.

How to Protect from Amplification/Reflection DDoS Attacks

One of the most effective strategies to protect your network from amplification DDoS attacks is to use a cloud anti-DDoS protection service, such as Qrator Anti.DDoS, that operates 15 traffic scrubbing centers strategically placed around the world. The main benefits include:

  • Redundancy: The traffic scrubbing centers are independently connected to Tier 1 and leading regional internet providers.
  • Capacity: The global filtering network is capable of effectively handling large-scale attacks.
  • Reliability: If any scrubbing center goes down, traffic is seamlessly redirected to other centers, thanks to a unified control plane.
  • Cost-Effectiveness: Cloud-based protection with a pay-as-you-go model eliminates the need for expensive on-premise hardware and additional staff.
  • Expertise: Advanced technologies and expert teams provide real-time monitoring and mitigation of even the most complex threats.