​Amplification is here to stay: Size Matters!

There is a new trend in Distributed Denial of Service (“DDoS”) attacks that has a resonating character to it: Amplification! Doesn’t it make sense that a large DDoS volume is easier to achieve with Amplification? When is a DDoS attack a Reflection and when is it Amplification, and why should I care?

First of all size matters! While a small DDoS attack can be mitigated with a simple on premise DDoS mitigation solution, attacks over 10 gbps (10 gigabits per second) may easily fill up the “pipe” into your datacenter thereby making the onsite solution superfluous as the traffic never gets there and successfully brings all services in that datacenter down.

Next line of thought: so how do malicious actors achieve DDoS attacks the size of 10 gbps and higher, and what are the key ingredients for such a truly large attack? Will it become easier for us to mitigate these attacks in the future? What can we do to slow down the growth of attack sizes, what are the holes in our infrastructure that allow such volumetric attacks? Here the key ingredients are Amplification and Reflection.

What is Amplification?

Let us have a closer look at how Reflection and Amplification actually work. The oldest known protocol based reflection is the ICMP based SMURF attack (no, not the little blue skinned creatures!):

The Attacker “spoofs” the IP address of the victim (spoofing meaning pretending to have the victim’s IP address), sending packets to the Router shown above (“The Unwitting Collaborator” or UC). Given the nature of ICMP and the unpatched and open systems of the 90s, the Router then forwards the request to all end devices in the local network. Each device responds by sending a response to the victim. The UC is acting as a reflector because the attacker’s request reflects off the UC and onto the victim. Amplification is achieved because four different machines respond. Reflection is the basis for Amplification. Note that the power is in the Amplification because a small request may result in a much larger amount of traffic being sent to the victim.

So now we understand that reflection leverages spoofing. This is something particularly easy to do with any UDP (“User Datagram Protocol”) based protocol such as DNS, SNMP and SSDP. Why is it easy with UDP (vs TCP)? UDP is connectionless, packets are sent without setting up a connection with the other side. Therefore, there is no verification of the origin of the packets. TCP (Transport Control Protocol) on the other hand, is connection oriented and requires a three-way handshake. It is very challenging to successfully spoof with TCP.

In 2014 there has been a marked increase in large-scale DDoS attacks leveraging Amplification and Reflection. So what changed in 2014? A paper was published by a German Security Researcher named Rossow in early 2014 doing a theoretical analysis of how Reflection and Amplification could lead to large-scale DDoS attacks. Nearly simultaneously large-scale attacks became prevalent leveraging exactly those protocols and associated methods found by Rossow with high “Bandwidth Amplification Factor” (BAF). n particular, the virtually hereto unheard of protocol NTP which Rossow’s work showed to have the highest amplification potential was a very popular DDoS attack vector in 2014. Coincidence? Unlikely.

Here is an overview of some of the key protocols (all UDP based) that Rossow analyzed:


DNS EDNS0 Returns all known DNS record types
NTP Monlist Returns list of all recent clients including client data like IP address, NTP version, etc.
NetBIOS Name Service Broadcast query that returns list of all machines in that local network with IP address and name
SSDP Discovery Returns list of available services
Read more: DDoS is Cloud's security Achilles heel

Note also the commonality between the above mentioned methods. They basically all return a list! So there is nothing magical about amplification per se, just use a method that returns a list, preferably a potentially very large list!

Of course there are further reflection and amplification exploits independent of protocol, e.g. RPC amplification and amplification using prevalent software systems like WordPress and Sentinel.

So what are we to do? First of all our Internet Infrastructure needs to be patched for each and every protocol and method found to have Amplification vulnerabilities. This is just catch up work though. In addition, work is needed to find further system functions like RPC and popular software like WordPress that have amplification potential and then the community working with this software have to ensure all open vulnerable interfaces are patched. So this is not simply equipping the potential victim with mitigation capabilities, but ruling out further unwitting collaborators!

For the potential victims, a sound DDoS mitigation strategy is needed. If a DDoS attack that is 10 gbps or higher has to be mitigated, only a cloud-based strategy is viable. Any onsite or ISP based solutions cannot mitigate an attack of that size and will either result in an overloaded pipe into the datacenter or blackholing the traffic (blackholing - dropping all traffic to that destination including the valid requests).

So what questions or criteria should be used to determine the vendor?

First of all determine the risk to your assets vulnerable to a 10 gbps attack. For example how much would downtime cost you per asset? This will provide a business case and help determine budget considerations.

Then consider the following questions you should use to determine a vendor’s suitability for DDoS mitigation:

  • What SLAs do you provide?
  • What is the maximum size of a DDoS attack that you can mitigate (e.g. gbps)?
  • Do you blackhole traffic if it reaches a certain threshold? If so, what is that threshold?
  • What is your accuracy or false positive rate?
  • Where are your scrubbing centres located?
  • How is my user experience / performance impacted?

We have shown how Reflection and Amplification are interrelated and how they work: simpler than may appear! Numerous mitigation strategies have been summarized, both from a global infrastructure and potential victim point of view. We have to drive harder to stay ahead of the malicious actors!

Join the CSO newsletter!

Error: Please check your email address.

Tags DDoS attacksAkamai Technologiesdistributed denial of service​AmplificationReflectionCSO Australia

More about SNMPTransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Dr Claudia Johnson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place