DDoS: What is a Reflection and Amplification Attack?

 

 

Updated on 06/13/2022

DDoS – What is it?

A distributed denial-of-service (DDoS) attack is a type of cyber attack in which a malicious actor seeks to disrupt normal traffic of a targeted server, service, or network by overwhelming it with traffic.

Brand reputation, time, clients, and money can be be in risk in case of a DDoS attack. Depending on the severity of an attack, resources could be offline for hours, days and even more.

 

DDoS – Reflection and Amplification

Reflection and amplification are mechanisms commonly used in DDoS attacks. These simple and very effective techniques gained popularity around 2013. They take advantage of publicly accessible UDP services to overload victims with response traffic. Attackers usually do not have to abuse old versions of protocols or exploit vulnerabilities. Instead, legitimate traffic is used.

Reflection occurs when an attacker forges the source address of request packets, pretending to be the victim. Servers are unable to distinguish legitimate from spoofed requests when UDP is used. Therefore, they reply directly to the victim. This technique hides the real IP address of the attacker from both the victim’s system and the abused server.

The other mechanism is traffic amplification. The attacker’s goal is to make the abused service produce as much response data as possible. The ratio between the response and request sizes is called amplification factor. The attacker wants to achieve the largest possible ratio. For example, if an open CharGEN service is used to flood a victim, an amplification factor of up to 359 times can be observed. (Notice that, although CharGEN is not expected to be used these days and should never be openly exposed to the Internet, this is a legitimate service and no vulnerabilities need to be exploited to produce attacks.)

When these techniques are repeatedly used together, an attack is generated. Servers in multiple locations can be involved to produce more devastating results. It is important to realize that abused services are victims as well as those targeted by reply floods. These servers suddenly have to deal with abnormally large amounts of spoofed requests that may prevent them from serving legitimate traffic.

Many UDP protocols can be abused. Among the most common are: NTP with an amplification factor of 557 times, CharGEN with a factor of 359 times, DNS with a factor from 28 to 54 times, and SSDP with a factor of 31 times [1].

The abuse of NTP requires that an old feature of the protocol be active. The attacker uses the debug command ‘monlist’ to trigger large amounts of data directed to the victim system. The usage of this command doesn’t require authentication or authorization. A server is supposed to return statistics about NTP clients, such as IP address, NTP version, and the number of requests to the NTP server. The response is sent in up to 100 UDP datagrams with a 440 bytes payload each. The amplification factor of ‘monlist’ depends directly on the number of client IPs returned by the server but is always very high. The maximum number of table entries that ‘monlist’ returns are 600 (for Linux implementations of NTP). This means that the maximum amount of data returned for a single query can go up to 50KB. The ‘monlist’ command is not the only one with a significant amplification factor, others can be abused as well to produce attacks.

There are millions of services on the Internet that attackers can abuse, but they all can be secured to avoid participation in DDoS attacks. Some could be completely shut down, others should be put behind a firewall to prevent external access, while some require reconfiguration or upgrades to provide proper security mechanisms.

All companies running UDP services exposed to the Internet are urged to properly implement security measures to prevent them from being used in DDoS attacks.

 

Protect Your Business

Malware Patrol offers a wide variety of threat intelligence feeds for use within organizations of all sizes and industries, including a real-time feed of amplification and reflection DDoS attacks that have happened in the last 24 hours. We verify our feeds constantly – every hour in most cases – to ensure they contain only actionable indicators that protect our customers against malware infections and data breaches.

For ease of use, we format the feeds for compatibility with the most popular security tools and platforms. To learn more or to request a free evaluation, you can contact us and our cybersecurity experts will get in touch with you.