Reflections and amplifications are mechanisms commonly used in DDoS attacks. These simple and very effective techniques gained popularity around 2013. They take advantage of publicly accessible UDP services to overload victims with response traffic. Attackers usually do not have to abuse old versions of protocols or exploit vulnerabilities. Instead, legitimate traffic is used.

Reflection occurs when an attacker forges the source address of request packets, pretending to be the victim. Servers are unable to distinguish legitimate from spoofed requests when UDP is used. Therefore, they reply directly to the victim. This technique hides the real IP address of the attacker from both the victim’s system and the abused server.

The other mechanism is traffic amplification. The attacker’s goal is to make the abused service produce as much response data as possible. The ratio between the sizes of the response and the request is called amplification factor. The attacker wants to achieve the largest possible ratio. For example, if an open CharGEN service is used to flood a victim, an amplification factor of up to 359 times can be observed. (Notice that, although CharGEN is not expected to be used these days and should never be openly exposed to the Internet, this is a legitimate service and no vulnerabilities need to be exploited to produce attacks.)

When these techniques are repeatedly used together, an attack is generated. Servers in multiple locations can be involved to produce more devastating results. It is important to realize that abused services are victims as well as those targeted by reply floods. These servers suddenly have to deal with abnormally large amounts of spoofed requests that may prevent them from serving legitimate traffic.

Many UDP protocols can be abused. Among the most common are: NTP with an amplification factor of 557 times, CharGEN with a factor of 359 times, DNS with a factor from 28 to 54 times and SSDP with a factor of 31 times [1].

The abuse of NTP requires that an old feature of the protocol be active. The attacker uses the debug command ‘monlist’ to trigger large amounts of data directed to the victim system. The usage of this command doesn’t require authentication or authorization. A server is supposed to return statistics about NTP clients, such as IP address, NTP version and the number of requests to the NTP server. The response is sent in up to 100 UDP datagrams with a 440 bytes payload each. The amplification factor of ‘monlist’ depends directly on the number of client IPs returned by the server but is always very high. The maximum number of table entries that ‘monlist’ returns is 600 (for Linux implementations of NTP). This means that the maximum amount of data returned for a single query can go up to 50KB. The ‘monlist’ command is not the only one with a significant amplification factor, others can be abused as well to produce attacks.

There are millions of services on the Internet that attackers can abuse, but they all can be secured to avoid participation in DDoS attacks. Some could be completely shut down, others should be put behind a firewall to prevent external access, while some require reconfiguration or upgrades to provide proper security mechanisms.

All companies running UDP services exposed to the Internet are urged to properly implement security measures to prevent them from being used in DDoS attacks.

Andre Correa

Co-Founder, Malware Patrol

Andre Correa - Malware PatrolInformation Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company is helping enterprises around the world to protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.