
Amplification Attack

An amplification attack uses third-party servers to multiply traffic toward a victim, so that a small request yields a large response.

What is an amplification attack?

An amplification attack is a reflection-based technique in which attackers send requests whose source address is spoofed to be the victim's. The reflector server answers that spoofed address with a response larger than the request. By sending many small requests to many reflectors, attackers generate amplified traffic directed at the victim. Common reflectors include poorly configured DNS resolvers, NTP servers, and other UDP-based services. Amplification dramatically increases the effective bandwidth available to an attacker and is widely abused in high-intensity DDoS operations.

How does it typically work?

  1. Identify reflectors: attackers scan for services that respond with large payloads to small requests.
  2. Spoof source: requests are crafted with the victim IP as the source so replies go to the victim.
  3. Trigger responses: reflectors return larger responses that are directed at the victim.
  4. Aggregate amplification: many reflectors amplify traffic into a concentrated flood at the target.

Common techniques & variants

  • DNS amplification: use open DNS resolvers to return large answers to small queries.
  • NTP amplification: abuse the NTP monlist command or similar features that return large responses.
  • Memcached amplification: exploit exposed memcached servers that return megabyte-scale responses per request.
  • SSDP and CHARGEN abuse: older UDP-based services still present on some networks can be used as reflectors.
  • Multi-protocol reflection: combine several reflector types to aggregate amplified traffic.
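The four-step flow above and the reflector types just listed share one signature on the victim's side of the link: large UDP responses from well-known service ports arriving at a host that never sent the matching request. The Python below is an added example written for this entry (not Askeal's code nor any vendor's tool) that flags such targets in simplified flow records. The flow records, the port-to-service table and the alert thresholds are all constructed assumptions for the illustration.

```python
"""Flag likely reflection/amplification targets in flow records.

Added example for this glossary entry; it is not Askeal's code nor any
vendor's product. The flow records below are constructed sample data in a
simplified NetFlow-like shape, and the port table and thresholds are
assumptions chosen for the illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# UDP services commonly abused as reflectors (assumed table for the example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 1900: "SSDP", 19: "CHARGEN"}

# Constructed flow records as seen at the victim network's border.
SAMPLE_FLOWS: List[Flow] = [
    # Legitimate: 203.0.113.20 queries a resolver and receives a modest answer.
    Flow("203.0.113.20", 51000, "198.51.100.5", 53, "udp", 70, 1),
    Flow("198.51.100.5", 53, "203.0.113.20", 51000, "udp", 210, 1),
    # Reflected flood: DNS, NTP and memcached servers answer 203.0.113.10,
    # which never queried them (the requests were spoofed in its name).
    Flow("198.51.100.11", 53, "203.0.113.10", 80, "udp", 3_900_000, 1300),
    Flow("198.51.100.12", 53, "203.0.113.10", 80, "udp", 4_100_000, 1370),
    Flow("198.51.100.13", 123, "203.0.113.10", 80, "udp", 2_300_000, 5000),
    Flow("198.51.100.14", 11211, "203.0.113.10", 80, "udp", 9_800_000, 700),
    # Noise: TCP on port 53 is not a reflection vector and must be ignored.
    Flow("198.51.100.15", 53, "203.0.113.10", 443, "tcp", 50_000, 40),
]


def index_requests(flows: Iterable[Flow]) -> Set[Tuple[str, str, int]]:
    """Collect (client, server, service_port) for every outbound UDP request
    to a reflector-class port. A response with no entry here is unsolicited."""
    seen = set()
    for f in flows:
        if f.proto == "udp" and f.dst_port in REFLECTOR_PORTS:
            seen.add((f.src_ip, f.dst_ip, f.dst_port))
    return seen


def find_reflection_targets(flows: List[Flow], min_reflectors: int = 3,
                            min_bytes: int = 1_000_000) -> Dict[str, dict]:
    """Return {target_ip: summary} for hosts receiving unsolicited UDP responses
    from at least `min_reflectors` distinct servers totalling `min_bytes`."""
    requests = index_requests(flows)
    per_target = defaultdict(lambda: {"bytes": 0, "reflectors": set(),
                                      "services": defaultdict(int)})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requests:
            continue  # matching request seen: ordinary client traffic
        entry = per_target[f.dst_ip]
        entry["bytes"] += f.bytes
        entry["reflectors"].add(f.src_ip)
        entry["services"][REFLECTOR_PORTS[f.src_port]] += f.bytes
    alerts = {}
    for target, e in per_target.items():
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes:
            alerts[target] = {"bytes": e["bytes"],
                              "reflector_count": len(e["reflectors"]),
                              "services": dict(e["services"])}
    return alerts


if __name__ == "__main__":
    for target, summary in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{target}: {summary['bytes']} unsolicited bytes from "
              f"{summary['reflector_count']} reflectors {summary['services']}")
```

The "unsolicited response" test is what separates reflection from a host that legitimately downloads a large DNS answer: the legitimate client's request is in the index, so its response is skipped. In production the thresholds have to be tuned to the link, and sampled flow export understates byte counts, so treat the numbers as a trigger for a closer look rather than a verdict.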

Impact

Amplification attacks are effective at generating very large traffic volumes that overwhelm links and scrubbing capacity. They are particularly dangerous because they can be launched by attackers with minimal bandwidth of their own. SecOps teams must detect reflected traffic patterns, work with providers to block or null-route attacking flows, and harden infrastructure to reduce the number of available reflectors. Disabling or rate-limiting vulnerable services and enforcing source address validation (ingress filtering) at network edges shrinks the pool of potential reflectors.
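One of the hardening measures above, rate limiting a service that must stay reachable, can be shown concretely. The Python below is an added example for this entry, not Askeal's code nor the response rate limiting implementation of any DNS or NTP server; it applies a per-client token bucket in the spirit of DNS RRL, so an address that suddenly appears to send a thousand queries a second (a spoofed victim) gets only a bounded number of answers. The bucket size, refill rate and event trace are constructed assumptions; time is kept in integer milliseconds so the counts are exact.

```python
"""Per-client response rate limiting for a UDP service, in the spirit of DNS RRL.

Added example for this glossary entry; it is not Askeal's code nor the RRL
implementation of any DNS or NTP server. Bucket size, refill rate and the
event trace are constructed for the illustration. Time is in integer
milliseconds and tokens in thousandths to keep the arithmetic exact.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


class ResponseRateLimiter:
    """Token bucket per client address.

    A reflector cannot tell a spoofed victim address from a real client, but it
    can refuse to answer any one address faster than `rate_per_sec` responses
    beyond an initial `burst`. That caps the traffic it can reflect at a victim.
    """

    def __init__(self, rate_per_sec: int, burst: int) -> None:
        self.rate = rate_per_sec           # milli-tokens gained per millisecond
        self.cap = burst * 1000            # bucket capacity in milli-tokens
        self.tokens: Dict[str, int] = defaultdict(lambda: self.cap)
        self.last_ms: Dict[str, int] = {}
        self.dropped: Dict[str, int] = defaultdict(int)

    def allow(self, client_ip: str, now_ms: int) -> bool:
        """Return True if a response to client_ip may be sent at time now_ms."""
        elapsed = now_ms - self.last_ms.get(client_ip, now_ms)
        self.tokens[client_ip] = min(self.cap, self.tokens[client_ip] + elapsed * self.rate)
        self.last_ms[client_ip] = now_ms
        if self.tokens[client_ip] >= 1000:
            self.tokens[client_ip] -= 1000   # one full token per response
            return True
        self.dropped[client_ip] += 1
        return False


def build_trace() -> List[Tuple[int, str]]:
    """Constructed trace: a normal client sends one query per second for 5 s;
    a spoofed victim address appears to send 1000 queries within one second."""
    events = [(i * 1000, "203.0.113.20") for i in range(5)]
    events += [(500 + i, "203.0.113.10") for i in range(1000)]
    return sorted(events)


def simulate(rate_per_sec: int, burst: int, events) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Replay events through a limiter; return (sent, dropped) counts per client."""
    limiter = ResponseRateLimiter(rate_per_sec, burst)
    sent: Dict[str, int] = defaultdict(int)
    for t, ip in events:
        if limiter.allow(ip, t):
            sent[ip] += 1
    return dict(sent), dict(limiter.dropped)


if __name__ == "__main__":
    sent, dropped = simulate(10, 20, build_trace())
    for ip in sorted(set(sent) | set(dropped)):
        print(f"{ip}: sent {sent.get(ip, 0)}, dropped {dropped.get(ip, 0)}")
```

With 10 responses per second and a burst of 20, the normal client gets all five answers while the spoofed address receives 29 of its 1000 "requests" answered, so the server reflects at most a trickle toward the victim. Real DNS RRL goes one step further and replaces some dropped answers with truncated ones, which a genuine client retries over TCP and a spoofed source never sees; the limiter here only drops.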

Further reading

  • Cloudflare: Amplification attacks explained.
  • Arbor Networks: Reflection and amplification threat analysis.
  • CERT: Guidance on reflector-based attacks.
  • CISA: DDoS and amplification advisories.