What Is a Reflection/Amplification DDoS Attack?

NETSCOUT

The COVID-19 pandemic has caused many organizations to accelerate digital transformation efforts in response to an exploding need for remote connectivity. But this trend has also opened the door to a greater threat from hackers and cybercriminals. In particular, distributed denial-of-service (DDoS) attacks have risen dramatically. The latest NETSCOUT Threat Intelligence Report revealed record-breaking DDoS activity in 2020, as attackers launched more than 10 million DDoS attacks worldwide.

DDoS attackers have targeted a multitude of industries with the goal of taking critical systems offline to cause maximum disruption. These threats have put security professionals on notice, forcing them to reexamine strategies for keeping networks secure and systems protected. 

Reflection/Amplification 101

One of the more popular DDoS attack types being employed today is the reflection/amplification attack, which enables attackers to generate higher-volume attacks by combining two methods:

  • In reflection attacks, adversaries spoof a target’s IP address and send a request for information, primarily using the User Datagram Protocol (UDP), or in some cases the Transmission Control Protocol (TCP). The server then responds to the request, sending an answer to the target’s IP address. This “reflection”—using the same protocol in both directions—is why this is called a reflection attack. Any server operating UDP- or TCP-based services can be targeted as a reflector.
  • Amplification attacks generate a high volume of packets that are used to overwhelm the target website without alerting the intermediary. This occurs when a vulnerable service responds with a large reply to the attacker’s request, often called the trigger packet. Using readily available tools, the attacker can send many thousands of these requests to vulnerable services, causing responses that are considerably larger than the original request and significantly amplifying the volume and bandwidth directed at the target. The amplification can take the form of multiple response packets to a single request packet, or of response packets larger than the original. Either method results in amplification.
  • A reflection/amplification attack combines the two, enabling attackers to both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic. The most prevalent forms of these attacks rely on millions of exposed DNS, NTP, SNMP, SSDP, and other UDP/TCP-based services. 

Like all DDoS attacks, reflection/amplification attacks are designed to overwhelm the targeted systems, causing disruption or out-and-out shutdown of services. 

What makes this type of attack so dangerous is that the servers/devices used for these types of attacks can be ordinary servers or consumer devices with no clear sign of having been compromised, making it difficult to prevent them. Also, launching a reflection/amplification attack doesn’t require sophisticated tools, which means attackers can create enormous volumetric attacks by using a modest source of bots or a single robust server. 

The Best Defense Is a Good Defense 

The primary defense against reflection/amplification attacks is to block the spoofed source packets. Because attacks come from legitimate sources using trusted services such as DNS and NTP, it becomes difficult to tell the difference between genuine user workloads and reflected traffic generated by attackers. Adding to the challenge, when a service comes under attack, legitimate user traffic may be forced to retry responses due to the slowdown in service, possibly causing these retries to be falsely identified as DDoS attacks in their own right. 

Organizations can take the following steps to mitigate reflection/amplification attacks: 

  • Rate limiting: This approach restricts sources based on a deviation from a previously established access policy and can be applied to destinations or to sources. Destination rate limiting may inadvertently impact legitimate traffic, making this a less desirable approach. Rate limiting the source is considered more effective. 
  • Port blocking: By blocking ports that aren’t needed, organizations can reduce vulnerability to attacks. It’s important to note that this doesn’t prevent attacks on ports that are used by both legitimate and attacker traffic.
  • Traffic signature filters: These filters can be used to identify repetitive structures that are indicative of an attack. The downside of filtering is potential impact on performance. Inspecting every packet may ultimately overwhelm defenses. 
  • Threat intelligence services: By using threat intelligence services, security professionals can identify vulnerable servers, allowing organizations to proactively block the IP addresses and cut off potential attacks.
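
The sketch below combines source rate limiting with a simple traffic signature, as an added example that is not NETSCOUT code: it flags sources sending unsolicited replies from reflector ports (DNS, NTP, SNMP, SSDP) to a protected host, while leaving replies to the host's own queries alone. The flow-record layout, addresses, window and byte threshold are constructed assumptions.

```python
from collections import defaultdict

# Well-known UDP ports of the services the article names as common reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed UDP flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes).
# 198.51.100.10 is the protected host; all addresses are documentation ranges.
SAMPLE_FLOWS = [
    (0.0, "198.51.100.10", 40000, "192.0.2.53", 53, 70),    # genuine DNS query
    (0.1, "192.0.2.53", 53, "198.51.100.10", 40000, 180),   # its solicited reply
    (0.2, "203.0.113.5", 123, "198.51.100.10", 80, 4400),   # unsolicited NTP
    (0.3, "203.0.113.5", 123, "198.51.100.10", 80, 4400),
    (0.4, "203.0.113.9", 53, "198.51.100.10", 80, 3000),    # unsolicited DNS
    (0.5, "203.0.113.7", 1900, "198.51.100.10", 80, 300),   # small, under limit
    (0.6, "203.0.113.5", 123, "198.51.100.10", 80, 4400),
]


def find_reflectors(flows, protected_ip, window_s=1.0, max_bytes=2000):
    """Return {src_ip: (service, bytes)} for sources that exceed max_bytes of
    unsolicited reflector-port traffic to protected_ip within one window."""
    asked = set()               # (remote_ip, remote_port, local_port) queried by us
    buckets = defaultdict(int)  # (src_ip, window index) -> unsolicited bytes
    service_of = {}
    for ts, src, sport, dst, dport, size in sorted(flows):
        if src == protected_ip:
            asked.add((dst, dport, sport))   # remember outbound requests
            continue
        if dst != protected_ip or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dport) in asked:
            continue                         # reply to a request the host sent
        buckets[(src, int(ts // window_s))] += size
        service_of[src] = REFLECTOR_PORTS[sport]
    offenders = {}
    for (src, _), total in buckets.items():
        # Keep each source's worst window if it is over the per-source limit.
        if total > max_bytes and total > offenders.get(src, ("", 0))[1]:
            offenders[src] = (service_of[src], total)
    return offenders


if __name__ == "__main__":
    hits = find_reflectors(SAMPLE_FLOWS, "198.51.100.10")
    for ip, (svc, total) in sorted(hits.items()):
        print(f"rate-limit {ip}: {total} unsolicited {svc} bytes in one window")
```

Because the limit is applied per source rather than per destination, the legitimate resolver at 192.0.2.53 is unaffected even while the protected host is under load.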
