Reflection and Amplification: Multiplying Attack Power
Reflection and amplification attacks exploit legitimate services to multiply attack traffic. Attackers send requests with spoofed source addresses to services that reply with larger responses. Because the spoofed source address is the victim's, those larger responses are delivered to the victim rather than to the attacker. The amplification factor varies by protocol but can exceed 100x in some cases, allowing small botnets to generate massive attacks.
NTP amplification attacks exploit the Network Time Protocol's monlist command, which returns a list of recent NTP clients. A small request generates a response up to 556 times larger, creating powerful amplification. While many NTP servers have disabled monlist, vulnerable servers still exist and continue to be exploited.
SSDP amplification leverages the Simple Service Discovery Protocol used by many IoT devices. Attackers send discovery requests to devices that respond with their service descriptions, creating amplification factors around 30x. The prevalence of SSDP-enabled devices makes this an attractive vector for attackers.
Memcached amplification attacks achieved record-breaking sizes by exploiting improperly configured Memcached servers. With amplification factors exceeding 50,000x, even small requests could generate enormous response traffic. The 2018 GitHub attack, reaching 1.35 Tbps, demonstrated the devastating potential of Memcached amplification.
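On the receiving side, all three vectors look the same: UDP replies from a service port that the destination never queried, arriving from many servers at once. The following detection sketch is an added example, not part of the original page. It assumes flow records collected at the victim's network edge, and the record layout, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict

# UDP ports of the services named above (well-known port assignments).
REFLECTOR_PORTS = {123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# All addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    # Legitimate NTP exchange: the client asked, the server answered.
    ("192.0.2.5", 40001, "198.51.100.50", 123, "udp", 76),
    ("198.51.100.50", 123, "192.0.2.5", 40001, "udp", 76),
    # One stray unsolicited NTP reply: below the alert thresholds.
    ("198.51.100.60", 123, "192.0.2.7", 53211, "udp", 440),
    # Many memcached servers replying to a host that never queried them.
    ("198.51.100.1", 11211, "203.0.113.10", 80, "udp", 60000),
    ("198.51.100.2", 11211, "203.0.113.10", 80, "udp", 60000),
    ("198.51.100.3", 11211, "203.0.113.10", 80, "udp", 60000),
    ("198.51.100.4", 11211, "203.0.113.10", 80, "udp", 60000),
]

def detect_reflection(flows, min_sources=3, min_bytes=100_000):
    """Flag hosts receiving unsolicited replies from many reflectors.

    Returns {(victim_ip, service): {"sources": n, "bytes": total}}.
    """
    udp = [f for f in flows if f[4] == "udp"]
    # Pass 1: remember which (client, server, port) pairs were really requested.
    requested = {(src, dst, dport) for src, _, dst, dport, _, _ in udp
                 if dport in REFLECTOR_PORTS}
    # Pass 2: accumulate replies from reflector ports that nobody asked for.
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, _, _, nbytes in udp:
        service = REFLECTOR_PORTS.get(sport)
        if service is None or (dst, src, sport) in requested:
            continue
        stats[(dst, service)]["sources"].add(src)
        stats[(dst, service)]["bytes"] += nbytes
    return {key: {"sources": len(s["sources"]), "bytes": s["bytes"]}
            for key, s in stats.items()
            if len(s["sources"]) >= min_sources and s["bytes"] >= min_bytes}

if __name__ == "__main__":
    for (victim, service), info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {service} reflection from {info['sources']} sources, "
              f"{info['bytes']} bytes")
```

The request/reply matching is what keeps ordinary NTP clients out of the results; the thresholds need tuning against the baseline traffic of the network being monitored.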