DDoS Amplification Reflector
A DDoS amplification reflector is a misconfigured server — typically running DNS, NTP, memcached, or SSDP — that can be abused to reflect and amplify spoofed UDP requests toward a victim. An attacker sends a small request with a spoofed source IP (the victim's IP), and the reflector sends a much larger response to the victim, achieving amplification factors from 10× (DNS) to 51,000× (memcached). Open resolvers and publicly accessible NTP servers are the most common amplifiers.
High Severity
This threat is classified as high severity. Prioritize mitigation.
🔍Indicators
- Receiving large volumes of unsolicited DNS, NTP, or memcached responses (not matching outbound queries)
- Responses arriving from port 53 (DNS), 123 (NTP), or 11211 (memcached) to unpredictable high ports
- Asymmetric traffic: small outbound query volume but large inbound response volume
- Source IPs from globally distributed resolver/NTP infrastructure
- NTP monlist or status responses significantly larger than the corresponding request
🛡Detection Methods
Test if your server is an open DNS resolver (amplifier)
# Query your own DNS server from an external IP — it should refuse recursive queries for external domains
dig @YOUR_SERVER_IP google.com +short
# Expected for properly configured resolver: REFUSED or empty
Test NTP monlist exposure
# Check if NTP monlist is enabled (amplification vector)
ntpdc -n -c monlist YOUR_SERVER_IP 2>&1 | head -5
# Should return: "***No association ID's returned"
tcpdump — detect amplification traffic arriving
# Watch for large UDP responses arriving on unpredictable high ports
tcpdump -i eth0 -nn 'udp and src port 53 and length > 512'
tcpdump -i eth0 -nn 'udp and src port 123 and length > 200'
Netflow — identify amplification sources
# nfdump: find top source ports sending to your IP at high volume
nfdump -r /var/cache/nfdump/nfcapd.current \
"dst ip YOUR.IP.ADDRESS.HERE" -s srcport/bytes -n 10
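The indicators listed above and the tcpdump/nfdump checks reduce to one test: inbound UDP from a known amplification port, larger than a normal answer, with no outbound query it could be replying to. The following Python is an added example (not the page's or ipfyi's own tooling) that applies that test to constructed flow records and reports the inbound/outbound byte asymmetry per service. The per-service size thresholds, the sample addresses and the record layout are assumptions standing in for whatever your flow collector exports.

```python
"""Flag unsolicited, oversized UDP responses from amplification-prone ports.

Added example over constructed flow records; not real traffic and not the
page's tooling. Direction is relative to the protected network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Services commonly abused as reflectors, keyed by their well-known UDP port.
AMP_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 1900: "SSDP"}

# Assumed per-datagram size thresholds: above these a single response is
# suspicious (mirrors the tcpdump filters: >512 bytes DNS, >200 bytes NTP).
SIZE_THRESHOLD = {53: 512, 123: 200, 11211: 1400, 1900: 300}


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" (towards us) or "out" (from us)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # Legitimate: our host queried 9.9.9.9 and received a normal-sized reply.
    Flow("out", "203.0.113.10", 41234, "9.9.9.9", 53, 60),
    Flow("in", "9.9.9.9", 53, "203.0.113.10", 41234, 180),
    # Reflected: large DNS responses with no matching outbound query.
    Flow("in", "198.51.100.7", 53, "203.0.113.10", 50001, 3600),
    Flow("in", "198.51.100.8", 53, "203.0.113.10", 50002, 3900),
    # Reflected: NTP response far larger than any request we sent.
    Flow("in", "198.51.100.20", 123, "203.0.113.10", 50003, 4400),
    # Reflected: memcached response to a port we never queried from.
    Flow("in", "198.51.100.30", 11211, "203.0.113.10", 50004, 1450),
    # Unsolicited but small: below threshold, not reported.
    Flow("in", "198.51.100.40", 53, "203.0.113.10", 50005, 100),
]


def find_unsolicited_responses(flows):
    """Inbound flows from an amplification port that exceed the service
    threshold and have no outbound query with the reversed 4-tuple."""
    outbound = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port)
                for f in flows if f.direction == "out"}
    suspicious = []
    for f in flows:
        if f.direction != "in" or f.src_port not in AMP_PORTS:
            continue
        had_query = (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in outbound
        if not had_query and f.bytes > SIZE_THRESHOLD[f.src_port]:
            suspicious.append(f)
    return suspicious


def asymmetry_ratio(flows, port):
    """Inbound-to-outbound byte ratio for one service port. A large value is
    the 'small outbound query volume, large inbound response volume' indicator;
    inf means responses arrived with no outbound traffic at all."""
    inbound = sum(f.bytes for f in flows if f.direction == "in" and f.src_port == port)
    outbound = sum(f.bytes for f in flows if f.direction == "out" and f.dst_port == port)
    return inbound / outbound if outbound else float("inf")


def summarize_by_service(suspicious):
    """Group suspicious flows by service: count, bytes and distinct reflectors."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for f in suspicious:
        entry = totals[AMP_PORTS[f.src_port]]
        entry["flows"] += 1
        entry["bytes"] += f.bytes
        entry["sources"].add(f.src_ip)
    return {svc: {"flows": v["flows"], "bytes": v["bytes"],
                  "sources": sorted(v["sources"])} for svc, v in totals.items()}


if __name__ == "__main__":
    hits = find_unsolicited_responses(SAMPLE_FLOWS)
    for svc, info in summarize_by_service(hits).items():
        print(f"{svc}: {info['flows']} unsolicited responses, "
              f"{info['bytes']} bytes from {len(info['sources'])} reflector(s)")
    for port in (53, 123):
        print(f"port {port} in/out byte ratio: {asymmetry_ratio(SAMPLE_FLOWS, port):.1f}")
```

The reversed 4-tuple match is what separates legitimate resolver traffic from reflected traffic; a size filter alone (as in the tcpdump lines) also catches large but legitimate answers such as DNSSEC-signed responses. The distinct-source list per service is what you would hand to abuse contacts or use to block at the edge.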
✅Mitigation
- Disable open DNS recursion — In BIND: allow-recursion { 192.168.0.0/24; localhost; };. In Unbound: access-control: 0.0.0.0/0 refuse with explicit allow rules for your subnets.
- Disable NTP monlist — Add disable monitor to /etc/ntp.conf and restart ntpd; this eliminates the most common NTP amplification vector.
- Restrict memcached to localhost — Bind memcached to 127.0.0.1 only: memcached -l 127.0.0.1; or firewall port 11211 from external access entirely.
- Implement BCP38 anti-spoofing — Filter outbound traffic at your network edge to drop packets with spoofed source IPs; this prevents your network from being used to send amplified traffic to victims.
- Enable DNS Response Rate Limiting (RRL) — In BIND 9.9+: rate-limit { responses-per-second 5; }; to prevent your resolver from being weaponised.
- Audit publicly exposed UDP services regularly — Use nmap -sU -p 53,123,11211,1900,5353 against your external IPs to discover amplifiable services.
- Notify abuse contacts — If your IP is listed in amplifier databases (openresolver.com, shadowserver.org), remediate and request de-listing.
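To check the BIND, ntpd and memcached items above without reading each file by hand, here is an added example (not the page's or ipfyi's own tooling) that scans a named.conf, an ntp.conf and a memcached command line for the weak settings listed, run against constructed weak and corrected configurations. The regex-based parsing assumes conventional single-file configs; the `restrict default ... noquery` and `-U 0` checks are additional mitigations not mentioned above that also close the respective vectors.

```python
"""Lint BIND, ntpd and memcached settings for the amplification weaknesses
listed in the mitigation section. Added example; parsing is deliberately
simple (regex over raw text) and assumes conventional single-file configs.
"""
import re
import shlex


def audit_named_conf(text):
    """Findings for a BIND named.conf: open recursion and missing RRL."""
    findings = []
    # 'recursion no;' (authoritative-only) makes the recursion ACL moot.
    if not re.search(r"\brecursion\s+no\s*;", text):
        acl = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
        if acl is None:
            findings.append("recursion enabled without an explicit allow-recursion ACL")
        elif re.search(r"\bany\b|0\.0\.0\.0/0|::/0", acl.group(1)):
            findings.append("allow-recursion permits any client (open resolver)")
    if not re.search(r"\brate-limit\s*\{", text):
        findings.append("no rate-limit block: response rate limiting disabled")
    return findings


def audit_ntp_conf(text):
    """Findings for an ntp.conf: monlist still reachable."""
    lines = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    monitor_disabled = any(re.fullmatch(r"disable\s+monitor", line) for line in lines)
    # 'restrict default ... noquery' also refuses mode 6/7 queries, monlist included.
    default_noquery = any(line.startswith("restrict default")
                          and "noquery" in line.split() for line in lines)
    if monitor_disabled or default_noquery:
        return []
    return ["monlist reachable: add 'disable monitor' (or 'restrict default noquery')"]


def audit_memcached_cmdline(cmdline):
    """Findings for a memcached command line: bound beyond loopback."""
    args = shlex.split(cmdline)
    listen = "0.0.0.0"   # memcached listens on all interfaces unless -l is given
    udp_port = 11211     # simplification: treat UDP as on unless '-U 0' is passed
    for i, arg in enumerate(args):
        if arg == "-l" and i + 1 < len(args):
            listen = args[i + 1]
        elif arg == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1])
    loopback_only = all(addr.strip() in ("127.0.0.1", "::1", "localhost")
                        for addr in listen.split(","))
    findings = []
    if not loopback_only:
        findings.append(f"memcached listens on {listen}: bind to 127.0.0.1")
        if udp_port != 0:
            findings.append("UDP enabled on externally reachable memcached (-U 0 disables it)")
    return findings


# Constructed sample configurations: weak setting beside the corrected one.
WEAK_NAMED = """options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
};"""
HARDENED_NAMED = """options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.168.0.0/24; localhost; };
    rate-limit { responses-per-second 5; };
};"""
WEAK_NTP = "server 0.pool.ntp.org iburst\nrestrict default kod nomodify notrap nopeer\n"
HARDENED_NTP = WEAK_NTP.replace("nopeer", "nopeer noquery") + "disable monitor\n"
WEAK_MEMCACHED = "memcached -d -m 64 -p 11211 -u memcache"
HARDENED_MEMCACHED = "memcached -d -m 64 -p 11211 -u memcache -l 127.0.0.1"


if __name__ == "__main__":
    for label, result in [
        ("BIND (weak)", audit_named_conf(WEAK_NAMED)),
        ("BIND (hardened)", audit_named_conf(HARDENED_NAMED)),
        ("ntpd (weak)", audit_ntp_conf(WEAK_NTP)),
        ("ntpd (hardened)", audit_ntp_conf(HARDENED_NTP)),
        ("memcached (weak)", audit_memcached_cmdline(WEAK_MEMCACHED)),
        ("memcached (hardened)", audit_memcached_cmdline(HARDENED_MEMCACHED)),
    ]:
        print(f"{label}: {result or 'OK'}")
```

Run it from a configuration-management hook or a nightly job against the rendered configs, alongside the external nmap -sU audit above: the nmap scan tells you what the internet can reach, this tells you why.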
📋Real-World Examples
2013 — Spamhaus 300 Gbps DNS amplification attack: In March 2013, Spamhaus was targeted by a DNS amplification attack peaking at 300 Gbps — then the largest ever recorded. Attackers spoofed Spamhaus's IP and queried thousands of open DNS resolvers for large DNS zone files, reflecting enormous responses toward Spamhaus's infrastructure and causing collateral congestion across European internet exchanges.
2018 — GitHub 1.35 Tbps memcached attack: Attackers exploited approximately 45,000 misconfigured memcached servers (port 11211, UDP) with an amplification factor of up to 51,200×. A single 203-byte request triggered 100 KB responses, enabling a handful of attack sources to generate 1.35 Tbps directed at GitHub.