Reflection and amplification attacks are a class of DDoS attack in which the attacker exploits protocol behavior to direct massively disproportionate traffic at a target, using third-party servers that are not complicit in the attack. They require no botnet and no sustained bandwidth: a modest attacker can generate terabits from a home connection.
The Core Mechanism
The two components are distinct but combine. Reflection means the traffic appears to come from a legitimate server rather than from the attacker. Amplification means the response is much larger than the request, sometimes thousands of times larger. Together, they give attackers massive leverage with minimal resources.
Major Reflection/Amplification Protocols
- DNS (UDP/53): 28–54x amplification. Widely exploited.
- NTP (UDP/123): up to 556x via MONLIST command. Older but still in use.
- Memcached (UDP/11211): up to 51,000x. The highest known amplification factor.
- SSDP (UDP/1900): 30x. Used in Mirai-based attacks.
- CLDAP (UDP/389): 56–70x. Targets Windows LDAP services.
- WS-Discovery (UDP/3702): 300–500x. Newer attack vector targeting IoT.
Why IP Spoofing Makes This Possible
All reflection attacks depend on UDP source address spoofing. The attacker sends a request whose source address is the victim's IP; the amplifier sends its large response to that address. Networks that implement BCP38 ingress filtering drop outbound packets whose source address does not belong to the network they came from, which stops the spoofed request at its origin — but a significant fraction of the internet's networks do not.
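From the defender's side, the two mechanisms above leave a recognizable shape in flow data: many unrelated servers all answering from the same well-known service port toward one host, with large packets. The following is an added example (not code from the original page or from any vendor) that scores NetFlow-style records against the port list above; the flow records, the 3-reflector and 400-bytes-per-packet thresholds, and the helper names are assumptions constructed for the example.

```python
from collections import defaultdict

# Amplifier source ports from the list above, mapped to the page's stated
# upper amplification factor (used only to rank alerts, not as ground truth).
AMPLIFIER_PORTS = {53: 54, 123: 556, 11211: 51000, 1900: 30, 389: 70, 3702: 500}

def reflection_candidates(flows, min_reflectors=3, min_bytes_per_pkt=400):
    """Group inbound UDP flows by (victim, amplifier port) and flag groups where
    many distinct servers answer from the same service port toward one host
    with large packets. Both thresholds are assumptions for this example."""
    groups = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in AMPLIFIER_PORTS:
            continue
        g = groups[(f["dst_ip"], f["src_port"])]
        g["reflectors"].add(f["src_ip"])
        g["bytes"] += f["bytes"]
        g["pkts"] += f["packets"]
    hits = {}
    for (victim, port), g in groups.items():
        bpp = g["bytes"] / g["pkts"]
        if len(g["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_pkt:
            hits[(victim, port)] = {"reflectors": len(g["reflectors"]),
                                    "bytes_per_pkt": round(bpp),
                                    "max_factor": AMPLIFIER_PORTS[port]}
    return hits

def flow(src, sport, dst, nbytes, pkts):
    """Build a minimal NetFlow-style record (constructed, not captured)."""
    return {"proto": "udp", "src_ip": src, "src_port": sport, "dst_ip": dst,
            "dst_port": 40001, "bytes": nbytes, "packets": pkts}

# Constructed sample: three memcached reflectors hit 203.0.113.10 with 1400-byte
# packets; two NTP reflectors hit it too (under the reflector threshold); one
# ordinary DNS answer goes to 203.0.113.20 and should not be flagged.
SAMPLE_FLOWS = [
    flow("198.51.100.1", 11211, "203.0.113.10", 1_400_000, 1000),
    flow("198.51.100.2", 11211, "203.0.113.10", 1_400_000, 1000),
    flow("198.51.100.3", 11211, "203.0.113.10", 1_400_000, 1000),
    flow("198.51.100.7", 123, "203.0.113.10", 468_000, 1000),
    flow("198.51.100.8", 123, "203.0.113.10", 468_000, 1000),
    flow("192.0.2.53", 53, "203.0.113.20", 12_000, 100),
]

if __name__ == "__main__":
    for (victim, port), info in reflection_candidates(SAMPLE_FLOWS).items():
        print(f"{victim} <- UDP/{port}: {info}")
```

Lowering `min_reflectors` to 2 also surfaces the NTP group, which is the trade-off a real deployment tunes against its own baseline of legitimate DNS and NTP answer sizes.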
Mitigation at the Proxy Layer
Akarguard's scrubbing infrastructure identifies amplification traffic by its characteristic signatures: specific UDP source ports, response payload patterns, and traffic volume anomalies. All known amplification vectors are detected and dropped before they reach your origin. Your pipe stays clear even during multi-terabit amplification events.