Amplification Attack
An amplification attack exploits a server’s functionality and protocol vulnerabilities to amplify the amount of traffic sent to a victim’s network.
What is an Amplification Attack?
In an amplification attack, the attacker sends a large number of small DNS queries from a spoofed source IP address to a targeted server. Unaware of the forgery, the server then replies with a huge volume of responses. The victim’s network capacity is overwhelmed by the amplified response.
Types of Amplification Attacks
There are two primary types of amplification attacks, UDP and TCP amplification attacks.
UDP amplification attacks: UDP is a vector of choice for amplification attacks because it is a less secure protocol. Designed to provide fast, efficient data transfer across networks, it does not require confirmation of receipt or check for errors and does not store information about packets sent, so it lacks reliability and flow control. The attacker exploits these characteristics to exhaust server resources and saturate internet connections with a large volume of UDP packets.
TCP amplification attacks: TCP is a more secure protocol than UDP because it requires a three-way handshake to request, confirm, and open a connection so that data can be exchanged. However, TCP amplification attacks have started emerging because attackers are using weaponized middleboxes to bypass the handshake and send requests that generate a large response from the target’s DNS servers. They also use carpet bombing to attack many destinations at the same time but at levels below the radar of many detection mechanisms.
How to Detect and Mitigate Amplification Attacks
Tools such as traffic analysis, behavioral detection, and anomaly monitoring can help organizations detect advanced DDoS threats. While load balancers and failover mechanisms can distribute traffic across different resources to help mitigate the impact of an attack and assist with continuity of service.
However, to stop attacks before damage is done, use an advanced DDoS protection that monitors the network for suspicious activity while using multi-site resiliency and intelligent traffic management to keep legitimate traffic flowing. When coupled with AI-assisted threat intelligence, it can continually learn from new data and adapt in real time to stay ahead of emerging threats, counter evolving methods, and keep defenses sharp against follow-on malicious activity and threats to your operations.
Get in Touch
It’s important to stay vigilant against the ever-present and evolving threat of advanced DDoS attacks. Visit our threat intelligence research center for more information on DDoS defense in depth.
