Amplification Detection: Determining DDoS Abuse Potential of Your Network
A Quantitative Study of the Amplification Potential of Three Popular Protocols
Abstract
Amplification Distributed Denial of Service (DDoS) attacks require two ingredients: networks that do not drop packets with spoofed source IP addresses, and Internet-facing servers running UDP protocols with amplification potential. Such attacks can saturate large network links and disrupt the availability of even the largest network infrastructures. While multiple studies address vulnerable protocols and explore collaborative mitigation of such attacks, the problem of preventing exploitable servers from being deployed in the first place remains largely unaddressed. In this paper, we investigate such servers located in Sweden running DNS, NTP, and Memcached services to learn what makes them vulnerable. After analyzing thousands of servers, we give insights into the current state of the Swedish network and find multiple recursive DNS resolvers with bandwidth amplification factors above 100, authoritative DNS servers hosting domains with very large zone data, and NTP servers patched against old attacks but still providing significant amplification. We find that the important parameters shaping the largest DNS amplifiers are the choice of the EDNS buffer size, how responses exceeding that size are truncated, and the absence of restrictions on "ANY" queries. NTP servers with debug commands reachable from the Internet retain amplification potential, and no vulnerable Memcached servers were found in Sweden.
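The three DNS parameters named above (EDNS buffer size, truncation behaviour, and unrestricted "ANY" queries) can be put into numbers with a small model. The following Python is an added example and not code from the paper: it builds a real wire-format DNS query (RFC 1035 header and question, plus an RFC 6891 OPT pseudo-RR when an EDNS buffer size is advertised), then computes the bandwidth amplification factor (BAF), taken here as DNS payload bytes returned per DNS payload byte sent, without IP/UDP headers. The response sizes and the two truncation policies ("minimal": a TC=1 reply the same length as the query; "fill": records packed up to the advertised cap before TC=1 is set) are modelling assumptions, not measurements from the study; the domain name and the 3000- and 4500-byte "full answer" sizes are constructed inputs.

```python
import struct

QTYPE_ANY = 255
QCLASS_IN = 1
OPT_TYPE = 41
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit when no EDNS0 OPT RR is present


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, edns_bufsize=None, txid: int = 0x1234) -> bytes:
    """Build a UDP DNS query. When edns_bufsize is given, append an EDNS0 OPT
    pseudo-RR advertising that UDP payload size (RFC 6891)."""
    arcount = 1 if edns_bufsize is not None else 0
    # header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    pkt = header + question
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL field reused for extended RCODE/version/flags (all 0), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return pkt


def response_size(query: bytes, full_answer_len: int, edns_bufsize, truncation: str = "minimal") -> int:
    """Model the bytes a server puts on the wire for a response whose untruncated
    size is full_answer_len.

    cap = advertised EDNS buffer size, or 512 without EDNS0.
    truncation="minimal": an oversized answer is replaced by a TC=1 reply carrying
        only header + question (+ OPT); modelled (assumption) as the query's length.
    truncation="fill": the server packs records up to the cap before setting TC=1;
        modelled (assumption) as exactly the cap.
    """
    cap = edns_bufsize if edns_bufsize is not None else CLASSIC_UDP_LIMIT
    if full_answer_len <= cap:
        return full_answer_len
    if truncation == "minimal":
        return len(query)
    if truncation == "fill":
        return cap
    raise ValueError(f"unknown truncation policy: {truncation}")


def amplification_factor(name: str, full_answer_len: int, edns_bufsize=None,
                         truncation: str = "minimal", qtype: int = QTYPE_ANY) -> float:
    """Bandwidth amplification factor: DNS response bytes per DNS request byte."""
    q = build_query(name, qtype, edns_bufsize)
    return response_size(q, full_answer_len, edns_bufsize, truncation) / len(q)


if __name__ == "__main__":
    # Constructed scenarios: an ANY answer of 3000 bytes and one of 4500 bytes.
    scenarios = [
        ("no EDNS, minimal TC reply", 3000, None, "minimal"),
        ("no EDNS, fill to 512", 3000, None, "fill"),
        ("EDNS 4096, answer fits", 3000, 4096, "minimal"),
        ("EDNS 4096, oversized, minimal TC", 4500, 4096, "minimal"),
        ("EDNS 4096, oversized, fill to cap", 4500, 4096, "fill"),
    ]
    for label, ans, buf, pol in scenarios:
        qlen = len(build_query("example.com", QTYPE_ANY, buf))
        print(f"{label:38s} query={qlen:3d}B  BAF={amplification_factor('example.com', ans, buf, pol):6.1f}")
```

Two things fall out of the model. A 40-byte ANY query with a 4096-byte EDNS buffer reaches a BAF of about 102 as soon as the server either has a large enough answer or fills the buffer before truncating, which is the ">100" regime the abstract reports; and a resolver that answers oversized queries with a minimal TC=1 reply drops the factor to about 1 regardless of zone size, which is why truncation policy matters as much as the buffer size itself.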