Image by Виктория Бородинова from Pixabay 

DDoS attacks are malicious attacks that cybercriminals launch to overwhelm a target system. But DDoS amplification attacks take that malevolence a step further. They take advantage of a DDoS amplifier to magnify the harm they cause.

DDoS is the acronym for “distributed denial of service.” Simply put, DDoS attacks are designed to overwhelm a target system with more traffic than it can handle. If this should ever happen to your business, your customers might not be able to contact you for a time.


Cyber criminals carry out a DDoS attack by using a number of compromised systems (a botnet). They direct the botnet to send malicious or spam requests to the target server. The botnet likely has more computational power and network bandwidth than the target system. Therefore, it can often knock the target completely offline. At least it can dramatically degrade its ability to respond to requests from legitimate users.

Basic DDoS attacks can be damaging enough. But some cybercrime groups are increasingly using DDoS amplification to maximize the effects of their attacks. Maintaining services in the face of the overwhelming amount of data that DDoS amplifiers can generate requires a robust DDoS protection solution.

Amplification Attacks Have the Advantage

A general DDoS attack takes advantage of a numerical edge over its target. That is, more attackers means that each attacker needs to send less data to a target to compromise it.

But DDoS amplification attacks add to this asymmetry. They take advantage of a DDoS amplifier, which is a service that meets two criteria. The first criteria is that it uses the User Datagram Protocol (UDP). This is a stateless protocol that has a client send a single request, to which the server provides a single response. The other requirement is that the DDoS amplifier service produces responses that are much larger than the corresponding request.

This combination of features enables an attacker to use a DDoS amplifier service to send much more data to the target than the attacker sends to the service. To exploit a DDoS amplifier, an attacker sends a request with the source IP address spoofed to that of the intended target. Upon receiving the request, the service sends a response. This results in a much larger volume of data being sent to the attacker’s intended target.

An attacker gains a few benefits by using a DDoS amplifier. One is the much greater size of the attack. For example, some services send responses more than 1,600 times larger than the corresponding request.

A second advantage is that the amplified DDoS attack traffic is not obviously malicious. In fact, many organizations routinely receive DNS traffic from external, unknown sources. This is how they find the IP addresses of different websites.

Finally, the only traffic that reaches the target network is coming from the DDoS amplifier. Moreover, the traffic to the amplifier service has a spoofed source IP address, making attribution difficult.

The FBI Warns About DDoS Amplification Threats

DDoS amplification has become an increasingly popular tool for cybercriminals. In fact, the FBI recently issued a warning highlighting the use of built-in network protocols for DDoS amplification by cybercriminals.

DDoS amplification attacks are a growing threat to organizations’ cybersecurity. This is because the number of protocols that cybercriminals can hijack to use as potential DDoS amplifiers has grown significantly in recent years.  Since December 2018, security researchers have discovered several new potential DDoS amplifiers. These include:

Jenkins Servers

Security researchers discovered that Jenkins can be used for DDoS amplification in February 2020. They estimate they can provide an amplification factor of more than 100.

Apple Remote Management Service (ARMS)

Cybercriminals actively exploited ARMS in October 2019 with an amplification factor of 35.5.

Web Services Dynamic Discovery (WS-DD)

More than 130 DDoS attacks in May and August 2019 used the WS-DD protocol in vulnerable Internet of Things (IoT) devices for amplification attacks. At the time, more than 630,000 publicly accessible IoT devices had WS-DD enabled.

Constrained Application Protocol (CoAP)

In December 2018, cybercriminals exploited CoAP in DDoS amplification attacks. It provided an amplification factor of 34.

With amplification factors of 34 and above, these protocols can dramatically increase the size and effect of a DDoS attack. Disabling these protocols is the best way to protect against exploitation. However, this is unlikely to occur since it can impair a company’s ability to provide services. What’s more, service owners may not know to do so.

Additionally, the threat of DDoS amplification would not be eliminated, even by disabling these protocols or making them inaccessible to the public Internet. Protocols like DNS are potential DDoS amplifiers, but they’re also essential. However, attackers can customize DNS records to maximize their amplification factors for DDoS attacks. This is because domain owners, not the DNS server operator, configure DNS records.

Protecting Systems Against DDoS Amplification Attacks

DDoS attacks in general, and DDoS amplification attacks in particular, pose a serious threat to the availability of an organization’s web-facing services. Malicious traffic can easily overwhelm an unprotected system. This is especially true if the attacker uses a DDoS amplifier to increase its effect and evade simple detection rules.

Cybersecurity best practices—and FBI guidance—dictates protecting Internet-facing applications with a robust DDoS protection solution. Such a tool can identify and filter out attack traffic before it reaches an organization’s network. This enables it to continue providing services to legitimate users.