
In a DDoS amplification attack, say NTP flooding, an attacker uses a botnet network in order to query multiple NTP servers on port 123, spoofing the source address using the address of the victim/target.

To which port is the reflected traffic from these NTP servers sent? Does the attacker target a specific service on the victim host (chosen after the reconnaissance & scanning phases)? Or is he simply sending UDP traffic to the victim and doesn't care much about the port to which that traffic is being sent?

More generally, what are the ports involved in a DDoS amplification attack?

schroeder
Taaha

2 Answers

For an up-to-date list of protocols used for DDoS amplification attacks, see UDP-Based Amplification Attacks.

Currently the list is:

+------------------------+--------------------------------+------------------------------+
|        Protocol        | Bandwidth Amplification Factor |      Vulnerable Command      |
+------------------------+--------------------------------+------------------------------+
| DNS                    | 28 to 54                       | see: TA13-088A               |
| NTP                    | 556.9                          | see: TA14-013A               |
| SNMPv2                 | 6.3                            | GetBulk request              |
| NetBIOS                | 3.8                            | Name resolution              |
| SSDP                   | 30.8                           | SEARCH request               |
| CharGEN                | 358.8                          | Character generation request |
| QOTD                   | 140.3                          | Quote request                |
| BitTorrent             | 3.8                            | File search                  |
| Kad                    | 16.3                           | Peer list exchange           |
| Quake Network Protocol | 63.9                           | Server info exchange         |
| Steam Protocol         | 5.5                            | Server info exchange         |
| Multicast DNS (mDNS)   | 2 to 10                        | Unicast query                |
| RIPv1                  | 131.24                         | Malformed request            |
| Portmap (RPCbind)      | 7 to 28                        | Malformed request            |
| LDAP                   | 46 to 55                       | Malformed request            |
| CLDAP                  | 56 to 70                       | —                            |
| TFTP                   | 60                             | —                            |
| Memcached              | 10,000 to 51,000               | —                            |
+------------------------+--------------------------------+------------------------------+
Dijkgraaf

For the case of the NTP amplification attacks, they normally use the command MON_GETLIST with a spoofed address on port 123, which will generate short (spoofed) queries and big responses (the MON_GETLIST response).

In general, amplification attacks are on UDP and are tied to a specific service such as DNS, NTP, SNMP and so on.

You can find more information here: Understanding and mitigating NTP-based DDoS attacks

camp0
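The point both answers make, that reflected traffic comes from the abused service's port while the victim-side destination port is whatever the attacker spoofed, is what a defender keys on. The following detection sketch is an added example, not code from either answer: it aggregates constructed UDP flow records by victim and reflector source port, ignoring the destination port, and flags a victim that receives large packets from several distinct reflectors. The port-to-protocol map is the standard service port assignment for the protocols in the table above and is not listed on the page; the flow records and thresholds are constructed.

```python
from collections import defaultdict

# Standard UDP service ports of protocols commonly abused as reflectors (assumed
# mapping, not taken from the page). Reflected packets carry the service port as
# SOURCE port; the victim-side destination port is whatever the spoofed request
# used, so detection keys on the source port rather than the destination port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 137: "NetBIOS", 1900: "SSDP",
                   19: "CharGEN", 17: "QOTD", 5353: "mDNS", 520: "RIPv1",
                   111: "Portmap", 389: "LDAP/CLDAP", 69: "TFTP", 11211: "Memcached"}

# Constructed flow records (not real telemetry):
# proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10 123 203.0.113.5 40211 120 52800
udp 198.51.100.11 123 203.0.113.5 40211 118 51920
udp 198.51.100.12 123 203.0.113.5 40211 125 55000
udp 198.51.100.13 123 203.0.113.5 40211 122 53680
udp 192.0.2.44 53 203.0.113.9 53 3 240
udp 192.0.2.80 443 203.0.113.5 51000 10 4000
"""
FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port", "packets", "bytes")

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; numeric fields become int."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split()))
            for k in ("src_port", "dst_port", "packets", "bytes"):
                rec[k] = int(rec[k])
            flows.append(rec)
    return flows

def find_reflection_victims(flows, min_reflectors=3, min_avg_pkt=400):
    """Aggregate inbound UDP by (victim, source service port) and flag a victim
    when several distinct reflectors send it large packets from one such port."""
    agg = defaultdict(lambda: {"srcs": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] in REFLECTOR_PORTS:
            a = agg[(f["dst_ip"], f["src_port"])]   # dst_port deliberately ignored
            a["srcs"].add(f["src_ip"])
            a["packets"] += f["packets"]
            a["bytes"] += f["bytes"]
    alerts = []
    for (victim, sport), a in agg.items():
        avg = a["bytes"] / a["packets"]
        if len(a["srcs"]) >= min_reflectors and avg >= min_avg_pkt:
            alerts.append({"victim": victim, "service": REFLECTOR_PORTS[sport],
                           "reflectors": len(a["srcs"]), "avg_pkt_bytes": round(avg)})
    return alerts
```

On the sample data only the NTP traffic toward 203.0.113.5 is flagged; the single legitimate DNS reply and the UDP/443 flow fall below the reflector count and packet-size thresholds or use no reflector port at all.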