IP Spoofing & DDoS Amplification¶
Attack Pattern¶
IP spoofing involves forging the source IP address of a packet to conceal the attacker’s identity or impersonate another system. When combined with DDoS amplification, attackers use spoofed requests to vulnerable services that generate large responses, directing massive traffic volumes toward a victim. This technique allows relatively small attack streams to generate enormous traffic volumes, overwhelming victim resources.
1. IP spoofing & DDoS amplification [OR]
1.1 Protocol exploitation [OR]
1.1.1 UDP-based amplification
1.1.1.1 DNS reflection: Small queries triggering large responses
1.1.1.2 NTP monlist: Exploiting time protocol for 556x amplification
1.1.1.3 SNMP reflection: Using SNMP GETBULK for large data returns
1.1.1.4 SSDP reflection: UPnP protocols generating 30x amplification
1.1.1.5 CLDAP reflection: Connectionless LDAP producing 50-70x amplification
1.1.2 TCP-based amplification
1.1.2.1 TCP middlebox reflection: Abusing firewalls and load balancers
1.1.2.2 SYN-ACK amplification: Exploiting TCP stack implementations
1.1.2.3 RST injection: Forcing connection resets with spoofed packets
1.1.3 ICMP-based amplification
1.1.3.1 Smurf attacks: ICMP broadcast amplification
1.1.3.2 ICMP error message generation: Triggering error responses
1.1.3.3 Ping flood: Direct ICMP amplification attacks
1.2 Service-specific attacks [OR]
1.2.1 Cloud service exploitation
1.2.1.1 Memcached amplification: 50,000x amplification from UDP 11211
1.2.1.2 Redis amplification: In-memory database amplification
1.2.1.3 Docker API abuse: Container orchestration amplification
1.2.2 Enterprise service attacks
1.2.2.1 Microsoft RDP amplification: Remote Desktop Protocol abuse
1.2.2.2 Oracle database amplification: TNS protocol exploitation
1.2.2.3 SAP router amplification: Business application abuse
1.2.3 Networking protocol abuse
1.2.3.1 QUIC protocol amplification: HTTP/3 protocol exploitation
1.2.3.2 WS-Discovery amplification: IoT device discovery abuse
1.2.3.3 CoAP amplification: Constrained Application Protocol abuse
1.3 Technique variations [OR]
1.3.1 Direct amplification
1.3.1.1 Single protocol amplification attacks
1.3.1.2 Multi-vector amplification campaigns
1.3.1.3 Protocol-specific optimisation for maximum amplification
1.3.2 Chained amplification
1.3.2.1 Multi-stage reflection through multiple services
1.3.2.2 Recursive amplification using multiple protocols
1.3.2.3 Cross-protocol amplification chains
1.3.3 Asymmetric amplification
1.3.3.1 Exploiting response size differentials
1.3.3.2 Timing-based amplification attacks
1.3.3.3 Protocol behaviour manipulation
1.4 Infrastructure abuse [OR]
1.4.1 Cloud provider exploitation
1.4.1.1 Using cloud VMs for amplification attacks
1.4.1.2 Abusing cloud load balancers as reflectors
1.4.1.3 Container orchestration platform abuse
1.4.2 ISP infrastructure attacks
1.4.2.1 Broadband modem exploitation
1.4.2.2 Core router reflection attacks
1.4.2.3 BGP route hijacking for amplification
1.4.3 IoT device recruitment
1.4.3.1 Compromised IoT devices as reflectors
1.4.3.2 Wireless access point exploitation
1.4.3.3 Network appliance abuse
1.5 Evasion techniques [OR]
1.5.1 Traffic obfuscation
1.5.1.1 Low-and-slow amplification attacks
1.5.1.2 Randomised source port spoofing
1.5.1.3 Protocol field manipulation
1.5.2 Detection avoidance
1.5.2.1 Amplification through legitimate services
1.5.2.2 Geographic distribution of reflectors
1.5.2.3 Time-shifted attack patterns
1.5.3 Mitigation bypass
1.5.3.1 Adaptive protocol switching
1.5.3.2 Multi-vector attack rotation
1.5.3.3 Resource exhaustion through persistence
1.6 Advanced attack methods [OR]
1.6.1 AI-enhanced amplification
1.6.1.1 Machine learning for optimal reflector selection
1.6.1.2 Adaptive attack patterns based on victim response
1.6.1.3 Predictive amplification targeting
1.6.2 State-aware attacks
1.6.2.1 Protocol state manipulation for amplification
1.6.2.2 Session-aware spoofing attacks
1.6.2.3 Connection-oriented amplification
1.6.3 Zero-day amplification
1.6.3.1 Novel protocol exploitation
1.6.3.2 Emerging service abuse
1.6.3.3 Unknown amplification vectors
1.7 Target-specific campaigns [OR]
1.7.1 Infrastructure targeting
1.7.1.1 DNS server amplification attacks
1.7.1.2 Network link saturation
1.7.1.3 Routing infrastructure targeting
1.7.2 Application layer attacks
1.7.2.1 Web application amplification
1.7.2.2 API endpoint targeting
1.7.2.3 Database service exhaustion
1.7.3 Service disruption
1.7.3.1 CDN and cloud service targeting
1.7.3.2 VoIP and video service attacks
1.7.3.3 Gaming infrastructure targeting
1.8 Coordination mechanisms [OR]
1.8.1 Botnet coordination
1.8.1.1 Centralised C2 for amplification campaigns
1.8.1.2 P2P-based attack coordination
1.8.1.3 Blockchain-coordinated attacks
1.8.2 Timing synchronisation
1.8.2.1 NTP-synchronised attacks
1.8.2.2 GPS-based timing coordination
1.8.2.3 Software-defined timing attacks
1.8.3 Resource pooling
1.8.3.1 Reflector pool management
1.8.3.2 Amplification resource sharing
1.8.3.3 Distributed attack resource allocation
Why It Works¶
Protocol design flaws: Many protocols respond with larger packets than requests
Open services: Misconfigured services respond to requests from any source
Source IP spoofing: Networks allowing spoofed packets enable amplification
Asymmetric responses: Small requests can trigger large responses
Global scale: Millions of vulnerable devices exist worldwide