Instead of hitting a target's IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim's IP address and could trigger large responses from those servers to that address.
In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection, it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.
DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.
SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.
However, NTP servers that are vulnerable to reflection attacks are apparently not that rare and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks so many of them are publicly accessible.
"NTP contains a command called monlist (or sometimes MON_GETLIST), which can be sent to an NTP server for monitoring purposes," CloudFlare explained in January. "It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent, making it ideal for an amplification attack."
Organizations can use the Open NTP Project to identify vulnerable NTP servers in their IP address ranges and can follow instructions provided by security research outfit Team Cymru to secure them on different OSes.
The U.S. Computer Emergency Response Team recommends updating NTP servers to at least ntpd (Network Time Protocol daemon) version 4.2.7, which addresses the monlist issue by default. Older versions need to be manually configured to restrict the functionality.