CONCEPT Cited by 1 source
UDP reflection + amplification¶
UDP reflection+amplification is a volumetric-DDoS technique that exploits three properties of many legacy UDP protocols:
- UDP is connectionless — no TCP 3-way handshake, so the source IP in an incoming packet is trivially spoofable by a sender on a network that doesn't filter egress spoofing (BCP-38 non-compliance).
- A reflecting server responds to the spoofed source — the server replies to the forged sender IP instead of the real attacker.
- The reply is bigger than the query — an amplification factor > 1 means the attacker's outbound bandwidth is multiplied by the reflector onto the victim.
Put together: an attacker on a spoofing-capable network sends a small query with the victim's IP as the forged source to a public UDP server that speaks the vulnerable protocol. The server sends a larger reply to the victim. Repeat at scale against tens of thousands of such servers → multi-Tbps flood. The attacker never sends a packet to the victim.
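The victim-side signature of the scheme just described, as an added example that is not from the page or from Cloudflare's writeup: replies arriving from amplifier ports that this host never queried, from many distinct reflectors, sprayed across many local ports. The packet-log tuple format and the RFC 5737 documentation addresses below are constructed for the example.

```python
from collections import defaultdict

# Reflector source ports from the table on this page: an amplified reply arrives FROM one of these.
AMPLIFIER_PORTS = {17: "QOTD", 7: "Echo", 123: "NTP", 111: "Portmap", 520: "RIPv1",
                   11211: "Memcached", 53: "DNS", 1900: "SSDP", 389: "CLDAP"}

def detect_reflection(packets, window=2.0, min_reflectors=3):
    """packets: (t, direction, remote_ip, remote_port, local_port, size) as seen by one host.
    A datagram from an amplifier port is 'solicited' only if this host sent something to that
    same remote ip:port within `window` seconds before it; everything else is reflection."""
    sent_to = defaultdict(list)  # (remote_ip, remote_port) -> times this host sent to it
    seen = defaultdict(lambda: {"reflectors": set(), "dst_ports": set(), "bytes": 0, "pkts": 0})
    for t, direction, rip, rport, lport, size in sorted(packets, key=lambda p: p[0]):
        if direction == "out":
            sent_to[(rip, rport)].append(t)
            continue
        if rport not in AMPLIFIER_PORTS:
            continue
        if any(t - window <= ts <= t for ts in sent_to[(rip, rport)]):
            continue  # matches a query we actually sent: normal client traffic
        rec = seen[AMPLIFIER_PORTS[rport]]
        rec["reflectors"].add(rip)
        rec["dst_ports"].add(lport)
        rec["bytes"] += size
        rec["pkts"] += 1
    # Report only protocols where several distinct reflectors hit us (one stray reply is noise).
    return {proto: {"reflectors": len(r["reflectors"]), "dst_ports": len(r["dst_ports"]),
                    "bytes": r["bytes"], "pkts": r["pkts"]}
            for proto, r in seen.items() if len(r["reflectors"]) >= min_reflectors}

SAMPLE = [  # constructed packet log, not captured traffic (RFC 5737 documentation addresses)
    (0.00, "out", "203.0.113.10", 123, 40000, 48),   # our own NTP client query
    (0.05, "in",  "203.0.113.10", 123, 40000, 48),   # its reply: solicited, ignored
    (1.00, "in",  "198.51.100.1", 123, 5001, 440),   # unsolicited monlist-sized replies
    (1.01, "in",  "198.51.100.2", 123, 5002, 440),   # from four different NTP reflectors
    (1.02, "in",  "198.51.100.3", 123, 5003, 440),
    (1.03, "in",  "198.51.100.4", 123, 5004, 440),
    (1.10, "in",  "192.0.2.7",    17,  6001, 120),   # only two QOTD reflectors: below threshold
    (1.11, "in",  "192.0.2.8",    17,  6002, 120),
    (1.20, "in",  "192.0.2.20",   111, 7001, 300),   # Portmap replies carpet-bombed over 3 ports
    (1.21, "in",  "192.0.2.21",   111, 7002, 300),
    (1.22, "in",  "192.0.2.22",   111, 7003, 300),
]

if __name__ == "__main__":
    for proto, stats in detect_reflection(SAMPLE).items():
        print(f"{proto}: {stats}")
```

The distinct-reflector count is what separates a reflection flood from ordinary client traffic; the spread of local ports is the carpet-bombing indicator.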
Key protocols (from the 2025-06-20 Cloudflare writeup)¶
The first five rows are the reflection vectors in the 7.3 Tbps attack described in Cloudflare's 2025 writeup (see Seen in below); the remaining rows are other well-known amplifiers included for comparison. Note that 99.996% of that attack was direct UDP flood and only 0.004% / 1.3 GB was reflection-amplified.
| Protocol | Port | Amplification shape | Operator fix (don't be a reflector) |
|---|---|---|---|
| QOTD | UDP/17 | Short "Quote of the Day" reply to a small query | Disable service, block UDP/17 at firewall |
| Echo | UDP+TCP/7 | Server echoes whatever payload you send | Disable Echo, block port 7 |
| NTP monlist | UDP/123 | Old NTP servers return list of recent ~600 clients in response to a small monlist query | Disable monlist, upgrade NTP, restrict queries |
| Portmap | UDP/111 | RPC portmapper enumerates registered services; reply larger than query | Disable if not needed, ACL to trusted internal |
| RIPv1 | UDP/520 | Unauthenticated routing-info-protocol replies routing tables | Disable RIPv1 (use RIPv2 with auth) |
| Memcached (not in this writeup but notable) | UDP/11211 | Historical record amplifier (~51,000×); UDP listener disabled by default in newer versions | Disable UDP on memcached |
| DNS | UDP/53 | Large responses to small queries (ANY queries, DNSSEC); ~50× | Rate-limit, restrict recursive service |
| SSDP | UDP/1900 | UPnP discovery replies | Block UPnP on Internet-exposed interfaces |
| CLDAP | UDP/389 | Connectionless LDAP replies from Internet-exposed Active Directory; ~50× | Filter Internet-exposed CLDAP |
QOTD, Echo, Portmap, and RIPv1 all share a shape: decades-old diagnostic / routing protocols that predate spoof-aware design and have no legitimate reason to be Internet-reachable today. The operator fix is almost always to disable the service; there is no modern use case to break.
Why this is still a problem in 2025¶
- IoT + mis-configured hosts at scale — the Internet has millions of exposed hosts running these obsolete services, often because nobody has touched the device since deployment. Even a low amplification factor across a very large reflector pool is terabit-scale.
- BCP-38 is aspirational — if all networks dropped outbound packets with source IPs outside their allocated ranges, spoofing would fail and this entire class of attack would collapse. Adoption is partial; Cloudflare's DDoS Botnet Threat Feed is a practical workaround — telling each ASN which of its hosts are currently flooding so the ASN can take them down.
- Vector blending — real attacks mix reflection-amplification vectors with direct-flood vectors; the 2025 7.3 Tbps attack was 99.996% UDP flood + a long tail of 6 reflection vectors, carpet-bombing 21,925 destination ports on a single IP. The attacker's goal is volume; the defender must be resilient to any blend.
- Mirai-class botnets supply direct-flood capacity out of compromised IoT devices; no reflection needed when you control 122,145 hosts directly.
Defender fix (common across vectors)¶
- Cloud-based volumetric DDoS protection — absorb + scrub at a scale the origin cannot — Cloudflare Magic Transit, AWS Shield Advanced, Akamai Prolexic, etc.
- Anycast scrubbing — distribute the flood across many POPs.
- Kernel-level drops at the edge — XDP/eBPF rules compiled from live fingerprints (see systems/dosd) to drop matching packets before they touch user space.
- Smart rate-limiting on UDP that excludes known legitimate UDP services (VoIP, gaming, VPN, QUIC) — aggressive blanket rate-limiting of UDP impacts legitimate traffic; the tuning requires knowing the customer's traffic shape.
- Block / rate-limit specific UDP ports that have no legitimate inbound use (UDP/17, UDP/7, UDP/111, UDP/520).
Don't-become-a-reflector checklist¶
Every protocol above gives the same operator recipe:
- Disable the service if obsolete (QOTD, Echo, Portmap when not needed, RIPv1).
- Restrict to trusted source IPs (NTP, Portmap when used internally).
- Upgrade the protocol (NTP without monlist, RIPv2 with authentication).
- Block the port at the Internet edge if it has no external use case.
- Monitor outbound traffic for reflection-reply spikes that indicate a local service is being abused.
Per Cloudflare: "All recommendations here should be taken into consideration with the context and behavior of each unique network or application to avoid any unintended impact to legitimate traffic." QOTD / Echo / RIPv1 are safe to disable; NTP / Portmap / DNS need context.
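A self-audit for the checklist above, added here and not taken from Cloudflare's writeup: it parses `ss -lunp`-style output on a Linux host and maps every UDP listener on an amplifier port from the table to the operator fix, distinguishing loopback-only sockets (which cannot reflect for anyone) from exposed ones. The `ss` output embedded below is constructed.

```python
import re

AMPLIFIER_FIXES = {  # port -> (service named on this page, operator fix from the table)
    17: ("QOTD", "Disable service, block UDP/17 at firewall"),
    7: ("Echo", "Disable Echo, block port 7"),
    123: ("NTP", "Disable monlist, upgrade NTP, restrict queries"),
    111: ("Portmap", "Disable if not needed, ACL to trusted internal"),
    520: ("RIPv1", "Disable RIPv1 (use RIPv2 with auth)"),
    11211: ("Memcached", "Disable UDP on memcached"),
    53: ("DNS", "Rate-limit, restrict recursive service"),
    1900: ("SSDP", "Block UPnP on Internet-exposed interfaces"),
    389: ("CLDAP", "Filter Internet-exposed CLDAP"),
}
WILDCARDS = {"0.0.0.0", "[::]", "*"}   # bound on every interface
LOOPBACK = {"127.0.0.1", "[::1]"}      # reachable only from this host

def audit_ss_output(text):
    """Parse `ss -lunp`-style output and return one finding per UDP listener on an
    amplifier port as (port, service, exposure, process, fix). Sockets bound to
    loopback are reported as 'loopback' so the caller can leave them alone."""
    findings = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "UNCONN":
            continue  # header line or not a UDP socket
        addr, _, port = cols[3].rpartition(":")
        if not port.isdigit() or int(port) not in AMPLIFIER_FIXES:
            continue
        port = int(port)
        proc = re.search(r'\("([^"]+)"', line)  # users:(("ntpd",pid=...)) -> ntpd
        exposure = ("loopback" if addr in LOOPBACK else
                    "all-interfaces" if addr in WILDCARDS else f"bound:{addr}")
        service, fix = AMPLIFIER_FIXES[port]
        findings.append((port, service, exposure, proc.group(1) if proc else "?", fix))
    return findings

def exposed(findings):
    """Only the listeners that can answer a non-loopback peer, i.e. potential reflectors."""
    return [f for f in findings if f[2] != "loopback"]

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("ntpd",pid=812,fd=16))
UNCONN 0      0      127.0.0.1:123       0.0.0.0:*         users:(("ntpd",pid=812,fd=17))
UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=402,fd=5))
UNCONN 0      0      [::]:11211          [::]:*            users:(("memcached",pid=910,fd=26))
UNCONN 0      0      10.0.0.5:520        0.0.0.0:*
UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=300,fd=6))
"""
```

Run it against real output with `ss -lunp | python3 audit.py` style piping, or feed `subprocess.run(["ss", "-lunp"], ...)` output to `audit_ss_output`; a socket bound to a specific non-loopback address still needs the ACL check from the table.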
Seen in¶
- sources/2025-06-20-cloudflare-how-cloudflare-blocked-a-monumental-7-3-tbps-ddos-attack — 7.3 Tbps attack: 99.996% UDP flood, remaining 0.004% / 1.3 GB split across QOTD / Echo / NTP monlist / Mirai UDP / Portmap / RIPv1 reflection-amplification vectors; carpet-bombing 21,925 destination ports on a single IP.