Analysing the DDOS-Threat-Landscape, Part 1: UDP Amplification/Reflection

This analysis will shed some light on the DDoS-Threat-Landscape and is dedicated to all technicians and interested people in this field. A basic knowledge on the subject is manadatory, so if you are new to the case, feel welcome'd as well, but please check the links in the reference-section first.

This analysis deals with the problem of UDP/Amplification/Reflection, additional articles for Botnets or HTTP/Amplification/Reflection will follow.

We wanted to know, how big a threat for each vector is. The biggest factors of influence for measuring are:

  • amplification-factor
  • numbers of potential misusable servers/devices available

Based on these facts we are able to evaluate, which vector poses the biggest threat, either based on max expected volume (unskilled attack), but also for skilled attacks, where an attacker doenst go full-force, but a low profile for each amplifier-source (max output 1 mbit/s) to fly as much under the radar as possible. for a skilled attacker, 100.000 amplifiers with 1mbit/s firepower is more valuable than 1.000 amplifiers with 100 mbit.

Amplifier-Source Factor Open Servers AttackScore Expected Volume out/server mbps in/sized attack out total sized attack

;;;;;;;; ;;;;;;;; ;;;;A/Score;Number of Servers * Factor / 1 Mio;;; ;;;;A/Volume ;when in 1k and out all; in GB;; ;;;;A/Out per Server;traffic our per server; in mbps; when in 1k; ;;;;SA/In;input; when sized attack (out max 1mbps), in k;; ;;;;SA/Total Volume;how many traffix; all servers; sized attack; in GB