What amplification means
In an amplification attack, the attacker sends a small request to a public service using the victim's source IP address. The service replies with a larger response, and that response is sent to the victim instead of the attacker.
The attacker gains leverage because the outbound attack traffic from their own systems is much smaller than the traffic ultimately delivered to the target.
Why UDP is used
UDP is connectionless. The responding server does not need to complete a handshake before sending data back. That makes source address spoofing practical when upstream networks do not filter it properly.
If a protocol also allows a small request to generate a much larger response, it becomes a useful amplification vector.
Basic attack flow
attacker → small spoofed UDP request → public service → larger UDP response → victim
Common amplification vectors
- DNS
- NTP
- CLDAP
- Memcached
Reflection and amplification
The traffic is reflected because it comes from third-party systems rather than directly from the attacker. It is amplified because the response is larger than the request.
Some attacks rely mostly on reflection, some mostly on amplification, and many use both at the same time.
Why these attacks are effective
The victim sees traffic from many legitimate-looking public servers, not from one obvious source. That makes crude blocking less effective, and the aggregate volume grows quickly.
The attack can also be efficient for the attacker because they do not need to generate the full attack volume themselves.
Mitigation approach
Effective mitigation usually combines protocol-aware filters, rate limiting and upstream capacity. Because the attack is often stateless and high-volume, simple fast filtering matters more than complex session logic.
Source validation on the wider internet also matters. If spoofed traffic is filtered near the source, the entire attack model becomes harder to execute.
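A stateless, protocol-aware check of the kind described under Mitigation approach, as an added example that is not part of the original page. It tallies inbound UDP replies by the well-known source ports of the vectors listed above; the record fields, thresholds and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Well-known UDP ports of the vectors listed above; replies arrive FROM these ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 11211: "Memcached"}

def summarize(packets, protected_ip):
    """Stateless pass: tally inbound UDP replies per vector, no session tracking."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for p in packets:
        if p["proto"] != "udp" or p["dst"] != protected_ip:
            continue
        vector = REFLECTOR_PORTS.get(p["sport"])
        if vector is None:
            continue
        entry = stats[vector]
        entry["bytes"] += p["size"]
        entry["packets"] += 1
        entry["sources"].add(p["src"])
    return stats

def flag_vectors(packets, protected_ip, min_sources=3, min_bytes=5000):
    """Flag a vector when many distinct servers deliver a large reply volume.
    Both thresholds are illustrative assumptions, not recommended values."""
    alerts = {}
    for vector, entry in summarize(packets, protected_ip).items():
        if len(entry["sources"]) >= min_sources and entry["bytes"] >= min_bytes:
            alerts[vector] = {"sources": len(entry["sources"]),
                              "bytes": entry["bytes"], "packets": entry["packets"]}
    return alerts

def sample_packets():
    """Constructed records (documentation address ranges), not captured traffic."""
    pkts = [{"proto": "udp", "src": f"198.51.100.{i}", "sport": 123,
             "dst": "203.0.113.10", "size": 1400}
            for i in range(1, 5) for _ in range(3)]  # 4 servers x 3 large replies
    pkts += [
        # One small DNS reply from a single resolver: normal traffic, not flagged.
        {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "203.0.113.10", "size": 120},
        # TCP from port 53 and UDP to another host are ignored by the filter.
        {"proto": "tcp", "src": "198.51.100.53", "sport": 53, "dst": "203.0.113.10", "size": 9000},
        {"proto": "udp", "src": "198.51.100.9", "sport": 11211, "dst": "203.0.113.20", "size": 9000},
    ]
    return pkts

if __name__ == "__main__":
    for vector, info in flag_vectors(sample_packets(), "203.0.113.10").items():
        print(vector, info)
```

A host that itself sends DNS or NTP queries also receives replies from these ports, which is why the check flags on distinct-source count and volume rather than on the port alone.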