DDoS amplification attack explained: why small requests can become massive floods

What a DDoS amplification attack is

The attacker abuses protocols where a small request can trigger a larger response. DNS, NTP, SSDP, CLDAP, memcached and other UDP-based services have all been abused in different periods. The details change by vector, but the model stays the same: spoof source, ask a reflector, make the reflector answer the victim.

The victim sees traffic from many servers that may be legitimate on their own. Blocking every source one by one rarely works, because the reflector set can change quickly and the attack can combine multiple protocols.

The real problem is therefore not only malicious hosts. It is the combination of source spoofing, open or exposed services and a victim link forced to receive traffic it never requested.

Why amplification attacks are so disruptive

Amplification attacks are disruptive because they move cost away from the attacker. The attacker sends limited traffic, while the victim receives a multiplied response. When enough reflectors participate, the target link, router or firewall can saturate even before the protected application receives useful traffic.

This is especially damaging for protected IP transit buyers, hosters, dedicated server customers and gaming providers. Their users experience downtime, packet loss or failed connections, but the origin server may not show a classic application overload.

A strong mitigation plan must therefore look at the entry point of traffic, not only at the server logs. If the first saturation is the transit port, the right place to mitigate is upstream.

Possible solutions against amplification

The Internet-wide fix is source address validation: networks should prevent spoofed traffic from leaving their edge. That reduces reflection attacks globally, but a victim cannot depend on perfect filtering everywhere.

On the victim side, mitigation includes upstream scrubbing, protocol-aware ACLs, rate limits, FlowSpec where appropriate, traffic baselines and protected transit. The goal is to drop reflected noise while keeping useful traffic reachable.

Local firewall rules are useful as a last layer, but they should not be the first line of defense for a large amplification wave. They protect the server only if packets still reach the server in a manageable quantity.

How Peeryx mitigates reflected floods

Peeryx positions mitigation before the fragile layer. Traffic can enter through protected IP transit, BGP announcement, protected IPs, tunnel delivery or cross-connect. Reflected floods are reduced before they overload the customer equipment, then clean traffic is delivered in a model that fits the topology.

For very high-volume or high-PPS events, upstream relief can be used to shave attack traffic before fine filtering continues. This is not the same as blind blackholing: the goal is to keep the customer service online, not simply hide the graph.

The same design can serve a hosting provider, a dedicated server customer, a SaaS/API platform or a gaming environment. What changes is the service baseline, the allowed protocols and the return path.

Concrete use case: hosting provider under amplification

A hosting provider receives a reflected UDP flood against several protected IPs. The attack mixes DNS-like responses, NTP-looking packets and random UDP noise. The customer firewall is not designed to inspect that much unwanted traffic, and legitimate clients begin to see loss.

By moving entry through protected transit, Peeryx can filter obvious reflected traffic before the customer edge. The handoff then returns cleaner traffic through a tunnel, protected IP delivery, cross-connect or router VM.

The operational benefit is readability. The customer can still run its own firewall and application rules, but it no longer has to absorb the entire reflected wave locally.

Frequent mistakes

A common mistake is to buy only a larger port. Extra capacity helps, but amplification can grow faster than the customer link. Another mistake is to rely on blackhole as the primary response, which protects the network but makes the service unreachable.

Teams also sometimes block whole protocols without checking legitimate use. That may be acceptable for unused traffic, but dangerous for DNS, gaming, monitoring or VPN services.

Finally, amplification should not be treated as a single vector. Attackers can switch reflectors and protocols. Mitigation needs visibility, not only a static one-line rule.

Why choose Peeryx for this type of DDoS risk

Peeryx is built for exposed infrastructure that cannot be protected with a single generic firewall rule. The objective is to keep the public service reachable while reducing attack traffic before it reaches the fragile part of the topology.

The same platform can serve a hosting provider that needs protected IP transit, a company that wants clean traffic through a tunnel, a client that prefers a cross-connect, or a gaming operator that needs a specialised reverse proxy for Minecraft, FiveM or another latency-sensitive service.

• Protected IP transit with BGP, under-ASN support and several delivery models
• Clean traffic delivery through cross-connect, GRE, IPIP, VXLAN or router VM
• Filtering logic designed around the real service instead of a one-size-fits-all profile
• Commercially readable offers for transit, dedicated servers and gaming reverse proxy

FAQ