What Is a Reflection Attack and Why Are They Dangerous?

March 3, 2026

Some of the most disruptive cyber attacks aren’t executed through brute force alone, but with misdirection. A reflection attack is a prime example: a technique that keeps the attacker’s own address out of the packets the victim sees and, when combined with amplification, multiplies the traffic the attacker can bring to bear.

Reflection attacks use the standard operations of everyday internet services, turning regular third-party servers into unwitting accomplices in a Distributed Denial of Service (DDoS) campaign. 

How do they do this? The short answer is that the attacker manipulates network protocols to flood a target with overwhelming traffic, causing service outages and operational disruption. For the longer answer, which covers the mechanics, types, and mitigation strategies for reflection attacks, read on.

What is a Reflection Attack?

A reflection attack is a type of Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack that involves three parties:

  • An attacker
  • A third-party server (the “reflector”)
  • A victim

The core principle of the attack is simple:

  • The attacker sends requests to third-party servers with the victim’s IP address forged as the packets’ source address
  • Those servers send their replies to the victim rather than to the attacker; spread across many reflectors, and using protocols whose replies are larger than the requests, the volume the victim receives can far exceed what the attacker sent
  • The victim’s network or services are overwhelmed by the traffic

This technique achieves two primary goals for the attacker:

  1. Laundering attack traffic: The packets that reach the victim carry the reflectors’ real source addresses; the attacker’s own address never appears in them. Tracing the attack back requires the cooperation of the reflectors’ operators and of the networks that carried the spoofed requests, which makes attribution slow and blocking by source address ineffective.
  2. Theft of resources: The attacker uses the reflectors’ bandwidth and CPU to carry out the attack, launching a significant assault with a relatively small amount of their own bandwidth.

Why Are Reflection Amplification Attacks Dangerous?

Reflection attacks are most dangerous when they are combined with amplification.

A reflection amplification attack specifically uses protocols where small requests trigger much larger responses.

It can work like this: the attacker sends a small, spoofed query to the reflector, which then sends a massive response to the victim. The ratio between the response size and the request size is known as the amplification factor. For some protocols, this factor can be over 500x, meaning a 100-byte request can generate a 50,000-byte response aimed at the victim.

This force-multiplying effect is what makes these attacks so devastating. It allows attackers with limited resources to generate colossal traffic volumes capable of overwhelming even the most robust networks. The result is complete service unavailability for the victim, leading to financial losses, reputational damage, and customer churn. The attack is difficult to defend against because the incoming traffic originates from legitimate servers, making it challenging to distinguish from valid user traffic without sophisticated mitigation tools.

What Are the Different Types of Reflection Attacks?

Any internet-facing service that answers unauthenticated requests over a transport whose source address can be spoofed (almost always UDP) can serve as a reflector, so reflection attacks are usually classified by the protocol they abuse. Each leverages a different service as a reflector, but the underlying principle remains the same:

DNS reflection / amplification

This is one of the most common reflection attack vectors. Attackers send small DNS queries to open DNS resolvers with the victim’s spoofed IP address as the source. By choosing a question whose answer is large, classically a query of type ANY, which returns every record held for a name, and attaching an EDNS0 option that advertises a large UDP buffer so the resolver does not truncate the answer at 512 bytes, they can trigger a response that is 50-70 times larger than the request. As organizations increasingly rely on DNS, the prevalence of these attacks continues to rise, with one report noting a 90% year-over-year increase in DNS amplification attacks in Q1 2025.
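To make the request/response asymmetry described above concrete, here is an added example (not code from the original article) that builds the DNS query an attacker would spoof, in real wire format, and measures the amplification factor against a constructed response. The name example.com, the 255-byte TXT records, the transaction ID and the 4096-byte EDNS0 buffer size are constructed sample values; a real open resolver answers with whatever the zone actually holds.

```python
"""Added example: the DNS query an attacker spoofs, and the amplification it can earn,
in real wire format (RFC 1035 header and question, RFC 6891 OPT pseudo-record)."""
import struct

QTYPE_ANY, QTYPE_TXT, QCLASS_IN, RRTYPE_OPT = 255, 16, 1, 41


def encode_name(name):
    """Dotted hostname -> DNS labels: each label length-prefixed, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_udp_size=4096):
    """One standard query plus an EDNS0 OPT record. The OPT 'class' field advertises the
    UDP payload size the sender claims to accept; without it a resolver truncates at
    512 bytes and sets TC, pushing the client to TCP, which a spoofed source cannot do."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)  # root name, empty RDATA
    return header + question + opt


def build_response(query, txt_records):
    """Constructed resolver reply: echoes the question, then one TXT RR per entry.
    Each RR name is a compression pointer (0xC00C) back to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1          # end of QNAME inside the question
    question = query[12:qname_end + 4]                 # QNAME + QTYPE + QCLASS
    opt = query[qname_end + 4:]                        # the OPT RR the query carried
    answers = b""
    for data in txt_records:
        if len(data) > 255:
            raise ValueError("a TXT character-string holds at most 255 bytes")
        rdata = bytes([len(data)]) + data
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 1)  # QR, RD, RA set
    return header + question + answers + opt


def answer_count(packet):
    """ANCOUNT from a DNS header; at the victim this is the answer to a question it never asked."""
    return struct.unpack("!H", packet[6:8])[0]


def amplification_factor(query, response):
    """Bytes delivered to the spoofed source per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")                 # 40 bytes on the wire
    r = build_response(q, [b"x" * 255] * 10)       # constructed 2,720-byte answer
    print(len(q), len(r), answer_count(r), amplification_factor(q, r))  # 40 2720 10 68.0
```

The 40-byte query is the whole cost to the attacker; everything else is paid by the resolver and the victim. The OPT record matters more than it looks: with the 512-byte limit of plain DNS over UDP the resolver would set TC and expect a retry over TCP, and a forged source address can never complete that handshake.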

NTP (Network Time Protocol) ‘monlist’

Older versions of the ntpd reference implementation support a ‘monlist’ command (a mode 7 control request, sent with ntpdc) that returns the addresses of up to the last 600 clients that contacted the server. A request of a few dozen bytes can produce a response hundreds of times larger, spread over many packets. ntpd 4.2.7p26 and later disable monlist by default, and it can be turned off on older releases with ‘disable monitor’ or by adding noquery to the restrict lines, but unpatched servers still exist and are actively exploited by attackers.

Memcached amplification

Memcached is a high-performance, distributed memory caching system that was never designed to face the internet. Versions before 1.5.6 enabled a UDP listener on port 11211 by default, with no authentication. An attacker can store a large value on an exposed server and then send a small, spoofed UDP ‘get’ for that key, so the server sends the whole value to the victim. This yields an amplification factor of over 50,000x and enabled some of the largest DDoS attacks ever recorded, in early 2018.

SNMP (Simple Network Management Protocol)

SNMP is used for managing devices on IP networks. A spoofed GetBulkRequest (SNMPv2c) sent to an SNMP-enabled device on UDP port 161 asks for a long run of the device’s MIB in one go, so the response can be many times the size of the request. Many network devices, such as routers and printers, ship with SNMP enabled and the default read-only community string “public”, and because v1 and v2c send the community string in clear text there is no real credential to protect them, making them easy reflectors.

CLDAP / LDAP reflection

Connectionless Lightweight Directory Access Protocol (CLDAP) is a variant of LDAP that runs over UDP port 389; Microsoft Active Directory domain controllers use it for client discovery, and a surprising number are reachable from the internet. Attackers send spoofed CLDAP search requests to such servers, which answer with large directory responses aimed at the victim. The verbose nature of directory data gives this vector a high amplification factor.

SSDP / UPnP (Simple Service Discovery Protocol)

SSDP is part of the Universal Plug and Play (UPnP) protocol suite used by millions of home and office devices, including routers, printers, and smart TVs, to discover each other on a local network over UDP port 1900. Many devices also answer M-SEARCH discovery requests that arrive from the internet. Attackers send spoofed M-SEARCH requests to these devices, and each one replies to the victim with one or more HTTP-style response packets describing the services it offers; the amplification per device is modest, but the pool of available reflectors is enormous.

Application-layer reflection (HTTP/HTTPS)

Reflection can also occur at the application layer, although with a twist. HTTP runs over TCP, so a request with a spoofed source address never completes the three-way handshake and a web server will not send its full response to a forged address. Instead, the reflector is a service that fetches a URL on the requester’s behalf: open proxies, pingback or link-preview features, and similar fetch-and-forward functions. A botnet makes ordinary, unspoofed requests that name the victim’s URL, and the intermediary performs the expensive request against the victim. The amplification factor is typically low, but the reflected requests arrive from reputable servers and consume the victim’s application resources rather than just bandwidth.

UDP and TCP Reflection Attack

Most reflection attacks leverage the User Datagram Protocol (UDP) because it is connectionless: there is no “handshake” to verify the source IP address, so a single spoofed packet elicits a full response. TCP-based reflection is also possible, though less efficient. An attacker sends a spoofed SYN packet to a server, which replies to the victim with a SYN-ACK and, hearing nothing back, retransmits it several times before giving up. Each spoofed SYN therefore yields several packets at the victim, and a large set of reflectors produces a SYN-ACK flood that can exhaust the victim’s connection-tracking state as well as its bandwidth.

How Does a Reflection Attack Work?

A reflection attack unfolds in a precise, three-step process designed for maximum impact and anonymity:

  1. Spoofing: The attacker crafts packets with a forged source IP address. Instead of their own IP, they insert the IP address of their intended target.
  2. Request: The attacker sends these spoofed packets to one or more intermediary servers (reflectors). These are typically public services like open DNS resolvers or NTP servers that are configured to respond to queries from any source. The request itself is often small and designed to elicit a large response.
  3. Reflection: The reflector servers receive the requests and, seeing the victim’s IP as the source, dutifully send their responses to the victim. The victim is suddenly inundated with unsolicited response traffic from thousands of legitimate servers, consuming its bandwidth and overwhelming its resources.

How Are Reflection and Amplification Attacks Related?

Reflection and amplification are two distinct but closely-related concepts that are almost always used together:

  • Reflection is the method of bouncing traffic off an intermediary server to hide the attacker’s origin and direct unwanted traffic at a victim. A pure reflection attack without amplification would result in the victim receiving traffic roughly equal in volume to what the attacker sent.
  • Amplification is the technique used to multiply the volume of that traffic. It exploits a protocol’s asymmetry, where a small query triggers a large response.

When combined, they create a reflection amplification attack: a highly efficient and powerful DDoS weapon. The synergy between the two is what makes the technique so popular among cybercriminals.

What Are the Signs of a Reflection Attack?

Detecting a reflection attack can be challenging because the traffic originates from legitimate servers. However, there are several key indicators:

  • Sudden Performance Degradation: A sudden and unexplained slowdown of a single service or the entire network is a primary symptom. Legitimate users may experience high latency or be unable to access services at all.
  • Anomalous Traffic Patterns: A massive influx of UDP packets whose source port is a well-known service port (53 for DNS, 123 for NTP, 1900 for SSDP, 11211 for memcached) arriving at destination ports from which the target never sent a request. The packets are responses to questions the victim never asked, and they come from a wide range of geographically diverse IP addresses, which are the reflectors.
  • High Network Saturation: Network monitoring tools may show bandwidth utilization spiking to 100%, indicating that the network links are completely saturated with unsolicited traffic.
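The “answers to questions we never asked” indicator above can be checked mechanically against flow records. The following is an added example, not code from the original article or from any product it mentions: it assumes flow records that carry a direction, the 4-tuple and a byte count, and it treats an inbound UDP flow from a known amplifier port as unsolicited when no outbound flow from the same local socket to that server exists. The addresses, port numbers and volumes in sample_flows() are constructed test data.

```python
"""Added example: spot reflected traffic in flow records by looking for UDP 'answers'
from well-known amplifier ports that no request from our side explains."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports that identify the reflector type; extend for whatever your collector shows.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    direction: str      # "out" = left our network, "in" = arrived from the internet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    octets: int         # bytes observed in the flow


def detect_reflection(flows, min_reflectors=20, min_bytes=1_000_000):
    """Aggregate inbound UDP flows from amplifier ports that match no outbound request,
    per (victim address, service), and return those crossing both thresholds.
    A legitimate answer arrives at the same local socket that sent the request, so its
    reversed 4-tuple is in the outbound set; a reflected answer has no such partner."""
    outbound = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port) for f in flows if f.direction == "out"}
    stats = defaultdict(lambda: {"reflectors": set(), "octets": 0})
    for f in flows:
        if f.direction != "in" or f.src_port not in AMPLIFIER_PORTS:
            continue
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in outbound:
            continue                                    # solicited: we asked this server
        key = (f.dst_ip, AMPLIFIER_PORTS[f.src_port])
        stats[key]["reflectors"].add(f.src_ip)
        stats[key]["octets"] += f.octets
    return {key: {"reflectors": len(v["reflectors"]), "bytes": v["octets"]}
            for key, v in stats.items()
            if len(v["reflectors"]) >= min_reflectors and v["octets"] >= min_bytes}


def sample_flows():
    """Constructed records: one legitimate DNS exchange with 8.8.8.8, three stray SSDP
    replies (below threshold), and 48 KB NTP responses from 50 servers we never queried."""
    flows = [Flow("out", "10.0.0.5", 40001, "8.8.8.8", 53, 60),
             Flow("in", "8.8.8.8", 53, "10.0.0.5", 40001, 200)]
    flows += [Flow("in", f"192.0.2.{i}", 1900, "10.0.0.5", 50000 + i, 300) for i in range(1, 4)]
    flows += [Flow("in", f"203.0.113.{i}", 123, "10.0.0.5", 1024 + i, 48_000) for i in range(1, 51)]
    return flows


if __name__ == "__main__":
    for (victim, service), info in detect_reflection(sample_flows()).items():
        print(f"{victim}: {info['reflectors']} {service} reflectors, {info['bytes']} bytes unsolicited")
```

Two caveats for real deployments: sampled NetFlow and NAT make exact 4-tuple matching unreliable, so a production rule usually falls back to per-source-port volume baselines, and the thresholds above are placeholders to be tuned against your own traffic so that a busy recursive resolver’s legitimate answers do not trip them.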

5 Best Practices for Mitigating Reflection Attack Risks

Defending against reflection attacks requires a multi-layered security approach focused on both prevention and response. The escalating threat, with some reports showing a 350 percent increase in DDoS attack volume, underscores the urgency of implementing robust defenses.

Deploy authoritative DNS with built-in protection

For organizations running their own DNS infrastructure, using an authoritative DNS service with integrated DDoS protection is crucial. These services are designed to absorb and filter malicious queries, handle high traffic loads, and typically implement response rate limiting (RRL), which caps how often identical answers go to the same apparent source so that the authoritative servers themselves cannot be turned into reflectors.

Enable ingress (and egress) source-IP validation to block spoofing

The foundation of reflection attacks is IP address spoofing, and spoofed packets can only be stopped close to where they are injected. Network operators prevent their networks from being a source of these attacks by implementing ingress filtering (BCP 38; BCP 84 covers multihomed networks): routers on customer-facing interfaces drop packets whose source address is not in the range assigned to that customer, typically with an access list or unicast reverse-path forwarding (uRPF). Egress filtering, which applies the same check to traffic leaving the network, catches compromised internal hosts that are emitting spoofed packets. Note that this protects everyone else rather than yourself: a victim cannot filter its way out of an attack with BCP 38, which is why adoption by every network matters.
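The check a router performs for BCP 38 is simple enough to show in a few lines. The following is an added example of the decision logic, not router configuration from the article or from any vendor: it models a forwarding table as a dictionary of prefix to interface (the prefixes, interface names and the default route are constructed) and implements the strict and loose reverse-path checks side by side so the difference is visible on a spoofed but routable address.

```python
"""Added example: source-address validation at a network edge (BCP 38), as strict and
loose reverse-path checks against a constructed forwarding table."""
import ipaddress

# Constructed FIB: which interface each prefix is reachable through.
FIB = {
    "192.0.2.0/24": "cust1",       # address block assigned to customer 1
    "198.51.100.0/24": "cust2",    # address block assigned to customer 2
    "203.0.113.0/24": "upstream",  # some remote network, learned from our transit provider
    "0.0.0.0/0": "upstream",       # default route toward the rest of the internet
}


def lookup(src_ip, fib=FIB):
    """Longest-prefix match for the packet's source address.
    The default route is ignored, as routers do for uRPF unless allow-default is set;
    otherwise every address would 'have a route' and the checks would pass anything."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def strict_urpf(src_ip, ingress_iface, fib=FIB):
    """Accept only if the route back to the source leaves via the interface the packet came in on.
    This is the BCP 38 check for customer-facing ports: a customer may only send from its own block."""
    match = lookup(src_ip, fib)
    return match is not None and match[1] == ingress_iface


def loose_urpf(src_ip, ingress_iface, fib=FIB):
    """Accept if any route to the source exists (the interface is deliberately unused).
    Stops bogons, but a spoofed routable address such as a reflection victim's still passes,
    so loose mode is not enough on customer edges."""
    return lookup(src_ip, fib) is not None


if __name__ == "__main__":
    # Customer 1 forges the victim's address 203.0.113.7 in a request bound for a reflector.
    print("strict on cust1:", strict_urpf("203.0.113.7", "cust1"))   # False: dropped
    print("loose on cust1:", loose_urpf("203.0.113.7", "cust1"))     # True: passes, attack proceeds
```

Strict mode is the right default on single-homed customer ports; on links where routing is asymmetric (the BCP 84 case) it drops legitimate traffic, which is why operators fall back to loose mode or explicit access lists there.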

Deploy always-on or on-demand DDoS mitigation with traffic scrubbing

For any organization with a critical online presence, a professional DDoS mitigation service is essential. These services operate on a massive scale, with the capacity to absorb and “scrub” malicious traffic before it reaches your network. “Always-on” services provide continuous protection, while “on-demand” services can be activated when an attack is detected. Given the increasing frequency of attacks, with the average organization facing thousands of mitigation events per quarter, this is no longer an optional investment.

Review and audit DNS settings & query patterns often

Regularly audit DNS server configurations to ensure they are not open resolvers. An open resolver answers recursive queries from anyone on the internet, making it a prime candidate for use in a reflection attack. Limit recursion to trusted IP ranges (allow-recursion in BIND, for example), enable response rate limiting on authoritative servers, and monitor query patterns for anomalies that suggest abuse, such as bursts of ANY or TXT queries for the same name from many different sources.

Harden exposed UDP services and reduce unnecessary exposure

Conduct regular security audits to identify and secure any internet-facing services that use UDP. If a service like NTP, SNMP, or Memcached is not required to be publicly accessible, it should be placed behind a firewall and restricted to internal network access only. Disabling or rate-limiting specific features known to be abused for amplification (monlist in ntpd, the UDP listener in memcached, SSDP on the WAN side of gateways) further reduces the attack surface, as does checking your own address space against the open-resolver and amplifier scans that several non-profit projects publish.
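The configuration checks in this section can be scripted. Below is an added example, not code from the article or from any product it mentions, that audits constructed configuration snippets for the three services named above and shows the weak setting beside the hardened one. It assumes ntp.conf syntax for the ntpd reference implementation (‘disable monitor’ and noquery on the default restrict line), Debian-style memcached.conf option lines (‘-U 0’ disables UDP, ‘-l’ binds an address) and Net-SNMP snmpd.conf community directives; the community string in the hardened snippet is a placeholder.

```python
"""Added example: audit constructed ntp.conf, memcached.conf and snmpd.conf snippets for
settings that let the service be used as a reflector."""
import re


def _lines(conf):
    """Strip comments and blank lines so the checks see only active directives."""
    return [ln.split("#", 1)[0].strip() for ln in conf.splitlines() if ln.split("#", 1)[0].strip()]


def audit_ntp(conf):
    lines = _lines(conf)
    findings = []
    if "disable monitor" not in lines:
        findings.append("ntp: monlist reachable; add 'disable monitor'")
    defaults = [ln for ln in lines if re.match(r"restrict\s+(-[46]\s+)?default\b", ln)]
    if not defaults or not all("noquery" in ln for ln in defaults):
        findings.append("ntp: 'restrict default' lacks noquery, so remote control queries are answered")
    return findings


def audit_memcached(opts):
    lines = _lines(opts)
    findings = []
    if not any(re.fullmatch(r"-U\s+0", ln) for ln in lines):
        findings.append("memcached: UDP listener enabled; set '-U 0'")
    if not any(ln.startswith("-l ") for ln in lines):
        findings.append("memcached: no '-l' bind address; listens on every interface")
    return findings


def audit_snmpd(conf):
    findings = []
    for ln in _lines(conf):
        m = re.match(r"(rocommunity|rwcommunity)\s+(\S+)(?:\s+(\S+))?", ln)
        if not m:
            continue
        directive, community, source = m.groups()
        if community in ("public", "private"):
            findings.append(f"snmpd: {directive} uses default community '{community}'")
        if source is None:
            findings.append(f"snmpd: {directive} '{community}' answers GetBulk from any source; add a source restriction")
    return findings


def audit_all(ntp_conf, memcached_conf, snmpd_conf):
    return audit_ntp(ntp_conf) + audit_memcached(memcached_conf) + audit_snmpd(snmpd_conf)


# Constructed snippets: the weak form beside the hardened form for each service.
WEAK_NTP = "driftfile /var/lib/ntp/ntp.drift\nserver 0.pool.ntp.org iburst\nrestrict default kod nomodify notrap nopeer\n"
HARD_NTP = WEAK_NTP.replace("nopeer\n", "nopeer noquery\n") + "restrict 127.0.0.1\ndisable monitor\n"
WEAK_MEMCACHED = "-m 64\n-p 11211\n-U 11211\n"
HARD_MEMCACHED = "-m 64\n-p 11211\n-U 0\n-l 127.0.0.1\n"
WEAK_SNMPD = "# shipped example\nrocommunity public\nrwcommunity private\n"
HARD_SNMPD = "rocommunity Sv8qRt2k 10.0.0.0/8   # placeholder community, management network only\n"

if __name__ == "__main__":
    for finding in audit_all(WEAK_NTP, WEAK_MEMCACHED, WEAK_SNMPD):
        print("WEAK:", finding)
    print("hardened findings:", audit_all(HARD_NTP, HARD_MEMCACHED, HARD_SNMPD))
```

The hardened SNMP line still uses v2c, which only restricts who may query; where the devices support it, SNMPv3 with authentication and a firewall rule on UDP 161 is the real fix, and for memcached the same applies to putting the service on a private interface rather than relying on the UDP switch alone.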

How Vercara can help

Reflection amplification attacks represent a persistent and potent threat in the cybersecurity landscape. By exploiting fundamental internet protocols and leveraging the resources of unsuspecting third parties, attackers can launch devastating DDoS campaigns with minimal effort and high anonymity. The defense against these attacks is not a single solution but a strategic combination of proactive hardening, intelligent network design, and robust mitigation capabilities.

Vercara’s UltraDDoS Protect delivers a specialized approach to mitigating DDoS attacks with powerful defense mechanisms using on-premises hardware, cloud services, or hybrid solutions. Designed to accommodate various organizational requirements, Vercara offers a range of DDoS Protection services including blocking, redirecting, and cloud-based mitigation. These offerings ensure a thorough and adaptable defense against DDoS threats.

For further insights into protecting your business from cyber threats, reach out to our cybersecurity experts or explore comprehensive mitigation solutions that cater to your organization’s specific needs.

Published On: March 3, 2026
Last Updated: March 3, 2026
