LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a Distributed Reflection Denial of Service (DRDoS) attack?

The attacker sends small requests with the victim's spoofed IP as the source to many third-party servers, which then flood the victim with their (usually amplified) replies.

This combines two ideas:

  • Reflection: the attacker bounces traffic off innocent intermediaries (DNS resolvers, NTP, memcached, …). The victim sees attack traffic from thousands of legitimate-looking sources, not from the attacker.
  • Amplification: if the chosen protocol has a small request → big reply ratio, the attacker multiplies their bandwidth. Memcached famously had a ~50,000× amplification factor and powered the 1.35 Tbps GitHub attack in 2018 — then the largest DDoS on record (a separate ~1.7 Tbps memcached attack hit another target days later).

Example numbers:

Protocol Amplification factor
DNS ~28–54×
NTP (monlist) ~556×
memcached up to ~51,000×

Mitigations:

  • BCP 38 — ISPs filtering packets with forged source IPs at the edge (preventing the spoof in the first place).
  • Reflectors should disable or rate-limit large-response commands.
  • Victims rely on upstream scrubbing services (Cloudflare, Akamai, AWS Shield).

Tip: "Reflection" hides who is attacking, "amplification" boosts how much the attack delivers — most large UDP-based DDoS attacks use both.

From Quiz: ISF / Web Application Security Basics | Updated: Jul 14, 2026