Quiz Entry - updated: 2026.07.14
What is a Distributed Reflection Denial of Service (DRDoS) attack?
The attacker sends small requests with the victim's spoofed IP as the source to many third-party servers, which then flood the victim with their (usually amplified) replies.
This combines two ideas:
- Reflection: the attacker bounces traffic off innocent intermediaries (DNS resolvers, NTP, memcached, …). The victim sees attack traffic from thousands of legitimate-looking sources, not from the attacker.
- Amplification: if the chosen protocol has a small request → big reply ratio, the attacker multiplies their bandwidth. Memcached famously had a ~50,000× amplification factor and powered the 1.35 Tbps GitHub attack in 2018 — then the largest DDoS on record (a separate ~1.7 Tbps memcached attack hit another target days later).
Example numbers:
| Protocol | Amplification factor |
|---|---|
| DNS | ~28–54× |
NTP (monlist) |
~556× |
| memcached | up to ~51,000× |
Mitigations:
- BCP 38 — ISPs filtering packets with forged source IPs at the edge (preventing the spoof in the first place).
- Reflectors should disable or rate-limit large-response commands.
- Victims rely on upstream scrubbing services (Cloudflare, Akamai, AWS Shield).
Tip: "Reflection" hides who is attacking, "amplification" boosts how much the attack delivers — most large UDP-based DDoS attacks use both.