Recently Spamhaus and Cloudflare was hit by a massive DDoS attack. Where the 300Gbits/s is impressive, it is worth mentioning that situation it's not as dramatic as media described.
Attackers used public DNS servers (with enabled recursive resolving) to amplify volume of data. In short it works because DNS uses UDP protocol which is stateless (there is no "handshaking") and source address can be spoofed easily. What is more DNS servers respond to spoofed IP with even 100x bytes more than they've received therefore they are widely used as a data volume "amplifiers". Keeping in mind that this method succeeded mainly because of UDP nature, internet architecture and routing, we can use other applications based on UDP to amplify volume of data. Problem is not new and back in 2000 document "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" was created. You can read more on CNETs "How the Spamhaus DDoS attack could have been prevented"
Lets check some other possible "amplifiers". Online game servers will be a good start, because games commonly use UDP and many servers allow to query them for fetching their status, settings, players etc. Of course number of game servers can't be compared to number of "vulnerable" dns servers, which is 25 million according to Open DNS Resolver Project.
So today I've recreated my research I did couple years ago. I chose 5 popular (IMO) games and for each game I picked up 5 random empty servers from gametracker.com. Games that I've chosen are: Quake 3, Call of Duty 4, Counter Strike 1.6, Counter Strike Source and Team Fortress 2.
Here are the results:
| sent packet size | server 1 response size | server 2 response size | server 3 response size | server 4 response size | server 5 response size | average response size | % gain | ratio | servers @ gametracker | servers @ game-monitor | ||
| Q3 | 56 | 923 | 757 | 933 | 988 | 1007 | 921.6 | 1646 | 16.46 | 400 | 1290 | |
| COD4 | 56 | 450 | 448 | 538 | 585 | 523 | 508.8 | 909 | 9.09 | 5535 | 5392 | |
| CS 1.6 | 57 | 2070 | 2104 | 1730 | 2111 | 2028 | 2008.6 | 3524 | 35.24 | 30669 | 50054 | |
| CS:S | 108 | 1696 | 3525 | 1806 | 1717 | 2191 | 2187 | 2025 | 20.25 | 9696 | 16963 | |
| TF2 | 108 | 2319 | 2589 | 3723 | 2775 | 2837 | 2848.6 | 2638 | 26.38 | 6560 | 13875 |
So it is clear that the best candidate for "amplifier" from my small test set is Counter Strike 1.6 because of average 35-to-1 ratio and the biggest estimated number of public servers. Nevertheless it can't be compared to DNS open recursive resolvers.
PS. Both Q3 and COD4 use same network protocol in application layer (Quake3). Same situation is with TF2 and CS:S (Source).
PS 2. In the past there was similar issue with spoofed ICMP protocol packets and it is called Smurf attack
