
UDP amplification DDoS: the ports attackers reflect off

How reflection and amplification DDoS attacks abuse UDP services like DNS, NTP, SNMP, SSDP and Memcached — with amplification factors and how to avoid being a reflector.


Distributed denial-of-service attacks no longer need a huge botnet. With reflection and amplification, an attacker turns ordinary, misconfigured UDP servers into a force multiplier — sending tiny requests that trigger enormous replies aimed at a victim. This post explains how the technique works, which UDP ports are abused, and how to make sure your own infrastructure is never the reflector.

How reflection and amplification work

UDP is connectionless: there is no handshake, so a server cannot verify who really sent a request. An attacker exploits this in two steps:

  1. Reflection — the attacker spoofs the victim's IP address as the source of a UDP request and sends it to a public server. The server's reply goes to the victim, not the attacker.
  2. Amplification — the attacker picks a protocol where a small request produces a large response. The ratio between them is the amplification factor. A request of 60 bytes that yields a 6,000-byte answer gives a 100x amplification.

Combine the two across thousands of open servers and a modest uplink becomes a multi-hundred-gigabit flood. You can browse all ports to look up any UDP service you find answering the public internet.
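As an added example that is not part of this post, the following Python script applies the amplification-factor idea to flow records exported from your own network: for each of your hosts, a service port from the table in the next section, and a peer, it sums bytes in versus bytes out and flags pairs whose bandwidth amplification factor (reply bytes divided by request bytes) is high. The record layout, the 192.0.2.0/24 "our network" prefix and the sample records are assumptions constructed for the demonstration.

```python
"""Flag our own hosts acting as UDP reflectors, from flow records.

Added example, not part of the original post. The records are constructed
NetFlow-style exports in an assumed simplified layout:
    ts proto src_ip src_port dst_ip dst_port bytes packets
For each (our host, service port, peer) it sums bytes in and bytes out and
computes the bandwidth amplification factor (BAF) the post defines: out / in.
"""
from collections import defaultdict
from typing import Dict, List

# Ports from the post's table, port -> service name.
AMPLIFIER_PORTS = {
    7: "Echo", 19: "CharGEN", 53: "DNS", 123: "NTP", 161: "SNMP",
    389: "CLDAP", 1900: "SSDP", 3702: "WS-Discovery", 5353: "mDNS",
    5683: "CoAP", 11211: "Memcached", 27015: "Steam / Source query",
}

# RFC 5737 documentation prefix standing in for our own address space (assumption).
OUR_PREFIX = "192.0.2."

# Constructed sample: 203.0.113.10 is the spoofed victim address, which is all
# our flow export ever sees; 192.0.2.5 runs Memcached on UDP and answers it.
SAMPLE_FLOWS = """\
1700000001 udp 203.0.113.10 40000 192.0.2.5 11211 15 1
1700000001 udp 192.0.2.5 11211 203.0.113.10 40000 500000 360
1700000002 udp 203.0.113.10 40000 192.0.2.5 11211 15 1
1700000002 udp 192.0.2.5 11211 203.0.113.10 40000 500000 360
1700000003 udp 203.0.113.10 40000 192.0.2.5 11211 15 1
1700000003 udp 192.0.2.5 11211 203.0.113.10 40000 500000 360
1700000004 udp 198.51.100.7 53211 192.0.2.53 53 60 1
1700000004 udp 192.0.2.53 53 198.51.100.7 53211 512 1
1700000005 udp 198.51.100.9 123 192.0.2.7 123 48 1
1700000005 udp 192.0.2.7 123 198.51.100.9 123 48 1
1700000006 tcp 198.51.100.9 44321 192.0.2.5 11211 900 4
"""


def parse_flows(text: str) -> List[Dict]:
    """Parse the whitespace-separated records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, nbytes, npkts = line.split()
        flows.append({
            "ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes), "pkts": int(npkts),
        })
    return flows


def find_reflection(flows: List[Dict], min_baf: float = 20.0,
                    min_out_bytes: int = 100_000) -> List[Dict]:
    """Return peers that receive far more from one of our amplifier ports than they send to it."""
    # (our_ip, our_port, peer_ip) -> [bytes_in, bytes_out]
    tally = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] != "udp":
            continue  # reflection needs a connectionless protocol; TCP flows are ignored
        if f["dst"].startswith(OUR_PREFIX) and f["dport"] in AMPLIFIER_PORTS:
            tally[(f["dst"], f["dport"], f["src"])][0] += f["bytes"]   # request in
        elif f["src"].startswith(OUR_PREFIX) and f["sport"] in AMPLIFIER_PORTS:
            tally[(f["src"], f["sport"], f["dst"])][1] += f["bytes"]   # reply out
    findings = []
    for (our_ip, port, peer), (bytes_in, bytes_out) in tally.items():
        if bytes_out < min_out_bytes:
            continue  # too little traffic to matter, whatever the ratio
        baf = bytes_out / bytes_in if bytes_in else float("inf")
        if baf >= min_baf:
            findings.append({
                "reflector": our_ip, "port": port, "service": AMPLIFIER_PORTS[port],
                "peer": peer, "bytes_in": bytes_in, "bytes_out": bytes_out, "baf": baf,
            })
    findings.sort(key=lambda x: x["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for hit in find_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['reflector']}:{hit['port']} ({hit['service']}) -> {hit['peer']}: "
              f"{hit['bytes_out']:,} B out for {hit['bytes_in']:,} B in, BAF {hit['baf']:,.0f}x")
```

The peer it reports is the spoofed victim, not the attacker: by construction a reflector never sees the attacker's real address, so the right response is to stop answering, not to block the peer. The min_out_bytes floor keeps ordinary small exchanges, such as the single DNS query and NTP poll in the sample, from being flagged on ratio alone; min_baf of 20 sits below the factors in the table for every service except the low-ratio ones, and above what normal queries produce.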

The UDP ports attackers reflect off

These are the classic amplifiers. Each links to its ProtocolPorts reference page:

Port     Service                 Typical amplification
7        Echo                    ~2-3x
19       CharGEN                 ~358x
53       DNS                     ~28-54x
123      NTP (monlist)           ~556x
161      SNMP                    ~6-9x
389      CLDAP                   ~56-70x
1900     SSDP                    ~30x
3702     WS-Discovery            ~150x
5353     mDNS                    ~10x
5683     CoAP                    ~10-50x
11211    Memcached               ~10,000-51,000x
27015    Steam / Source query    ~5x

DNS, NTP and SNMP

Port 53 (DNS) is one of the oldest reflectors: an open recursive resolver answers anyone, and a short query can return a large response. Port 123 (NTP) was devastating thanks to the monlist command, which returns the last 600 clients in one packet for a tiny request. Port 161 (SNMP) GetBulk requests can pull large tables from network gear.

SSDP, mDNS, WS-Discovery and CLDAP

Discovery protocols are everywhere on consumer and enterprise networks. Port 1900 (SSDP) leaks from exposed UPnP devices, port 5353 (mDNS) and port 3702 (WS-Discovery) from printers and cameras, and port 389 (CLDAP) from misconfigured directory servers — all of which respond with far more data than they receive.

The record holder: Memcached

Port 11211 (Memcached) produced the largest amplification ever seen — up to roughly 50,000x. A single 15-byte request could return megabytes of stored data, which is how the 1.3 Tbps attacks of 2018 were built. Memcached should never listen on UDP or face the internet at all.

CharGEN, Echo, CoAP and game servers

Legacy diagnostics like port 19 (CharGEN) and port 7 (Echo) still exist on old gear and amplify well. Newer IoT protocols such as port 5683 (CoAP) and game-server queries on port 27015 round out the list.

How to avoid being a reflector

You cannot control attackers, but you can make sure your servers are not the weapon:

  • Do not expose these UDP services to the internet. Bind them to private interfaces and restrict access to trusted networks.
  • Disable abusable features — turn off NTP monlist, disable DNS recursion on authoritative servers, and never run Memcached on UDP.
  • Implement BCP38 / source-address validation at your network edge so spoofed packets claiming someone else's IP cannot leave your network. This kills reflection at the source.
  • Rate-limit responses (for example DNS RRL) where the service must stay public.
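As an added example (not the post's own code), this Python script audits the settings the list above names, using constructed weak and hardened configuration samples: ntpd's monlist exposure (disable monitor and noquery on restrict default), BIND's recursion, allow-recursion and rate-limit directives, and memcached's -U (UDP port) and -l (bind address) flags. The sample configs, and the file paths inside them, are assumptions for the demonstration.

```python
"""Audit ntpd, BIND and memcached configs for reflection-enabling settings.

Added example, not part of the original post. Checks:
  ntpd       'disable monitor' and 'noquery' on 'restrict default' (monlist)
  BIND       'recursion', 'allow-recursion', 'rate-limit' (open recursion, RRL)
  memcached  '-U' (UDP port; 0 disables it) and '-l' (bind address)
The weak and hardened sample configs below are constructed for illustration.
"""
import re
import shlex
from typing import List

NTP_WEAK = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""
NTP_HARDENED = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
BIND_WEAK = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
};
"""
BIND_HARDENED = """\
options {
    directory "/var/cache/bind";
    recursion no;                                      // authoritative only
    rate-limit { responses-per-second 5; window 5; };  // DNS RRL
};
"""
MEMCACHED_WEAK = "-m 64 -p 11211 -U 11211 -l 0.0.0.0"
MEMCACHED_HARDENED = "-m 64 -p 11211 -U 0 -l 127.0.0.1"


def audit_ntp(conf: str) -> List[str]:
    findings = []
    monitor_off = re.search(r"^\s*disable\s+(?:\w+\s+)*monitor\b", conf, re.M)
    default_flags = re.findall(r"^\s*restrict\s+(?:-[46]\s+)?default\b(.*)$", conf, re.M)
    if not default_flags:
        findings.append("ntpd: no 'restrict default' line, so queries are unrestricted")
    for flags in default_flags:
        if "noquery" not in flags.split():
            findings.append("ntpd: 'restrict default' lacks noquery; monlist and other mode 6/7 queries are answered")
    if not monitor_off:
        findings.append("ntpd: 'disable monitor' missing; the monlist table is still collected")
    return findings


def audit_bind(conf: str) -> List[str]:
    findings = []
    body = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)  # drop comments
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    recursion_on = rec is None or rec.group(1) == "yes"  # BIND's default is recursion yes
    allow = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    if recursion_on:
        if allow is None:
            findings.append("bind: recursion on with no allow-recursion ACL; set 'recursion no' on authoritative servers")
        elif "any" in [a.strip() for a in allow.group(1).split(";") if a.strip()]:
            findings.append("bind: allow-recursion { any; } makes this an open resolver")
    if not re.search(r"\brate-limit\s*\{", body):
        findings.append("bind: no rate-limit block (response rate limiting) configured")
    return findings


def audit_memcached(cmdline: str) -> List[str]:
    findings = []
    argv = shlex.split(cmdline)

    def opt(flag: str):
        # value of a short option given as '-U 0' or '-U0'
        for i, a in enumerate(argv):
            if a == flag and i + 1 < len(argv):
                return argv[i + 1]
            if a.startswith(flag) and len(a) > len(flag):
                return a[len(flag):]
        return None

    udp = opt("-U")
    if udp is None:
        findings.append("memcached: UDP not explicitly disabled; add '-U 0' (UDP was on by default before 1.5.6)")
    elif udp != "0":
        findings.append(f"memcached: UDP listener enabled on port {udp}; set '-U 0'")
    if opt("-l") in (None, "0.0.0.0", "::"):
        findings.append("memcached: listening on all interfaces; bind to loopback or a private address with -l")
    return findings


if __name__ == "__main__":
    for name, weak, hard, fn in [("ntpd", NTP_WEAK, NTP_HARDENED, audit_ntp),
                                 ("bind", BIND_WEAK, BIND_HARDENED, audit_bind),
                                 ("memcached", MEMCACHED_WEAK, MEMCACHED_HARDENED, audit_memcached)]:
        print(f"{name}: weak -> {fn(weak)}")
        print(f"{name}: hardened -> {fn(hard)}")
```

Point the three audit functions at the real ntp.conf, named.conf and memcached command line (for example from /proc/PID/cmdline) to get the same findings on a live host. The checks are deliberately conservative: the BIND check reports recursion without an explicit ACL as something to review rather than as an open resolver, and the memcached check treats a missing -U as a finding because older builds enabled UDP by default.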

Conclusion

Reflection and amplification turn helpful, connectionless UDP services into DDoS cannons. The ports above — from DNS and NTP to the record-breaking Memcached — are abused precisely because they answer strangers with oversized replies. Keep them off the public internet, disable the features that make them dangerous, and adopt BCP38 so your network can never spoof. Doing so protects both your would-be victims and your own bandwidth bill.
