This document discusses various protocols that are vulnerable to bandwidth amplification attacks, where a small request results in a disproportionately large response, which can be used to amplify the size and impact of a DDoS attack. It lists NTP, CharGEN, and QOTD as some protocols that have amplification factors of over 100, making them highly effective for amplification attacks. It also provides various URLs for further information on billion laughs attacks, massive DNS amplification attacks, and an alert from US-CERT on understanding and mitigating amplification DDoS attacks.

2. https://www.niiconsulting.com
http://securitythoughts.wordpress.com
http://twitter.com/washalsec

4. • !Availability = DoS

10. • < 1 KB input => 3 GB memory use
https://en.wikipedia.org/wiki/Billion_laughs

11. https://www.incapsula.com/blog/massive-dns-ddos-flood.html

12. • 1 KB (request) --------> 300 KB (response)

13. Protocol Bandwidth Amplification Factor Vulnerable Command
NTP 556.9 Monlist request
CharGEN 358.8 Character generation request
QOTD 140.3 Quote request
RIPv1 131.24 Malformed request
Quake Network Protocol 63.9 Server info exchange
DNS 28 to 54 Open resolution
SSDP 30.8 SEARCH request
Portmap (RPCbind) 7 to 28 Malformed request
Kad 16.3 Peer list exchange
Multicast DNS (mDNS) 2 to 10 Unicast query
SNMPv2 6.3 GetBulk request
Steam Protocol 5.5 Server info exchange
NetBIOS 3.8 Name resolution
BitTorrent 3.8 File search
https://www.us-cert.gov/ncas/alerts/TA14-017A

15. @washalsec