Usual suspects
User Datagram Protocol
• DNS
• NTP
• SSDP
• SNMP
• Chargen
Weighted
• X – absolute number of amplifiers that fall in
• Y - axis amplification multiplier
DNS
0
20000
40000
60000
80000
100000
120000
140000
160000
13 14 15 16 18 19 20 21 23 24 25 26 28 29 30 31 33 34 35 36 38 39 40 41 43 44 45 46 47 49 50 51 52 54 55 56 57 59 60
NTP
0
2000
4000
6000
8000
10000
12000
14000
35 90 145 200 255 310 365 420 475 530 585 640 695 750 805 860 915 970 1025 1080 1135 1190 1245 1300 1355
Chargen
0
50
100
150
200
250
300
350
400
12 23 34 45 56 67 78 89 100 111 122 133 144 155 166 177 188 200 211 222 233 244 255
SNMP
0
50000
100000
150000
200000
250000
300000
30 32 34 37 39 41 43 46 48 50 53 55 57 59 62 64 66 69 71 73 75 78 80
SSDP
0
50000
100000
150000
200000
250000
300000
350000
400000
60
63
66
69
72
75
78
81
84
87
90
93
96
99
10
2
10
5
10
8
11
1
11
4
11
7
12
0
12
3
12
6
12
8
13
1
13
4
13
7
14
0
14
3
14
6
14
9
15
2
15
5
15
8
16
1
16
4
16
7
17
0
17
3
17
6
17
9
and measured
• X integral multiplier in IPv4 on
• Y timeline since 1 June to 5th October 2014
Integral Multiplier
0
200000000
400000000
600000000
800000000
1E+09
1.2E+09
1.4E+09
1.6E+09
1.8E+09
Chargen
NTP
DNS
SNMP
SSDP
Total
Bottom line
Road notes:
1. 1.6B packets per one packet of a 1st stage –WOW!
2. SSDP is the king of a day.
Hypothesis:
We’re all not dead (yet) because SSDP amplifiers situated at periphery of the network.
Its not about how much packets you can generate with 2nd stage – its about how many will reach the target.
mailto:[email protected]: %ASN amp.report
Questions?