How Reflection and Amplification Attacks work
Computers often rely on external services for specific functions. For instance, an NTP server may be used to synchronize system time, or a DNS server may be used to resolve domain names. Attackers can exploit this reliance to initiate reflection and amplification attacks.
Reflection and amplification attacks inundate the target host with superfluous network traffic. When the target host is directly connected to the Internet, an attacker can leverage any public server to redirect traffic to it. The attacker crafts a request with the target host's IP address as the source and sends it to a public server. The server, responding to the source address in the request, sends the reply to the target host.
Consider a scenario in which an attacker initiates a reflection attack against a host connected to the Internet. The attacker generates a query message with the target host's IP address as the source and sends it to a public NTP server. For example, if the attacker's IP address is 1.1.1.1 and the target's IP address is 2.2.2.2, the attacker uses 2.2.2.2 as the source address in the query. Upon receiving the query, the NTP server assumes that host 2.2.2.2 is requesting the current time and sends the response to that address. Because host 2.2.2.2 did not initiate the request, it discards the unsolicited response. However, the host must still process the incoming data to determine its relevance, which consumes computational resources and network bandwidth.
The intermediary server that redirects unwanted traffic to the target is called a reflector, and this method is known as a reflection attack.

Attackers can employ multiple reflectors concurrently to generate a substantial volume of traffic directed at the target host. For instance, the attacker may send identical query messages to several NTP servers, each of which will respond to the target host simultaneously. The following diagram demonstrates a reflection attack utilizing multiple reflectors.

If the target host lacks direct Internet connectivity, an attacker may exploit a server within the same network. For example, if the target resides on a private network, the attacker can utilize a server that offers services to that network. The attacker scans for available services and transmits spoofed packets to one of them.
A spoofed packet is a network packet whose source address field is falsified to appear that the IP originates from another host, typically the target system. Because the incoming packets display the IP address of an authorized host in the source field, the server permits them to access the service. The service then generates reply packets, which are sent to the target host.

Amplification attacks
An amplification attack represents an escalation of a reflection attack. Certain services, such as DNS and NTP, can generate disproportionately large responses. If an attacker leverages such a service during a reflection attack, the volume of traffic directed at the target can be significantly increased.
During an amplification attack, the attacker exploits a feature or vulnerability in a service to elicit a large volume of data in response to a single query. The service, upon receiving the spoofed request, forwards the amplified data to the target host. By directing substantial traffic toward the target, the attacker can consume significant network bandwidth and potentially overwhelm the target system, especially when multiple reflectors are used.

Conclusion
Reflection and amplification attacks exploit the inherent trust and operational features of network services to inundate targets with unsolicited traffic. By employing IP address spoofing and utilizing services capable of generating substantial responses, attackers can greatly amplify the effects of their attacks. Such attacks may deplete the target's resources, disrupt standard operations, and inflict considerable harm. A comprehensive understanding of these attack vectors is essential for devising effective defense strategies and safeguarding systems.
Author Laxmi Goswami Updated on 2026-01-12