An amplification attack usually uses spoofing of a target to an amplifier. This amplifier somehow increases the return packet by a certain factor.
DNS servers are often used for amplified attacks. Especially when they are recursing for everyone a lot of data can be amplified out of their cache.
Word has it that Akamai has turned off ANY replies on their DNS servers.
IPv4 Broadcast Amplifiers
Smurf used IPv4 ICMP (for UDP see fraggle) directed at broadcast addresses to amplify an attack. Due to the nature of IPv4 broadcasting a lot of hosts would respond to one single ICMP echo request.
TCP can't really be used for amplification as it's a stateful protocol. However if you send 40 bytes in a TCP SYN packet you may be able to amplify it by a few bytes, due to the adding of MSS TCP options, so not really worth it from an attackers perspective. It may be used as a deflection attack simply to hide information about the source (which is spoofing).
Solutions to prevent Amplification attacks
- UDP and ICMP are stateless protocols so they don't require a handshake to create a state between two hosts. A handshake uses large sequence numbers that are randomized to prevent an attacker from guessing the replies to a spoofed target.
- spoofing should be filtered at routers on egress.
- Perhaps turn UDP off on DNS? Other good ideas exist, like using tokens/cryptography.
- design protocols so that they don't reply large amount of data upon a single query via stateless protocls such as UDP.