Computing resource service providers may offer a variety of services to customers accessible over a network, such as the Internet. Customers may transmit requests to the computing resource service provider, and the computing resource service provider may respond with information associated with the request. In certain situations the response may be disproportionately larger, in terms of the amount of data, than the request provided by the customer. Attackers may use this disproportionately larger response to flood the computing resources of a target. These types of attacks are referred to as amplification attacks.
An amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publicly accessible open computing resources of a computing resource service provider to flood or otherwise overload a target system with response traffic. Certain attack techniques consist of an attacker sending a Domain Name Server (DNS) name lookup request to an open DNS server with the source address spoofed as the target's address. When the DNS server sends the DNS record response, it is sent to the target instead of the attacker as a result of the spoofed address. Attackers will typically submit a request for as much information as possible to maximize the amplification effect. Furthermore, attackers may transmit similar requests to multiple computing resource service providers in order to increase the amount of response traffic to the target. Since the size of the response is considerably larger than the request, attackers are able to increase the amount of traffic directed at the target with little overhead on the computing resources of the attacker. By leveraging a botnet to produce a large number of spoofed requests, attackers can create a large amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks.
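The request/response size imbalance described above is also what a server operator can measure. The following added example (not part of the original text) computes the per-source amplification factor from resolver logs and flags claimed source addresses that look like reflection targets. The log format, sample lines, function names, and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed resolver log lines (not from the page):
# claimed source IP, query type, request bytes, response bytes.
SAMPLE_LOG = """\
198.51.100.7 ANY 64 3100
198.51.100.7 ANY 64 3050
198.51.100.7 ANY 64 3120
198.51.100.7 TXT 70 2800
203.0.113.20 A 60 92
203.0.113.20 AAAA 60 104
203.0.113.21 A 58 90
203.0.113.21 MX 62 410
"""

def parse(log_text):
    """Yield (source, qtype, request_bytes, response_bytes) per valid line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing
        src, qtype, req, resp = fields
        if req.isdigit() and resp.isdigit() and int(req) > 0:
            yield src, qtype, int(req), int(resp)

def amplification_by_source(log_text):
    """Return {source: (queries, request_bytes, response_bytes, factor)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for src, _qtype, req, resp in parse(log_text):
        t = totals[src]
        t[0] += 1
        t[1] += req
        t[2] += resp
    return {s: (n, rq, rs, rs / rq) for s, (n, rq, rs) in totals.items()}

def likely_reflection_targets(log_text, min_factor=10.0, min_queries=3):
    """Sources whose claimed address receives far more data than it 'sent'.

    Thresholds are illustrative assumptions; tune them against real baselines.
    """
    stats = amplification_by_source(log_text)
    return sorted(s for s, (n, _rq, _rs, f) in stats.items()
                  if n >= min_queries and f >= min_factor)

if __name__ == "__main__":
    for src, (n, rq, rs, f) in amplification_by_source(SAMPLE_LOG).items():
        print(f"{src}: {n} queries, {rq} B in, {rs} B out, factor {f:.1f}")
    print("flag:", likely_reflection_targets(SAMPLE_LOG))
```

Because the source address is spoofed, a flagged address is the probable victim rather than the sender, so the appropriate action is rate limiting responses toward it, not blocking it as an offender.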