3 Feb 2014, 4:52 a.m.
On Sun, Feb 02, 2014 at 02:49:49PM -0800, Matthew Petach <mpetach@netflight.com> wrote a message of 49 lines which said:
If NTP responded to a single query with a single equivalently sized response, its effectiveness as a DDoS attack would be zero; with zero amplification, the volume of attack traffic would be exactly equivalent to the volume of spoofed traffic the originator could send out in the first place.
It is a bit more complicated. Reflection with amplification is certainly much less useful for an attacker, but it still has some advantages: the attack traffic coming to the victim's AS will be distributed differently (entering via different peers), making tracking the attacker through NetFlow/IPFIX more difficult.
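An added illustration, not part of the original message: how a victim AS could profile NTP-sourced traffic per ingress peer from its flow data. The flow records, peer names and addresses (documentation ranges) are constructed, and the record layout is an assumption rather than a real NetFlow/IPFIX export format.

```python
from collections import defaultdict

# Constructed flow records as seen at the victim AS border (not real data).
# Fields: ingress peer, source IP, IP protocol, source port, destination IP, bytes.
FLOWS = [
    ("peer-A", "192.0.2.10",   17, 123, "203.0.113.5", 440_000),
    ("peer-A", "192.0.2.77",   17, 123, "203.0.113.5", 220_000),
    ("peer-B", "198.51.100.3", 17, 123, "203.0.113.5", 330_000),
    ("peer-C", "198.51.100.9", 17, 123, "203.0.113.5", 110_000),
    ("peer-B", "198.51.100.4", 6,  443, "203.0.113.5", 50_000),  # unrelated TCP
    ("peer-A", "192.0.2.10",   17, 123, "203.0.113.8", 900),     # different host
]


def ntp_ingress_profile(flows, victim):
    """Summarise UDP traffic with source port 123 towards `victim`, per ingress peer.

    The source addresses counted here are the reflectors, so the ingress
    peers reflect where the reflectors sit, not where the spoofing host is.
    """
    bytes_by_peer = defaultdict(int)
    sources_by_peer = defaultdict(set)
    for peer, src, proto, sport, dst, nbytes in flows:
        if proto == 17 and sport == 123 and dst == victim:
            bytes_by_peer[peer] += nbytes
            sources_by_peer[peer].add(src)
    total = sum(bytes_by_peer.values())
    return {
        peer: {
            "bytes": nbytes,
            "share": nbytes / total,
            "sources": len(sources_by_peer[peer]),
        }
        for peer, nbytes in bytes_by_peer.items()
    }


if __name__ == "__main__":
    profile = ntp_ingress_profile(FLOWS, "203.0.113.5")
    for peer, row in sorted(profile.items()):
        print(f"{peer}: {row['bytes']} bytes, {row['share']:.0%} of NTP-sourced "
              f"traffic, {row['sources']} distinct sources")
```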