Cloudflare, which hosts many customers, has handled many DDoS attacks. Some time ago there were DNS amplification attacks; now there is an NTP amplification DDoS attack. There are two essential conditions for such amplification attacks to work:
- A large reply in response to a very small request – this allows an attacker with a small set of hosts and limited bandwidth to trigger a very large attack on the target.
- Source IP address spoofing. This allows the attacker to send request packets that appear to come from the target, thereby redirecting all the responses to the target.
One of the fixes suggested to guard against IP address spoofing is a nonce, briefly described here. If I understand it correctly, it requires the client to resend a nonce (a random value) that was sent to it as part of the first reply before any further replies are sent. If the nonce is not received (because the receiver is not interested in the reply), no further replies are sent. This at least mitigates the amplification effect, if not the DDoS attack altogether.
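To make the nonce mechanism concrete, here is a small simulation of a server that withholds its large reply until the requester echoes a nonce. This is an added example, not code from Cloudflare or from the original post; the QUERY/PROOF message format, the packet sizes and the addresses are constructed for illustration.

```python
import secrets
import time

# Constructed sizes for illustration: QUERY mimics a fixed 48-byte request
# and LARGE_REPLY stands in for a multi-packet answer such as NTP monlist.
QUERY = b"QUERY".ljust(48, b"\0")
LARGE_REPLY = b"D" * 468
NONCE_LEN = 8
NONCE_TTL = 30  # seconds a nonce stays valid


class NonceServer:
    """Answer a query with only a nonce; send the large reply only after
    the requester echoes that nonce back from the same source address."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # (src_ip, nonce) -> expiry time

    def handle(self, src_ip, datagram):
        """Return the datagram that would be sent to src_ip (b"" = nothing)."""
        if datagram.startswith(b"QUERY"):
            nonce = secrets.token_bytes(NONCE_LEN)
            self.pending[(src_ip, nonce)] = self.clock() + NONCE_TTL
            # This first reply is smaller than the request, so a spoofed
            # query cannot amplify traffic toward the forged source.
            return b"NONCE " + nonce
        if datagram.startswith(b"PROOF "):
            nonce = datagram[6:6 + NONCE_LEN]
            expiry = self.pending.pop((src_ip, nonce), None)
            if expiry is not None and self.clock() <= expiry:
                return LARGE_REPLY
        return b""  # unknown, replayed, wrong source or expired: drop


def legitimate_exchange(server, client_ip):
    """A real client receives the nonce, echoes it and gets the reply."""
    first = server.handle(client_ip, QUERY)
    return server.handle(client_ip, b"PROOF " + first[len(b"NONCE "):])


def spoofed_exchange(server, victim_ip, guesses=100):
    """Attacker forges victim_ip: the nonce goes to the victim, so the
    attacker can only guess. Returns (bytes sent, bytes reaching victim)."""
    sent, received = len(QUERY), len(server.handle(victim_ip, QUERY))
    for _ in range(guesses):
        probe = b"PROOF " + secrets.token_bytes(NONCE_LEN)
        sent += len(probe)
        received += len(server.handle(victim_ip, probe))
    return sent, received
```

With the nonce in place the bytes reaching the forged source never exceed the bytes the attacker had to send, so the amplification factor stays at or below one; a genuine client still gets the full reply.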
Going forward, there is a lesson for protocol designers to learn: make sure the reply to a request does not invite a DDoS attack.