Vulnerabilities Causing DDoS Attacks
It's safe to say that most customers would not be part of a DDoS attack by choice. If your server is vulnerable to or currently part of a DDoS attack it will require action on your part to correct the issue to prevent it from happening or to stop it and prevent it from happening again.
There are a number of very commonly known vulnerabilities that can cause your server to be part of a DDoS attack by what's called 'reflection'. This involves sending forged requests to a very large number of computers only to have those computers reply to the forged requests. When forging the requests the target of the attack is used as the source IP address which means all the replies will go to (and flood) the target.
Some services will actually reply to requests with more data than they received which is an opportunity for the attacker to amplify the attack against their target. They will use services that not only reflect packets back to spoofed sources but services that increase the amount of data sent to the target of the attack.
Services that are subject to amplification and spoofing are:
- NTP (https://kb.iweb.com/hc/en-us/articles/230268028-Guide-to-NTP-monlist-Amplification-Issues)
- Chargen (https://kb.iweb.com/hc/en-us/articles/230268088-Guide-to-Chargen-Amplification-Issues)
- DNS (https://kb.iweb.com/hc/en-us/articles/230267428-Guide-to-DNS-Open-Recursion-Amplification-Issues)
- QOTD (https://kb.iweb.com/hc/en-us/articles/230268148-Guide-to-QOTD-Amplification-Issues)
- Quake Network Protocol
- SNMPv2 (https://kb.iweb.com/hc/en-us/articles/230268048-Guide-to-Public-SNMP-Amplification-Issues)
- Steam Protocol
The services listed above are ordered with the highest amplification possible at the top and least at the bottom. The NetBIOS and BitTorrent protocols only amplify by a factor of approximately 4 but the NTP protocol will amplify traffic up to 550 times the amount originally sent. This means that sending 10 bytes of data to a misconfigured NTP server from a spoofed source could result in 5500 bytes sent to the target of the attack. Doing this thousands of times a minute with hundreds of reflectors involved could easily affect availability of services for the target of the attack.
Compromised account running malicious program
In some less common cases, a compromised user account or even a compromised website can be used to run malicious programs to perform denial of service attacks. In such case our article to diagnose Outbound Hostile Traffic might help you.