DrDoS aka distributed reflective denial-of-service
Open DNS resolver
dig ANY amiopen.openresolvers.org @x.x.x.x
Where x.x.x.x is the IP of a suspected open DNS resolver.
Checking a local host directly
*nix systems
dig +short amiopen.openresolvers.org TXT
Windows systems
nslookup
> set type=TXT
> amiopen.openresolvers.org
The ideal result is:
“Your resolver at ip.add.re.ss is CLOSED”
If the query comes back with results instead, your host can be used as a DNS DDoS amplification source.
We also recommend http://openresolverproject.org/
NTP
ntpdc -c monlist [hostname]
If this returns any output, your host can be used as an NTP DDoS amplification source.
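The DNS and NTP checks above can be scripted so a whole address range is audited the same way. The following is an added example, not part of the original page: it assumes dig, ntpdc and GNU coreutils timeout are installed, that amiopen.openresolvers.org still answers with the "is CLOSED" TXT record shown above, and (an assumption about ntpdc's output format) that a host which answers monlist prints a table whose header line begins with "remote address". The classifiers take the command output as text, so they can also be run over output captured earlier.

```shell
#!/bin/sh
# Added example (not from the original page): run the open-resolver and NTP
# monlist checks against one host and classify what comes back.
# Assumptions: dig, ntpdc and GNU coreutils `timeout` are installed, and
# amiopen.openresolvers.org still returns the "is CLOSED" TXT record.

# dns_status OUTPUT -> closed | open | no-answer
# OUTPUT is the text returned by: dig +short amiopen.openresolvers.org TXT @HOST
# Rule from the page: "is CLOSED" is the good case; any other answer means the
# host resolved a name on our behalf and can be abused as a reflector.
dns_status() {
    case "$1" in
        *"is CLOSED"*) echo closed ;;
        "")            echo no-answer ;;   # refused or timed out: not resolving for us
        *)             echo open ;;
    esac
}

# ntp_status OUTPUT -> exposed | ok
# OUTPUT is the text returned by: ntpdc -c monlist HOST
# Assumption: a host that answers monlist prints the client table, whose header
# line starts with "remote address"; a dropped request prints "timed out".
ntp_status() {
    case "$1" in
        *"remote address"*) echo exposed ;;
        *)                  echo ok ;;
    esac
}

# audit_host HOST: run both checks with short timeouts, print one line per check.
audit_host() {
    host=$1
    dns_out=$(dig +short +time=2 +tries=1 amiopen.openresolvers.org TXT "@$host" 2>/dev/null || true)
    echo "$host dns $(dns_status "$dns_out")"
    ntp_out=$(timeout 5 ntpdc -c monlist "$host" 2>/dev/null || true)
    echo "$host ntp $(ntp_status "$ntp_out")"
}

# Only runs the live checks when a host is given, e.g.: ./audit.sh 192.0.2.10
if [ $# -gt 0 ]; then
    audit_host "$1"
fi
```

A host reported as "dns open" or "ntp exposed" is one that will answer requests from arbitrary source addresses and therefore needs the resolver restricted to your own networks or monlist disabled (or the service firewalled), as the sections above describe.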
CHARGEN
Any device running CHARGEN can be used as a CHARGEN DDoS amplification source.
SNMP
Some of the first DrDoS attacks ever seen, in 2007/2008, came from SNMP because of how heavily it can amplify an attack (up to 650x). Because of this, most SNMP servers can restrict which IPs are allowed to query SNMP. It is also considered best practice to keep SNMP within your local network. Beyond restricting the SNMP service itself to specific IPs, create network rules that block all other IPs.