DrDoS, aka distributed reflective denial-of-service: the attacker sends UDP requests with the victim's address as the spoofed source to third-party servers, and the servers' (much larger) replies flood the victim. The checks below find services on your own hosts that can be abused as reflectors.
open DNS resolver
dig ANY amiopen.openresolvers.org @x.x.x.x
Where x.x.x.x is the IP of a suspected open DNS resolver. A full answer for a name the server is not authoritative for means it recurses for anyone who asks.
Checking the resolver a local host is configured to use
dig +short amiopen.openresolvers.org TXT
Or interactively with nslookup (same TXT query, against the system's default resolver):
nslookup
> set type=TXT
> amiopen.openresolvers.org
The expected result for a properly configured resolver is:
“Your resolver at ip.add.re.ss is CLOSED”
If the TXT record instead reports the resolver as OPEN, or the ANY query returns a full answer, the resolver answers recursive queries from arbitrary clients and can be used as a DNS amplification source. Fix it by limiting recursion to your own networks (for BIND, allow-recursion { <your-prefixes>; }; or recursion no; on a purely authoritative server).
We also recommend http://openresolverproject.org/
NTP monlist
ntpdc -c monlist [hostname]
If the command returns any output (a list of the server's recent clients), the server answers mode 7 monlist queries and can be used as an NTP amplification source: the request is 8 bytes and the reply can run to as many as 100 packets of 440 bytes. Fix it by adding disable monitor (or restrict default noquery) to ntp.conf, or by upgrading to an ntpd that disables mode 7 by default (4.2.7p26 and later).
CHARGEN
Any device running the CHARGEN service (UDP port 19, RFC 864) is subject to being a CHARGEN amplification source: it answers any datagram, even an empty one, with up to 512 random characters. Check with echo | nc -u -w 2 [hostname] 19; if anything comes back, disable chargen-udp (usually an inetd/xinetd service) or firewall the port.
SNMP
Some of the first DrDoS attacks seen, in 2007/2008, used SNMP because of how heavily it can amplify traffic (up to 650x: a small GetBulk request can return a very large response). Because of this, most SNMP agents can restrict which source IPs may query them; with net-snmp this is the address or prefix given on the rocommunity or com2sec line in snmpd.conf. It is also considered best practice to keep SNMP within your local management network. Beyond restricting the service itself to permitted source IPs, add firewall rules that drop UDP/161 from any other address, and prefer SNMPv3 over community-string v1/v2c where the devices support it.