What are the 11 Amplification Vectors from a recent Multi-vector DDoS Attack?

A 19-day analysis of 126,875 DDoS attacks uncovered a single Netherlands subnet absorbing 11 distinct amplification vectors and what that means for defenders everywhere.

[Figure: Map showing 126,875 total attacks on target 185.242.30.0/24 Netherlands over 19 days with 11 amplification vectors.]

Key Takeaways

  • Attackers now cycle through 10+ amplification vectors against single targets, defeating single-protocol defenses.
  • Legacy UDP services (CHARGEN, QOTD, Portmap) remain active in 2026. Any exposed port feeds tomorrow's DDoS floods.
  • Persistence patterns, not burst size, reveal the real threat. Low-volume sustained campaigns hide in baseline noise.
  • Multi-vector defense requires three layers: broad-spectrum UDP filtering, real-time amplifier intelligence, and behavioral anomaly detection.

Multi-vector DDoS attacks bounce traffic off vulnerable servers to overwhelm targets. Attackers combine multiple UDP/TCP reflection vectors at once, multiplying traffic volume and saturating bandwidth faster than single-vector attacks.

Between May 1 and May 20, 2026, the A10 Defend Threat Control platform observed 126,875 DDoS attacks across global infrastructure. Most victims fit a predictable profile: a single attack vector, usually DNS or NTP amplification, launched in short bursts. But one target broke the pattern. A /24 IP range hosted by a Western European hosting provider in the Netherlands (185.242.3.0/24) was targeted by at least eleven distinct amplification vectors during this window, often within minutes of one another.

That is not a coincidence. It is the signature of a deliberate, multi-vector DDoS campaign – the kind of attack pattern that defeats single-purpose mitigation and demands a layered defense.

Why a Single Subnet Drew Eleven Vectors

In a typical amplification attack, an attacker spoofs the victim’s IP address and sends small queries to vulnerable third-party servers. Those servers reply with much larger responses, all directed at the spoofed victim. The math favors the attacker: a few megabits of outbound query traffic can produce gigabits of inbound flood at the victim.

Many amplification campaigns rely on only one or two dominant vectors. The campaign against this Netherlands subnet cycled through 11. The vectors observed targeting it, in order of appearance:

The Eleven Vectors Observed

| Attack Vector | Protocol/Port | Why Attackers Use It |
|---|---|---|
| DNS | UDP/53 | Massive amplification factor (28x to 54x), widely exposed resolvers |
| NTP | UDP/123 | MONLIST command yields up to 556x amplification |
| CLDAP | UDP/389 | Up to 70x amplification from misconfigured LDAP servers |
| MSSQL | UDP/1434 | SQL browser service responds with server enumeration data |
| CHARGEN | UDP/19 | Legacy protocol returns up to 358 bytes per request byte |
| QOTD | UDP/17 | Quote-of-the-day service abused for small-scale amplification |
| TFTP | UDP/69 | File transfer error responses inflate reply size |
| NetBIOS | UDP/137 | Name service queries trigger large response packets |
| SNMP | UDP/161 | GetBulk requests amplify community-string responses |
| Portmap | UDP/111 | RPC enumeration replies used for reflection |
| Ubiquiti | UDP/10001 | Device discovery service abused on exposed routers |

Several of these – CHARGEN, QOTD, Portmap – are protocols most defenders consider obsolete. Their continued use in 2026 signals two things. First, vulnerable amplifiers are still exposed on the public internet in large enough numbers to be useful. Second, attackers will keep rotating through every working vector until one slips past whatever the target is filtering.

What this Pattern Means for Defenders

  1. Single-vector mitigation is no longer sufficient

    Many organizations deploy DNS-specific or NTP-specific rate limiting and consider themselves protected. The multi-vector pattern shows attackers will simply switch to MSSQL or Ubiquiti or CHARGEN the moment one channel is blocked. Effective protection requires baseline filtering across every UDP reflection vector, not just the popular ones.

  2. Legacy protocols are still in play

    CHARGEN dates to 1983. QOTD is even older. Yet both appeared in this dataset. Any infrastructure exposing these ports inbound or outbound, even as a misconfigured legacy service, is a participant in tomorrow’s amplification flood. Auditing for forgotten UDP services is no longer optional.

  3. Sustained campaigns hide behind the average

    Across the broader dataset, a UK consumer broadband /24 (2.27.173.0/24) received persistent CLDAP attacks roughly every minute for the entire 19-day window. Two Bangladeshi fixed-broadband ISPs absorbed continuous NTP attacks at a similar cadence. These slow-burn campaigns rarely make headlines because no single burst is large enough to make news, but the cumulative load is significant, and the pattern of persistence is itself the threat indicator.
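For the audit of forgotten UDP services called for in point 2, here is an added example (not A10's tooling) that checks a host's listening UDP sockets against the eleven ports in the table above. It assumes the input is the text of `ss -H -lun` on Linux; the function name and the sample output are constructed for illustration.

```python
from ipaddress import ip_address

# UDP ports of the eleven reflection vectors in the article's table.
REFLECTION_PORTS = {
    53: "DNS", 123: "NTP", 389: "CLDAP", 1434: "MSSQL", 19: "CHARGEN", 17: "QOTD",
    69: "TFTP", 137: "NetBIOS", 161: "SNMP", 111: "Portmap", 10001: "Ubiquiti",
}

def audit_udp_listeners(ss_output):
    """Parse `ss -H -lun` text; return sorted (port, service, bind_address, scope)."""
    findings = set()
    for line in ss_output.splitlines():
        # The local address is the first whitespace-separated field containing ':'.
        local = next((f for f in line.split() if ":" in f), None)
        if local is None:
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in REFLECTION_PORTS:
            continue
        addr = host.split("%")[0].strip("[]")   # drop %iface scope and IPv6 brackets
        try:
            loopback = ip_address(addr).is_loopback
        except ValueError:                      # '*' wildcard or unparsed form
            loopback = False
        scope = "loopback-only" if loopback else "network-reachable"
        findings.add((int(port), REFLECTION_PORTS[int(port)], host, scope))
    return sorted(findings)

# Constructed sample of `ss -H -lun` output (not taken from a real host).
SAMPLE_SS = """\
UNCONN 0      0             0.0.0.0:111        0.0.0.0:*
UNCONN 0      0       127.0.0.53%lo:53         0.0.0.0:*
UNCONN 0      0                [::]:123           [::]:*
UNCONN 0      0             0.0.0.0:68         0.0.0.0:*
UNCONN 0      0            10.0.0.5:161        0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit_udp_listeners(SAMPLE_SS):
        print(finding)
```

A socket reported as network-reachable may still be blocked by a host or perimeter firewall, so treat the result as a list of services to review rather than proof of exposure.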

Building a Defense that Matches the Threat

The multi-vector case offers a useful blueprint for defensive priorities. Three capabilities are essential to neutralize a multi-vector campaign:

  • Broad-spectrum reflection filtering. Rate limit and validate every UDP service known to be exploitable for amplification, not just the high-profile ones.
  • Real-time threat intelligence. Signature feeds that update as new amplifiers come online let mitigation devices block reflected traffic at the source.
  • Behavioral anomaly detection. When one IP sees protocol traffic it has never previously received, that itself is the alert. Patterns matter more than payloads.
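The behavioral check in the last bullet, as an added example (not A10's code or product logic): it flags the first time a destination /24 receives replies from one of the eleven reflection ports, and raises a second alert when two or more non-baseline vectors hit the same /24 inside a time window. The flow tuple layout, the 600-second window, the threshold of two and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# UDP source ports of the eleven reflection vectors in the article's table.
REFLECTION_PORTS = {
    53: "DNS", 123: "NTP", 389: "CLDAP", 1434: "MSSQL", 19: "CHARGEN", 17: "QOTD",
    69: "TFTP", 137: "NetBIOS", 161: "SNMP", 111: "Portmap", 10001: "Ubiquiti",
}

def detect(flows, baseline, window=600, multi_threshold=2):
    """Alert on inbound UDP flows given as (ts, src_ip, src_port, dst_ip) tuples.

    baseline maps a destination /24 to the vectors already normal for it.
    Window and threshold defaults are illustrative assumptions, not tuned values.
    """
    seen = defaultdict(set, {net: set(v) for net, v in baseline.items()})
    recent = defaultdict(dict)           # /24 -> {vector: last timestamp seen}
    flagged, alerts = set(), []
    for ts, _src, sport, dst in sorted(flows):
        vector = REFLECTION_PORTS.get(sport)
        if vector is None:               # not a known reflection source port
            continue
        net = str(ip_network(f"{dst}/24", strict=False))
        if vector not in seen[net]:      # protocol this /24 has never received
            seen[net].add(vector)
            alerts.append((ts, net, "new-vector", vector))
        recent[net][vector] = ts
        normal = baseline.get(net, set())
        active = sorted(v for v, t in recent[net].items()
                        if ts - t <= window and v not in normal)
        if len(active) >= multi_threshold and net not in flagged:
            flagged.add(net)             # report the rotation once per /24
            alerts.append((ts, net, "multi-vector", ",".join(active)))
    return alerts

# Constructed sample flows using documentation address ranges (not report data).
SAMPLE_FLOWS = [
    (0,   "192.0.2.10", 53,    "203.0.113.5"),   # DNS is in the baseline
    (60,  "192.0.2.11", 123,   "203.0.113.5"),   # first NTP replies for this /24
    (90,  "192.0.2.12", 443,   "203.0.113.5"),   # not a reflection port
    (120, "192.0.2.13", 389,   "203.0.113.9"),   # CLDAP, same /24: second vector
    (150, "192.0.2.14", 10001, "198.51.100.7"),  # other /24, single vector
]
BASELINE = {"203.0.113.0/24": {"DNS"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, BASELINE):
        print(alert)
```

Classifying by source port is a simplification: TFTP servers, for example, normally answer from an ephemeral port rather than 69, so that vector needs payload or request/response matching instead.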

The Bottom Line

The Netherlands subnet was not the largest DDoS target in the May 2026 dataset, nor the most frequently hit. It was the most diversely attacked. That distinction matters because it shows where DDoS is heading, away from single-vector volumetric floods and toward orchestrated, multi-protocol campaigns designed to find and exploit whichever defensive gap exists.

Explore the free dashboard version at threats.a10networks.com or sign up for a free trial to see what attackers are doing right now.


FAQs

A multi-vector DDoS attack uses two or more distinct attack methods against the same target, often within minutes of one another. Instead of relying on one technique like DNS amplification, attackers cycle through multiple protocols – DNS, NTP, CLDAP, MSSQL, Ubiquiti, and others – to bypass single-purpose defenses.

DNS amplification exploits open DNS resolvers. The attacker sends small queries spoofed to appear from the victim’s IP address, and the resolver replies with much larger DNS responses directed at the victim. Amplification factors reach 28x to 54x, meaning a few megabits of attacker query traffic can produce gigabits of inbound flood at the target. This makes DNS one of the most consistently exploited amplification vectors today.

CHARGEN dates to 1983 and QOTD is older still, yet both appeared in May 2026 attack data. Attackers use them because exposed legacy UDP services remain on the public internet in usable numbers, and most defenders have stopped monitoring these ports. CHARGEN can return up to 358 bytes per request byte, making it a reliable amplifier whenever a target’s defenses focus only on modern protocols.

Single-vector mitigation focuses on one attack type at a time, for example, DNS-specific rate limiting. Multi-vector mitigation applies baseline filtering across every UDP reflection vector known to be exploitable. Attackers will switch from DNS to MSSQL to Ubiquiti the moment one channel is blocked. Effective protection requires broad-spectrum coverage, not protocol-by-protocol patches.

Early detection depends on behavioral anomaly detection rather than payload inspection alone. When a subnet suddenly receives protocol traffic it has never previously seen, that change itself is the alert. Real-time threat intelligence feeds surfacing newly active amplifiers also help, allowing mitigation devices to block reflected traffic at the source before it consolidates into a measurable flood at the victim.

Reconnaissance attacks are small probes under 1 Gbps that map defenses. They fly under alert thresholds and test response patterns. Once attackers find gaps, they launch full multi-vector campaigns cycling through 10+ protocols. The initial probes and follow-up attacks both require detection to stay protected.