So both DNS and NTP can be abused in amplification DoS attacks. The obvious question is: which other protocols can potentially be exploited the same way?
Any protocol that rides in UDP and that will reply to an unsolicited n byte packet with a >n byte response. (But if the amplification factor is close to 1, then you might as well have your botnet just attack the target directly.)
Devices that speak SNMP and use "public" for their community could be used in an amplification attack. I don't know what the amplification factor would be, though, and I imagine there are loads more Internet-facing DNS and NTP servers than Internet-facing SNMP agents configured with a "public" community...
SNMP has a history of being horribly insecure, because it was assumed people wouldn't put their mgmt hardware on the public IPs. It should only be deployed in trusted networks. It's about as secure as nonkrb5, unencrypted telnet.
The most common attacks we have seen come from DNS, SNMP, and Chargen. You can get up to a 50k byte packet from a 64 byte response, but this is highly variable.
SNMP is more prevalent than you might think, it is present and unsecured in many firewalls, routers, and printers.
So I used to be the lead sysadmin for the largest profit-center dept at one of the most well known universities. I left due to pressure to degrade security of the network for credit card processing and cash registers. It wasn't a protest as much as wanting to keep some appearance of integrity.
On the plus side, the institution managed to deploy departmental firewalls and take Joe Sixpack's and Sally Sue's business desktops and servers off public IPs. If you wonder how many seconds it take to infect an unpatched windows box desktop, it's other the order of 60 s +- 25%. Yes, the desktop staff intentionally tried a few times just for kicks.
It's a cracker's paradise.... fast links and there are like 2 semi-security people. But their duties and tasks are so diffuse, it's almost impossible to catch anything except boxes.
Their organizational resistance even pushed away a couple of brilliant people you might have ran into at hope|ccc|bh.... Instituting a security officer and listening to them + letting them reach out to teach, influence are two different things.
