
An Analysis of DrDoS Methods: SYN Reflection DDoS Attacks


An Analysis of SYN Reflection DrDoS Attacks Selected excerpts

SYN reflection attacks are one of the more sophisticated distributed denial of service (DDoS) attack methods and typically require some skill to execute. However, they have recently grown in popularity as they have become available as a DDoS-as-a-Service application from the criminal underground. Now even a novice can launch a SYN reflection attack. Software developers in the criminal underground wrap web-based graphical user interfaces around sophisticated attack scripts and offer them as convenient DDoS-as-a-Service apps, some of which can even be launched from a phone.

DrDoS attacks

SYN reflection attacks are a type of distributed reflection and amplification denial of service (DrDoS) attack. DrDoS attacks harness the bandwidth and processing power of other people’s networked servers and devices to amplify the power of a denial of service attack.

SYN floods

SYN attacks are used against targets that support TCP, a core communication protocol that enables computers to transmit data, such as web pages and email, over the Internet. Before data is transmitted between machines, the computers must first establish a connection by a multi-step handshake. If the handshake cannot be completed, the computers will keep trying to connect, as shown in Figure 1. The result is a SYN flood.

Figure 1: In a SYN flood attack, SYN connection requests are repeated in rapid succession, until the target is overwhelmed


SYN reflection overwhelms the target

The addition of spoofing creates a more powerful SYN attack through the use of reflection techniques. In a SYN reflection attack, at least three systems are involved: The attacker’s device, an intermediary victim (one or many), and the target, as shown in Figure 2. Spoofing allows the attacker to falsify that the target server is the source of the handshake requests. As a result, the victim tries to engage the target. Often, this continues until one or both experience an outage.

The problem of backscatter from DDoS mitigation appliances

Mitigation equipment can contribute to the damage caused by SYN reflection attacks, because DDoS mitigation appliances are programmed to challenge the connection requests to ensure the requests are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, which creates backscatter toward the victim. More sophisticated mitigation techniques, such as packet analysis, can help minimize the problem of backscatter.

Get the full white paper for more details

Download the DrDoS series white paper, An Analysis of SYN Reflection Attacks, for details about the SYN reflection attacks and mitigation techniques, including:

Why SYN reflection attacks create so much damage

How attackers misuse the TCP handshake

The problem of backscatter

SYN reflection attack scenario

Three common SYN reflection techniques

Techniques for mitigating SYN attacks

Attack signature to identify and stop spoofed SYN reflection attacks

The more you know about DDoS attacks, the better you can protect your network against cybercrime. Download the free white paper An Analysis of SYN Reflection Attacks at www.prolexic.com/drdos.

About Prolexic

Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services. Learn more at www.prolexic.com.

Figure 2: SYN reflection attacks misdirect communication handshakes to the victim and target until they are overwhelmed
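
Seen from the target in Figure 2, reflected traffic arrives as SYN-ACK packets answering connection requests the target never sent. The following is an added example, not taken from the white paper, that flags such unsolicited SYN-ACKs in a constructed packet log; the record format, the documentation-range addresses and the `min_reflectors` threshold are assumptions.

```python
from collections import Counter

TARGET = "203.0.113.10"  # assumed address of the host being protected

# Constructed sample records captured at the target's edge:
# (time_s, direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    (0.00, "out", TARGET, 40001, "198.51.100.7", 443, "S"),
    (0.02, "in", "198.51.100.7", 443, TARGET, 40001, "SA"),  # solicited reply
    (0.10, "in", "192.0.2.21", 80, TARGET, 51000, "SA"),     # no matching SYN
    (0.11, "in", "192.0.2.22", 80, TARGET, 51001, "SA"),
    (0.12, "in", "192.0.2.23", 22, TARGET, 51002, "SA"),
    (1.10, "in", "192.0.2.21", 80, TARGET, 51000, "SA"),     # repeated attempt
    (3.10, "in", "192.0.2.21", 80, TARGET, 51000, "SA"),
]


def find_reflected_synacks(records, local_ip, min_reflectors=3):
    """Report inbound SYN-ACKs that answer no SYN sent by local_ip."""
    opened = set()           # (local_port, remote_ip, remote_port) we initiated
    unsolicited = Counter()  # (remote_ip, remote_port, local_port) -> packets
    for _, direction, src, sport, dst, dport, flags in sorted(
        records, key=lambda r: r[0]
    ):
        if direction == "out" and src == local_ip and flags == "S":
            opened.add((sport, dst, dport))
        elif direction == "in" and dst == local_ip and flags == "SA":
            if (dport, src, sport) not in opened:
                unsolicited[(src, sport, dport)] += 1
    reflectors = sorted({flow[0] for flow in unsolicited})
    return {
        "unsolicited_synacks": sum(unsolicited.values()),
        "reflectors": reflectors,
        # The same flow seen more than once: the intermediary keeps trying
        # to complete a handshake the target never started.
        "repeated_flows": sorted(f for f, n in unsolicited.items() if n > 1),
        "alert": len(reflectors) >= min_reflectors,
    }


if __name__ == "__main__":
    print(find_reflected_synacks(SAMPLE, TARGET))
```

The legitimate connection to 198.51.100.7 is excluded because the target's own SYN was recorded first; only SYN-ACKs with no matching outbound SYN count toward the alert.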