An Analysis of SYN Reflection DrDoS Attacks
Selected excerpts
SYN reflection attacks are one of the more sophisticated distributed denial of service (DDoS) attack methods and typically require some skill to execute. However, they have recently grown in popularity as they have become available as a DDoS-as-a-Service application from the criminal underground. Now even a novice can launch a SYN reflection attack. Software developers in the criminal underground wrap web-based graphical user interfaces around sophisticated attack scripts and offer them as convenient DDoS-as-a-Service apps, some of which can even be launched from a phone.

DrDoS attacks
SYN reflection attacks are a type of distributed reflection and amplification denial of service (DrDoS) attack. DrDoS attacks harness the bandwidth and processing power of other people’s networked servers and devices to amplify the power of a denial of service attack.

SYN floods
SYN attacks are used against targets that support TCP, a core communication protocol that enables computers to transmit data, such as web pages and email, over the Internet. Before data is transmitted between machines, the computers must first establish a connection by a multi-step handshake. If the handshake cannot be completed, the computers will keep trying to connect, as shown in Figure 1. The result is a SYN flood.
Figure 1: In a SYN flood attack, SYN connection requests are repeated in rapid succession, until the target is overwhelmed
SYN reflection overwhelms the target
The addition of spoofing creates a more powerful SYN attack through the use of reflection techniques. In a SYN reflection attack, at least three systems are involved: the attacker’s device, an intermediary victim (one or many), and the target, as shown in Figure 2. Spoofing allows the attacker to make the handshake requests appear to come from the target server. As a result, the victim tries to engage the target. Often, this continues until one or both experience an outage.

The problem of backscatter from DDoS mitigation appliances
Mitigation equipment can contribute to the damage caused by SYN reflection attacks, because DDoS mitigation appliances are programmed to challenge the connection requests to ensure the requests are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, which creates backscatter toward the victim. More sophisticated mitigation techniques, such as packet analysis, can help minimize the problem of backscatter.

Get the full white paper for more details
Download the DrDoS series white paper, An Analysis of SYN Reflection Attacks, for details about
SYN reflection attacks and mitigation techniques, including:
Why SYN reflection attacks create so much damage
How attackers misuse the TCP handshake
The problem of backscatter
SYN reflection attack scenario
Three common SYN reflection techniques
Techniques for mitigating SYN attacks
Attack signature to identify and stop spoofed SYN reflection attacks
The more you know about DDoS attacks, the better you can protect your network against
cybercrime. Download the free white paper An Analysis of SYN Reflection Attacks at
www.prolexic.com/drdos.
About Prolexic
Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and
mitigation services. Learn more at www.prolexic.com.
Figure 2: SYN reflection attacks misdirect communication handshakes to the victim and target until they are overwhelmed
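
The target-side view of the reflection described in this excerpt, as an added example that is not taken from the Prolexic white paper: the target receives SYN-ACKs from intermediary victims for handshakes it never started. The record format, the sample addresses, the function names and the three-source threshold are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# 203.0.113.10 plays the target; 198.51.100.x play intermediary victims.
SAMPLE = [
    ("203.0.113.10", 40000, "192.0.2.80", 443, "S"),     # real outbound SYN
    ("192.0.2.80", 443, "203.0.113.10", 40000, "SA"),    # its expected SYN-ACK
    ("198.51.100.1", 80, "203.0.113.10", 51001, "SA"),   # never requested
    ("198.51.100.2", 80, "203.0.113.10", 51002, "SA"),
    ("198.51.100.3", 443, "203.0.113.10", 51003, "SA"),
    ("198.51.100.1", 80, "203.0.113.10", 51001, "SA"),   # retransmitted SYN-ACK
    ("192.0.2.80", 443, "203.0.113.10", 40000, "A"),     # ordinary traffic
]


def unsolicited_synacks(packets, local_net):
    """Map each local host to the SYN-ACKs it received without sending a SYN."""
    net = ip_network(local_net)
    pending = set()  # 4-tuples of SYNs that local hosts really sent
    hits = defaultdict(lambda: {"packets": 0, "sources": set()})
    for src, sport, dst, dport, flags in packets:
        if flags == "S" and ip_address(src) in net:
            pending.add((src, sport, dst, dport))
        elif flags == "SA" and ip_address(dst) in net:
            # A legitimate SYN-ACK mirrors the 4-tuple of an earlier local SYN.
            if (dst, dport, src, sport) not in pending:
                hits[dst]["packets"] += 1
                hits[dst]["sources"].add(src)
    return dict(hits)


def reflection_targets(packets, local_net, min_sources=3):
    """Local hosts hit by unsolicited SYN-ACKs from at least min_sources peers."""
    found = unsolicited_synacks(packets, local_net)
    return sorted(h for h, v in found.items() if len(v["sources"]) >= min_sources)


if __name__ == "__main__":
    for host, v in unsolicited_synacks(SAMPLE, "203.0.113.0/24").items():
        print(host, v["packets"], "unsolicited SYN-ACKs from",
              len(v["sources"]), "sources")
```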