Distributed Reflection Denial of Service: A Bandwidth Attack
A bandwidth attack floods a network with a large volume of bogus packets in order to overwhelm the network's bandwidth. The aim is to consume the bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets also include legitimate traffic, thus causing denial of service to valid users.
Normally, a large number of machines are required to generate enough traffic to flood a network. This is called a distributed denial of service (DDoS), because the attack is carried out by multiple machines whose combined output produces that traffic. Furthermore, to diffuse the source of the attack, these machines are spread across different networks, so that no single network can be identified as the source and blocked.
In a typical DDoS attack, bogus packets (simple web server requests or other random packets) are sent by a large number of machines to the target network or machine. A Distributed Reflection Denial of Service (DRDoS) attack generates the same amount of traffic but uses a more efficient and stealthy method to achieve it.
First, let’s review some TCP basics. A server receiving a SYN packet replies with a SYN/ACK packet; those are the first two steps in establishing a connection. (In the third and final step, the client sends an ACK, but that is not important for this attack.) DRDoS exploits the first two steps. An attacking machine sends a SYN packet to any publicly reachable server (mail, web or any other) with a spoofed source IP, in this case the IP of the victim. The recipient of the SYN then generates a SYN/ACK and sends it to the victim. In this way the server is used by the attacker to reflect packets to the target network, rather than the attacker sending packets directly to the target network as in a DDoS.
As in a DDoS, a large number of machines can be used to send SYN packets, carrying the source IP of the targeted machine, to multiple reflection servers, which in turn generate a large number of SYN/ACK packets that flood the victim. Compared to a DDoS, a DRDoS is a more intelligent attack and can cause more damage with fewer machines.
How is that possible?
TCP, being a reliable protocol, resends a packet for which it receives no acknowledgement, on the assumption that the packet may have been lost. The SYN/ACK sent by the reflection server to the targeted machine will never be acknowledged, so the reflection server retransmits it until a timeout occurs. Hence, with one SYN packet, an attacker is able to generate more than one SYN/ACK directed at the victim. Using the same number of machines, a DRDoS therefore generates more traffic to flood the target than a DDoS does.
In a DRDoS attack, the reflection servers belong to different networks. Because the reflected traffic already arrives from many networks, the attacking machines themselves can sit in a single network, or in fewer networks than a DDoS would need.
A DRDoS attack is also carried out so that it does not flood the reflection servers themselves; instead, the combined bandwidth of several reflection servers is used to choke the targeted network. That is another intelligent technique.
If the victim is really a server, then there is no real reason for it to receive SYN/ACK packets from any other machine. Remember that servers receive only SYNs or ACKs. Filtering out, at the ISP, all SYN/ACK packets whose destination IP is the targeted machine will prevent the reflected data from flooding the targeted network’s bandwidth. However, if the targeted machine also initiates TCP connections to external servers, such as a web server connecting to a mail server, then the valid SYN/ACK packets sent by those servers will also be dropped, unless SYN/ACK packets from those servers are specifically allowed.
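As an added example that is not part of the original article, the following Python sketch contrasts the blanket SYN/ACK filter described above with a stateful check that only accepts a SYN/ACK when the protected host itself sent the matching SYN. The addresses, ports and packet trace are constructed for illustration; repeated SYN/ACKs from one reflector model the TCP retransmissions that give the attack its amplification.

```python
from collections import Counter, namedtuple

# Constructed packet record: TCP flags as a frozenset, e.g. {"SYN", "ACK"}.
Packet = namedtuple("Packet", "src sport dst dport flags")

PROTECTED = "203.0.113.10"  # assumed address of the server being defended

def classify_synacks(packets, protected=PROTECTED):
    """Split inbound SYN/ACKs into expected and unsolicited, counted per source IP.

    A SYN/ACK is expected only if the protected host itself sent a SYN to that
    peer address/port from the same local port earlier in the trace. Every other
    inbound SYN/ACK is reflected traffic; the same reflector appearing several
    times is its TCP retransmission of the SYN/ACK the victim never answers.
    """
    pending = set()          # (peer_ip, peer_port, local_port) of our own SYNs
    expected = Counter()
    unsolicited = Counter()
    for p in packets:
        if p.src == protected and p.flags == {"SYN"}:
            pending.add((p.dst, p.dport, p.sport))
        elif p.dst == protected and p.flags == {"SYN", "ACK"}:
            if (p.src, p.sport, p.dport) in pending:
                expected[p.src] += 1
            else:
                unsolicited[p.src] += 1
    return expected, unsolicited

def blanket_drop(packets, protected=PROTECTED):
    """The simple ISP filter: drop every SYN/ACK addressed to the target.
    Returns how many legitimate replies it discards as collateral damage."""
    expected, _ = classify_synacks(packets, protected)
    return sum(expected.values())

SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
# Constructed trace: the protected web server opens one outbound mail
# connection while two reflectors each retransmit an unanswered SYN/ACK.
SAMPLE = [
    Packet(PROTECTED, 40000, "198.51.100.25", 25, SYN),     # our own SYN
    Packet("198.51.100.25", 25, PROTECTED, 40000, SYNACK),  # legitimate reply
    Packet("192.0.2.80", 80, PROTECTED, 5555, SYNACK),      # reflected
    Packet("192.0.2.80", 80, PROTECTED, 5555, SYNACK),      # retransmission
    Packet("192.0.2.80", 80, PROTECTED, 5555, SYNACK),      # retransmission
    Packet("192.0.2.81", 443, PROTECTED, 6666, SYNACK),     # reflected
    Packet("192.0.2.81", 443, PROTECTED, 6666, SYNACK),     # retransmission
]

if __name__ == "__main__":
    exp, unsol = classify_synacks(SAMPLE)
    print("expected SYN/ACKs:", dict(exp))
    print("unsolicited SYN/ACKs by reflector:", dict(unsol))
    print("legitimate replies a blanket filter would drop:", blanket_drop(SAMPLE))
```

The stateful variant drops the reflected packets while still admitting the mail server's reply; a per-reflector count above one is the retransmission behaviour the article describes.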
More information on other forms of reflection attacks and solutions to defend against them can be found in:
- An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks
- Distributed Denial of Service (DDoS) Attacks/tools