An Analysis of SYN Reflection DrDoS Attacks

Selected excerpts

SYN reflection attacks are one of the more sophisticated distributed denial of service (DDoS) attack methods and typically require some skill to execute. However, they have recently grown in popularity as they have become available as a DDoS-as-a-Service application from the criminal underground. Now even a novice can launch a SYN reflection attack. Software developers in the criminal underground wrap web-based graphical user interfaces around sophisticated attack scripts and offer them as convenient DDoS-as-a-Service apps, some of which can even be launched from a phone.

DrDoS attacks

SYN reflection attacks are a type of distributed reflection and amplification denial of service (DrDoS) attack. DrDoS attacks harness the bandwidth and processing power of other people's networked servers and devices to amplify the power of a denial of service attack.

SYN floods

SYN attacks are used against targets that support TCP, a core communication protocol that enables computers to transmit data, such as web pages and email, over the Internet. Before data is transmitted between machines, the computers must first establish a connection by a multi-step handshake. If the handshake cannot be completed, the computers will keep trying to connect, as shown in Figure 1. The result is a SYN flood.

Figure 1: In a SYN flood attack, SYN connection requests are repeated in rapid succession, until the target is overwhelmed

SYN reflection overwhelms the target

The addition of spoofing creates a more powerful SYN attack through the use of reflection techniques. In a SYN reflection attack, at least three systems are involved: the attacker's device, an intermediary victim (one or many), and the target, as shown in Figure 2. Spoofing allows the attacker to falsify that the target server is the source of the handshake requests. As a result, the victim tries to engage the target. Often, this continues until one or both experience an outage.

Figure 2: SYN reflection attacks misdirect communication handshakes to the victim and target until they are overwhelmed
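
Seen from the target's side, the reflected traffic described above consists of SYN-ACKs that answer no SYN the target ever sent, so they can be counted per sending host. The following is an added example, not taken from the white paper; the record layout, addresses and threshold are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample records as seen at the target's border (not real traffic):
# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
TARGET = "203.0.113.10"
SAMPLE = [
    ("out", TARGET, 40001, "198.51.100.5", 443, "S"),   # genuine outbound SYN
    ("in", "198.51.100.5", 443, TARGET, 40001, "SA"),   # the SYN-ACK it expects
    ("in", "192.0.2.20", 80, TARGET, 51000, "SA"),      # no matching SYN
    ("in", "192.0.2.20", 80, TARGET, 51001, "SA"),
    ("in", "192.0.2.20", 80, TARGET, 51002, "SA"),
    ("in", "192.0.2.77", 22, TARGET, 51003, "SA"),
    ("in", "198.51.100.9", 443, TARGET, 40002, "A"),    # not a SYN-ACK, ignored
]


def unsolicited_synacks(records, local_ip):
    """Count inbound SYN-ACKs per remote host that answer no SYN we sent."""
    pending = set()          # (remote_ip, remote_port, local_port) of open SYNs
    unsolicited = Counter()
    for direction, src, sport, dst, dport, flags in records:
        if direction == "out" and src == local_ip and flags == "S":
            pending.add((dst, dport, sport))
        elif direction == "in" and dst == local_ip and flags == "SA":
            key = (src, sport, dport)
            if key in pending:
                pending.discard(key)     # handshake we started: normal
            else:
                unsolicited[src] += 1    # reply to a SYN spoofed as us
    return unsolicited


def reflectors(records, local_ip, threshold=3):
    """Remote hosts whose unsolicited SYN-ACK count reaches the threshold."""
    counts = unsolicited_synacks(records, local_ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(unsolicited_synacks(SAMPLE, TARGET)))
    print(reflectors(SAMPLE, TARGET))
```

Hosts returned by `reflectors` are the intermediary victims in the scenario above, not the attacker, so they are candidates for rate limiting or notification rather than attribution.
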

The problem of backscatter from DDoS mitigation appliances

Mitigation equipment can contribute to the damage caused by SYN reflection attacks, because DDoS mitigation appliances are programmed to challenge the connection requests to ensure the requests are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, which creates backscatter toward the victim. More sophisticated mitigation techniques, such as packet analysis, can help minimize the problem of backscatter.

Get the full white paper for more details

Download the DrDoS series white paper, An Analysis of SYN Reflection Attacks, for details about the SYN reflection attacks and mitigation techniques, including:

- Why SYN reflection attacks create so much damage
- How attackers misuse the TCP handshake
- The problem of backscatter
- SYN reflection attack scenario
- Three common SYN reflection techniques
- Techniques for mitigating SYN attacks
- Attack signature to identify and stop spoofed SYN reflection attacks

The more you know about DDoS attacks, the better you can protect your network against cybercrime. Download the free white paper An Analysis of SYN Reflection Attacks at www.prolexic.com/drdos.

About Prolexic

Prolexic Technologies is the world's largest and most trusted provider of DDoS protection and mitigation services. Learn more at www.prolexic.com.