Tag Archive for 'DDOS'

Nov 14

Distributed Reflection DoS Attack

As is often the case in security, a technique that appears obvious deserves far more attention: the devil is in the details. DoS (Denial of Service) and DDoS (Distributed Denial of Service) belong to this category of techniques. When I ask my students what a DDoS is, they always answer something like "it is just a flood of TCP SYNs". That is true, but it is only one form, and not the most widely used one.

A reflection attack is a more complex and more efficient form of DDoS because it uses a distributed set of hosts as "bumpers". This makes such a DDoS very hard to trace or to block. The key idea is that the attacker sends SYN packets to these hosts with a spoofed source address (the victim), so the resulting SYN-ACK or RST packets are sent back to the victim. Combine this with a random pattern of reflectors and you have a pretty nasty technique. Note that, unlike smurf, the "bumpers" are not used as amplifiers (this is not completely accurate, because of the TCP retransmissions that are likely once the link becomes congested) but to make the source of the packets unpredictable from the victim's point of view. The advantage over a simple SYN flood with a spoofed source address is that the traffic is bounced over multiple routes, which makes tracking the attack back to its origin far more complex.
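From the defender's side, the signature of the mechanism described above is that the victim receives SYN-ACK or RST segments for connections it never opened, from many unrelated hosts. The following script is an added example written for this page; it is not code from the original post or from the GRC paper. It runs over a small set of constructed packet records (the `Packet` class, the TEST-NET addresses and the flag strings are all assumptions made for the example) and flags replies that have no matching outbound SYN from the victim.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet summary (constructed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "R"/"RA" = RST


def find_reflection_backscatter(packets, victim, min_reflectors=3):
    """Detect unsolicited SYN-ACK / RST traffic arriving at `victim`.

    A legitimate SYN-ACK or RST answers a SYN the victim sent earlier, so we
    remember every outbound SYN as (peer, peer_port, local_port). In a
    reflection attack the attacker spoofed the SYN, so the reply arrives with
    no such record, and the replies come from many unrelated reflectors.
    """
    outbound_syns = set()
    unsolicited = defaultdict(int)  # reflector address -> reply count

    for p in packets:
        if p.src == victim and p.flags == "S":
            outbound_syns.add((p.dst, p.dport, p.sport))
        elif p.dst == victim and p.flags in ("SA", "R", "RA"):
            # Reply from peer:sport to victim:dport must match a prior SYN.
            if (p.src, p.sport, p.dport) not in outbound_syns:
                unsolicited[p.src] += 1

    reflectors = sorted(unsolicited)
    return {
        "reflectors": reflectors,
        "unsolicited_replies": sum(unsolicited.values()),
        "suspected_reflection": len(reflectors) >= min_reflectors,
    }


# Constructed sample traffic (addresses are RFC 5737 documentation ranges).
VICTIM = "203.0.113.10"
SAMPLE_PACKETS = [
    # A genuine connection: victim opens port 80 on 198.51.100.5 and gets SA.
    Packet(VICTIM, "198.51.100.5", 40000, 80, "S"),
    Packet("198.51.100.5", VICTIM, 80, 40000, "SA"),
    # Replies to SYNs the victim never sent: spoofed-source reflection.
    Packet("192.0.2.1", VICTIM, 80, 51234, "SA"),
    Packet("192.0.2.2", VICTIM, 443, 51235, "SA"),
    Packet("192.0.2.3", VICTIM, 22, 51236, "SA"),
    Packet("192.0.2.3", VICTIM, 22, 51236, "SA"),  # reflector retransmits
    Packet("192.0.2.4", VICTIM, 25, 51237, "RA"),  # closed port answers RST
]


def analyse_sample():
    return find_reflection_backscatter(SAMPLE_PACKETS, VICTIM)


if __name__ == "__main__":
    report = analyse_sample()
    print(f"reflectors: {report['reflectors']}")
    print(f"unsolicited replies: {report['unsolicited_replies']}")
    print(f"suspected reflection: {report['suspected_reflection']}")
```

The duplicated SYN-ACK from 192.0.2.3 illustrates the retransmission effect the text mentions: a reflector that gets no ACK resends its SYN-ACK, so the victim sees more bytes than the attacker sent, even though reflection is not primarily an amplification technique. Only the victim can run this kind of check; the reflectors themselves see nothing unusual, which is why ingress filtering of spoofed sources at the network edge is the control that actually removes the attack surface.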

A very good survey of reflection attacks and of DDoS in general can be found here: GRC | The Distributed Reflection DoS Attack

Reflection diagrams taken from the Gibson Research Corporation paper