Here I want to help you understand the technical backbone of DDoS attacks.
What are Reflection and Amplification attacks?
Reflection and amplification are mechanisms commonly used in DDoS attacks. These simple and very effective techniques gained popularity around 2013. They take advantage of publicly accessible UDP services to overwhelm a victim with response traffic. Attackers usually do not need to abuse outdated protocol versions or exploit vulnerabilities: the services are used exactly as designed, with requests that look legitimate.
Reflection occurs when an attacker forges the source address of the request packets so that they appear to come from the victim. Because UDP has no handshake, a server cannot tell a spoofed request from a legitimate one, so it sends its reply directly to the victim. This also hides the attacker's real IP address from both the victim's system and the abused server. The control that stops reflection at its origin is anti-spoofing egress filtering (BCP 38) on the attacker's network, which drops packets whose source address does not belong to that network before they ever leave it.
The other mechanism is traffic amplification. The attacker's goal is to make the abused service produce as much response data as possible. The ratio between the size of the response and the size of the request is called the amplification factor, and the attacker wants it as large as possible. For example, when an open CharGEN service is used to flood a victim, an amplification factor of up to 359 times can be observed. (Note that, although CharGEN has no business being in use today and should never be exposed to the Internet, it is a legitimate service: no vulnerability has to be exploited to produce the attack.)
When these two techniques are used together, repeatedly and at scale, an attack results. Reflectors in many locations can be involved to produce more devastating results. It is important to realize that the abused services are victims too, not only the targets of the reply floods: these servers suddenly have to deal with abnormally large volumes of spoofed requests, which may prevent them from serving legitimate traffic.
Many UDP protocols can be abused. Among the most common are NTP (via the monlist command) with an amplification factor of about 557 times, CharGEN with about 359 times, DNS with 28 to 54 times and SSDP with about 31 times. (These are the factors published in US-CERT alert TA14-017A.)
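As an added example, not code from the original post, here is a small Python detector for the victim-side symptom described above: inbound UDP flows from well-known amplifier source ports that no internal host ever solicited. The flow records, the internal prefix 10.0.0.0/24, the amplifier port table and the byte threshold are constructed assumptions for illustration; a real deployment would read router flow exports and match requests to replies within a time window rather than over the whole file.

```python
from collections import defaultdict

# Source ports of services commonly abused as reflectors (assumed table, extend as needed)
AMPLIFIER_PORTS = {19: "CharGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
INTERNAL = "10.0.0."   # assumed: our address space is 10.0.0.0/24

# Constructed flow records (not real traffic): ts src sport dst dport proto pkts bytes
# 10.0.0.5 really asked 8.8.8.8 for DNS; 10.0.0.7 never spoke to any of the :123 / :19 hosts.
SAMPLE_FLOWS = """\
1000 10.0.0.5 51234 8.8.8.8 53 udp 1 70
1000 8.8.8.8 53 10.0.0.5 51234 udp 1 180
1001 203.0.113.10 123 10.0.0.7 80 udp 250 117000
1001 203.0.113.11 123 10.0.0.7 80 udp 240 112320
1001 198.51.100.9 19 10.0.0.7 80 udp 500 512000
1002 203.0.113.12 123 10.0.0.7 80 udp 260 121680
1002 10.0.0.7 443 192.0.2.5 40000 tcp 30 12000
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; '#' lines and blanks are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, pkts, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def find_reflection_floods(flows, threshold_bytes=100_000):
    """Report internal hosts receiving unsolicited replies from amplifier ports above a byte threshold."""
    # Requests our hosts actually sent: (our host, server, server port)
    solicited = {(f["src"], f["dst"], f["dport"]) for f in flows
                 if f["src"].startswith(INTERNAL) and f["proto"] == "udp"}
    per_target = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "pkts": 0, "reflectors": set()}))
    for f in flows:
        if f["proto"] != "udp" or not f["dst"].startswith(INTERNAL) or f["sport"] not in AMPLIFIER_PORTS:
            continue
        if (f["dst"], f["src"], f["sport"]) in solicited:
            continue   # a reply to a query one of our hosts really sent
        entry = per_target[f["dst"]][AMPLIFIER_PORTS[f["sport"]]]
        entry["bytes"] += f["bytes"]
        entry["pkts"] += f["pkts"]
        entry["reflectors"].add(f["src"])
    alerts = []
    for target, services in per_target.items():
        for service, e in services.items():
            if e["bytes"] >= threshold_bytes:
                # Average packet size is the tell: amplified replies are large, a stray reply is small
                alerts.append({"target": target, "service": service, "bytes": e["bytes"],
                               "reflectors": len(e["reflectors"]), "avg_pkt": e["bytes"] // e["pkts"]})
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for a in find_reflection_floods(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['target']}: {a['bytes']} B of unsolicited {a['service']} replies "
              f"from {a['reflectors']} reflector(s), avg {a['avg_pkt']} B/pkt")
```

On the constructed data the DNS reply to 10.0.0.5 is correctly ignored because the host sent the query, while 10.0.0.7 is flagged twice: once for the CharGEN reflector and once for the three NTP reflectors. The reflector count is useful on its own; a spoofed-source flood fans out across many abused servers, so blocking a single source address does nothing.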
How does a DNS amplification attack work?
A single bot in a DNS amplification attack can be compared to a malicious teenager calling a restaurant and saying:
“I’ll have one of everything, please call me back and tell me my whole order.”
When the restaurant asks for a callback number, the number given is the targeted victim’s phone number. The target then receives a call from the restaurant with a lot of information that they didn’t request.
Each bot sends requests to open DNS resolvers with a spoofed source IP address, changed to the real IP address of the targeted victim, so the resolvers send their responses to the target instead of to the bot. To create as much traffic as possible, the attacker structures each request so that it generates the largest response the resolver will return: typically a query of type ANY for a domain with a large record set, carrying an EDNS0 option that announces a large UDP buffer size so the resolver does not truncate the answer at the classic 512-byte limit. As a result, the target receives a multiple of the attacker's initial traffic, its network becomes clogged with the spurious responses, and it suffers a denial of service.
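To make "structures the request to get the largest response" concrete, here is an added worked example in Python (not code from the original post). It builds a DNS query in wire format, parses a constructed reply, and shows how the EDNS0 UDP payload size in the query decides whether a server returns the whole record set or stops at 512 bytes with the TC bit set. The example.com record set, the TTLs and the sizes are constructed for illustration, and `build_response` models a generic well-behaved server rather than any particular resolver implementation.

```python
import struct

TYPE_A, TYPE_TXT, TYPE_AAAA, TYPE_OPT, TYPE_ANY = 1, 16, 28, 41, 255
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512   # RFC 1035: maximum UDP reply when the query carries no EDNS0 OPT record


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def build_query(name, qtype=TYPE_ANY, txid=0x1234, edns_size=None):
    """Query as the reflector receives it (the spoofed source lives in the IP header, not here)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)   # RD=1
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_size:
        # OPT pseudo-RR (RFC 6891): root owner name, TYPE 41, CLASS field = requester's UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg


def parse_message(data):
    """Minimal header/section walk: enough to read flags, counts and the EDNS0 buffer size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4          # QTYPE + QCLASS
    question_end = pos
    records = []
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        records.append((rtype, rclass, rdlen))
    udp_size = next((rclass for rtype, rclass, _ in records if rtype == TYPE_OPT), None)
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "answers": an, "udp_size": udp_size, "question": data[12:question_end]}


def max_udp_response(query):
    """Largest UDP reply a standards-compliant server will send for this query."""
    return parse_message(query)["udp_size"] or CLASSIC_UDP_LIMIT


def build_response(query, answers):
    """Constructed reply from a well-behaved server: RRs are appended while they fit the
    UDP limit; if any are left over, TC is set so the client is told to retry over TCP."""
    q = parse_message(query)
    limit = max_udp_response(query)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if q["udp_size"] else b""
    body, included = b"", 0
    for rtype, rdata in answers:
        # owner name is a compression pointer (0xC00C) back to the question name
        rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
        if 12 + len(q["question"]) + len(body) + len(rr) + len(opt) > limit:
            break
        body += rr
        included += 1
    flags = 0x8180 | (0x0200 if included < len(answers) else 0)   # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, included, 0, 1 if opt else 0)
    return header + q["question"] + body + opt


def amplification(query, response):
    """Amplification factor at the DNS layer: response bytes per request byte."""
    return len(response) / len(query)


# Constructed record set for example.com: four long TXT records plus A and AAAA (not real data)
SAMPLE_ANSWERS = (
    [(TYPE_TXT, bytes([200]) + b"v=spf1 " + b"x" * 193)] * 4
    + [(TYPE_A, bytes([93, 184, 216, 34])), (TYPE_AAAA, bytes(16))]
)

if __name__ == "__main__":
    for edns in (None, 4096):
        q = build_query("example.com", edns_size=edns)
        r = build_response(q, SAMPLE_ANSWERS)
        p = parse_message(r)
        print(f"EDNS0 size {edns}: query {len(q)} B, reply {len(r)} B, "
              f"{p['answers']} RRs, TC={p['tc']}, factor {amplification(q, r):.1f}x")
```

The two runs show the attacker's lever: the same ANY query with no OPT record gets a 455-byte truncated reply (about 16x), while announcing a 4096-byte buffer lets the full 936-byte record set through (about 23x) for only 11 extra request bytes. This is also why the defensive knobs on a resolver are exactly these fields: refusing or minimising ANY answers, capping the UDP response size, and response rate limiting per source address.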
I hope you like this post. If you do, please let me know in the comments section.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...