SYN Reflections Turn DDoS Defenses Against You

The average Distributed Denial of Service (DDoS) attack shoves a server offline for 54 minutes and costs $1,188,000, according to a November study from Ponemon Institute (PDF).

The study added that DDoS-protection features have become more common in firewall servers, as have outside services that promise to deflect an attack. Recently, a variation of DDoS called the SYN reflection attack has let attackers shake things up by turning a company’s DDoS defenses into part of the attack, according to a note from security-services firm Prolexic.

SYN reflection attacks take advantage of a simple authentication step often used as a first line of defense against DDoS. Rather than simply flooding a site with HTTP requests, attackers target servers configured to make direct, authenticated TCP connections with other servers, rather than merely answering anonymous HTTP requests as a web server is designed to do.

The multistep handshake that performs this authentication and verification takes several steps to complete. To compensate for unreliable public-network connections, servers using TCP authentication will make repeated attempts to complete a connection once another server has initiated a request. In a SYN reflection attack, the attackers’ servers send connection requests to one or more such servers with a spoofed source address, so that the responses are directed at the server they are actually targeting, according to Stuart Scholly, president of Prolexic.

“It’s an unfortunate side effect of DDoS mitigation,” Scholly wrote in the note. “The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.”
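The backscatter Scholly describes arrives at the spoofed address as handshake replies to SYNs that host never sent, and repeated identical replies from one source are its signature. The following is an added example, not code from the article or from Prolexic: a small Python detector run over a constructed packet log that flags sources repeatedly sending unsolicited SYN-ACK or RST-ACK replies. The packet tuple layout, the function names and the threshold are assumptions.

```python
from collections import Counter

# Constructed sample packet records, as an edge sensor in front of the spoofed
# (victim) network might log them: (direction, src_ip, dst_ip, tcp_flags, seq).
# Addresses come from documentation ranges; this is not a real capture.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5", "S",  1000),  # SYN we genuinely sent
    ("in",  "198.51.100.5", "203.0.113.10", "SA", 7000),  # legitimate reply to it
    ("in",  "192.0.2.7",    "203.0.113.10", "SA", 9100),  # reply to a SYN we never sent
    ("in",  "192.0.2.7",    "203.0.113.10", "SA", 9100),  # remote mitigation gear retries...
    ("in",  "192.0.2.7",    "203.0.113.10", "SA", 9100),  # ...the same challenge again
    ("in",  "192.0.2.8",    "203.0.113.10", "RA", 42),    # single stray RST, below threshold
]

# TCP replies that only make sense as the second step of a handshake we started.
HANDSHAKE_REPLIES = {"SA", "RA"}


def unsolicited_replies(packets):
    """Inbound SYN-ACK/RST-ACK packets with no matching outbound SYN in the log.

    Matching is by (our address, peer address); a production sensor would also
    key on ports and on a time window.
    """
    outbound_syns = {(src, dst) for d, src, dst, flags, _ in packets
                     if d == "out" and flags == "S"}
    return [p for p in packets
            if p[0] == "in" and p[3] in HANDSHAKE_REPLIES
            and (p[2], p[1]) not in outbound_syns]


def reflection_sources(packets, threshold=3):
    """Map each reflector address to its unsolicited-reply count once it reaches threshold.

    Repeated replies from one source are the backscatter pattern: the reflector's
    mitigation equipment keeps re-challenging a SYN that carried our spoofed address.
    """
    counts = Counter(p[1] for p in unsolicited_replies(packets))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in reflection_sources(SAMPLE_PACKETS).items():
        print(f"{src}: {n} unsolicited handshake replies (likely reflected backscatter)")
```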

Making a SYN reflection attack work is more complicated than a conventional DDoS attack, and the skills needed to pull it off are less common, Scholly added.

While DDoS isn’t a sophisticated attack method, DDoS attackers have raised their sophistication level by focusing a flood of fake requests on a specific application on a target server rather than on the server as a whole, according to an April report from Avivah Litan, VP and distinguished analyst at Gartner.

DDoS attackers stepped up their game again by boosting the volume of fake traffic by 718 percent in April compared with a year earlier, raising attack rates to an average of more than 45Gbit/sec and 30 million packets per second, according to an April incident survey from Prolexic.
