How DDoS Attackers Turn Mitigation Devices Against You

By Peter Bernstein June 27, 2013

For those who have been following my recent postings, you are aware of my passion (some might say obsession) with security challenges being faced by service providers, enterprise IT professionals and even us everyday users when we are at home or on the go. 

Many of those articles contain recommendations that are common sense. Others go into more technical detail. It is on the latter that, in what can probably be categorized as a kind of public service announcement, I thought you might be extremely interested in the announcement by the good folks at Prolexic, a provider of Distributed Denial of Service (DDoS) protection services. They have made available a free whitepaper regarding an increasingly popular cyber attack technique: SYN reflection attacks. These attacks are a real nasty piece of work. They can leverage the defense mechanisms of DDoS mitigation devices to actually increase the strength of the attacks.

The Bad Guys Are Getting Very Sophisticated

SYN reflection attacks require skill to execute. As Prolexic explains, “They have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.”

“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap Web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”

One of the reasons for the popularity, aside from the ease of launching such attacks, is that SYN reflection attacks are used against targets that support TCP – a core communication protocol that enables computers to transmit data over the Internet.

However, before data is transmitted between machines, the computers must establish a connection in the form of a multi-step handshake. If a handshake cannot be completed successfully, the computers repeatedly attempt connections. SYN reflection attacks misdirect these communication handshakes to other machines until they are overwhelmed with a flood of communication requests. In a word, YIKES!

“What most people don’t realize is that mitigation equipment can contribute to the problem of SYN reflection attacks,” Scholly explained. “The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.

“It’s an unfortunate side effect of DDoS mitigation. Some backscatter is inevitable. However, it can be overcome using more sophisticated mitigation techniques once the attack is understood to be a SYN reflection attack,” Scholly explained. “At Prolexic, we actively try to minimize backscatter. This is why it is so important to do packet analysis, and not just rely on equipment alone.”

SYN reflection attacks, also known as spoofed SYN attacks, are discussed in detail in a new free white paper from the Prolexic Security Engineering & Response Team (PLXsert).
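The two sides of the problem described above (the reflected handshake, and the mitigation device that keeps re-challenging a spoofed address) can both be handled with simple per-flow bookkeeping. The following is an added example written for this post; it is not code from the article or from Prolexic's whitepaper. It assumes a simplified flow-record format, uses RFC 5737 documentation addresses with 203.0.113.0/24 standing in for "our" network, and the packet records are constructed. `find_backscatter` flags inbound SYN-ACK/RST-ACK segments that answer no SYN we ever sent (the sign that our address is being spoofed elsewhere), and `ChallengeLimiter` is a hypothetical policy that caps how many unanswered challenges a mitigation device sends toward any one claimed source, so the backscatter it generates stays bounded.

```python
"""Spot SYN reflection backscatter and bound mitigation-device challenges.

Added example; flow format, addresses and sample records are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

OUR_NETWORK_PREFIX = "203.0.113."  # assumed: RFC 5737 range standing in for our hosts


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "RA" = RST-ACK


# Constructed sample: one genuine handshake from 203.0.113.10, then a burst of
# SYN-ACKs/RST-ACKs from hosts we never contacted. Those unsolicited replies are
# the backscatter a reflection victim sees when its address is spoofed.
SAMPLE_PACKETS = [
    Packet(0.00, "203.0.113.10", 51000, "198.51.100.5", 443, "S"),
    Packet(0.02, "198.51.100.5", 443, "203.0.113.10", 51000, "SA"),
    Packet(0.03, "203.0.113.10", 51000, "198.51.100.5", 443, "A"),
    Packet(1.00, "192.0.2.7", 80, "203.0.113.10", 40001, "SA"),
    Packet(1.01, "192.0.2.7", 80, "203.0.113.10", 40001, "SA"),  # retransmitted challenge
    Packet(1.02, "192.0.2.7", 80, "203.0.113.10", 40001, "SA"),
    Packet(1.05, "192.0.2.8", 80, "203.0.113.10", 40002, "SA"),
    Packet(1.06, "192.0.2.9", 80, "203.0.113.10", 40003, "RA"),
    Packet(1.07, "192.0.2.9", 80, "203.0.113.10", 40004, "RA"),
]


def find_backscatter(packets, our_prefix=OUR_NETWORK_PREFIX):
    """Return (unsolicited reply packets, count of them per remote host).

    A reply is solicited only if we earlier sent a SYN on the same 4-tuple.
    """
    outbound_syns = set()
    backscatter = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src.startswith(our_prefix) and p.flags == "S":
            outbound_syns.add((p.src, p.sport, p.dst, p.dport))
        elif p.dst.startswith(our_prefix) and p.flags in ("SA", "RA"):
            # Reverse the tuple so it matches the SYN we would have sent.
            if (p.dst, p.dport, p.src, p.sport) not in outbound_syns:
                backscatter.append(p)
    per_reflector = defaultdict(int)
    for p in backscatter:
        per_reflector[p.src] += 1
    return backscatter, dict(per_reflector)


def spoofing_suspected(packets, threshold=3, window=5.0):
    """True when more than `threshold` unsolicited replies land within `window` s."""
    stamps = [p.ts for p in find_backscatter(packets)[0]]
    for i, start in enumerate(stamps):
        in_window = sum(1 for t in stamps[i:] if t - start <= window)
        if in_window > threshold:
            return True
    return False


class ChallengeLimiter:
    """Hypothetical mitigation-side policy: stop re-challenging a claimed source
    after `max_unanswered` unanswered challenges inside `window` seconds, so a
    spoofed address is not flooded with our own SYN-ACK backscatter."""

    def __init__(self, max_unanswered=3, window=10.0):
        self.max_unanswered = max_unanswered
        self.window = window
        self._pending = defaultdict(list)  # claimed src -> unanswered challenge times

    def should_challenge(self, src, ts):
        recent = [t for t in self._pending[src] if ts - t <= self.window]
        self._pending[src] = recent
        if len(recent) >= self.max_unanswered:
            return False  # drop silently; send nothing more toward that address
        recent.append(ts)
        return True

    def mark_answered(self, src):
        """A completed handshake proves the source is real; clear its budget."""
        self._pending.pop(src, None)


if __name__ == "__main__":
    replies, per_host = find_backscatter(SAMPLE_PACKETS)
    print(f"{len(replies)} unsolicited replies; per reflector: {per_host}")
    print("spoofing suspected:", spoofing_suspected(SAMPLE_PACKETS))
```

On the sample data the detector reports six unsolicited replies from three hosts and raises the spoofing flag, while the first three records (the legitimate handshake) produce none. The limiter is the piece of "more sophisticated mitigation" the quote alludes to: the equipment still challenges new connection requests, but a source that never completes a handshake stops receiving challenges after a small budget, which is what keeps backscatter toward a spoofed server from growing with the attack.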

The whitepaper explains:

  • Why SYN reflection attacks expand upon the damage created by SYN floods;
  • How misuse of the TCP handshake is used by malicious actors to confuse and slow down servers;
  • How DDoS mitigation equipment can contribute to the problem;
  • How three types of SYN reflection techniques work;
  • How to identify SYN reflection attacks;
  • How cyber criminals offer SYN reflection attacks as DDoS-as-a-Service.

Yes, the white paper is technical. However, if you are an IT professional on the front lines of trying to protect your enterprise from DDoS threats, and are either not up to speed on SYN reflection attacks or are looking for guidance on how to mitigate the risks from them, this is information that could prove invaluable.

One of the delights of covering the security industry is the growing awareness by the vendors in the space that we truly are all in this together. It is why so many members of the community not only share vital information about threats, but also detail steps that can be taken to protect you. This is a case where you could end up as your own worst enemy if hit with a SYN reflection attack. It is the reason the whitepaper is a nice contribution to the cause.

Edited by Rory J. Thompson