How DDoS Attackers Turn Mitigation Devices Against You

By Peter Bernstein June 27, 2013

For those who have been following my recent postings, you are aware of my passion (some might say obsession) with security challenges being faced by service providers, enterprise IT professionals and even us everyday users when we are at home or on the go. 

Many of those articles contain recommendations that are common sense. Others go into more technical detail. In the latter vein, and in what can probably be categorized as a kind of public service announcement, I thought you might be extremely interested in the announcement by the good folks at Prolexic, a provider of Distributed Denial of Service (DDoS) protection services. They have made available a free whitepaper regarding an increasingly popular cyber attack technique: SYN reflection attacks. These attacks are a real nasty piece of work. They can leverage the defense mechanisms of DDoS mitigation devices to actually increase the strength of the attacks.

The Bad Guys Are Getting Very Sophisticated

SYN reflection attacks require skill to execute. As Prolexic explains, “They have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.

“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap Web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”

One of the reasons for the popularity, aside from how readily available such attacks have become, is that SYN reflection attacks can be used against any target that supports TCP – a core communication protocol that enables computers to transmit data over the Internet.

However, before data is transmitted between machines, the computers must establish a connection in the form of a multi-step handshake. If a handshake cannot be completed successfully, the computers repeatedly attempt connections. SYN reflection attacks misdirect these communication handshakes to other machines until they are overwhelmed with a flood of communication requests. In a word, YIKES!

“What most people don’t realize is that mitigation equipment can contribute to the problem of SYN reflection attacks,” Scholly explained. “The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.

“It’s an unfortunate side effect of DDoS mitigation. Some backscatter is inevitable. However, it can be overcome using more sophisticated mitigation techniques once the attack is understood to be a SYN reflection attack,” Scholly explained. “At Prolexic, we actively try to minimize backscatter. This is why it is so important to do packet analysis, and not just rely on equipment alone.”
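At the spoofed host, the backscatter described above shows up as SYN-ACK packets answering connection requests that host never sent. The following Python is an added example of that packet-analysis check, not code from Prolexic or the white paper; the record format, the addresses (documentation ranges), the function name and the thresholds are assumptions.

```python
from collections import defaultdict

LOCAL_IP = "203.0.113.10"  # assumed address of the host being spoofed

# Constructed sample records, as captured at LOCAL_IP:
# (time_s, src_ip, dst_ip, src_port, dst_port, tcp_flags)
SAMPLE = [
    (0.00, LOCAL_IP, "198.51.100.7", 40001, 443, "S"),   # SYN we really sent
    (0.03, "198.51.100.7", LOCAL_IP, 443, 40001, "SA"),  # solicited SYN-ACK
    (1.00, "192.0.2.50", LOCAL_IP, 80, 51234, "SA"),     # no matching SYN
    (2.00, "192.0.2.50", LOCAL_IP, 80, 51234, "SA"),     # repeated challenge
    (4.00, "192.0.2.50", LOCAL_IP, 80, 51234, "SA"),     # repeated challenge
    (1.10, "192.0.2.51", LOCAL_IP, 80, 51300, "SA"),     # isolated stray
]


def find_backscatter(records, local_ip, window=5.0, min_unsolicited=3):
    """Return {remote_ip: count} of SYN-ACKs that answer no SYN we sent.

    A SYN-ACK is solicited only if local_ip sent a SYN on the same
    port pair to that remote within `window` seconds beforehand.
    Remotes with fewer than `min_unsolicited` hits are ignored as noise.
    """
    pending = {}                    # (local_port, remote_ip, remote_port) -> SYN time
    unsolicited = defaultdict(int)  # remote_ip -> unsolicited SYN-ACK count
    for ts, src, dst, sport, dport, flags in sorted(records):
        if src == local_ip and flags == "S":
            pending[(sport, dst, dport)] = ts
        elif dst == local_ip and flags == "SA":
            sent = pending.get((dport, src, sport))
            if sent is None or ts - sent > window:
                unsolicited[src] += 1
    return {ip: n for ip, n in unsolicited.items() if n >= min_unsolicited}


if __name__ == "__main__":
    for ip, n in find_backscatter(SAMPLE, LOCAL_IP).items():
        print(f"{ip}: {n} unsolicited SYN-ACKs (possible reflection backscatter)")
```
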

SYN reflection attacks, also known as spoofed SYN attacks, are discussed in detail in a new free white paper from the Prolexic Security Engineering & Response Team (PLXsert).

The whitepaper explains:

  • Why SYN reflection attacks expand upon the damage created by SYN floods;
  • How misuse of the TCP handshake is used by malicious actors to confuse and slow down servers;
  • How DDoS mitigation equipment can contribute to the problem;
  • How three types of SYN reflection techniques work;
  • How to identify SYN reflection attacks;
  • How cyber criminals offer SYN reflection attacks as DDoS-as-a-Service.

Yes, the white paper is technical. However, if you are an IT professional on the front lines of trying to protect your enterprise from DDoS threats, and are either not up to speed on SYN reflection attacks or are looking for guidance on how to mitigate the risks from them, this is information that could prove invaluable.

One of the delights of covering the security industry is the growing awareness by the vendors in the space that we truly are all in this together. It is why so many members of the community not only share vital information about threats, but also detail steps that can be taken to protect you. This is a case where you could end up as your own worst enemy if hit with a SYN reflection attack. It is the reason the whitepaper is a nice contribution to the cause.

Edited by Rory J. Thompson