How DDoS Attackers Turn Mitigation Devices Against You

By Peter Bernstein June 27, 2013

For those who have been following my recent postings, you are aware of my passion (some might say obsession) with security challenges being faced by service providers, enterprise IT professionals and even us everyday users when we are at home or on the go. 

Many of those articles contain recommendations that are common sense. Others go into more technical detail. It is in the latter spirit, and as a kind of public service announcement, that I thought you might be extremely interested in an announcement by the good folks at Prolexic, a provider of Distributed Denial of Service (DDoS) protection services. They have made available a free whitepaper regarding an increasingly popular cyber attack technique: SYN reflection attacks. These attacks are a real nasty piece of work. They can leverage the defense mechanisms of DDoS mitigation devices to actually increase the strength of the attacks.

The Bad Guys Are Getting Very Sophisticated

SYN reflection attacks require skill to execute. As Prolexic explains, “They have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.

“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap Web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”

One of the reasons for the popularity, aside from how readily available such attacks are to launch, is that SYN reflection attacks can be used against any target that supports TCP, a core communication protocol that enables computers to transmit data over the Internet.

However, before data is transmitted between machines, the computers must establish a connection in the form of a multi-step handshake. If a handshake cannot be completed successfully, the computers repeatedly attempt connections. SYN reflection attacks misdirect these communication handshakes to other machines until they are overwhelmed with a flood of communication requests. In a word, YIKES!

“What most people don’t realize is that mitigation equipment can contribute to the problem of SYN reflection attacks,” Scholly explained. “The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.

“It’s an unfortunate side effect of DDoS mitigation. Some backscatter is inevitable. However, it can be overcome using more sophisticated mitigation techniques once the attack is understood to be a SYN reflection attack,” Scholly explained. “At Prolexic, we actively try to minimize backscatter. This is why it is so important to do packet analysis, and not just rely on equipment alone.”
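The packet analysis Scholly refers to can start, on the host receiving the backscatter, with a check for SYN-ACKs that answer handshakes the host never began. The Python below is an added example, not code from this article or from Prolexic's whitepaper; the record format, the monitored address 192.0.2.10 and the threshold are assumptions, and the sample packets are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# 192.0.2.10 is the monitored host (assumption); "S" = SYN, "SA" = SYN-ACK.
SAMPLE = [
    (0.0, "192.0.2.10", 40000, "198.51.100.5", 443, "S"),    # our own SYN
    (0.1, "198.51.100.5", 443, "192.0.2.10", 40000, "SA"),   # solicited reply
    (1.0, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),     # we sent no SYN
    (2.0, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),     # same flow, retried
    (4.0, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),     # same flow, retried
    (1.5, "203.0.113.9", 80, "192.0.2.10", 51516, "SA"),     # single stray reply
]


def find_backscatter(packets, local_ip, threshold=3):
    """Report remotes sending SYN-ACKs for handshakes local_ip never began.

    Returns {remote_ip: {"syn_acks": total, "flows": distinct port pairs}}
    for remotes with at least `threshold` unsolicited SYN-ACKs.
    """
    pending = set()                                 # SYNs the local host sent
    flows = defaultdict(lambda: defaultdict(int))   # remote -> port pair -> count
    for _, src, sport, dst, dport, flags in sorted(packets):
        if src == local_ip and flags == "S":
            pending.add((dst, dport, sport))
        elif dst == local_ip and flags == "SA":
            # A SYN-ACK with no matching outbound SYN means someone else
            # used our address as the source of the original SYN.
            if (src, sport, dport) not in pending:
                flows[src][(sport, dport)] += 1
    report = {}
    for ip, per_flow in flows.items():
        total = sum(per_flow.values())
        if total >= threshold:
            # Many SYN-ACKs over few flows points to handshake retries.
            report[ip] = {"syn_acks": total, "flows": len(per_flow)}
    return report


if __name__ == "__main__":
    for ip, stats in find_backscatter(SAMPLE, "192.0.2.10").items():
        print(ip, stats)
```
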

SYN reflection attacks, also known as spoofed SYN attacks, are discussed in detail in a new free white paper from the Prolexic Security Engineering & Response Team (PLXsert).

The whitepaper explains:

  • Why SYN reflection attacks expand upon the damage created by SYN floods;
  • How misuse of the TCP handshake is used by malicious actors to confuse and slow down servers;
  • How DDoS mitigation equipment can contribute to the problem;
  • How three types of SYN reflection techniques work;
  • How to identify SYN reflection attacks;
  • How cyber criminals offer SYN reflection attacks as DDoS-as-a-Service.

Yes, the white paper is technical. However, if you are an IT professional on the front lines of trying to protect your enterprise from DDoS threats, and are either not up to speed on SYN reflection attacks or are looking for guidance on how to mitigate the risks from them, this is information that could prove invaluable.

One of the delights of covering the security industry is the growing awareness by the vendors in the space that we truly are all in this together. That is why so many members of the community not only share vital information about threats, but also detail steps that can be taken to protect you. This is a case where you could end up as your own worst enemy if hit with a SYN reflection attack. It is the reason the whitepaper is a nice contribution to the cause.

Edited by Rory J. Thompson