How DDoS Attackers Turn Mitigation Devices Against You

By Peter Bernstein June 27, 2013

For those who have been following my recent postings, you are aware of my passion (some might say obsession) with security challenges being faced by service providers, enterprise IT professionals and even us everyday users when we are at home or on the go. 

Many of those articles contain recommendations that are common sense. Others go into more technical detail. It is on the latter, in what can probably be categorized as a kind of public service announcement, that I thought you might be extremely interested in the announcement by the good folks at Prolexic, a provider of Distributed Denial of Service (DDoS) protection services. They have made available a free whitepaper on an increasingly popular cyber attack technique: SYN reflection attacks. These attacks are a real nasty piece of work: they can turn the defense mechanisms of DDoS mitigation devices into a way of increasing the strength of the attack.

The Bad Guys Are Getting Very Sophisticated

SYN reflection attacks require skill to execute. As Prolexic explains, “They have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.”

“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap Web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”

One of the reasons for their popularity, aside from how easy they now are to launch, is that SYN reflection attacks work against any target that accepts TCP connections, and TCP is the core communication protocol that enables computers to transmit data over the Internet, so there is no shortage of targets.

However, before data is transmitted between machines, the two computers must establish a connection through a multi-step handshake: the client sends a SYN, the server answers with a SYN-ACK, and the client completes the connection with an ACK. If the final ACK never arrives, the server keeps the half-open connection and retransmits its SYN-ACK several times before giving up. A SYN reflection attack abuses this by sending SYN packets whose source address has been spoofed to be the victim's: the servers that receive them dutifully send their SYN-ACKs, and every retransmission, to the victim, which is overwhelmed by a flood of connection responses it never asked for. In a word, YIKES!
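To make the handshake abuse concrete, here is an added example (my own model, not code from Prolexic or the white paper) that replays spoofed SYNs against three reflectors and counts what reaches the victim. The addresses, latency and retransmit schedule are assumptions: the reflectors behave like a plain Linux TCP server, with one SYN-ACK plus five retransmits on exponential backoff when no ACK arrives, and the challenge behaviour of a mitigation device is deliberately left out.

```python
"""Discrete-event model of a SYN reflection exchange.

Added example; not code from the Prolexic white paper or the article.
Addresses, timings and the retransmit schedule are assumptions: reflectors
behave like a plain Linux TCP server (net.ipv4.tcp_synack_retries=5 with
exponential backoff); mitigation-device challenges are not modelled.
"""
import heapq
from dataclasses import dataclass
from itertools import count

VICTIM = "203.0.113.10"                               # assumed address being spoofed
REFLECTORS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # assumed public TCP servers
ONE_WAY_DELAY = 0.05                                  # seconds; assumed latency
SYNACK_RETRIES = 5                                    # assumed Linux default
BACKOFF = [1, 2, 4, 8, 16]                            # seconds before retransmit n (assumed)


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "S" SYN, "SA" SYN-ACK, "R" RST
    seq: int


class SynReflectionSim:
    """Replays spoofed SYNs against the reflectors and records what reaches the victim."""

    def __init__(self, victim_sends_rst: bool):
        # False models a victim whose RSTs are filtered or that is too overloaded to answer.
        self.victim_sends_rst = victim_sends_rst
        self.now = 0.0
        self.queue = []          # (time, tie-breaker, kind, payload)
        self.tie = count()
        self.half_open = {}      # (reflector, peer, seq) -> SYN-ACKs sent so far
        self.victim_log = []     # every packet delivered to the victim

    def send(self, pkt: Packet) -> None:
        heapq.heappush(self.queue, (self.now + ONE_WAY_DELAY, next(self.tie), "deliver", pkt))

    def arm_timer(self, key, sent: int) -> None:
        # Keep retransmitting while the half-open entry still waits for its ACK.
        if sent <= SYNACK_RETRIES:
            heapq.heappush(self.queue, (self.now + BACKOFF[sent - 1], next(self.tie), "timer", key))
        else:
            self.half_open.pop(key, None)   # reflector gives up; entry expires

    def reflector_receive(self, pkt: Packet) -> None:
        key = (pkt.dst, pkt.src, pkt.seq)
        if pkt.flags == "S":
            # Ordinary server behaviour: answer with SYN-ACK and wait for the ACK.
            self.half_open[key] = 1
            self.send(Packet(pkt.dst, pkt.src, "SA", pkt.seq))
            self.arm_timer(key, 1)
        elif pkt.flags == "R":
            # RFC 793: a RST in SYN-RECEIVED returns the listener to LISTEN,
            # so the reflector stops retransmitting toward this peer.
            self.half_open.pop(key, None)

    def victim_receive(self, pkt: Packet) -> None:
        self.victim_log.append(pkt)
        if pkt.flags == "SA" and self.victim_sends_rst:
            # RFC 793: a SYN-ACK for a connection that does not exist is answered with RST.
            self.send(Packet(pkt.dst, pkt.src, "R", pkt.seq))

    def on_timer(self, key) -> None:
        if key not in self.half_open:
            return
        self.half_open[key] += 1
        self.send(Packet(key[0], key[1], "SA", key[2]))
        self.arm_timer(key, self.half_open[key])

    def run(self) -> dict:
        # The attacker sends one SYN per reflector with the victim's address as source;
        # the attacker's own address never appears on the wire.
        for i, reflector in enumerate(REFLECTORS):
            self.send(Packet(VICTIM, reflector, "S", 1000 + i))
        while self.queue:
            self.now, _, kind, payload = heapq.heappop(self.queue)
            if kind == "timer":
                self.on_timer(payload)
            elif payload.dst == VICTIM:
                self.victim_receive(payload)
            elif payload.dst in REFLECTORS:
                self.reflector_receive(payload)
        synacks = [p for p in self.victim_log if p.flags == "SA"]
        return {
            "spoofed_syns": len(REFLECTORS),
            "synacks_at_victim": len(synacks),
            "reflector_sources": sorted({p.src for p in synacks}),
            "packet_amplification": len(synacks) / len(REFLECTORS),
        }


def simulate(victim_sends_rst: bool) -> dict:
    return SynReflectionSim(victim_sends_rst).run()


if __name__ == "__main__":
    print("victim answers with RST:", simulate(True))
    print("victim RSTs never arrive:", simulate(False))
```

The two cases differ by a factor of six. When the victim can answer each unsolicited SYN-ACK with a RST, every reflector drops its half-open entry after a single packet; when the victim's RSTs are dropped by a firewall or the host is already too overloaded to answer, every reflector retransmits until it times out, and those retransmissions are where the reflection gains over a plain SYN flood.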

“What most people don’t realize is that mitigation equipment can contribute to the problem of SYN reflection attacks,” Scholly explained. “The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.

“It’s an unfortunate side effect of DDoS mitigation. Some backscatter is inevitable. However, it can be overcome using more sophisticated mitigation techniques once the attack is understood to be a SYN reflection attack,” Scholly explained. “At Prolexic, we actively try to minimize backscatter. This is why it is so important to do packet analysis, and not just rely on equipment alone.”

SYN reflection attacks, also known as spoofed SYN attacks, are discussed in detail in a new free white paper from the Prolexic Security Engineering & Response Team (PLXsert).

The whitepaper explains:

  • Why SYN reflection attacks expand upon the damage created by SYN floods;
  • How misuse of the TCP handshake is used by malicious actors to confuse and slow down servers;
  • How DDoS mitigation equipment can contribute to the problem;
  • How three types of SYN reflection techniques work;
  • How to identify SYN reflection attacks;
  • How cyber criminals offer SYN reflection attacks as DDoS-as-a-Service.
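For the bullet on identifying these attacks, here is an added example of the kind of check a defender can run on the victim side; it is my own illustration, not the method described in the white paper. It works over a constructed, simplified packet log (timestamp, source, destination, TCP flags), and the monitored prefix, addresses, ports and thresholds are assumptions.

```python
"""Flag SYN reflection backscatter from the victim's side.

Added example, not from the Prolexic white paper. Input is a constructed,
simplified packet log with one line per TCP segment: time, src:port,
dst:port, flags. The monitored prefix, addresses, ports and thresholds are
assumptions.
"""
from collections import defaultdict

OUR_NET = "203.0.113."   # assumed monitored prefix

# Constructed sample; a real source would be tcpdump or NetFlow output.
SAMPLE_LOG = """\
1.00 203.0.113.10:40001 198.51.100.5:443 S
1.02 198.51.100.5:443 203.0.113.10:40001 SA
1.02 203.0.113.10:40001 198.51.100.5:443 A
1.50 192.0.2.9:5555 203.0.113.10:80 S
2.00 192.0.2.1:80 203.0.113.10:31337 SA
2.00 192.0.2.2:80 203.0.113.10:31337 SA
2.00 192.0.2.3:443 203.0.113.10:31337 SA
2.01 192.0.2.4:22 203.0.113.10:31337 SA
3.00 192.0.2.1:80 203.0.113.10:31337 SA
3.00 192.0.2.2:80 203.0.113.10:31337 SA
3.00 192.0.2.3:443 203.0.113.10:31337 SA
3.01 192.0.2.4:22 203.0.113.10:31337 SA
"""


def parse(line: str):
    ts, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def find_unsolicited_synacks(log_text: str) -> dict:
    """Return {victim_ip: [(reflector_ip, reflector_port), ...]} for inbound
    SYN-ACKs that no earlier outbound SYN from that victim requested."""
    outbound_syns = set()            # (our_ip, our_port, peer_ip, peer_port)
    unsolicited = defaultdict(list)
    for line in log_text.splitlines():
        ts, sip, sport, dip, dport, flags = parse(line)
        if sip.startswith(OUR_NET) and flags == "S":
            outbound_syns.add((sip, sport, dip, dport))
        elif dip.startswith(OUR_NET) and flags == "SA":
            # The legitimate SYN-ACK at 1.02 matches an outbound SYN and is skipped;
            # the inbound SYN at 1.50 is a direct flood symptom, not reflection.
            if (dip, dport, sip, sport) not in outbound_syns:
                unsolicited[dip].append((sip, sport))
    return dict(unsolicited)


def detect_syn_reflection(log_text: str, min_packets: int = 6, min_reflectors: int = 3) -> dict:
    """Alert per victim when unsolicited SYN-ACKs arrive from many distinct
    servers. One stray SYN-ACK is noise; many from different servers toward
    one host is backscatter from SYNs spoofed with that host's address."""
    alerts = {}
    for victim, pkts in find_unsolicited_synacks(log_text).items():
        reflectors = sorted({ip for ip, _ in pkts})
        if len(pkts) >= min_packets and len(reflectors) >= min_reflectors:
            alerts[victim] = {"packets": len(pkts), "reflectors": reflectors}
    return alerts


if __name__ == "__main__":
    for victim, info in detect_syn_reflection(SAMPLE_LOG).items():
        print(f"{victim}: {info['packets']} unsolicited SYN-ACKs from {info['reflectors']}")
```

The same bookkeeping separates reflection from a direct SYN flood: a flood shows up as inbound SYNs, reflection as inbound SYN-ACKs with no matching outbound SYN. On the reflector side the mirror-image signature is SYNs whose source never sends the final ACK and answers the SYN-ACK with a RST or with nothing at all.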

Yes, the white paper is technical. However, if you are an IT professional on the front lines of protecting your enterprise from DDoS threats, and are either not up to speed on SYN reflection attacks or are looking for guidance on how to mitigate the risks from them, this is information that could prove invaluable.

One of the delights of covering the security industry is the growing awareness among the vendors in the space that we truly are all in this together. It is why so many members of the community not only share vital information about threats, but also detail the steps that can be taken to protect yourself. This is a case where you could end up as your own worst enemy if hit with a SYN reflection attack, which is why the whitepaper is a nice contribution to the cause.

Edited by Rory J. Thompson