Distributed Reflection and Amplification (DrDoS) DDoS Attacks White Papers

Distributed Reflection Denial of Service (DrDoS) White Paper Series

In 2012, there was a significant increase in the use of a specific distributed denial of service (DDoS) methodology known as Distributed Reflection Denial of Service attacks (DrDoS). DrDoS attacks have been a persistent and effective type of DDoS attack for more than 10 years. The technique shows no signs of obsolescence; it continues to grow in effectiveness and popularity.

Prolexic has observed many DrDoS attacks across a range of industries. The Prolexic Security Engineering and Research Team (PLXsert) is producing a series of white papers that analyze Reflection and Amplification DDoS Attacks. The four types of DrDoS attacks are:

  • DNS
  • SYN
  • Gaming server attacks

The white paper series details real-world case studies of DrDoS attacks observed by PLXsert through the Prolexic global DDoS mitigation network. The papers' purpose is to:

  • Bring more attention to this often overlooked DDoS attack method
  • Make system administrators aware of potential security exploits against their servers
  • Help victims of DrDoS attacks understand the technical aspects of what took place

DrDoS techniques usually involve intermediary victim machines that unwittingly participate in a DDoS attack against the attacker’s target. The attacker sends requests to these intermediary (secondary) victims, and their responses are redirected, or reflected, onto the primary target.

Anonymity is one advantage of the DrDoS attack method. Because the attacker forges the primary target's address as the source of its requests, the primary target appears to be attacked directly by the victim servers rather than by the actual attacker. Forging the source address in this way is called spoofing.

Amplification is another advantage of the DrDoS attack method. Each victim server's response is larger than the request that triggered it, and with multiple victim servers involved the attacker's initial requests yield far more response traffic than was sent, thus increasing the attack bandwidth.
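As an added illustration from the defender's side (example code written for this page, not taken from the Prolexic white papers), the following Python shows the two signatures described above in constructed flow records seen at a protected network's edge: replies from reflection-prone services that arrive with no matching outbound request (reflection toward a spoofed target), and the response-to-request byte ratio that gives amplification its name. Addresses use RFC 5737 documentation ranges and the prefix-string check for "our network" is a deliberate simplification.

```python
from collections import defaultdict
from typing import NamedTuple

# UDP services the white papers name as reflection vectors.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 19: "CHARGEN"}


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def analyze(flows, protected_prefix):
    """Classify flows observed at the protected network's edge.

    Returns (amplification, reflected): amplification maps a service name to
    the largest response/request byte ratio seen for a solicited reply;
    reflected maps a reflector address to the unsolicited response bytes it
    sent into the protected network (the reflection signature).
    """
    requests = {}  # outbound requests keyed by the 4-tuple a reply must carry
    amplification = defaultdict(float)
    reflected = defaultdict(int)
    for f in flows:
        outbound = f.src.startswith(protected_prefix)  # simplification
        if outbound and f.dport in REFLECTION_PORTS:
            requests[(f.dst, f.dport, f.src, f.sport)] = f.nbytes
        elif not outbound and f.sport in REFLECTION_PORTS:
            key = (f.src, f.sport, f.dst, f.dport)
            svc = REFLECTION_PORTS[f.sport]
            if key in requests:
                ratio = f.nbytes / requests[key]
                amplification[svc] = max(amplification[svc], ratio)
            else:
                reflected[f.src] += f.nbytes  # reply we never asked for
    return dict(amplification), dict(reflected)


# Constructed sample flows at the edge of 203.0.113.0/24.
SAMPLE = [
    Flow("203.0.113.10", 40001, "198.51.100.5", 53, 60),   # legitimate query
    Flow("198.51.100.5", 53, "203.0.113.10", 40001, 180),  # its 3x larger reply
    Flow("198.51.100.5", 53, "203.0.113.7", 53000, 3000),  # no matching query
    Flow("198.51.100.6", 53, "203.0.113.7", 53001, 3000),  # no matching query
    Flow("198.51.100.7", 123, "203.0.113.7", 53002, 480),  # unsolicited NTP reply
]

if __name__ == "__main__":
    print(analyze(SAMPLE, "203.0.113."))
```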

Register to download the whitepapers and the series overview.

Register to read these white papers:

  • Why DDoS attacks occur in online gaming communities
  • The history of DrDoS attacks in online gaming
  • DrDoS attack tools that use gaming servers – including Quake, Half Life, and Call of Duty – to attack non-gaming targets
  • A case study of a DrDoS attack against a financial services firm
  • The underground market for stressers, booters and other DDoS-as-a-Service tools that target online gaming communities
  • Why SYN Reflection attacks create more damage than SYN Floods
  • How attackers misuse the TCP handshake to confuse servers
  • How unmanned DDoS mitigation equipment can contribute to the problem
  • Three SYN Reflection techniques
  • How to identify and stop spoofed SYN Reflection attacks
  • Three common network protocols used in reflection attacks
  • How SNMP, NTP and CHARGEN are used in DrDoS attacks
  • How your printers and network devices may be used by DrDoS attackers
  • How to minimize your network’s exposure and mitigate protocol attacks
  • What the internet community could do to reduce the risk
  • How DNS enables users to type in domain names instead of numeric IP addresses
  • Why the protocol contributes to the problem of DrDoS attacks
  • Which DNS extensions are most likely to be exploited
  • What a DNS reflection attack looks like to an administrator
  • Server misconfigurations that can lead to a DNS server being used to attack
  • What the internet community can do to lower the risk to DNS servers and cyber attack targets