DDoS attacks and reflection and amplification techniques

We could say that 2020 saw the resurgence of DDoS attacks, and if 2021 continues like this, the trend will continue strongly. To be forewarned, it is best to be clear on what one of the techniques in use consists of: reflection and amplification.

Reflection and amplification are mechanisms commonly used in DDoS attacks. These simple and very effective techniques gained popularity around 2013. They take advantage of publicly accessible UDP services to overload victims with response traffic.

Reflection occurs when an attacker forges the source address of request packets, pretending to be the victim. Because UDP is connectionless, the servers cannot distinguish legitimate requests from bogus ones, so they respond directly to the victim. This technique also hides the attacker's real IP address from both the victim's system and the abused server.

The other mechanism is traffic amplification. The attacker’s goal is to make the abused service produce as much response data as possible. The ratio between the response and request sizes is called the amplification factor. Here the attacker wants to achieve the largest possible ratio.

When these techniques are repeatedly used together, an attack is generated. Servers in multiple locations may be involved to produce more devastating results. It is important to realize that the abused services are victims too, just like the targets of the response floods. These servers suddenly have to deal with large numbers of requests that can prevent them from serving legitimate traffic.

What are the most common protocols for these abuses? Among the most common are: NTP with an amplification factor of 557 times, CHARGEN with a factor of 359 times, DNS with a factor of 28 to 54 times and SSDP with a factor of 31 times.
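An operator of one of these UDP services can apply the amplification factor defined above to their own flow data to see when the server is being abused as a reflector. The following Python is an added example, not code from the original article; the flow-record fields, the thresholds and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP services the article lists as commonly abused, by well-known port.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 1900: "SSDP"}

def find_reflection_abuse(flows, servers, min_factor=10.0, min_bytes=10_000):
    """Return alerts for clients whose response/request byte ratio at one of
    our UDP servers suggests the 'client' address is a spoofed victim.
    Thresholds are illustrative assumptions; tune them per service."""
    req = defaultdict(int)    # bytes received from the claimed client
    resp = defaultdict(int)   # bytes our server sent back to that address
    for f in flows:
        if f["dst"] in servers and f["dport"] in REFLECTOR_PORTS:
            req[(f["dst"], f["dport"], f["src"])] += f["bytes"]
        elif f["src"] in servers and f["sport"] in REFLECTOR_PORTS:
            resp[(f["src"], f["sport"], f["dst"])] += f["bytes"]
    alerts = []
    for (server, port, client), out_bytes in resp.items():
        in_bytes = req.get((server, port, client), 0)
        if in_bytes == 0:
            continue  # request not captured (sampling gap): no ratio to compute
        factor = out_bytes / in_bytes  # amplification factor: response / request
        if factor >= min_factor and out_bytes >= min_bytes:
            alerts.append({"service": REFLECTOR_PORTS[port], "server": server,
                           "target": client, "factor": round(factor, 1),
                           "response_bytes": out_bytes})
    return sorted(alerts, key=lambda a: a["response_bytes"], reverse=True)

# Constructed sample flow records (UDP only), aggregated per direction.
SAMPLE_FLOWS = [
    # ordinary DNS lookup: small request, small answer
    {"src": "198.51.100.10", "dst": "192.0.2.53", "sport": 40000, "dport": 53, "bytes": 80},
    {"src": "192.0.2.53", "dst": "198.51.100.10", "sport": 53, "dport": 40000, "bytes": 160},
    # small queries claiming to come from 203.0.113.7, each drawing a large answer
    {"src": "203.0.113.7", "dst": "192.0.2.53", "sport": 4444, "dport": 53, "bytes": 6000},
    {"src": "192.0.2.53", "dst": "203.0.113.7", "sport": 53, "dport": 4444, "bytes": 300000},
    # NTP time sync using port 123 in both directions: ratio of 1
    {"src": "198.51.100.20", "dst": "192.0.2.123", "sport": 123, "dport": 123, "bytes": 90},
    {"src": "192.0.2.123", "dst": "198.51.100.20", "sport": 123, "dport": 123, "bytes": 90},
]

if __name__ == "__main__":
    for alert in find_reflection_abuse(SAMPLE_FLOWS, {"192.0.2.53", "192.0.2.123"}):
        print(alert)
```

The `target` in an alert is the address receiving the amplified responses, which is the likely victim rather than the real sender, so the useful responses are rate limiting or restricting the service, not blocking that address as an attacker.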

How does a DNS amplification attack work?

A single bot in a DNS amplification attack can be thought of in the context of a malicious teenager calling a restaurant and saying “I’ll order one of everything. I’m getting cut off. Please call me at X number and tell me my entire order.” When the restaurant asks for a callback number, the number given is the victim’s phone number. The target (the victim) then receives a call from the restaurant with a lot of information that he did not request. In the same way, each bot sends requests to open DNS resolvers with the source IP address changed to the real IP address of the targeted victim, so the target receives the responses from the DNS resolvers. In order to create a large amount of traffic, the attacker structures the request in a way that generates as large a response as possible from the DNS resolvers.

Eventually, the target receives an amplification of the attacker’s initial traffic, and its network is clogged with traffic, thus causing a denial of service.

This has been an imaginary example, but these attacks are real and are on the rise again. Today’s use of emerging technologies has made DDoS attacks even more accessible. Without good protection and security measures such as redborder solutions, any company can become a target for these attacks.
