Can DDoS attackers turn mitigation devices against you?
SYN reflection attacks are one of the more sophisticated DDoS attack methods and typically require some skill to execute. However, they have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.
“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”
SYN reflection attacks are used against targets that support TCP – a core communication protocol that enables computers to transmit data over the Internet, such as web pages and email.
However, before data is transmitted between machines, the computers must establish a connection in the form of a multi-step handshake. If a handshake cannot be completed successfully, the computers repeatedly attempt connections. SYN reflection attacks misdirect these communication handshakes to other machines until they are overwhelmed with a flood of communication requests.
“What most people don’t realize is that mitigation equipment can contribute to the problem of SYN reflection attacks,” Scholly explained. “The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.
“It’s an unfortunate side effect of DDoS mitigation. Some backscatter is inevitable. However, it can be overcome using more sophisticated mitigation techniques once the attack is understood to be a SYN reflection attack,” Scholly explained.
Ameen Pishdadi, CTO at GigeNET, comments for Help Net Security: “Though SYN-reflection attacks have been around for quite some time, the reason they not very well known or used as widely as other attacks is because they are very easy to filter and not nearly as effective as other attacks with significantly less resources needed. While with the right skills and tools they can do damage by amplifying an attack 3x’s over, a much larger attack could be generated using a DNS reflection attack with much less effort. As far as mitigation devices contributing to the effectiveness of the attack, I have to disagree. If configured correctly the device should recognize what’s happening and not respond.”
“It is possible there are some older, less advanced or misconfigured devices that may participate in this attack, though I doubt there is enough publicized IP space out there that is behind enough individual devices to do much damage,” Pishdadi added.