
How DDoS Attackers Turn Mitigation Devices Against You

Prolexic Technologies
2013-06-26 15:00

- Backscatter from mitigation devices can cause collateral damage in SYN reflection attacks

HOLLYWOOD, Fla., June 26, 2013 /PRNewswire/ -- Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, today shared information on a popular cyber attack technique, SYN reflection attacks, which can leverage the defense mechanisms of DDoS mitigation devices to increase the strength of the attacks.

SYN reflection attacks are one of the more sophisticated DDoS attack methods and typically require some skill to execute. However, they have recently grown in popularity as they've become available on a DDoS-as-a-Service basis via the criminal underground.

"SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it," said Stuart Scholly, President of Prolexic. "Malicious actors wrap web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone."

SYN reflection attacks are used against targets that support TCP – a core communication protocol that enables computers to transmit data over the Internet, such as web pages and email.

However, before data is transmitted between machines, the computers must establish a connection in the form of a multi-step handshake. If a handshake cannot be completed successfully, the computers repeatedly attempt connections. SYN reflection attacks misdirect these communication handshakes to other machines until they are overwhelmed with a flood of communication requests.

"What most people don't realize is that mitigation equipment can contribute to the problem of SYN reflection attacks," Scholly explained. "The equipment is programmed to challenge these connection requests to ensure they are legitimate. The mitigation equipment will keep challenging the request from the spoofed IP address, thus creating backscatter toward the spoofed server.

"It's an unfortunate side effect of DDoS mitigation. Some backscatter is inevitable. However, it can be overcome using more sophisticated mitigation techniques once the attack is understood to be a SYN reflection attack," Scholly explained. "At Prolexic, we actively try to minimize backscatter. This is why it is so important to do packet analysis, and not just rely on equipment alone."

SYN reflection attacks, also known as spoofed SYN attacks, are discussed in detail in a new white paper from the Prolexic Security Engineering & Response Team (PLXsert).

The white paper explains:

  • Why SYN reflection attacks expand upon the damage created by SYN floods
  • How misuse of the TCP handshake is used by malicious actors to confuse and slow down servers
  • How DDoS mitigation equipment can contribute to the problem
  • How three types of SYN reflection techniques work
  • How to identify SYN reflection attacks
  • How cyber criminals offer SYN reflection attacks as DDoS-as-a-Service

The white paper is the third in the Distributed Reflection Denial of Service (DrDoS) series, and is available free of charge at www.prolexic.com/drdos.

About the Prolexic Security Engineering & Response Team (PLXsert)

PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through data forensics and post attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with customers. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.

Details of Prolexic's DDoS mitigation activities and insights into the latest tactics, types, targets and origins of global DDoS attacks are provided in quarterly reports published by the company. A complimentary copy of Prolexic's most recent Global DDoS Attack Report is available at www.prolexic.com/attackreports.

About Prolexic

Prolexic is the world's largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world's largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world's first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida, and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit www.prolexic.com, follow us on LinkedIn, Facebook, Google+, YouTube, and @Prolexic on Twitter.

Contact:

Michael E. Donner
SVP, Chief Marketing Officer
Prolexic
media {at} prolexic {dot} com
+1-954-620-6017

Source: Prolexic Technologies