Tag: Reflection


A DoS (Denial of Service) attack is aimed at making a network resource, such as a website, unavailable for valid use. These types of attacks are a major risk to a company’s infrastructure and also to its reputation. If a company offers a service on the internet, it can be targeted by one or more attacks for a number of reasons: the attackers might not agree with the company’s policies, they may have bought a service that didn’t meet their expectations, they may be an ex-employee, and so on. Attackers can use known vulnerabilities in networking protocols to launch an attack, such as a TCP SYN attack. TCP is a reliable protocol, which means it keeps track of whether all packets are delivered and, if not, resends the packets that were lost along the way. When a client (host) wants to communicate with a website, it first sets up a TCP connection with the server. This is called the 3-way handshake, as shown below.




With a TCP SYN attack, the attacker keeps sending SYN requests towards the target, in our example the web server. In return, the web server sends a SYN ACK back to the client, but most likely the attacker is sending hundreds of requests from spoofed IP addresses, and because of this the web server will never receive the ACK back. The web server is kind enough to wait for the ACK, and in doing so it ties up resources; the more SYN requests arrive, the more resources are used, until all of them are used up. Legitimate users’ traffic now can’t establish a TCP connection with the web server because it cannot process the requests: the web server is now unavailable.

A DDoS (Distributed Denial of Service) attack uses botnets around the internet to attack its target. So what is a botnet? A botnet is a network of devices, such as PCs or even smartphones, that have been infected with malware. Once the malware is installed on a device, it becomes part of the botnet. These botnets are controlled by the attacker from a command and control server on the internet. The attacker can command the botnets to attack a target all at the same time. Examples of attacks used by attackers are reflection attacks and amplification attacks. A well-known reflection and amplification attack uses open NTP (Network Time Protocol) servers on the internet that are incorrectly configured and still respond to a monlist request.


Above is the NTP attack in action. The Attacker sends a request to the Botnets to target the Web Server. The Botnets send a small request, usually kilobytes in size, to the open NTP server(s) requesting a list (monlist) of the last 600 IP addresses that requested time from the NTP server. Instead of receiving the reply themselves, the Botnets spoof the source IP address to be that of the Web Server (reflection), meaning all replies go towards the Web Server. The NTP reply can be 10 times the size of the initial request or more (amplification), meaning Gbps worth of data hits the Web Server, causing it to crash or using up all the available bandwidth. DNS servers can be used in a similar way.
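From the Web Server's side, reflected traffic shows up as UDP replies from port 123 that it never asked for. The detection sketch below is an added example, not part of the original post; the flow-record layout, the addresses (documentation ranges) and the `min_servers` threshold are assumptions.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (assumed layout, not from the post):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("192.0.2.10", 40000, "198.51.100.5", 123, "udp", 76),  # web server's own NTP query
    ("198.51.100.5", 123, "192.0.2.10", 40000, "udp", 76),  # solicited reply
    ("203.0.113.7", 123, "192.0.2.10", 80, "udp", 4400),    # reply nobody asked for
    ("203.0.113.8", 123, "192.0.2.10", 80, "udp", 4400),
    ("203.0.113.9", 123, "192.0.2.10", 80, "udp", 4400),
    ("192.0.2.20", 51000, "192.0.2.10", 443, "tcp", 1500),  # normal web traffic
]


def find_reflected_ntp(flows, min_servers=3):
    """Return {victim_ip: (distinct_ntp_servers, total_bytes)} for hosts that
    receive UDP replies from port 123 without having sent a matching query."""
    # Pass 1: every (client, server) pair where the client really sent an NTP query.
    # Simplification: the whole capture window is used, ignoring packet order.
    solicited = {
        (src, dst)
        for src, _sport, dst, dport, proto, _size in flows
        if proto == "udp" and dport == NTP_PORT
    }
    servers = defaultdict(set)
    volume = defaultdict(int)
    # Pass 2: a reply from port 123 with no matching query is a reflection candidate.
    for src, sport, dst, _dport, proto, size in flows:
        if proto == "udp" and sport == NTP_PORT and (dst, src) not in solicited:
            servers[dst].add(src)
            volume[dst] += size
    # Many distinct NTP servers replying to one host is the reflection signature;
    # a single stray reply stays below the threshold.
    return {
        victim: (len(srcs), volume[victim])
        for victim, srcs in servers.items()
        if len(srcs) >= min_servers
    }


if __name__ == "__main__":
    for victim, (count, total) in find_reflected_ntp(FLOWS).items():
        print(f"{victim}: {total} bytes of unsolicited NTP replies from {count} servers")
```

Because the source addresses in these replies belong to real NTP servers rather than the botnet, the flagged server list is what gets handed to an upstream provider for filtering.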

With the explosion of IoT devices available on the internet, there has been an increase in DDoS attacks. IoT devices have poor security, with many of them having the same default username/password for access. A recent DDoS attack launched from IP CCTV cameras was 620GBs in size. Thousands of IP CCTV cameras were taken over due to weak passwords and used to attack a website. When setting up IoT devices, the manufacturer should force the user to change the default password to one with a minimum of 8-10 characters, including uppercase letters, special characters and numbers, which would be a start in stopping attackers from getting access to IoT devices on the internet.