
DDoS Reflection Attacks

DDoS Reflection Attacks are a particularly effective vector in an attacker's toolbox for taking a site offline, because they let the attacker do the job with far fewer bots.

Other types of attack require the attacker to marshal a large botnet to bring your site down. A reflection attack borrows the bandwidth of third-party servers instead.

How it Works: Some Internet Basics

Since the early days of IP Networking, engineers have constantly been developing new ways for computers to exchange information to serve ever-evolving and increasing human needs.

At the network layer, the Internet Protocol (IP) provides the most basic service on which everything else is built: it carries individual packets from a source address to a destination address, and nothing more.

One layer up, depending on the kind of information being exchanged, computers talk through one of two transport protocols. Picking one or the other is a tradeoff between network efficiency and delivery guarantees:

  1. TCP: less efficient (connection setup, acknowledgements, retransmissions), but data arrives complete and in order
  2. UDP: very efficient (each datagram stands alone), but no guarantee that anything arrives at all

(There are other transports besides these two, but we are keeping things simple.)

At yet a higher layer, application protocols are built on top of either TCP or UDP, depending on what matters most for each use. For example:

  • Viewing web pages happens over HTTP, which is built on top of TCP. Nobody wants a web page that arrives only partly, with missing words, phrases or entire paragraphs.
  • Certain kinds of video streaming and real-time communication, such as live video conferencing and Internet telephony, use protocols carried over UDP when possible. Here each end can handle moderate data loss gracefully, since humans can put up with a few missing frames or words, and waiting for retransmissions would hurt more than the loss itself.

How it Works: Exploiting Trust

Because TCP requires a three-way handshake before any data is exchanged, a forged source address gets the sender nowhere: the reply to the handshake goes to the address that was forged, not to the forger, and the connection never completes. (A spoofed SYN still draws a single small SYN-ACK, but never the application's response.) Protocols built on top of TCP therefore make a much less appealing reflection vector.

UDP, on the other hand, is trusting by design. Each datagram carries a source address that nothing verifies, and a server answers to whatever address the request claims to come from.
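To make that difference concrete, here is an added example (not code from the original post) that models the two transports in Python. It is a simplified simulation, not real networking: hosts pass dictionary "packets" through an in-memory Network object, the packet sizes and the 50x ratio (AMP) are illustrative, and the IP addresses are placeholders. The reflector answers any UDP request straight away, but only sends TCP data once a handshake has completed.

```python
"""Why a forged source address works against a UDP service but not a TCP one.

Added example, not code from the original post. It is a simplified model:
hosts exchange dict-shaped "packets" through an in-memory network instead
of real sockets, packet sizes are illustrative, and AMP is an assumed
response-to-request size ratio for the service being abused. The reflector
answers any UDP request at once, but sends TCP application data only after
the three-way handshake has completed.
"""
from collections import defaultdict

AMP = 50           # assumed ratio: response bytes per request byte
REQUEST_SIZE = 10  # illustrative size of a request, SYN, ACK or RST
SYN_ACK_SIZE = 40  # illustrative size of a SYN-ACK segment


class Network:
    """Forwards on the destination address only; it never checks pkt['src']."""

    def __init__(self):
        self.hosts = {}

    def send(self, pkt):
        self.hosts[pkt["dst"]].receive(pkt)


class Host:
    def __init__(self, ip, net):
        self.ip, self.net = ip, net
        net.hosts[ip] = self
        self.bytes_in = defaultdict(int)   # bytes received, per transport
        self.bytes_out = defaultdict(int)  # bytes sent, per packet type
        self.syn_sent = set()              # peers we opened a connection to
        self.half_open = set()             # peers whose SYN we answered

    def emit(self, dst, proto, kind, size, src=None):
        """Send a packet; src defaults to our own address, an attacker overrides it."""
        self.bytes_out[kind] += size
        if kind == "syn":
            self.syn_sent.add(dst)
        self.net.send({"src": src or self.ip, "dst": dst, "proto": proto,
                       "type": kind, "size": size})

    def receive(self, pkt):
        self.bytes_in[pkt["proto"]] += pkt["size"]
        src, kind = pkt["src"], pkt["type"]
        if pkt["proto"] == "udp":
            if kind == "request":       # no handshake: answer whoever the packet claims to be from
                self.emit(src, "udp", "response", pkt["size"] * AMP)
        elif kind == "syn":             # handshake step 1: the SYN-ACK goes to the claimed source
            self.half_open.add(src)
            self.emit(src, "tcp", "synack", SYN_ACK_SIZE)
        elif kind == "synack":
            if src in self.syn_sent:    # we really did open this connection: finish the handshake
                self.emit(src, "tcp", "ack", REQUEST_SIZE)
            else:                       # unsolicited SYN-ACK (our address was forged): reset it
                self.emit(src, "tcp", "rst", REQUEST_SIZE)
        elif kind == "rst":
            self.half_open.discard(src)
        elif kind == "ack" and src in self.half_open:
            self.half_open.discard(src)  # handshake complete: only now does the application reply
            self.emit(src, "tcp", "data", REQUEST_SIZE * AMP)


def simulate(proto, spoof=True):
    """One request from attacker to reflector, optionally carrying the victim's source address."""
    net = Network()
    attacker, reflector, victim = (Host(ip, net) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"))
    kind = "request" if proto == "udp" else "syn"
    attacker.emit(reflector.ip, proto, kind, REQUEST_SIZE, src=victim.ip if spoof else None)
    return {
        "attacker_sent": REQUEST_SIZE,
        "victim_received": victim.bytes_in[proto],
        "attacker_received": attacker.bytes_in[proto],
        "reflector_app_bytes": reflector.bytes_out["response"] + reflector.bytes_out["data"],
    }


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, "spoofed:", simulate(proto), "honest:", simulate(proto, spoof=False))
```

In the spoofed UDP case the victim receives 500 bytes for the attacker's 10; in the spoofed TCP case it receives only the 40-byte SYN-ACK, answers with a reset, and the reflector's application layer never sends a byte. That small SYN-ACK is why TCP services are not entirely immune, just a very poor bargain for the attacker. The honest TCP run shows the full handshake completing and the data going back to the real sender.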

Reflection attacks rely on two vulnerability factors:

  1. The aforementioned trusting nature of UDP, and of most protocols built on top of it.
  2. In some UDP protocols, NTP (the Network Time Protocol) among them, an asymmetry between how much data goes into a request and how much comes out in the response: a small request producing a huge response. At face value, NTP should be fairly symmetric:
    • Request: Dear computer, what time is it? <- short
    • Response: It's 5:43 pm <- short
    • => A small request yields a small response. Not very juicy for an attack.
    • However, the reference NTP server (ntpd) supports more than a "What time is it?" request. It also answers a management command called "monlist", which means "give me a list of the last 600 machines to which you've given the time".
      • In this case, a request of a few bytes can produce a response weighing in at 206 times its size, also known as an "amplification factor of 206x".

Putting the two factors together makes things interesting:

An attacker finds hundreds of such NTP servers. A handful of bots is enough to send a flurry of monlist requests to those servers, each with its source address forged to be the victim's. The victim is suddenly on the receiving end of an avalanche of monlist responses it never asked for, and its bandwidth is saturated. The attacker has spent a few bytes per request; the reflectors have done the heavy lifting.

NTP is only one of many UDP-based protocols with the same two properties.
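As an added example covering both the monlist asymmetry and the spoofed-source attack above (not code from the original post or from the ntp project), the following Python builds the 8-byte mode 7 monlist probe, parses the reply, and measures the amplification. It assumes the private-mode packet layout from ntpd's ntp_request.h: an 8-byte header, then data items of 72 bytes for request code 42 (MON_GETLIST_1), at most six per response packet. The sample reply is constructed with build_monlist_response() rather than captured from a real server, and the client addresses in it are documentation ranges.

```python
"""Build, parse and size the NTP mode 7 "monlist" exchange.

Added example, not code from the original post or from the ntp project.
It assumes the private-mode packet layout from ntpd's ntp_request.h: an
8-byte header (response/more/version/mode, sequence, implementation,
request code, error+item count, item size) followed by data items; for
request 42 (MON_GETLIST_1) each item is 72 bytes and a response packet
carries at most 6 of them. The sample reply is constructed here, not
captured from a real server.
"""
import socket
import struct

MODE_PRIVATE = 7         # NTP mode 7: ntpd's private control protocol
IMPL_XNTPD = 3           # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42   # the monlist request code
MON_ITEM_SIZE = 72       # sizeof(struct info_monitor_1)
MAX_ITEMS_PER_PKT = 6    # 500-byte data area // 72
IP_UDP_OVERHEAD = 28     # IPv4 (20) + UDP (8) headers, no options
HDR = "!BBBBHH"          # rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize


def build_monlist_request(version=2, seq=0):
    """The 8-byte monlist probe: response=0, more=0, version, mode 7, no data items."""
    rm_vn_mode = (version << 3) | MODE_PRIVATE
    return struct.pack(HDR, rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_monlist_response(entries, seq=0, more=False, version=2):
    """Constructed server reply for entries = [(client_ip, packet_count), ...]."""
    assert len(entries) <= MAX_ITEMS_PER_PKT
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (version << 3) | MODE_PRIVATE
    pkt = struct.pack(HDR, rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(entries), MON_ITEM_SIZE)
    for ip, count in entries:
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        # avg_int, last_int, restr, count, addr, daddr; the remaining v6/flag fields are left zero
        item = struct.pack("!IIIIII", 0, 0, 0, count, addr, 0)
        pkt += item.ljust(MON_ITEM_SIZE, b"\x00")
    return pkt


def parse_mode7_response(pkt):
    """Returns (more, seq, err, items) with items = [(client_ip, packet_count), ...]."""
    if len(pkt) < 8:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HDR, pkt[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE or not rm_vn_mode & 0x80:
        raise ValueError("not a mode 7 response")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    items = []
    if err == 0 and req == REQ_MON_GETLIST_1:
        data = pkt[8:]
        for i in range(nitems):
            item = data[i * itemsize:(i + 1) * itemsize]
            if len(item) < 20:
                raise ValueError("truncated monlist item")
            count, addr = struct.unpack("!II", item[12:20])   # count at 12, addr at 16
            items.append((socket.inet_ntoa(struct.pack("!I", addr)), count))
    return bool(rm_vn_mode & 0x40), auth_seq & 0x7F, err, items


def amplification_factor(request, responses):
    """Bytes on the wire in responses per byte of request, IP+UDP headers included."""
    out = sum(len(r) + IP_UDP_OVERHEAD for r in responses)
    return out / (len(request) + IP_UDP_OVERHEAD)


def probe_monlist(host, port=123, timeout=2.0, max_packets=100):
    """Check a server you administer: returns (request, reply packets); no replies = not a reflector."""
    request = build_monlist_request()
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            while len(packets) < max_packets:
                pkt, _ = s.recvfrom(2048)
                packets.append(pkt)
                if not parse_mode7_response(pkt)[0]:   # "more" bit clear: last packet
                    break
        except socket.timeout:
            pass
    return request, packets


if __name__ == "__main__":
    req = build_monlist_request()
    # One full constructed packet: six clients, as a server sends before setting "more" for the next.
    sample = build_monlist_response([(f"192.0.2.{i}", 100 * i) for i in range(1, 7)], more=True)
    more, seq, err, items = parse_mode7_response(sample)
    print(f"request {len(req)} B, reply {len(sample)} B, more={more}, items={items}")
    print(f"one packet: {amplification_factor(req, [sample]):.1f}x; "
          f"full 600-entry list: {amplification_factor(req, [sample] * 100):.0f}x")
```

For the constructed packet the ratio is 13x for a single 440-byte reply and 1300x if all 100 packets of a full 600-entry list come back, headers included; published figures such as the 206x above differ because they measure the request differently. probe_monlist() sends the probe and collects the reply; point it only at servers you administer. A server that answers with items is an open reflector, and in ntpd the remedy is `disable monitor` in ntp.conf or a version from 4.2.7p26 onward, which no longer answers monlist.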


The Latest in DDoS Reflection Attacks

We covered new DDoS reflection attack vectors announced by CERT in our August DDoS News. Since then, Level 3 has published a detailed analysis of the Portmapper attacks, with amplification factors ranging from 7.1x to 28.4x.

A few days ago, Akamai also covered Portmapper among three new vectors it is announcing:

  1. NetBIOS name server reflection DDoS attack, with amplification factors from 2.56x to 3.85x
  2. RPC portmap reflection DDoS attack, where Akamai sees amplification factors from 9.65x to 505x, pushing one attack past 100 Gbps
  3. Sentinel reflection DDoS attack, with an amplification factor of 42.94x and an attack reaching 11.7 Gbps

Mitigating DDoS Reflection Attacks

As always, you are better off preparing before you are attacked.

If you host a web application in Amazon AWS, make sure your security groups only allow inbound traffic on TCP ports 80 and 443 (443 assuming you serve TLS/HTTPS). Any other port or protocol, UDP above all, should be restricted to specific IP addresses or private networks. Check the services you run as well: an NTP, portmapper or NetBIOS service reachable from the Internet is a reflector that someone else can aim at a victim.
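A check for the first of these, as an added example (not code from the original post or from any AWS tool): the Python below reads the JSON that `aws ec2 describe-security-groups` prints and lists every ingress rule that exposes something other than TCP 80/443 to an untrusted source. The SAMPLE document and the TRUSTED ranges are constructed for the example; substitute your own.

```python
"""Audit EC2 security groups for inbound rules beyond TCP 80/443.

Added example, not code from the original post or from AWS. It assumes the
JSON shape printed by `aws ec2 describe-security-groups` ("SecurityGroups"
-> "IpPermissions" -> "IpRanges"/"Ipv6Ranges") and flags every ingress rule
that admits UDP, every protocol, or a TCP port other than 80/443 from
outside an allow-list of trusted ranges. SAMPLE and TRUSTED are constructed
for the example, not taken from a real account.
"""
import ipaddress
import json
import sys

WEB_PORTS = {80, 443}
# Ranges allowed to reach non-web ports (assumed here: an office VPN and the VPC itself).
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/16")]

# Constructed sample in the describe-security-groups shape: a web tier with two stray rules.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []},
        ]},
    ]
}


def _ports(rule):
    """Port span a rule covers; protocol -1 means every port of every protocol."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _sources(rule):
    """CIDR sources of a rule. Security-group and prefix-list sources are not expanded here."""
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def is_trusted(net):
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def audit(groups):
    """Returns (group id, protocol, from port, to port, source, reason) for each exposed rule."""
    findings = []
    for group in groups["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            lo, hi = _ports(rule)
            for net in _sources(rule):
                if is_trusted(net):
                    continue
                if proto == "tcp" and lo == hi and lo in WEB_PORTS:
                    continue  # the only thing a public web tier should expose
                if proto == "udp":
                    reason = "exposes a UDP service, the transport reflection attacks abuse"
                elif proto == "-1":
                    reason = "exposes every protocol and port"
                elif proto in ("icmp", "icmpv6"):
                    reason = f"exposes {proto}"
                else:
                    reason = f"exposes {proto} port(s) {lo}-{hi} outside 80/443"
                findings.append((group["GroupId"], proto, lo, hi, str(net), reason))
    return findings


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-security-groups | python sg_audit.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for gid, proto, lo, hi, net, reason in audit(data):
        print(f"{gid}: {proto} {lo}-{hi} from {net}: {reason}")
```

On the sample it reports the UDP 123 rule open to the world and the all-protocols rule from an address outside the trusted ranges; the SSH rule passes only because its source is on the allow-list. Security groups are stateful, so an instance drops unsolicited UDP replies anyway; the point of closing UDP is that a service left open is a reflector someone else can aim at a third party. Neither setting helps once the link in front of you is full, which is what the upstream filtering described next is for.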

If you host a web application in your own data center, work with your upstream ISP, and their upstream, to route to your IP address or IP block only the specific TCP ports your business needs. Filtering at your own border does nothing once the link into it is saturated, which is why the filtering has to happen upstream. Do everything you can to reduce your attack surface.

