DDoS Attacks That Employ TCP Amplification Cause Network Congestion, Secondary Outages

Over the past month, threat actors have been using a relatively non-conventional approach to mount a flurry of distributed denial-of-service (DDoS) attacks: through TCP amplification.

Security company Radware shared its observations on multiple campaigns involving Transmission Control Protocol (TCP) reflection attacks, specifically SYN-ACK reflection attacks, against companies across the world. The scope of the impact was said to spread on the account that the attacks did not only affect the intended targets, but the networks used to generate the DDoS flood as well.

The affected networks were flooded with SYN traffic and used as reflection services, which led to network congestion and, in some cases, secondary outages. The targets may also be at risk of being blacklisted by network administrators because of the spoofed SYN requests.

How the DDoS attacks are facilitated

In the case of this TCP SYN-ACK reflection attack, the threat actors send a SYN packet, which is designed to appear as if it originated from the target’s network IP address, to a number of random or preselected reflection IP addresses or reflection services. These addresses respond to the spoofed SYN packet through a SYN-ACK packet sent to the target network.

If the network does not respond as expected, the IP address will continue to retransmit the SYN-ACK packet in an attempt to establish a three-way handshake, ensuing in amplification. The amount of amplification depends on the number of retransmits by the reflection service, which could be determined by the attacker. The more the reflection IP sends the SYN-ACK requests to the target network, the higher the amplification gets.

IP Address Spoofing on User Datagram Protocol
UDP is a connectionless protocol and, as such, unlike Transmission Control Protocol (TCP), has no handshake phase, in which the two endpoints agree on a sequence number that identifies a connection. This means that if an attacker A sends a UDP packet with a spoofed source IP address B to an endpoint C, C will have no way to verify whether that packet comes from B or A.

DDoS attacks by way of TCP reflection is unusual since some believe that such an attack will not be able to amplify enough traffic to the extent that UDP-based reflections can, the research furthermore states. However, independent research found that many internet-connected devices can be abused for amplification up to a factor of almost 80,000x and retransmit more than 5,000 SYN-ACK packets within 60 seconds, if needed.

Preventing DDoS and TCP reflection attacks

Organizations are recommended to regularly monitor network activities and apply the latest system patches to defend against risks associated with DDoS attacks, including TCP-related malicious activities. Having a connected defense strategy and multilayered security with mechanisms such as DDoS protection and web reputation capabilities are essential in preventing such attacks.

Organizations will benefit from having inbound and outbound traffic monitoring through network intrusion tools like Trend Micro™ Deep Discovery Inspector™ and TippingPoint. Another consideration is to review if network providers have implemented anti-spoofing, such as BCP 38 & 84, to ensure spoofed packets used in DDoS reflection attacks do not get into networks. Trend Micro™ Deep Security™ also provides network security capabilities such as deep packet inspection, intrusion prevention system (IPS), and host firewall.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Cyber Attacks, DDoS