The State of TCP Reflection Attacks

• TCP refection attacks are fairly old and fell out of the picture with mitigations and other attacks popping up.
• But in a change of trend, these attacks seem to be getting popular again.

What are TCP reflection attacks?

Reflection attacks involve the attacker sending forged packets with spoofed source IP addresses to a reflector service.

• The address is set to the victim’s IP address, consequently overwhelming the victim with response packets from the reflector service.
• Generating SYN packet reflectors and finding the ports that will cause massive levels of amplification are quite easy, especially for skilled hackers.
• This type of attack also has a secondary victim, the reflector services. These may be randomly selected small services that may not have the capability to deal with such large numbers of requests pouring in.
• This may result in these secondary victims facing unexpected spikes in traffic and outages.

Then vs Now

One of the earliest reflection attacks was authored in the early 90s, called a Smurf Attack.

• As time passed, a number of other attacks came up and the TCP reflection attack became less common.
• UDP attack vectors became quite popular, causing severe impact and outage of services.
• However, this attack seems to be rediscovered by criminals after about 20 years as a result of changing trends.

Mitigating TCP reflection attacks

Defending against TCP reflection attacks is quite a challenge. Although you can block the attacker’s IP address, it isn’t very effective because the attacker spoofs legitimate addresses.

Expert opinion

“We expect this attack vector to be included in the DDoS landscape going forward. Expect to see TCP amplification used in parallel with UDP amplification as part of a multi-vector campaign designed to defeat mitigation defenses,” say security experts.