Reflection Attacks and Amplification Attacks

Here are two types of attacks that are intended to monopolize your system’s resources.

Reflection Attacks

Reflection attacks are attacks that use the same protocol in both directions. The attacker spoofs the victim’s IP address and sends a request for information via UDP to servers known to respond to that type of request. The server answers the request and sends the response to the victim’s IP address. From the servers’ perspective, it was the victim who sent the original request. All the data from those servers pile up, congesting the target’s Internet connectivity. With the maximized bandwidth, normal traffic cannot be serviced and clients cannot connect. Any server open to the Internet and running UDP-based services can be used as a reflector.

Amplification Attacks

Amplification attacks generate a high volume of packets to flood the target website without alerting the intermediary, by returning a large reply to a small request. The basic defense against these attacks is blocking spoofed-source packets.

amplification attacks

Amplification attacks increase the amount of data passing around.

DNS amplification attacks for example use DNS requests with a spoofed source address as the target.

As you can see, an attacker uses a modest number of machines with little bandwidth to send fairly substantial attacks. This is done by spoofing the source IP of the DNS request such that the response is not sent back to the computer that issued the request, but instead to the victim. Using very simple tools the attacker can send many thousands of spoofed requests to open revolvers, and the responses — which are much larger than the request — amplify the amount of bandwidth sent to the victim.