A Next-Generation DoS Attack: ‘Distributed Reflection’

Denial-of-service (DoS) attacks just got worse - and easier! DoS is actually a grab bag of a great many techniques (such as worms and SYN flooding), all with the objective of denying legitimate clients access to services running on Internet based servers.

So, let's be specific - this next generation of DoS attacks uses the SYN flooding method but with a twist. It doesn't send millions of SYN packets to the server under attack but 'reflects' them off of any router or server connected to the Internet; and there are millions!

To understand how it works and why you should be very concerned, let's go back to the classroom. The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP three-way handshake. Here's how it works:

  • SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server.
  • SYN/ACK: When a connection-requesting SYN packet is received at an 'open' TCP service port, the server's operating system replies with a connection-accepting SYN/ACK packet.
  • ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.

What Happens During a 'Reflection' Attack?

Traditional SYN flooding DoS attacks are either one-on-one (one machine sending out enough SYN packets to the target machine to effectively choke off access to the other machine) or many-on-one (SYN flooding 'zombie' programs loaded by the attacker into compromised machines and commanded by the attacker to send huge volumes of SYN commands to the target machine). With a reflection SYN flooding attack the attacking machines send out huge volumes of SYN packets but with the IP source address pointing to the target machine. The TCP three-way handshake requires that any TCP based service that receives a SYN packet must respond with a SYN/ACK packet. The servers and routers that receive these fraudulent SYN packets dutifully send out the SYN/ACK packet to the machine pointed to by the SYN packets IP source address. The Internet's most basic protocol and core infrastructure is used against itself!

Since we have been dealing with this for some time, how bad is it really?

Consider this, any general-purpose TCP connection-accepting Internet server could be used to reflect SYN packets. Here is a short list of the more popular TCP ports: 22 (Secure Shell), 23 (Telnet), 53 (DNS) and 80 (HTTP/web). And, virtually all of the Internet's routers will accept TCP connections on port 179. To fully comprehend the potential of this new form of DoS attack consider this:

  • it uses a fundamental Internet communications protocol;
  • machines that use this protocol exist in the millions;
  • it is extremely easy to generate a list of 'SYN packet reflectors'.

Generating and Using the 'SYN Packet Reflector' List

A simple script can be constructed to collect a large number of 'SYN packet reflection' capable routers and servers. Well-known web server farms, such as eBay and Yahoo, are easily available. Simple port scans through high bandwidth IP regions will reveal thousands, if not millions, of available TCP servers. Readily available tools such as Trace Route provide the IP address of every Internet router between the tracer and any other IP address.

Given a large list of SYN packet reflectors, each SYN spoofing attack host can distribute its fraudulent SYN packets evenly across every reflector on its list. The big win for the attacker is that since the SYN flooding machine is distributing its packets across a huge number of SYN packet reflectors, none of the innocent reflectors will experience significant levels of incomplete TCP connections. And, since routers generally do not retain any record of previously routed packets, it makes tracking an attack from the victim to the attacker extremely difficult.

Things get worse.

As if ease of attack and ubiquity of reflectors were not bad enough, it turns out that the reflectors will generate three or four times more SYN/ACK packets than the number of SYN packets they receive. Since the TCP connection that receives the SYN command is expecting to receive an ACK back from the machine it sent the SYN/ACK response to, it will send out three or four more SYN/ACK responses over the next few minutes. This TCP protocol feature essentially multiplies the number of malicious SYN/ACK packets being sent to the target machine by a factor of three or four. It also means that the flood of SYN/ACK packets will continue to disable the target site for a minute or two even after the attacker has called off the attack.

Collateral Damage

The basic connection unit in the Internet is the router. Some routers serve only a small number of machines while other 'aggregation routers' collect and disperse large amounts of packet traffic from smaller networks. During normal operations, the traffic flowing through the aggregation routers can be sorted and forwarded to the router's various lower bandwidth client networks. Now imagine a SYN/ACK flood that is so large that it starts to degrade the performance of the aggregation router. Having to process and disperse so many packets to the client networks, the router will drop and discard a portion of the packets. Legitimate Internet clients, trying to access resources that have nothing to do with the target under attack, will also experience degraded, or complete denial of, service.

What Can Be Done?

Unfortunately there is no short or easy answer. However, here are some defense tactics:

  • Routers can be configured to filter (drop) packets destined for a particular address or group of addresses. Router port 179 can be blocked as a reflector.
  • Since reflected SYN/ACK packets must bounce off a TCP server, and since almost all common service ports fall within the range from 1 to 1023, blocking all inbound packets originating from the service port range will block most of the traffic being innocently generated by reflection servers. Holes in the reflection filter may have to be created to allow legitimate traffic to pass through.
  • Block all inbound packets to high-numbered service ports. This has the undesirable effect that legitimate clients of the protected server could be generating connections from those blocked ports.
  • End-user client machines cannot be protected. Most client machines spend all of their time connecting to remote servers all over the Internet and require access to data coming back from many of the most common low-numbered service ports.
  • Servers could be programmed to recognize a SYN source IP address that never completes its connections and has an anomalous number of failed connections occurring within a period of time. The target of the reflection attack could be easily determined and the SYN/ACK response could be temporarily turned off.
  • ISPs could prevent the transmission of fraudulently addressed packets (packets with an IP source address not within their source address space) from within their controlled networks.
  • This control mechanism alone would have a major dampening effect on this type of attack.


Business and commerce continue to forge ahead with integration to the Internet. The cost of bandwidth and connected machines continues to drop. As the techniques for mounting attacks on Internet residents becomes easier and more powerful, we will undoubtedly see a continued rise in the number and ferocity of attacks. And human ingenuity virtually guarantees that we will see continued innovation in the attack techniques themselves.

Rodney Denno is principal consultant, Open Systems Security (


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.