What are reflection and amplification attacks?

Overview

Reflection and amplification attacks breach the security of a network and put an organization's data at risk. Cyber attackers exploit loopholes in the system and flood the network with immense traffic, making the system unable to serve the regular traffic.

Reflection attack

A reflection attack falls under the category of denial-of-service (DoS) attacks.

• The attacker spoofs the victim's IP address and sends out a request for information by taking advantage of a publicly accessible User Datagram Protocol (UDP).
• The server usually cannot detect the spoofed IP address and considers the attacker's request legitimate.
• The request is served, and the response is forwarded to the victim's IP address, which the attacker forged. This is known as a reflection attack because the same protocol is used in both directions.
• The victim receives unwanted traffic on its limited bandwidth, which lowers its capacity to serve regular traffic.

Note: Any server that is open to the internet and is UDP-based can be used as a reflector by the attacker.

Amplification attack

An amplification attack also falls under the category of denial-of-service (DoS) attacks.

• The amplification factorIt is the ratio between the request and response sizes. is kept as high as possible.
• The attacker generates a high volume of packets that flood the victim's website without alerting the intermediary.
• The attacker takes advantage of a publicly accessible UDP and sends out a "trigger packet" that results in an extensive response to the request.
• Several requests are generated simultaneously, served by different vulnerable services. The attacker can do this, or a botnetA number of Internet-connected devices, affected and controlled by the same malware to perform DoS attacks. can be used.
• This amplifies the original request's response size and consumes a huge bandwidth of the victim.

Note: Requests containing the keyword "ANY" usually generate a lot of response traffic.

Reflection/amplification attack

A reflection/amplification attack is a combination of the two attacks that allows the attacker to generate an enormous amount of traffic and at the same time keep its identity hidden by spoofing the victim's IP address.

Such an attack overwhelms the victim and heavily disrupts the standard services by consuming a lot of bandwidth.

Detection

It is quite easy to identify these attacks because they generate a lot of unwanted traffic from the same source. Incoming packets rarely share a similar destination port. Therefore, we can easily identify an attack if this happens.

Prevention

We cannot block the source of the spoofed packets in reflection and amplification attacks because they depict a legitimate source. Hence, blocking that source can interfere with the normal traffic generated by that source.

We can implement the following preventive measures:

• Tighten the security of the DNS server.
• Block or close down unnecessary ports.
• Reduce the number of open DNS resolvers.
• A DNS-aware firewall ensures every response matches a request.
• A DNS Anycast distributes the traffic to different DNS servers.
• Rate limiting controls the rate of requests sent or received by NICNetwork Interface Controller.
• Threat intelligence services help organizations identify and block vulnerable servers.
• Traffic signature filters inspect every packet passing through the network and identify if they follow a repetitive structure.

Note: Reflection and amplification attacks mostly rely on exposed DNS, NTP, SNMP, SSDP, and other UDP/TCP-based services.