The
next generation of
distributed denial of service attack (
DDoS). A distributed reflection denial of service attack (
DRDoS -- no relation to
DR-DOS) uses an ingenious variation on the traditional
SYN attack to actually trick innocent
servers and core infrastructure
routers into unknowingly executing a DDoS attack.
The attack is surprisingly simple. The first step is to execute a traditional SYN attack on a large number of servers or routers. But instead of sending SYN packets with random fake source IPs, the attacker sends SYN packets that look like they originate from the victim's IP address. This causes a "reflection"...basically, every server that recieves a SYN packet thinks that the packet came from the victim's address, so they all respond in an attempt to finish the handshake. This can flood the victim's network very effectively, and is nearly impossible to block without completely shutting out all incoming packets, since the flooding packets can originate from a vast range of standard TCP ports.