The Rising Danger of SYN Reflection DDoS Attacks


SYN reflection attacks are a sophisticated distributed denial of service – or DDoS – attack method that usually requires some skill to execute. However, SYN reflection attacks have recently grown in popularity as software developers in the criminal underground have begun to offer easy-to-use applications that use SYN reflection scripts in DDoS-as-a-Service applications. Now even novices can launch SYN reflection attacks. Learn more about the threat of SYN DDoS and DrDoS attacks in this short presentation.

Transcript of The Rising Danger of SYN Reflection DDoS Attacks

Page 1: The Rising Danger of SYN Reflection DDoS Attacks

www.prolexic.com

Denial of Service: SYN Reflection Attacks

How to protect your network

Page 2

SYN reflection attacks go mainstream

• Distributed reflection and amplification denial of service attack, or DrDoS

• Malicious use of the TCP/IP Internet communication handshake

• One of the more sophisticated DDoS attack methods

• Growing in popularity due to DDoS-as-a-Service apps

• Now even a novice can launch a SYN attack

Page 3

DDoS-as-a-Service: Even a novice can do it

• Malicious actors wrap web-based user interfaces around sophisticated scripts

• Convenient DDoS-as-a-Service apps

• Attackers can launch the DDoS app from a smartphone or computer

Page 4

SYN reflection attack: Misuse of the TCP handshake

• The attacker’s target must support the Transmission Control Protocol (TCP), a common Internet protocol

• TCP lets computers transmit data over the Internet, such as web pages and email

• Before data is transmitted between machines, the computers must first establish a connection by a multi-step SYN-ACK handshake

• If a handshake cannot be completed, the computers repeat the attempt

Page 5

What is a SYN flood?

• SYN connection requests are repeated in rapid succession, until the target is overwhelmed

Page 6

Spoofing misdirects the handshakes

• At least three systems are involved:

  – The attacker’s

  – An intermediary victim – one or many

  – The target

• Spoofing allows the attacker to pretend the target server is the source of the handshake requests

• The attacker gets the victim to try to connect to the target

• Excessive connection requests overwhelm the victim and the target

Page 7

What is a SYN reflection attack?

• A malicious actor bounces SYN requests off an intermediary victim machine
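An added example, not part of the original presentation: seen from the target, the reflected traffic described on pages 4 to 7 is a stream of SYN-ACKs that answer no SYN the target ever sent, repeated as each intermediary retries its unfinished handshake. The sketch below flags those packets in a constructed packet summary; the record layout, addresses and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records as seen at the target's network edge:
# (time_s, direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# 192.0.2.10 is the protected server; all addresses are documentation ranges.
SAMPLE = [
    (0.0, "out", "192.0.2.10", 40001, "198.51.100.7", 443, "S"),
    (0.1, "in", "198.51.100.7", 443, "192.0.2.10", 40001, "SA"),  # solicited
    (1.0, "in", "203.0.113.5", 80, "192.0.2.10", 51515, "SA"),    # unsolicited
    (2.0, "in", "203.0.113.5", 80, "192.0.2.10", 51515, "SA"),    # retry
    (4.0, "in", "203.0.113.5", 80, "192.0.2.10", 51515, "SA"),    # retry
    (1.2, "in", "203.0.113.9", 22, "192.0.2.10", 51516, "SA"),    # unsolicited
    (3.2, "in", "203.0.113.9", 22, "192.0.2.10", 51516, "SA"),    # retry
]

def find_reflected_synacks(records):
    """Return (per-reflector, per-flow) counts of unsolicited SYN-ACKs."""
    pending = set()            # outbound SYNs the server really sent (4-tuples)
    per_reflector = Counter()  # source IP of the intermediary -> packet count
    per_flow = Counter()       # full 4-tuple -> first reply plus retries
    for _, direction, src, sport, dst, dport, flags in sorted(records):
        if direction == "out" and flags == "S":
            pending.add((src, sport, dst, dport))
        elif direction == "in" and flags == "SA":
            # A genuine SYN-ACK answers a SYN we sent: same 4-tuple, reversed.
            if (dst, dport, src, sport) in pending:
                continue
            per_reflector[src] += 1
            per_flow[(src, sport, dst, dport)] += 1
    return per_reflector, per_flow

def retry_amplification(per_flow):
    """Average SYN-ACKs received per spoofed SYN (first reply plus retries)."""
    return sum(per_flow.values()) / len(per_flow) if per_flow else 0.0

if __name__ == "__main__":
    reflectors, flows = find_reflected_synacks(SAMPLE)
    for ip, count in reflectors.most_common():
        print(f"{ip}: {count} unsolicited SYN-ACKs")
    print(f"SYN-ACKs per spoofed SYN: {retry_amplification(flows):.1f}")
```

On live traffic the `pending` set would need entries to expire after a handshake timeout; it is left unbounded here to keep the matching logic visible.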

Page 8

SYN attack mitigation: Minimize backscatter from mitigation devices

• Automated mitigation devices challenge incoming SYN requests to check that they are legitimate

• But unmanned DDoS mitigation devices can create backscatter, compounding the effects of an attack

• The mitigation equipment will keep challenging the request from the spoofed IP address

• The result is backscatter toward the target server

• Packet analysis can minimize backscatter

Page 9

Learn more in the white paper

• Download the DrDoS white paper: Analysis of SYN Reflection Attacks

• In this white paper, you’ll learn:

  – Why SYN reflection attacks create so much damage

  – How attackers misuse the TCP handshake

  – The problem of backscatter

  – SYN reflection attack scenario

  – Three common SYN reflection techniques

  – SYN mitigation techniques

  – Attack signature to identify and stop spoofed SYN reflection attacks

Page 10

About Prolexic

• Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services.

• Prolexic has successfully stopped DDoS attacks for more than a decade.

• We can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers.