Reflection Attack – Cisco Attacks and Threats

Reflection attacks use well-connected servers to reflect and amplify a DDoS attack. Figure 19-5 illustrates a reflection attack.

Figure 19-5 DDoS Reflection Attack

A DDoS reflection attack proceeds in two steps, as shown in Figure 19-5.

In the first step, shown as (1), the attacker instructs the members of the botnet to send large volumes of traffic to well-known servers on the Internet (for external DDoS attacks) or within an organization’s network (for internal DDoS attacks).

DNS servers are a favorite reflection target because they are almost always connected using high-speed links. DNS servers generally run on high-performance hardware and will almost always answer requests from any IP address connected anywhere on the network.

Attackers configure the botnet members to send

• Packets sourced from the victim’s IP address (the source address is spoofed).

• Small DNS queries resulting in multipart responses.

In the second step, shown as (2), the DNS server will respond to these queries by sending large packets full of information to the victim’s address, consuming link bandwidth.

Reflection attacks do not burn the botnet because the attack uses spoofed source addresses. It is nearly impossible to track down the actual source of a packet with a spoofed source address.

Attackers can use smaller botnets for reflection attacks because the attack is amplified in the reflection process. Even if part of their botnet is discovered and corrected, the odds of losing a significant portion are much lower in a reflection attack.
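The two symptoms described above can both be seen in flow records: the victim's edge receives DNS responses that no host behind it ever requested, and the abused resolver sends far more bytes back to the "client" than it received in queries. The detector below is an added example, not code from the book; it assumes a constructed flow-record shape (source, destination, ports, DNS QR bit, byte count) rather than any real exporter's format, and the address ranges and thresholds are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsFlow:
    """One aggregated UDP/53 flow record (constructed shape, not a real exporter's)."""
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # UDP source port
    dport: int      # UDP destination port
    response: bool  # True if the payload is a DNS response (QR bit set)
    nbytes: int     # total payload bytes in the record

def analyze_dns_flows(flows, min_ratio=10.0, min_bytes=100_000):
    """Group flows by (client, server) and flag two reflection symptoms:
    'unsolicited' (answers reach a client that sent no query: the victim's view) and
    'amplified' (answers outweigh queries by >= min_ratio: the abused resolver's view).
    Returns a list of (symptom, client, server, query_bytes, response_bytes)."""
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for f in flows:
        if not f.response and f.dport == 53:
            query_bytes[(f.src, f.dst)] += f.nbytes      # client -> server
        elif f.response and f.sport == 53:
            response_bytes[(f.dst, f.src)] += f.nbytes   # server -> client
    findings = []
    for pair, rbytes in sorted(response_bytes.items()):
        client, server = pair
        qbytes = query_bytes.get(pair, 0)
        if rbytes < min_bytes:
            continue  # too little response traffic to matter either way
        if qbytes == 0:
            findings.append(("unsolicited", client, server, qbytes, rbytes))
        elif rbytes / qbytes >= min_ratio:
            findings.append(("amplified", client, server, qbytes, rbytes))
    return findings

# Constructed sample records using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # Legitimate lookup: small query, modestly larger answer.
    DnsFlow("192.0.2.5", "198.51.100.1", 40001, 53, False, 60),
    DnsFlow("198.51.100.1", "192.0.2.5", 53, 40001, True, 180),
    # Seen at the victim's edge: large answers arrive, but no query ever left.
    DnsFlow("198.51.100.1", "203.0.113.10", 53, 40002, True, 900_000),
    # Seen at an abused resolver: tiny queries "from" the victim, huge answers back.
    DnsFlow("203.0.113.10", "198.51.100.2", 40003, 53, False, 32_000),
    DnsFlow("198.51.100.2", "203.0.113.10", 53, 40003, True, 1_600_000),
]
```

Either finding for the same client address is a reason to contact the resolver's operator or the victim's upstream; both together are the signature of an amplified reflection attack in progress.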

Resource Exhaustion

Attackers can also exhaust resources other than bandwidth.

Some examples include

• The DNS cache on a recursive server. Many recursive servers time out cached query responses more quickly as the cache fills, but a clever attacker can issue a series of queries just fast enough to fill the recursive server’s cache without triggering its cache-reduction process.

• The Transmission Control Protocol (TCP) cache of half-open sessions. A server must keep track of every TCP open message it acknowledges. Once the client acknowledges the server’s initial acknowledgment, the server can move the session into the open state and transmit data. If an attacker sends enough TCP open messages to a server quickly enough, the server can run out of room to store half-open session information and stop accepting new sessions.

• The Network Address Translation (NAT) cache on smaller routers and switches. Each NAT translation must be stored in memory; forcing a router or switch to add thousands (or even millions) of new translations quickly can overflow the NAT cache. Once a router or switch runs out of NAT translation storage, it stops accepting new connections or randomly drops old ones.

An attacker can exhaust thousands of different resources on hosts, servers, and middleboxes. There is always some new way of attacking network-connected devices no one has thought of before.

Chapter Review

This chapter began with a taxonomy of terms: what are attack surfaces, vulnerabilities, threats, exploits, and risks?

Understanding these terms gives you a good grounding in the world of security.

The next section explained how an attacker can gain access to your network. In all its many forms, social engineering is the most common way attackers gain access to a beachhead within a network. Poor configuration is the second; it is amazing how many news reports of data breaches say “an unprotected database was left on a cloud service instance” or “the attacker gained access through a network device configured with the manufacturer’s default passwords.”

We then moved to three things attackers do once they have gained access to a network, including installing C2, data exfiltration, and ransomware. The last topic of discussion was denial-of-service attacks.

This chapter has largely been “bad news”—all the different ways an attacker can access your network and what they can do once they have gained access. The next chapter discusses “good news”—how network engineers and security professionals deploy to counter many of these vulnerabilities.

One key to doing well on the exams is to perform repetitive spaced review sessions. Review this chapter’s material using either the tools in the book or the interactive tools for the same material found on the book’s companion website. Refer to the online Appendix D, “Study Planner,” for more details.

Table 19-2 outlines the key review elements and where you can find them. To better track your study progress, record when you completed these activities in the second column.

Table 19-2 Chapter Review Tracking
