What is DrDoS?

DrDoS stands for Distributed Reflection Denial of Service attack. DrDoS techniques usually involve multiple victim machines that unwittingly participate in a DDoS attack on the attacker’s target. Requests sent to the victim host machines carry the target’s address as their source, so the responses are redirected, or reflected, from the victim hosts to the target. Usually those responses are also larger than the requests, so the attack traffic is amplified as well.

Why do attackers like DrDoS attacks?

Anonymity is one advantage of the DrDoS attack method. In a DrDoS attack, the target site appears to be attacked by the victim servers, not by the actual attacker. This is achieved by spoofing: faking the source address of the request.

Amplification is another advantage of the DrDoS attack method. By involving multiple victim servers, an attacker’s initial request yields a response that is larger than what was sent. This increases the attack bandwidth and makes a denial of service outage more likely.

What Internet protocols are used in DrDoS attacks?

DDoS attackers have been abusing the following protocols on Internet-exposed devices and servers to launch attacks that generate floods of traffic and cause website and network outages at enterprise targets:

  • Character Generator Protocol (CHARGEN) is intended for network testing and debugging. CHARGEN is rarely used in production environments; legacy systems or misconfigured servers are often the sources of unwanted CHARGEN traffic;
  • Domain Name System (DNS) is used to translate between numerical IP addresses and domain names, allowing users to type web addresses into browsers;
  • Network Time Protocol (NTP) is used for time synchronization by Internet servers;
  • Simple Network Management Protocol (SNMP) is used to manage Internet devices such as printers, switches, firewalls and routers;
  • Simple Service Discovery Protocol (SSDP) is used by Universal Plug and Play (UPnP) devices, such as home and office devices, including routers, media servers, web cams, smart TVs and printers.

How does a DrDoS attack work?

In Figure 1, a malicious actor is shown carrying out a DrDoS attack. The malicious actor makes it appear to each victim host server that the primary target is contacting it with a request. The victim host servers therefore respond to the target, which they mistakenly believe sent the initial request (the spoof). The reflected denial of service attack is called distributed because multiple victim host servers are involved. The attacker may be a single actor or multiple actors.
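From the target's side, the flow in Figure 1 has a recognisable shape: replies arrive from well-known UDP service ports on many different hosts, and no matching requests ever left the target's network. The following detector is an added example, not code from the original FAQ or from the figure's author. It runs over constructed flow records (hypothetical addresses from the documentation ranges) of the kind a NetFlow/IPFIX collector at the target's edge would export, and it also reflects the amplification point made earlier by summing the unsolicited response volume per protocol. The port-to-protocol table and the `min_reflectors` threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports of the protocols the FAQ lists as abused for reflection
# (assumed mapping for this example).
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow as a collector would summarise it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    octets: int


# Constructed sample flows as seen at the target's network edge (not real data).
# 203.0.113.10 is the target; 198.51.100.x and 192.0.2.x play the victims/reflectors.
SAMPLE_FLOWS = [
    # Legitimate exchange: the target sends a DNS query and receives one answer.
    Flow("203.0.113.10", 50001, "198.51.100.53", 53, 70),
    Flow("198.51.100.53", 53, "203.0.113.10", 50001, 210),
    # Attack: NTP responses from five reflectors; no matching queries left the edge.
    Flow("192.0.2.11", 123, "203.0.113.10", 80, 4400),
    Flow("192.0.2.12", 123, "203.0.113.10", 80, 4400),
    Flow("192.0.2.13", 123, "203.0.113.10", 80, 4400),
    Flow("192.0.2.14", 123, "203.0.113.10", 80, 4400),
    Flow("192.0.2.15", 123, "203.0.113.10", 80, 4400),
    # Attack: SSDP responses from three reflectors to the same target.
    Flow("192.0.2.21", 1900, "203.0.113.10", 80, 1200),
    Flow("192.0.2.22", 1900, "203.0.113.10", 80, 1200),
    Flow("192.0.2.23", 1900, "203.0.113.10", 80, 1200),
    # Noise: a single unsolicited SNMP reply, below the reflector threshold.
    Flow("192.0.2.31", 161, "203.0.113.10", 80, 300),
]


def detect_reflection(flows, min_reflectors=3):
    """Return {(target_ip, protocol): {"reflectors": n, "octets": total}} for every
    target that received unsolicited replies from at least min_reflectors hosts."""
    # Requests the target really sent, keyed so a reply can be matched to them:
    # (requester, service host, service port, requester's ephemeral port).
    requests = {
        (f.src_ip, f.dst_ip, f.dst_port, f.src_port)
        for f in flows
        if f.dst_port in REFLECTOR_PORTS
    }
    unsolicited = defaultdict(lambda: {"reflectors": set(), "octets": 0})
    for f in flows:
        if f.src_port not in REFLECTOR_PORTS:
            continue  # not a reply from a reflectable service
        if (f.dst_ip, f.src_ip, f.src_port, f.dst_port) in requests:
            continue  # genuine reply to a request the target sent
        key = (f.dst_ip, REFLECTOR_PORTS[f.src_port])
        unsolicited[key]["reflectors"].add(f.src_ip)
        unsolicited[key]["octets"] += f.octets
    return {
        key: {"reflectors": len(agg["reflectors"]), "octets": agg["octets"]}
        for key, agg in unsolicited.items()
        if len(agg["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    for (target, proto), finding in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{target}: {finding['reflectors']} {proto} reflectors, "
              f"{finding['octets']} unsolicited octets")
```

The matching step is what separates a reflection flood from ordinary traffic: the legitimate DNS answer is ignored because the target's own query is in the flow set, while the NTP and SSDP replies have no outbound counterpart and fan in from several hosts. On a real collector feed the same logic would be applied per time window, and the lone SNMP reply shows why a distinct-reflector threshold is needed to keep stray replies from paging anyone.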

What is a malicious actor?

The originating source of spoofed requests that generate the DrDoS attack traffic. The bad guy.

What is a victim in a DrDoS attack?

A server with an application service that responds to the actor’s spoofed requests and thus participates in the attack is called a victim. The victim is not the ultimate target, but just a resource for the attacker to abuse. By unwittingly participating in the attack, however, the victim server or device can be overwhelmed, reducing its ability to respond to legitimate communications from other users.

What is the target in a DrDoS attack?

The final destination of the attack traffic is the target.

What is spoofing?

Spoofing is the deliberate act of hiding the source of a DrDoS attack by creating TCP/IP packets that carry a third party’s IP address (typically the target’s address) as the source instead of the true source IP address.
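Spoofed packets of this kind can only be stopped close to where they originate, before their source addresses have mixed with everyone else's: a network that forwards traffic only from source addresses it has actually assigned (the ingress filtering described in BCP 38) never lets the spoofed request leave. The simulation below is an added example, not code from the original FAQ; the prefixes and packets are constructed from the documentation address ranges, and the `ingress_filter` function is a hypothetical model of what an access router's source-address check does.

```python
import ipaddress

# Constructed example: prefixes legitimately assigned to the hosts behind an
# access interface (hypothetical values).
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed packets arriving from the customer side: (source, destination).
# The second and fourth claim a source outside the assigned prefixes, which is
# exactly what a spoofed DrDoS request looks like at this point.
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.53"),      # genuine host, allowed
    ("192.0.2.10", "198.51.100.53"),       # claims someone else's address, dropped
    ("2001:db8:1::42", "2001:db8:2::53"),  # genuine IPv6 host, allowed
    ("2001:db8:9::1", "2001:db8:2::53"),   # spoofed IPv6 source, dropped
]


def ingress_filter(packets, assigned_prefixes):
    """Model of BCP 38 ingress filtering on an access interface.

    Forwards a packet only when its source address falls inside a prefix that
    the interface is known to serve; everything else is dropped. Returns
    (forwarded, dropped) as two lists of packets."""
    forwarded, dropped = [], []
    for src, dst in packets:
        src_addr = ipaddress.ip_address(src)
        if any(src_addr in prefix for prefix in assigned_prefixes):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = ingress_filter(SAMPLE_PACKETS, ASSIGNED_PREFIXES)
    for pkt in drp:
        print("dropped spoofed source:", pkt[0])
    print(f"{len(fwd)} forwarded, {len(drp)} dropped")
```

The check has to live on the interface facing the hosts, where the set of legitimate source addresses is small and known; once traffic from many networks has been aggregated upstream, a router can no longer tell a spoofed source from a legitimate one, which is why the target of a DrDoS attack cannot apply this filter itself.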

Learn more about DrDoS attacks

  • Crafted DNS TXT Attack, a threat advisory;
  • SSDP Reflection DDoS Attacks, a threat advisory;
  • SNMP Reflector, a threat advisory;
  • NTP Amplification, a threat advisory;
  • Domain Name System (DNS) Flooder, a threat advisory;
  • Reflection Attack Tools and the DDoS Marketplace, a white paper;
  • Multiplayer video gaming attacks, a DrDoS white paper;
  • SYN reflection attacks, a DrDoS white paper;
  • SNMP, NTP and CHARGEN attacks, a DrDoS white paper;
  • DNS Reflection, a DrDoS white paper;
  • SNMP Amp (SAD), a threat advisory.