(The next generation of distributed denial of service attack). A distributed reflection denial of service attack (DRDoS -- no relation to DR-DOS) uses an ingenious variation on the traditional SYN attack to actually trick innocent servers and core infrastructure routers into unknowingly executing a DDoS attack.
The attack is surprisingly simple. The first step is to execute a traditional SYN attack on a large number of servers or routers. But instead of sending SYN packets with random fake source IPs, the attacker sends SYN packets that look like they originate from the victim's IP address. This causes a "reflection": every server that receives a SYN packet thinks that the packet came from the victim's address, so they all respond with SYN/ACK packets in an attempt to finish the handshake. This can flood the victim's network very effectively, and is nearly impossible to block without completely shutting out all incoming packets, since the flooding packets can originate from a vast range of standard TCP ports.
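As an added illustration of what the victim's border sees during such a reflection (this is example code written for this page, not part of the original post), the following Python script models the traffic from the defender's side: it tracks the SYNs the victim itself sends, so that an incoming SYN/ACK with no matching outbound SYN can be recognised as a reflected reply, and it summarises the spread of reflector addresses and service ports that gives the attack its signature. All addresses and packets are constructed sample data (documentation IP ranges), and the threshold values are assumptions chosen for the example.

```python
"""Classify incoming TCP SYN/ACKs at a victim's network edge as solicited
(a reply to a SYN the victim sent) or unsolicited (a reflected reply to a
SYN someone else sent with the victim's spoofed source address)."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")

VICTIM = "203.0.113.10"  # constructed victim address (RFC 5737 documentation range)

# Constructed sample traffic in time order, as observed at the victim's border.
# direction "out" = sent by the victim, "in" = arriving at the victim.
# flags "S" = SYN, "SA" = SYN/ACK.
SAMPLE_PACKETS = [
    Packet("out", VICTIM, 51234, "198.51.100.5", 80, "S"),   # victim's own connection
    Packet("in", "198.51.100.5", 80, VICTIM, 51234, "SA"),  # legitimate handshake reply
    # Replies from many reflectors on many standard service ports that the
    # victim never contacted: the reflection pattern described in the text.
    Packet("in", "192.0.2.1", 80, VICTIM, 40001, "SA"),
    Packet("in", "192.0.2.2", 443, VICTIM, 40002, "SA"),
    Packet("in", "192.0.2.3", 22, VICTIM, 40003, "SA"),
    Packet("in", "192.0.2.4", 179, VICTIM, 40004, "SA"),   # BGP port on a core router
    Packet("in", "192.0.2.5", 25, VICTIM, 40005, "SA"),
    Packet("in", "192.0.2.1", 80, VICTIM, 40006, "SA"),
]


def classify_synacks(packets):
    """Return (solicited, unsolicited) lists of incoming SYN/ACK packets.

    A SYN/ACK is solicited only if the victim previously sent a SYN to that
    remote address and port from the local port the SYN/ACK is addressed to.
    """
    outstanding = set()   # (remote_ip, remote_port, local_port) of SYNs we sent
    solicited, unsolicited = [], []
    for p in packets:
        if p.direction == "out" and p.flags == "S":
            outstanding.add((p.dst, p.dport, p.sport))
        elif p.direction == "in" and p.flags == "SA":
            key = (p.src, p.sport, p.dport)
            if key in outstanding:
                outstanding.discard(key)
                solicited.append(p)
            else:
                unsolicited.append(p)
    return solicited, unsolicited


def reflection_summary(unsolicited):
    """Summarise the reflector spread of the unsolicited SYN/ACKs."""
    reflectors = Counter(p.src for p in unsolicited)
    ports = Counter(p.sport for p in unsolicited)
    return {
        "unsolicited": len(unsolicited),
        "distinct_reflectors": len(reflectors),
        "distinct_service_ports": len(ports),
        "top_reflectors": reflectors.most_common(3),
    }


def is_reflection_flood(packets, min_unsolicited=5, min_reflectors=3):
    """Assumed thresholds: a handful of unsolicited SYN/ACKs from several
    distinct sources is treated as a reflection flood for this example."""
    _, unsolicited = classify_synacks(packets)
    summary = reflection_summary(unsolicited)
    return (summary["unsolicited"] >= min_unsolicited
            and summary["distinct_reflectors"] >= min_reflectors)


if __name__ == "__main__":
    sol, unsol = classify_synacks(SAMPLE_PACKETS)
    print("solicited SYN/ACKs:", len(sol))
    print("unsolicited SYN/ACKs:", reflection_summary(unsol))
    print("reflection flood detected:", is_reflection_flood(SAMPLE_PACKETS))
```

The design point is that each reflected packet looks like a perfectly normal handshake reply from a legitimate server on a legitimate port, which is why filtering on source address or source port alone fails; only state about the victim's own outbound SYNs distinguishes the two.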