DDoS Attack Overview
Even though a DoS attack can devastate a system, it can be easily stopped when proper protection is deployed. However, things get more difficult when thousands of attackers initiate the same attack simultaneously.
This type of DoS is called a Distributed Denial of Service (DDoS) attack and is generated from networks consisting of compromised systems, also known as botnets. A botnet consists of a group of devices, also known as zombies (because they run bots in the background), and a master control mechanism used to provide instructions to the zombie machines.
The attacker controls the zombie machines through a command and control (C&C) server to which they are connected, traditionally over IRC. Besides listening for instructions and executing the requested actions, the bots have a worm-like ability to self-propagate, gather passwords, capture packets, and even open back doors on the infected hosts.
Based on the figure above, the attacker plans to launch a DDoS attack against the victim’s infrastructure using thousands of zombie computers infected with bots. Because the zombies are connected to the C&C server and always ready to attack, they start the DDoS attack as soon as the attacker sends commands over IRC or another channel, such as a bot-specific P2P network or even Twitter.
DDoS attacks are a popular method used by cybercriminals to disrupt online services, extort money from businesses, or even as a form of protest.
Reflection Attacks
A reflection attack is a type of DoS attack in which an attacker uses a network of internet-connected devices to send a large amount of traffic to a victim's system, overwhelming it so that it slows down or even crashes.
In a reflection attack, the attacker sends a flood of request packets (which can be of any protocol) to many random hosts called reflectors. The unique part about this type of attack is that all the packets the attacker sends actually spoof the victim’s IP address.
Using the victim’s IP address as the traffic source allows the attacker to redirect, and potentially amplify, the return traffic toward the victim. This amplification effect is what makes reflection attacks particularly effective and dangerous. When the reflectors reply with response packets, those replies go to the spoofed source address, so they flood the victim instead of the attacker.
As a result, the victim might experience high resource consumption, slow network behavior, or lose access to the public internet entirely.
Amplification Attacks
An amplification attack is simply a boosted reflection attack. The idea behind this type of DoS attack is the same; however, here the packets that the attacker sends elicit responses that are much larger than the requests.
With this attack, a single small spoofed packet can simultaneously trigger a large reply from every reflector. As a result, the victim is flooded not only by many reflectors but also with a far larger volume of data than the attacker sent.
The only difference between a reflection and an amplification attack is that a reflection attack needs a lot of reflectors to be successful, while an amplification attack can work with many reflectors or even just a single one.
A classic example of a reflection and amplification attack is the Smurf attack, which was very popular and deadly back in the day. Although the Smurf attack is no longer a threat to networks today, it is an excellent example of how these attacks function in real life.
As you can see in the image above, the attacker sends numerous ICMP echo-request packets to the broadcast IP addresses of large networks, and each packet carries the victim's IP address as its source IP.
Upon receipt, every host on the broadcast network replies with an ICMP echo-reply packet to the victim. As a result, for each spoofed echo-request packet the attacker sends, the victim is bombarded with a large number of echo-reply packets.
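From the victim's side, the reflection, amplification and Smurf scenarios described above share one signature: a large volume of response traffic arrives from many distinct sources, and the victim never sent the requests that would explain it. The following is an added example (not code from the original page) that applies that logic to a set of constructed, NetFlow-style flow summaries. The flow record format, the field names, the thresholds (`MIN_REFLECTORS`, `UNSOLICITED_FRACTION`, `LARGE_RESPONSE_BYTES`) and all IP addresses are assumptions made for the example; it distinguishes a legitimate host whose replies all match its own outbound requests from a destination receiving unsolicited DNS-sized responses and from one receiving a Smurf-style flood of small echo-replies.

```python
"""Added example: spotting reflection/amplification patterns in flow records.

Defender's view only: aggregate inbound flows per destination and ask
(1) how many distinct sources are replying, (2) whether a matching outbound
request exists for each reply, and (3) how large the responses are.
All sample flows below are constructed, not captured traffic.
"""
from collections import defaultdict

MIN_REFLECTORS = 5            # distinct replying sources before a destination is suspect
UNSOLICITED_FRACTION = 0.9    # share of inbound bytes with no matching outbound request
LARGE_RESPONSE_BYTES = 1000   # average response size that hints at amplification


def _flow(direction, proto, src, dst, sport, dport, packets, nbytes, icmp_type=None):
    """Build one NetFlow-like record; 'in' means toward our network."""
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "packets": packets,
            "bytes": nbytes, "icmp_type": icmp_type}


# Legitimate host 203.0.113.10: one DNS query with its answer, one ping with its reply.
SAMPLE_FLOWS = [
    _flow("out", "udp", "203.0.113.10", "198.51.100.53", 40001, 53, 1, 70),
    _flow("in", "udp", "198.51.100.53", "203.0.113.10", 53, 40001, 1, 150),
    _flow("out", "icmp", "203.0.113.10", "198.51.100.7", 0, 0, 1, 84, icmp_type=8),
    _flow("in", "icmp", "198.51.100.7", "203.0.113.10", 0, 0, 1, 84, icmp_type=0),
]
# Amplification toward 203.0.113.20: five resolvers return large DNS-style answers
# to a spoofed query; the victim itself never sent anything to them.
SAMPLE_FLOWS += [
    _flow("in", "udp", f"198.51.100.{i}", "203.0.113.20", 53, 4444, 200, 600_000)
    for i in range(1, 6)
]
# Smurf-style flood toward 203.0.113.30: thirty hosts on a broadcast segment each
# return small echo-replies; again no outbound echo-request exists.
SAMPLE_FLOWS += [
    _flow("in", "icmp", f"192.0.2.{i}", "203.0.113.30", 0, 0, 1000, 84_000, icmp_type=0)
    for i in range(1, 31)
]


def _request_key(flow):
    """Key of an outbound request, as its reply would reference it."""
    if flow["proto"] == "icmp":
        return ("icmp", flow["src"], flow["dst"])
    return (flow["proto"], flow["src"], flow["dst"], flow["sport"], flow["dport"])


def _reply_key(flow):
    """Key of the outbound request that would have solicited this inbound flow."""
    if flow["proto"] == "icmp":
        return ("icmp", flow["dst"], flow["src"])
    return (flow["proto"], flow["dst"], flow["src"], flow["dport"], flow["sport"])


def analyze(flows):
    """Return per-destination statistics plus suspicion flags."""
    # Outbound requests we know about; for ICMP only echo-requests (type 8) count.
    requests = defaultdict(int)
    for f in flows:
        if f["dir"] == "out" and not (f["proto"] == "icmp" and f["icmp_type"] != 8):
            requests[_request_key(f)] += f["bytes"]

    per_dst = defaultdict(lambda: {"sources": set(), "matched": set(),
                                   "inbound_bytes": 0, "inbound_packets": 0,
                                   "solicited_bytes": 0, "unsolicited_bytes": 0})
    for f in flows:
        if f["dir"] != "in" or (f["proto"] == "icmp" and f["icmp_type"] != 0):
            continue  # only inbound responses (for ICMP: echo-replies) are of interest
        s = per_dst[f["dst"]]
        s["sources"].add(f["src"])
        s["inbound_bytes"] += f["bytes"]
        s["inbound_packets"] += f["packets"]
        key = _reply_key(f)
        if key in requests:
            s["solicited_bytes"] += f["bytes"]
            s["matched"].add(key)
        else:
            s["unsolicited_bytes"] += f["bytes"]

    reports = {}
    for dst, s in per_dst.items():
        unsolicited_fraction = s["unsolicited_bytes"] / s["inbound_bytes"]
        avg_response = s["inbound_bytes"] / s["inbound_packets"]
        request_bytes = sum(requests[k] for k in s["matched"])
        # Response/request byte ratio for the traffic the host actually asked for.
        amp = s["solicited_bytes"] / request_bytes if request_bytes else None
        flags = []
        if len(s["sources"]) >= MIN_REFLECTORS and unsolicited_fraction >= UNSOLICITED_FRACTION:
            flags.append("unsolicited_reflection")
            if avg_response >= LARGE_RESPONSE_BYTES:
                flags.append("large_responses")
        reports[dst] = {"reflectors": len(s["sources"]),
                        "inbound_bytes": s["inbound_bytes"],
                        "unsolicited_fraction": round(unsolicited_fraction, 3),
                        "avg_response_bytes": round(avg_response, 1),
                        "amplification_factor": round(amp, 2) if amp is not None else None,
                        "flags": flags}
    return reports


if __name__ == "__main__":
    for dst, report in analyze(SAMPLE_FLOWS).items():
        print(dst, report)
```

Note how the two flagged destinations differ: the DNS-style victim gets `large_responses` because each reply is far bigger than any request could be, whereas the Smurf victim receives only small packets and its amplification comes from the broadcast fan-out, which shows up as a high reflector count rather than a high bytes-per-packet figure. Both cases have an unsolicited fraction of 1.0, which is the property a flow-based detector can act on regardless of protocol.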