Distributed Reflection Denial of Service
Description and analysis of a potent, increasingly
prevalent, and worrisome Internet attack
February 22nd, 2002
by Steve Gibson, Gibson Research Corporation
was blasted off the Internet by a new (for us)
distributed denial of service attack.
Perhaps the most startling aspect of this attack was that the apparent source was hundreds of the Internet's "core routers", web servers belonging to yahoo.com, and even a machine with an IP resolving to "gary7.nsa.gov". We appeared to be under attack by hundreds of very powerful and well-connected machines.
returned to the Internet, 1,072,519,399 blocked
packets were counted before the attack ended.
This page provides a brief tutorial on the operation of the Internet's TCP protocol, followed by explanations of the operation of traditional Internet denial of service (DoS), distributed denial of service (DDoS), and distributed reflection denial of service (DRDoS) attacks.
As was true for this January 11th attack, any sort of "distributed" attack is most often a "bandwidth consumption" attack where the combined Internet connection bandwidth of many machines is "focused", or directed, upon one or a few machines. Although the attack's individual Internet packets may be completely harmless, a flood of such packets can overwhelm the target machine's Internet connection or other packet-processing resources. The result is that valid traffic, unable to compete with the malicious flood, has little chance of obtaining useful service.
However, since companies both large and small are now being harassed and even driven out of business as a consequence of malicious packet floods, an understanding and analysis of the exact methodology of a specific attack often suggests effective countermeasures (as was true in this instance). The need for effective forensic analysis is naturally heightened in instances of repeated and relentless attacks.
Before we can study and understand the mechanics of the distributed reflection attack, we need some understanding of the operation of TCP the Transmission Control Protocol used to connect remote machines over the Internet.
|TCP Connections 101:|
I can recall many years ago, well before the Internet "happened", hearing talk of two machines "connecting" to each other over the Internet. As a software-savvy hardware engineer, I remember thinking, "Connecting? How can two machines be 'connected' to each other over a global network?" I later learned that two machines, able to address and send packets of data to each other, negotiated a "connection agreement." The result of their successful negotiation is a "Virtual TCP Connection."
Individual TCP packets contain "flag bits" which specify the contents and purpose of each packet. For example, a packet with the "SYN" (synchronize) flag bit set is initiating a connection from the sender to the recipient. A packet with the "ACK" (acknowledge) flag bit set is acknowledging the receipt of information from the sender. A packet with the "FIN" (finish) bit set is terminating the connection from the sender to the recipient.
The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP Three-Way Handshake. Here's how it works:
|SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a "SYN" packet to the server.|
As shown in the diagram above, this SYN packet is usually sent from the client's port, numbered between 1024 and 65535, to the server's port, numbered between 1 and 1023. Client programs running on the client machine ask the operating system to "assign them a port" for use in connecting to a remote server. This upper range of ports is known as the "client" or "ephemeral" port range. Similarly, server programs running on the server machine ask the operating system for the privilege of "listening" for incoming traffic on specific port numbers. This lower port range is known as "service ports." For example, a web server program typically listens for incoming packets on port 80 of its machine, and web browsing clients generally send their web packets to port 80 of remote servers.
Note that in addition to source and destination port numbers, each packet also contains the IP address of the machine which originated the packet (the Source IP) and the address of the machine to which the Internet's routers will forward the packet (the Destination IP).
SYN/ACK: When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet.
ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.
|Abusing TCP: The Traditional SYN Flood|
Several years ago, a weakness in the TCP connection handling of many operating systems was discovered and exploited by malicious Internet hackers.
As shown in the TCP transaction diagram above, the server's receipt of a client's SYN packet causes the server to prepare for a connection. It typically allocates memory buffers for sending and receiving the connection's data, and it records the various details of the client's connection including the client's remote IP and connection port number. In this way, the server will be prepared to accept the client's final connection-opening ACK packet. Also, if the client's ACK packet should fail to arrive, the server will be able to resend its SYN/ACK packet, presuming that it might have been lost or dropped by an intermediate Internet router.
But think about that for a minute. This means that memory and other significant server "connection resources" are allocated as a consequence of the receipt of a single Internet "SYN" packet. Clever but malicious Internet hackers figured that there had to be a limit to the number of "half open" connections a TCP server could handle, and they came up with a simple means for exceeding those limits:
|Through the use of "Raw Sockets", the packet's "return address" (source IP) can be overridden and falsified. When a SYN packet with a spoofed source IP arrives at the server, it appears as any other valid connection request. The server will allocate the required memory buffers, record the information about the new connection, and send an answering SYN/ACK packet back to the client.
But since the source IP contained in the SYN packet was deliberately falsified (it is often a random number), the SYN/ACK will be sent to a random IP address on the Internet. If the packet were addressed to a valid IP, the machine at that address might reply with a "RST" (reset) packet to let the server know that it did not request a connection. But with over 4 billion Internet addresses, the chances are that there will be no machine at the address and the packet will be discarded.
The problem is, the server has no way of knowing that the malicious client's connection request was fraudulent, so it needs to treat it like any other valid pending connection. It needs to wait for some time for the client to complete the three-way handshake. If the ACK is not received, the server needs to resend the SYN/ACK in the belief that it might have been lost on its way back to the client.
As you can imagine, all of this connection management consumes valuable and limited resources in the server. Meanwhile, the attacking TCP client continues firing additional fraudulent SYN packets at the server, forcing it to accumulate a continuously growing pool of incomplete connections. At some point, the server will be unable to accommodate any more "half-open" connections and even valid connections will fail, since the server's ability to accept any connections will have been maliciously consumed.
This is NOT bandwidth consumption
It is important to understand that these early spoofed-source-IP SYN attacks were not bandwidth consumption attacks. Due to the susceptible nature of most operating systems' TCP/IP protocol handlers, very little inbound bandwidth was required to completely tie-up a TCP server. Rather than consuming the network's "bandwidth resource", the server's "connection resources" were consumed.
Also notice that this Denial of Service (DoS) attack was not "Distributed." It was a "DoS" attack, not any form of "DDoS" attack. A single, malicious, SYN-generating machine, hiding its Internet address and identity behind falsified source IP SYN packets, could tie-up and bring down a large web site.
Solving the SYN spoofing problem
Two complete, robust, and practical solutions were developed: The Unix community invented a clever "stateless" TCP connection system known as "SYN-cookies". Not knowing about SYN-cookies, I independently created and implemented my own different solution which was dubbed "GENESIS". The GENESIS TCP solution has been in continuous service at grc.com since September of 2000. Both of these DoS solutions arrange to stay compatible with all important aspects of the standard TCP protocol. They operate by eliminating all allocation of server resources after receiving a SYN packet and generating a SYN/ACK reply.
|The Development of Bandwidth Attacks|
As the sophistication of malicious hackers has grown, and as the available inventory of insecure and readily compromised Internet-connected host machines has skyrocketed, "bandwidth consumption" distributed denial of service (DDoS) attacks have become commonplace. As I discovered and documented in May of 2001, powerful, remote Internet attack tools are now in the hands of children who wield their disruptive power with little thought for, or remorse over, the consequences.
What happens during a bandwidth attack?
The diagram above helps clarify the consequences of a bandwidth attack. The computers and/or networks shown to the right are serviced by the central "aggregation router." This router is placed at the "customer edge" of the Internet service provider's network to collect and disperse traffic from many smaller customer networks. Thus, many lower-bandwidth Internet connections are "aggregated" into a single high-bandwidth Internet connection for routing to the public Internet.
During normal operation, the traffic coming from the Internet down the "Big Pipe" will be sorted and forwarded to the router's various lower bandwidth client networks. But imagine what happens when the Big Pipe is filled by a high volume of packets bound for just one of the router's client networks. Faced with the task of squeezing too many packets from the big pipe into the much smaller pipe, the router has no choice but to deliberately drop and discard a large percentage of the packets struggling to get through the smaller pipe.
Valid Internet clients, trying to access the resources on the far side of the smaller pipe, will resend their dropped packets. But these clients will generally give up after a few attempts. The victim's network is effectively blasted off the Internet by the flood of malicious traffic.
|DoS versus DDoS|
DoS: The traditional DoS style attack, where a single machine attacks another, can be depicted by this diagram . . .
As we saw in the routing diagram above, if the attacking machine enjoys a significantly higher speed Internet connection than the target/victim machine, it could successfully swamp the target's connection bandwidth. Thus, even one well-connected attacking machine can flood a less well-connected target to deny its access to the Internet.
DDoS: Much higher levels of flooding traffic can be generated by focusing the combined bandwidth of multiple machines onto a single target machine or network . . .
The diagram above shows the architecture commonly used in distributed denial of service attacks. The operation of a network of compromised machines, containing remotely controlled "Zombie" attack programs, is directed and coordinated by a "Zombie Master" central control agency. When the network of Zombies receives instructions from its Master, each individual Zombie begins generating a flood of malicious traffic aimed at a single target/victim machine or network.
This is the organization used by the many popular distributed attack tools, including the Windows-hosted Evilbots driven by the 13-year-old "Wicked" that originally attacked grc.com during May of 2001. The Evilgoat Evilbot employs public IRC servers as their meeting place and attack control mechanism. The Zombie Master joins a secret IRC chat room to issue real-time attack instructions.
Distributed zombie traffic aggregation
When the flood finally encounters the target network's service provider aggregation router, most of the network's traffic must be discarded. Since the router cannot differentiate valid from invalid traffic to the router, all packets are created equal the network's valid traffic will also be discarded . . . effectively cutting the network off from the rest of the Internet.
troublesome enough, now
it gets much worse. . .
A Next-Generation DDoS Attack
At 2:00 AM, January 11th 2002, grc.com was blasted off the Internet by a more advanced malicious packet flood. This new style of DDoS attack could be called a Distributed Reflection Denial of Service attack DRDoS.
A packet flood mystery
In the past, we had been hit by Evilbot's non-spoofed UDP and ICMP floods. These are easily generated by commandeered, Zombie-infected, Windows machines. We have also been blasted by many sorts of classic spoofed source IP SYN floods. So my eyebrows jumped a bit when the attack's packet capture revealed that we were being flooded by SYN/ACK packets. Of course, that fact in itself wasn't a big deal. As we saw earlier on this page, a SYN/ACK packet is just a SYN packet with its "ACK" flag bit turned on. Anyone with access to a "raw socket" capable machine can generate any sort of packet benign or malicious that they desire. So an attacker can turn on whatever "TCP flag bits" they like.
the source IPs of the flooding packets:
than TWO HUNDRED of the Internet's
core infrastructure routers.
What was going on?
BGP is the "Border Gateway Protocol" supported by intermediate routers. Routers use BGP to communicate with their immediate neighbors to exchange their "routing tables" in order to inform each other about which IP ranges the router can forward.
The details of BGP are unimportant. What is important is the fact that virtually all of the Internet's extremely well-connected (high bandwidth) intermediate routers will accept TCP connections on their port 179. In other words, a SYN packet arriving at port 179 of an Internet router will elicit a responding SYN/ACK packet.
I suddenly knew what must be happening . . .
There was no way that all, or probably any, of those hundreds of routers had been compromised or infected by any sort of Zombie. I realized that they were just ordinary, innocent, TCP servers doing their jobs. They were sending SYN/ACK packets to grc.com in the well-meaning belief that WE wanted to open a TCP connection with their built-in BGP servers.
In other words, a malicious hacker located somewhere else on the Internet, was SYN FLOODING INTERNET ROUTERS with TCP connection-requesting SYN packets. Those SYN packets carried the fraudulent (spoofed) source IP belonging to grc.com. Therefore, the routers believed that the SYN packets were coming from us, and they were replying with SYN/ACK packets as the second phase of the standard TCP three-way connection handshake.
off innocent bystanding TCP servers. Their
SYN/ACK responses were being used
to flood and attack our bandwidth.
A new type of attack
I have no idea why we were the target of this attack. Perhaps this was a test of a potent new weapon . . .
As we will see below, mounting evidence indicates that after the initial attack on us, one or more of these weapons has been in frequent use. As we will also see below, there are a number of reasons for malicious hackers to much prefer this "distributed reflection attack" mechanism over traditional distributed direct flooding approaches.
I didn't want to bother Verio, my service provider, if the attack was going to end by the time I had an engineer on the phone. So I watched the attack and waited for two hours. By 4:00 AM Pacific time, the attack showed no sign of letting up. The East coast of the United States would be waking up soon, so I made the call to Verio's 24/7 network trouble center. I summarized the problem and convinced the operator that we really were under attack and needed immediate engineering assistance. The problem ticket bounced around within Verio for two more hours and I was delighted when a sleepy-eyed Verio Security engineer returned my call.
|Blocking the reflection attack|
The good news was, this attack appeared to be relatively easy to block. Since we are not an Internet service provider ourselves, we never have any need to connect with remote BGP-equipped routers. Therefore, I asked Verio to block any inbound traffic originating from the BGP service port 179. Since the malicious hacker's SYN packets were aimed at the intermediate routers' port 179, any reflected packets would be originating from that port.
Verio's engineer added a "filter" to the aggregation router servicing our Internet connection to block (drop) any packets inbound to us from port 179. The flood of packets coming in from port 179 immediately stopped.
Whoops. A fresh packet capture revealed that we were now being actively flooded by an entirely new set of Internet servers. Since this second set of traffic appeared only after the port 179 router traffic had been blocked, it appeared that this second wave of reflection traffic had been unable to compete with the routers' flood. (You know you're in trouble when packet floods are competing to flood you.)
With the routers traffic blocked, we were now being flooded by a SYN/ACK packets pouring in from ports 22 (Secure Shell), 23 (Telnet), 53 (DNS), and 80 (HTTP/Web). There were also some packets coming from port 4001 (a proxy server port) and 6668 (IRC chat).
I am annoyed with myself because I was so surprised by this unexpected second tier of flooding packets that I failed to capture and retain a complete and accurate sampling of the non-BGP flooding traffic. However, one of my earlier capture logs did reveal some non-BGP SYN/ACK traffic that had slipped through during the original BGP flood. So I have some record of it:
were flooding us with SYN/ACK traffic
from their HTTP (web) port 80:
The partial list of port 80 SYN/ACK flooders above has a few interesting members. The servers are mostly a scattered collection, so it appears that the malicious hacker went around deliberately collecting the IP addresses of well known and presumably well-connected web servers for use in the packet reflection attack. The seven web servers belonging to YAHOO.COM are interesting, as is the one machine gary7.nsa.gov. ("Gary7" was the name of a human from the future who appeared in the original Star Trek series.)
The wide array of additional SYN/ACK flooding traffic, and the use of many Internet servers other than Internet routers, demonstrated that the malicious hackers were well aware that any general purpose TCP connection-accepting Internet server could be used as a packet reflection server. Once I saw that we needed to do more than simply block packets inbound from the BGP port 179, I developed a more comprehensive solution for this sort of attack. This is discussed below, after the analysis of the attack's probable construction and consequences.
Once our reflection attack filters were in place, we immediately popped back onto the Internet (after a relatively brief four-hour attack outage). Although I was unable to monitor the subsequent conclusion of the attack from behind our filters, it is somewhat chilling to note that . . .
discarded more than one billion (1,072,519,399)
malicious SYN/ACK packets.
I received this sobering number from Verio when I contacted them after realizing that I had failed to capture the second, non-BGP, wave of the attack. I wanted to reconfigure our defenses to deliberately put us back into denial of service so that I could collect that data. But by then the attack had stopped.
|Reflecting on the reflection attack|
Judging from the evidence collected during the 1/11 attack, and other subsequent evidence, someone, some group of people, or multiple groups of people, have accumulated and, as we'll see below, are actively accumulating a growing list of well-connected (high bandwidth) Internet servers and corresponding TCP service port numbers. Among these are several hundred routers serving the BGP (port 179) protocol and many other servers listening for connections on other common service ports including SSH, TELNET, DNS, HTTP, and IRC.
Building and maintaining the "reflection server" list
The resulting massive list of "reflection servers" can be easily and continuously maintained by bouncing a valid, non-spoofed SYN packet off the machine. The answering SYN/ACK will confirm the machine's presence and its willingness to unwittingly participate in future reflection attacks.
Using the reflection server list
Driven by a large list of innocent TCP packet reflection servers, each SYN spoofing host "sprays" its SYN packets evenly across every reflection server on its list. A fraudulent SYN packet would bounce off one of each server's open TCP ports, with the reflected packet aimed at the intended victim network.
Since the SYN flooding machine is "spraying" its packets across a huge number of intermediate reflection servers, none of the servers participating in the attack will, themselves, be unduly inconvenienced by their participation in the attack. Each reflection server will experience a low-level "SYN flux" rather than a high-level SYN flood.
|Why should we worry?|
Why is a reflection attack superior to simply having the malicious hosts directly flood and attack their victim?
Packet path diffusion
|The Internet is essentially a large network of individual, interconnected, packet routers. The specific path taken by individual packets moving between any two Internet endpoints may change as a result of local network outages, congested routers, and other factors. However, over a short period of time, most packets will travel along the "best path" which rarely changes from one packet to the next.
Since Internet routers do not retain any record of previously routed packets, "backtracking" an attack from the victim to the attacker, relies upon the feasibility of manually following a packet flood "upstream" from one router to the previous.
Diffusing the path: Even in the presence of a solid and powerful packet flow, packet path backtracking is a difficult and time consuming manual process. So, imagine what happens when a large number of widely spread packet refection servers are added to the system . . .
|As this second traffic-routing diagram demonstrates, the addition of innocent reflection servers substantially transforms the attack. Upon leaving an attacking machine, the malicious SYN packets immediately fan out. No longer aimed at the victim, these attack packets are instead being sent to widely spread TCP servers. As we know, these servers are potentially located throughout the entire Internet. Just a few "router hops" away from the attacker, the heavy packet flow will no longer be discernible because it will have diffused into neighboring routers rather than following a single path.
The situation on the receiving end is also significantly changed. Rather than being assaulted by discrete packet flows, one from each attacking machine, the victim is now under a SYN/ACK flood from hundreds, thousands, or even millions of individual, innocent, servers. Although each of those packet flows would be individually harmless to the victim (just as each one is harmless to its individual reflection server), the convergence of these packets arriving from everywhere across the entire Internet, creates an attack that will swamp the victim.
What can the victim do?
the attacker, it gets worse still:
Reflector usage phasing
This "reflector usage phasing" would have the effect of continuously changing all of the many attack paths, phasing them in and out of use, while never relenting upon the target network. Due to the manual nature of attack backtracking, following an individual trickle is much more difficult than following a flood. But nothing is more difficult than backtracking an intermittent trickle. In fact, with current router technology, it probably borders on impossible.
(As we will see below, a few attentive administrators HAVE already spotted what is very likely this abuse of their TCP servers.)
For every one SYN packet received by a TCP reflection server, up to four SYN/ACK packets will generally be sent. This will occur because the victim's aggregation router will be discarding the majority of the inbound flooding traffic. A reflection server that receives no reply to its SYN/ACK packet response will believe that its packet was lost in transit (as indeed it was, but in this case by design) and will resend the "lost" SYN/ACK packet several times (typically three retries) before giving up and discarding the aborted connection.
This phenomenon has the interesting consequence of spreading "attack intent" both physically across the Internet and temporally a few minutes into the future.
For all of these reasons, distributed reflection denial of service attacks (DRDoS attacks) can be easily engineered and maintained. They are difficult or impossible to backtrack, and they are disturbingly potent.
While I was assembling this page, a little over one month following the 1/11 reflection attack, a posting to the "Bugtraq" mailing list caught my eye:
If you have been following this discussion, you'll notice that this is PRECISELY what a sharp administrator of reflection servers would see while their servers were participating in a reflection attack. He misinterpreted his evidence a bit, because he didn't have the advantage of knowing that his servers were being used as a reflector. He saw a gentle "flux" (not a flood) of SYN packets coming in from a given IP, which might suddenly change and appear to be sourced by another IP. We know this was due to a change of the attack's target.
From the perspective of the reflection server, the apparent source of those SYN packets was actually the target of the attack, to which his servers were sending a gentle "flux" of SYN/ACK packets. His outbound bandwidth to the victim was probably about four times more than the inbound SYN flux, as demonstrated by the fact that those connections were in their "SYN_RECVD" state. This means that they were waiting for the client's answer (which was unlikely to arrive) and were therefore resending SYN/ACKs, delivering attack bandwidth multiplication.
Upon seeing this posting, I immediately replied to the list with my interpretation of what he was seeing. Before my reply was broadcast to the mailing list some other sharp-eyed network administrators chimed-in:
Remember that since this administrator was seeing reflection attack SYN traffic, the reference to "traffic coming from a limited range of IP's, maybe about a dozen. Many of them seem to be coming from universities." actually meant that these were the targets of the reflection attack to which his servers were unwittingly contributing.
That's great feedback. The fact that two different web servers located on different networks were simultaneously receiving SYN packets from the same spoofed source IP indicates that machines within different IP address regions were both on the same "reflection server inventory" and were innocently participating in the same attack.
So we have some evidence that tools to perpetrate these sorts of attacks may have started appearing at least as early as November, 2001. We won't have any real sense for how prevalent and widely spread these reflection attacks are until administrators start looking for the telltale signs of low-rate SYN floods into their servers, or until victims of SYN/ACK floods make their attacks known.
A "reflection attack honeypot"
A recent correspondent of mine, who was interested in this sort of attack, established a network to appear as a large block of web servers on a never before used IP space. The next day, this newly created network of web servers had been "discovered" by a scan across their IP space. Before long, those machines were participating in various distributed reflection denial of service attacks.
Linux honeypot, see this off-site link:
|Reflection attack defense & prevention|
There's conditional good news, and some rather bad news.
As we saw near the top of this page, machines communicating over the Internet can generally be divided into the roles of client and server. These roles may change depending upon circumstance (a web serving machine might be a client of an eMail server), but most individual TCP connections generally imply a client and server relationship. Clients generally initiate connections from high-numbered (client) ports to servers that are listening for incoming client connections on low-numbered (service) ports.
Since any reflected SYN/ACK packets must have bounced off a TCP server, and since almost all common service ports fall within the range from 1 to 1023, blocking all inbound packets originating from the service port range will block most of the traffic being innocently generated by reflection servers. However, there are several problems with doing this . . .
Protecting a server
The second problem with simply blocking all inbound traffic originating from ports below 1024, is that a server behind such a blanket filter would be unable to transact with other servers when acting as their clients. The example above, of a web server acting as a client of an SMTP (eMail) server, would be complicated because the remote SMTP server's packets, attempting to return from the SMTP server's port 25, would be blocked by the reflection attack filter. To get around this problem, exception "holes" would need to be created through the reflection filter to allow "friendly" remote server traffic to pass through the filter.
Protecting a client
Consequently, a characteristic of reflection attacks is that no sort of upstream filtering, short of full inbound connection proxying or ISP-resident NAT routing, can protect users who require access to remote servers.
Preventing reflection server exploitation
In theory, it's simple: The trick to doing this would be to recognize a SYN source IP that never completes its connections. Since a number of failed connections occurring within a short time span would be highly unusual, the target of any reflection attack could be readily determined. Dynamic reflection attack prevention would simply "black list" any SYN packets arriving from any such IPs until none had been received for some period of time, perhaps an hour.
A reflection server exploitation prevention system could be easily built into a server-resident firewall application. However, expecting (or relying upon) every server on the Internet to be running such an altruistic application is probably unrealistic. Asking, or requiring, ISP's to provide spoofed packet network egress filtering would seem to be far more feasible . . .
The ISP's responsibility
The attacking platform's responsibility
While pedantic network experts, and Microsoft themselves, correctly argue that there are other ways to produce malicious Internet traffic, there is no easier way than through the use of raw sockets. The best way to earn users' trust is to deserve it. But deliberately incorporating this unnecessary facility into every Windows XP machine and essentially enabling it, by design, to become a malicious reflection attack generator makes a mockery of Microsoft's recent "Trustworthy Computing" rhetoric. We can always hope, as I fervently do, that Microsoft will recognize that it is not too late, and will remove raw sockets from XP during one of the product's continuous flow of patches and Windows Updates.
|History and future|
Most Internet attacks exploit fundamental and original design weaknesses in the Internet's protocols, or in the operation of its many infrastructure components. Consequently, "reflection attacks" of many sorts have always been possible. Many have been known and used before, and they are not generally new. The simple TCP reflection attack discussed on this page is no exception.
The crucial fact is that the world is changing rapidly and the world's Internet of today and tomorrow is not the Internet of yesterday. As business and commerce plunge headlong onto the Internet, as the cost of Internet-bandwidth and connected machines plummets, and as the techniques for assaulting the Internet's growing resources percolate throughout the huge "script kiddie" population, that which was once old, becomes new again.
New motivations, new capabilities, new victims, and new freely available tools are resulting in the irresponsible assault and exploitation of an old network technology that was never designed for the future it faces. We ignore these realities at our own peril.
If you have managed to read this entire page, you will have a strong grasp of the essential facts and operation of this significantly worrisome and apparently increasingly prevalent "Distributed Reflection Denial of Service" (DRDoS) Internet attack.
If you started into this page without a detailed understanding of the functioning of the Internet, the operation of the TCP protocol, and the relationship of clients, servers, and port numbers, I hope you have had an enjoyable and edifying read. This page was created for you.
All the best,
|Reprinted with the author's permission April 22, 2002||Check grc.com for updates|
|The contents of this page are Copyright (c) 2002 by Gibson Research Corporation.|
SpinRite, ChromaZone, ShieldsUP, NanoProbe, the iconic cartoon character 'Moe',
and the slogan "It's MY Computer" are registered trademarks of Gibson Research