http://www.prolexic.com | SYN reflection attacks are a sophisticated distributed denial of service – or DDoS – attack method that usually requires some skill to execute. However, SYN reflection attacks have recently grown in popularity as software developers in the criminal underground have begun to offer easy-to-use applications that use SYN reflection scripts in DDoS-as-a-Service applications. Now even novices can launch SYN reflection attacks. Learn more about the threat of SYN DDoS and DrDoS attacks in this short presentation.
An Analysis of DrDoS Methods: SYN Reflection DDoS Attacks
1. An Analysis of SYN Reflection DrDoS Attacks
Selected excerpts
SYN reflection attacks are one of the more sophisticated distributed denial of service (DDoS)
attack methods and typically require some skill to execute. However, they have recently grown in
popularity as they have become available as a DDoS-as-a-Service application from the criminal
underground. Now even a novice can launch a SYN reflection attack.
Software developers in the criminal underground wrap web-based graphical user interfaces
around sophisticated attack scripts and offer them as convenient DDoS-as-a-Service apps, some of
which can even be launched from a phone.
DrDoS attacks
SYN reflection attacks are a type of distributed reflection and amplification denial of service
(DrDoS) attack. DrDoS attacks harness the bandwidth and processing power of other people’s
networked servers and devices to amplify the power of a denial of service attack.
SYN floods
SYN attacks are used against targets that support TCP, a core communication protocol that enables
computers to transmit data, such as web pages and email, over the Internet.
Before data is transmitted between machines, the computers must first establish a connection by a
multi-step handshake. If the handshake cannot be completed, the computers will keep trying to
connect, as shown in Figure 1. The result is a SYN flood.
Figure 1: In a SYN flood attack, SYN connection requests are repeated in
rapid succession, until the target is overwhelmed
2. SYN reflection overwhelms the target
The addition of spoofing creates a more powerful
SYN attack through the use of reflection techniques.
In a SYN reflection attack, at least three systems are
involved: The attacker’s device, an intermediary
victim (one or many), and the target, as shown in
Figure 2.
Spoofing allows the attacker to make the target
server appear to be the source of the handshake requests. As a
result, the victim tries to engage the target. Often,
this continues until one or both experience an
outage.
Figure 2: SYN reflection attacks misdirect
communication handshakes to the victim and target
until they are overwhelmed
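Seen from the target's side, the reflected traffic described above arrives as SYN-ACK replies to connections the target never opened. The following Python detection logic is an added example, not taken from the Prolexic white paper; the record format, the addresses, the 3-second window and the count threshold are constructed assumptions.

```python
from collections import Counter

TARGET = "203.0.113.10"  # constructed address of the protected server

# Constructed capture at the target's edge:
# (time_s, src_ip, src_port, dst_ip, dst_port, flags), "S" = SYN, "SA" = SYN-ACK
PACKETS = [
    (0.00, TARGET, 40001, "198.51.100.5", 443, "S"),   # target opens a connection
    (0.03, "198.51.100.5", 443, TARGET, 40001, "SA"),  # solicited reply
    (0.10, "192.0.2.21", 80, TARGET, 51500, "SA"),     # no SYN was ever sent
    (0.11, "192.0.2.22", 443, TARGET, 51501, "SA"),
    (1.10, "192.0.2.21", 80, TARGET, 51500, "SA"),     # intermediary retries
    (3.10, "192.0.2.21", 80, TARGET, 51500, "SA"),
    (9.00, "198.51.100.5", 443, TARGET, 40001, "SA"),  # far outside the window
]


def unsolicited_synacks(packets, target, window=3.0):
    """Inbound SYN-ACKs that answer no SYN the target sent within `window` s."""
    sent_syn = {}  # (target_port, remote_ip, remote_port) -> time of last SYN
    flagged = []
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if src == target and flags == "S":
            sent_syn[(sport, dst, dport)] = ts
        elif dst == target and flags == "SA":
            syn_time = sent_syn.get((dport, src, sport))
            if syn_time is None or ts - syn_time > window:
                flagged.append((ts, src, sport, dport))
    return flagged


def likely_intermediaries(flagged, min_count=2):
    """Sources that sent at least `min_count` unsolicited SYN-ACKs."""
    counts = Counter(src for _, src, _, _ in flagged)
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    hits = unsolicited_synacks(PACKETS, TARGET)
    print(len(hits), "unsolicited SYN-ACKs;", likely_intermediaries(hits))
```

The sources it reports are the intermediary victims, not the attacker, so the result is suited to filtering or rate-limiting decisions rather than attribution.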
The problem of backscatter from DDoS mitigation appliances
Mitigation equipment can contribute to the damage caused by SYN reflection attacks, because
DDoS mitigation appliances are programmed to challenge the connection requests to ensure the
requests are legitimate. The mitigation equipment will keep challenging the request from the
spoofed IP address, which creates backscatter toward the victim. More sophisticated mitigation
techniques, such as packet analysis, can help minimize the problem of backscatter.
Get the full white paper for more details
Download the DrDoS series white paper, An Analysis of SYN Reflection Attacks, for details about
the SYN reflection attacks and mitigation techniques, including:
Why SYN reflection attacks create so much damage
How attackers misuse the TCP handshake
The problem of backscatter
SYN reflection attack scenario
Three common SYN reflection techniques
Techniques for mitigating SYN attacks
Attack signature to identify and stop spoofed SYN reflection attacks
The more you know about DDoS attacks, the better you can protect your network against
cybercrime. Download the free white paper An Analysis of SYN Reflection Attacks at
www.prolexic.com/drdos.
About Prolexic
Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and
mitigation services. Learn more at www.prolexic.com.