igor - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How is distributed reflection denial of service different from DoS?

A jump in multi-vector attacks highlights the threat of distributed reflection denial-of-service attacks. Enterprise threats expert Nick Lewis explains how these threats differ from traditional DoS attacks and offers prevention techniques.

How is a distributed reflection denial-of-service (DrDoS) attack different from a regular denial-of-service (DoS)...

attack? Are there any additional security measures that should be put in place for distributed reflection denial-of-service threats?

There are many different ways to perform denial-of-service attacks. The oldest method for a distributed DoS attack is using spoofed IP addresses; other DDoS attacks include abusing insecurely configured devices with NTP enabled, or attacks on DNS. NTP- and DNS-based DDoS attacks can be used as force multipliers because they allow the attacker to send a small IP packet to the target victim while the intermediate server sends a large IP packet to the target.

When it comes to DoS prevention, enterprises should focus first on BCP38 to prevent IP spoofing, and then turn their sights to other mitigation strategies.

Research from security firm Black Lotus concluded that applying patches and upgrading systems likely accounted for a large reduction in the number of attacks abusing NTP. A significant reduction in NTP-related DoS attacks was likely due to the disabling of NTP when it wasn't needed, along with the implementation of firewall rules to prevent access to the NTP port.

But a growing type of denial-of-service attack may be the distributed reflection denial of service. It involves an attacker who first uses the IP address of a target to masquerade as that target, and then tricks any number of DNS servers into flooding the actual target IP address with DNS traffic.

Unfortunately, DrDoS attacks abusing DNS are more difficult to prevent. Prolexic Technologies Inc. wrote a white paper last year about how distributed reflection denial-of-service attacks abuse insecurely configured networks and DNS servers, but the attack technique is actually enabled by fundamental design flaws in DNS and subsequent extensions.

The first steps enterprises should take to mitigate these attacks are outlined in my article on securing DNS from being used in DDoS attacks and then use Google's or Cisco's guide to DNS security. In short, securing DNS resolvers is critical. Enterprises can also implement other DDoS strategies for more comprehensive protection from DDoS attacks.

The information security community can help improve the overall state of the Internet by identifying misconfigured DNS servers and contacting network operators to get them secured or removed. Hopefully, in the long term, issues like this will encourage more knowledgeable security professionals to get involved in Internet standards processes early and build better security capabilities into future versions of DNS.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)

Next Steps

Check out the latest advice on denial-of-service attack prevention and detection.

This was last published in March 2015

Dig Deeper on DDoS attack detection and prevention