How is a distributed reflection denial-of-service (DrDoS) attack different from a regular denial-of-service (DoS) attack? Are there any additional security measures that should be put in place for distributed reflection denial-of-service threats?
There are many different ways to perform denial-of-service attacks. The oldest method for a distributed DoS attack is using spoofed IP addresses; other DDoS attacks include abusing insecurely configured devices with NTP enabled, or attacks on DNS. NTP- and DNS-based DDoS attacks can be used as force multipliers: the attacker sends a small IP packet, with the victim's address forged as its source, to an intermediate server, and that server sends a much larger IP packet to the target.
When it comes to DoS prevention, enterprises should focus first on BCP38 to prevent IP spoofing, and then turn their sights to other mitigation strategies.
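To show what BCP38 ingress filtering actually decides at a network edge, here is an added example in Python; it is not code from the article or from Nick Lewis. The interface names, the prefix-to-interface policy and the packets are all constructed (documentation addresses), and the rule it models is the one BCP38 describes: forward a packet only if its source address belongs to a prefix assigned to the interface it arrived on, so a forged "victim" source never leaves the originating network.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical edge-router policy: each customer-facing interface mapped to the
# prefixes legitimately assigned to it. All values here are constructed.
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:100::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # interface the packet arrived on
    src: str             # claimed source address
    dst: str             # destination (e.g. an open resolver or NTP server)
    dport: int


def bcp38_allows(pkt: Packet) -> bool:
    """BCP38 ingress check: accept only if the source address falls inside a
    prefix assigned to the interface the packet arrived on."""
    prefixes = INGRESS_PREFIXES.get(pkt.ingress_iface)
    if prefixes is None:
        return False  # unknown interface: fail closed
    src = ipaddress.ip_address(pkt.src)
    # Membership across address families is simply False, so mixed v4/v6
    # prefix lists need no special casing.
    return any(src in net for net in prefixes)


def filter_packets(packets):
    """Split packets into those the edge forwards and those it drops as spoofed."""
    allowed, dropped = [], []
    for pkt in packets:
        (allowed if bcp38_allows(pkt) else dropped).append(pkt)
    return allowed, dropped


def spoofed_sources(packets):
    """Distinct forged source addresses seen on dropped packets; in a
    reflection attack these are the addresses that would have been flooded."""
    _, dropped = filter_packets(packets)
    return sorted({pkt.src for pkt in dropped})


# Constructed traffic sample: 192.0.2.53 plays an open DNS resolver and
# 192.0.2.10 the intended reflection victim (both documentation addresses).
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "203.0.113.7", "192.0.2.53", 53),        # genuine customer query
    Packet("ge-0/0/1", "192.0.2.10", "192.0.2.53", 53),         # forged: claims to be the victim
    Packet("ge-0/0/2", "198.51.100.20", "192.0.2.53", 123),     # genuine customer NTP
    Packet("ge-0/0/2", "2001:db8:100::7", "2001:db8::53", 53),  # genuine IPv6 customer
    Packet("ge-0/0/2", "203.0.113.7", "192.0.2.53", 123),       # forged: valid prefix, wrong interface
    Packet("ge-0/0/9", "203.0.113.7", "192.0.2.53", 53),        # unknown interface: fail closed
]

if __name__ == "__main__":
    allowed, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(allowed)}, dropped {len(dropped)} spoofed")
    print("forged sources:", spoofed_sources(SAMPLE_PACKETS))
```

The second forged packet is the instructive one: its source address is a real customer prefix of this router, but it arrived on the wrong interface, so a filter keyed only on "is this one of our prefixes" would have let it through. Per-interface (or unicast RPF) checks are what make BCP38 effective against spoofing from inside the network as well as from outside.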
Research from security firm Black Lotus concluded that applying patches and upgrading systems likely accounted for a large reduction in the number of attacks abusing NTP. A significant reduction in NTP-related DoS attacks was likely due to the disabling of NTP when it wasn't needed, along with the implementation of firewall rules to prevent access to the NTP port.
But a growing type of denial-of-service attack may be the distributed reflection denial of service. It involves an attacker who first uses the IP address of a target to masquerade as that target, and then tricks any number of DNS servers into flooding the actual target IP address with DNS traffic.
Unfortunately, DrDoS attacks abusing DNS are more difficult to prevent. Prolexic Technologies Inc. wrote a white paper last year about how distributed reflection denial-of-service attacks abuse insecurely configured networks and DNS servers, but the attack technique is actually enabled by fundamental design flaws in DNS and subsequent extensions.
The first steps enterprises should take to mitigate these attacks are outlined in my article on securing DNS from being used in DDoS attacks; from there, enterprises can follow Google's or Cisco's guide to DNS security. In short, securing DNS resolvers is critical. Enterprises can also implement other DDoS strategies for more comprehensive protection from DDoS attacks.
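A resolver operator can tell from its own query log whether it is being used as a reflector. The following is an added example in Python, not code from the article or from any of the guides it references. The log lines are constructed, modelled on the shape of BIND's query log (client address and port, optional query name in parentheses, name, class, type, then a flags field whose leading "+" means recursion was requested); the internal prefixes are hypothetical. The audit counts recursive queries arriving from addresses outside the enterprise, which an open resolver answers and a properly restricted one refuses.

```python
import ipaddress
import re
from collections import Counter

# Pattern modelled on BIND's query log line. The "@0x..." client handle and the
# "(name)" field are only present in newer versions, so both are optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)"
)

# Hypothetical enterprise client ranges that are allowed to recurse.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("2001:db8:1::/48")]


def parse_query(line):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["recursion_desired"] = q["flags"].startswith("+")
    return q


def is_internal(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def audit_open_resolver(lines, internal_nets=INTERNAL_NETS):
    """Count recursive queries from outside the internal ranges. Because a
    reflection attack forges the victim's address, the 'clients' listed here
    are the likely targets being flooded, not the attacker."""
    external = Counter()
    any_from_external = 0
    parsed = 0
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue  # non-query log lines are skipped
        parsed += 1
        if q["recursion_desired"] and not is_internal(q["client"], internal_nets):
            external[q["client"]] += 1
            if q["qtype"] == "ANY":  # large answers: classic amplification query
                any_from_external += 1
    return {
        "parsed": parsed,
        "external_recursive": dict(external),
        "any_from_external": any_from_external,
        "likely_reflection_targets": [c for c, _ in external.most_common()],
        "open_resolver": bool(external),
    }


# Constructed log sample: 203.0.113.53 is the resolver under audit, 192.0.2.10
# a forged external 'client' repeatedly asking for ANY records.
SAMPLE_LOG = """\
client @0x7f3a1c0 10.0.5.12#53211 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
client @0x7f3a1c0 192.0.2.10#1024 (isc.org): query: isc.org IN ANY +E(0)K (203.0.113.53)
client @0x7f3a1c0 192.0.2.10#1024 (isc.org): query: isc.org IN ANY +E(0)K (203.0.113.53)
client @0x7f3a1c0 192.0.2.10#1024 (isc.org): query: isc.org IN ANY +E(0)K (203.0.113.53)
client @0x7f3a1c0 198.51.100.77#2222 (example.net): query: example.net IN TXT +E(0) (203.0.113.53)
client 10.0.7.3#4444: query: example.org IN MX + (203.0.113.53)
client @0x7f3a1c0 192.0.2.10#1024 (example.com): query: example.com IN A - (203.0.113.53)
resolver priming query complete
""".splitlines()

if __name__ == "__main__":
    report = audit_open_resolver(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the report shows any external recursive queries, the resolver is answering the public Internet. The remedy the article points to is restricting recursion to the enterprise's own clients (in BIND, an `allow-recursion` list naming those prefixes, or `recursion no;` on servers that are only authoritative) rather than trying to block individual query sources, since the sources seen in the log are forged.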
The information security community can help improve the overall state of the Internet by identifying misconfigured DNS servers and contacting network operators to get them secured or removed. Hopefully, in the long term, issues like this will encourage more knowledgeable security professionals to get involved in Internet standards processes early and build better security capabilities into future versions of DNS.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)