[Pool] New participant, big question

Rob Janssen rob at knoware.nl
Mon Feb 10 17:55:37 UTC 2014


David J Taylor wrote:
>
>
> This is just a personal precaution.  I have not heard
> un-amplified reflection actually takes place.
> (If I were an attacker, I would not consider it worth the trouble.)
> But then, I don't follow those details too closely.

Unfortunately this is no longer true.

At the moment, there is a widespread reflection attack where TCP packets
are sent to webservers and the attackers hope to overwhelm the target with
the replies.

There are two different attacks going on:

1.  the kiddie arranges to send many SYN packets from port 80 to port 80 of
      any webserver, spoofed from the source address of the victim. This ran
      over this weekend, and today it was extended to also send from port 443
      to port 80.   All the SYN ACK replies are sent to the victim but they are the
      same size as the request.

2.  a similar attack where the source port cycles as if it were many incoming
      requests.   This can affect both the victim (but they of course block those
      replies at a firewall; their network can still be overwhelmed) and the reflection
      point, where many SYN_RECV sockets will appear.

Of course both these strategies, as they are now known, can easily be filtered
in a Linux system.  But who knows what will be their next one?

It certainly is not only NTP anymore, and it does not only look for amplification.
If this trend continues, we all need to implement rate limiting to survive in
this world of malicious kids and abuse desks that do not understand the problem
completely.

Rob
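An added example (mine, not from the list post or the pool project) of how a reflection point could spot the two SYN patterns Rob describes in a stream of packet summaries; the record layout, sample addresses and thresholds are constructed assumptions, not real capture data.

```python
"""Flag the two SYN-reflection patterns from the post in packet summaries."""
from collections import Counter, defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Pattern 1: many SYNs "from" one address with source port 80 or 443 to our port 80.
#            That address is the spoofed victim, not the attacker.
# Pattern 2: SYNs from one address cycling through many source ports
#            (leaves many SYN_RECV sockets on the reflection point).
# Plus one legitimate handshake that must not be flagged.
SAMPLE = (
    [("198.51.100.7", 80, "203.0.113.10", 80, "S")] * 40
    + [("198.51.100.7", 443, "203.0.113.10", 80, "S")] * 20
    + [("192.0.2.55", p, "203.0.113.10", 80, "S") for p in range(40000, 40060)]
    + [("192.0.2.9", 51234, "203.0.113.10", 80, "S"),
       ("192.0.2.9", 51234, "203.0.113.10", 80, "A")]
)

SERVICE_PORTS = {80, 443}   # source ports a real browser never uses for a SYN


def classify(records, syn_threshold=30, port_spread=50):
    """Return {src_ip: sorted labels}; labels are "reflection" or "port-cycling".

    A "reflection" hit names the spoofed victim: the right response is to drop
    those SYNs (or rate-limit SYN-ACKs towards it), not to blacklist the address.
    """
    svc_syn = Counter()          # pure SYNs with a service source port, per src
    ports = defaultdict(set)     # distinct source ports seen in pure SYNs, per src
    for src, sport, _dst, dport, flags in records:
        # Only initial SYNs to the web port count; SYN-ACKs and ACKs are skipped.
        if dport != 80 or "S" not in flags or "A" in flags:
            continue
        if sport in SERVICE_PORTS:
            svc_syn[src] += 1
        ports[src].add(sport)

    labels = defaultdict(set)
    for src, n in svc_syn.items():
        if n >= syn_threshold:
            labels[src].add("reflection")
    for src, seen in ports.items():
        if len(seen) >= port_spread:
            labels[src].add("port-cycling")
    return {src: sorted(tags) for src, tags in labels.items()}


if __name__ == "__main__":
    for src, tags in classify(SAMPLE).items():
        print(src, ", ".join(tags))
```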

