[Pool] New participant, big question
rob at knoware.nl
Mon Feb 10 17:55:37 UTC 2014
David J Taylor wrote:
> This is just a personal precaution. I have not heard
> un-amplified reflection actually takes place.
> (If I were an attacker, I would not consider it worth the trouble.)
> But then, I don't follow those details too closely.
Unfortunately this is no longer true.
At the moment, there is a widespread reflection attack where TCP packets
are sent to webservers and the attackers hope to overwhelm the target with
There are two different attacks going on:
1. the kiddie arranges to send many SYN packets from port 80 to port 80 of
any webserver, spoofed from the source address of the victim. This ran
over this weekend, and today it was extended to also send from port 443
to port 80. All the SYN ACK replies are sent to the victim but they are the
same size as the request.
2. a similar attack where the source port cycles as if it were many incoming
requests. This can affect both the victim (but they of course block those
replies at a firewall; their network can still be overwhelmed) and the reflection
point, where many SYN_RECV sockets will appear.
Of course both these strategies, as they are now known, can easily be filtered
in a Linux system. But who knows what will be their next one?
It certainly is not only NTP anymore, and it does not only look for amplification.
If this trend continues, we all need to implement rate limiting to survive in
this world of malicious kids and abuse desks that do not understand the problem.
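As an added illustration of the two patterns described in this message (not code from the post or from the pool project): a small detector that looks at SYN traffic the way a reflector sees it, plus a per-source token-bucket SYN limiter of the kind the message says everyone will need. The packet records are constructed, the addresses are RFC 5737 documentation ranges, and the rate, burst and threshold values are assumptions chosen for the example.

```python
"""Detect the two TCP SYN reflection patterns from a list of packet records,
and rate-limit incoming SYNs per source.  Added example; the packet records
below are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "A" = ACK, "SA" = SYN-ACK


# Constructed sample as seen by the reflector 192.0.2.10:80.
# 203.0.113.5  is the spoofed victim of pattern 1 (SYN from sport 80/443 to dport 80);
# 198.51.100.7 is pattern 2 (one source cycling source ports, never completing);
# 192.0.2.50   is a legitimate client (ephemeral port, completes the handshake).
SAMPLE = [
    Pkt(0.00, "192.0.2.50", 51234, "192.0.2.10", 80, "S"),
    Pkt(0.01, "192.0.2.50", 51234, "192.0.2.10", 80, "A"),
    Pkt(0.02, "203.0.113.5", 80, "192.0.2.10", 80, "S"),
    Pkt(0.03, "203.0.113.5", 443, "192.0.2.10", 80, "S"),
    Pkt(0.04, "203.0.113.5", 80, "192.0.2.10", 80, "S"),
] + [Pkt(0.05 + i * 0.001, "198.51.100.7", 40000 + i, "192.0.2.10", 80, "S")
     for i in range(60)]

SERVICE_PORTS = {80, 443}


def spoofed_service_port_syns(pkts, listen_port=80):
    """Pattern 1: SYNs to our web port whose *source* port is itself 80 or 443.
    Real clients use ephemeral source ports, so the source address is almost
    certainly the spoofed victim our SYN-ACKs are being reflected to.
    Returns {victim_address: number of such SYNs}."""
    victims = defaultdict(int)
    for p in pkts:
        if p.flags == "S" and p.dport == listen_port and p.sport in SERVICE_PORTS:
            victims[p.src] += 1
    return dict(victims)


def half_open_sources(pkts, listen_port=80, threshold=20):
    """Pattern 2: one source cycling through many source ports with SYNs that
    are never followed by an ACK from the same (src, sport), i.e. connections
    that sit in SYN_RECV on the reflector.  Returns {src: half-open port count}
    for sources at or above `threshold` (an assumed value)."""
    syn_ports = defaultdict(set)
    acked = set()
    for p in pkts:
        if p.dport != listen_port:
            continue
        if p.flags == "S":
            syn_ports[p.src].add(p.sport)
        elif "A" in p.flags:
            acked.add((p.src, p.sport))
    result = {}
    for src, ports in syn_ports.items():
        half_open = {pt for pt in ports if (src, pt) not in acked}
        if len(half_open) >= threshold:
            result[src] = len(half_open)
    return result


class SynRateLimiter:
    """Token bucket per source address: at most `burst` SYNs at once and
    `rate` SYNs per second sustained (assumed values, same shape as a
    limit-style firewall match).  Returns True to accept, False to drop."""

    def __init__(self, rate=10.0, burst=20):
        self.rate, self.burst = rate, burst
        self.state = {}  # src -> (tokens, last_ts)

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (float(self.burst), ts))
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, ts)
            return True
        self.state[src] = (tokens, ts)
        return False


def filter_syns(pkts, limiter=None):
    """Run incoming SYNs through the limiter in time order.
    Returns (accepted, dropped) as {src: count} dicts."""
    limiter = limiter or SynRateLimiter()
    accepted, dropped = defaultdict(int), defaultdict(int)
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.flags != "S":
            continue
        bucket = accepted if limiter.allow(p.src, p.ts) else dropped
        bucket[p.src] += 1
    return dict(accepted), dict(dropped)
```

Run against the sample, the source-port check flags 203.0.113.5 as the reflected-to victim while the rate limiter lets all three of those SYNs through: rate limiting alone does nothing against pattern 1, which needs a specific match on the impossible source port (on Linux, something like `iptables -A INPUT -p tcp --syn --sport 80 --dport 80 -j DROP`). Pattern 2 is the reverse: the per-source bucket drops 40 of 198.51.100.7's 60 SYNs, which is what `-m limit --limit 10/s --limit-burst 20` would do, while the legitimate client is never touched.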