• Over the past month, a number of DDoS attacks using TCP amplification have been observed impacting large organizations across the world.
  • Security experts say that using TCP amplification makes the DDoS attacks hard to mitigate.

What is happening?

Researchers have noticed a new wave of DDoS attacks that are using TCP amplification.

  • This is a unique approach, and most attackers reportedly avoid it because of inefficiency.
  • The victims of such attacks include Korea Telecom, Eurobet, Turkish-based Garanti, and South Korean SK Broadband.

The details

DDoS attacks generate an amplified volume of attack traffic by the compromised system.

  • In attacks that use TCP amplification, a SYN packet pretending to be from the target’s IP address is sent to a number of random IP addresses or reflection services.
  • These IP addresses respond by sending a SYN-ACK packet that is sent to the target network.
  • If the target network does not respond as expected, the SYN-ACK packet will continue to be retransmitted by the IP to establish a three-way handshake.
  • The number of times the reflection IP sends SYN-ACK packets to the IP determines the amplification.

“This attack is unique because it creates collateral damage. The secondary victim in this attack is actually the first to see the attack traffic,” said Daniel Smith, head of security research with Radware's emergency response team.

The consequences

These attacks impact the targeted networks as well as the networks that were used to generate the flood of requests.

  • The networks used as reflection services are flooded with SYN traffic, causing congestion.
  • The intended targets may also be blacklisted by network administrators because of spoofed SYN requests.
Cyware Publisher