This tutorial explains how reflection and amplification attacks work: what they are, why services such as NTP and DNS can be abused for them, and how a hacker turns public servers into a flood of traffic aimed at one target.
Many hosts rely on external services for routine functions. For example, a host may query an NTP server to set and keep its clock in sync, or an external DNS server to translate a domain name into an IP address. Both services normally run over UDP, which has no connection handshake: the server simply answers whatever address appears in the source address field of the request, because it has no way to verify it. A hacker can abuse this behavior to launch reflection and amplification attacks.
Reflection and amplification attacks force the target host to deal with traffic it never asked for. If the target host is reachable from the Internet, the hacker can use almost any public UDP server as a relay. The hacker crafts a request that carries the target host's IP address in the source address field and sends the request to the public server. The public server takes the source address of the request as the return address and sends the requested information there. Since the request names the target host as its source, the reply reaches the target host. The attack depends on the hacker's network letting packets with a forged source address out; networks that apply source address validation (BCP 38) drop such packets at the edge.
Let's take an example to understand how this attack works.
A hacker wants to launch a reflection attack on a host that is connected to the Internet. Suppose the hacker's system has the IP address 1.1.1.1 and the target user's system has the IP address 2.2.2.2. The hacker creates an NTP query message, puts 2.2.2.2 in its source address field, and sends the query to a public NTP server. When the NTP server receives the query, it concludes that host 2.2.2.2 wants to know the current time and sends the current time information to host 2.2.2.2. Host 2.2.2.2 receives time information it never asked for.
Since host 2.2.2.2 did not request the current time, it discards the reply. It still has to receive and inspect the packet before it can decide that the packet is unwanted: the network interface and the kernel must accept it, and if no process is listening on the destination port, the host usually answers with an ICMP port unreachable message, spending still more resources. This processing wastes the host's CPU time, and the incoming data consumes the host's network bandwidth.
Since the hacker uses an intermediate server to bounce unwanted traffic to the target host, the intermediate server is called a reflector, and the whole process is known as a reflection attack. Note that the target sees only the reflector's address: the hacker's own address 1.1.1.1 never appears in any packet the target receives, which is what makes the attack hard to trace back.
The following image shows how a reflection attack works.
A hacker can use many reflectors at the same time to send a large volume of traffic to the target host. In the example above, the hacker can send the same spoofed query to five different NTP servers; all five reply to the target host at about the same time. The following image shows how a reflection attack works with multiple reflectors.
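To make the mechanism concrete, here is an added example (not code from the original tutorial) that builds the raw bytes of an IPv4/UDP/NTP request with 2.2.2.2 forged as the source, then parses those bytes the way the reflector's network stack would. The reflector address 203.0.113.10 and the source port 40000 are assumptions for illustration; the packet is built in memory only and nothing is transmitted.

```python
"""Anatomy of a reflected request: a UDP datagram whose IP source is forged.

Added example, not from the original tutorial. The packet is built in memory
only (nothing is sent) and then parsed the way a reflector's network stack
would parse it, to show that the only return address the reflector has is
the forged one. 2.2.2.2 is the target from the tutorial; the reflector
203.0.113.10 and the source port 40000 are assumed for illustration.
"""
import socket
import struct

NTP_PORT = 123
IP_HEADER = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
UDP_HEADER = "!HHHH"          # sport, dport, length, checksum (8 bytes)


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ntp_client_request() -> bytes:
    """Minimal 48-byte NTP packet: LI=0, VN=3, mode=3 (client); everything else zero."""
    return bytes([0x1B]) + bytes(47)


def build_spoofed_request(spoofed_src: str, reflector: str, src_port: int = 40000) -> bytes:
    """IPv4 + UDP + NTP request whose IP source field carries the target's address."""
    payload = ntp_client_request()
    udp_len = 8 + len(payload)
    # The UDP checksum is optional over IPv4; zero means "not computed".
    udp = struct.pack(UDP_HEADER, src_port, NTP_PORT, udp_len, 0)
    ip = struct.pack(IP_HEADER,
                     0x45,                 # version 4, header length 5 words
                     0,                    # DSCP/ECN
                     20 + udp_len,         # total length
                     0x1234,               # identification (arbitrary)
                     0,                    # flags / fragment offset
                     64,                   # TTL
                     socket.IPPROTO_UDP,   # protocol 17
                     0,                    # checksum placeholder
                     socket.inet_aton(spoofed_src),   # forged source: the target
                     socket.inet_aton(reflector))     # real destination: the reflector
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp + payload


def reflector_view(packet: bytes) -> dict:
    """What the reflector's stack sees; its reply is addressed to the IP source field."""
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, _dst) = struct.unpack(IP_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 header")
    if proto != socket.IPPROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, ulen, _ = struct.unpack(UDP_HEADER, packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]
    return {
        "reply_to": socket.inet_ntoa(src),   # the forged address, i.e. the target
        "reply_dport": sport,                # reply goes back to the claimed source port
        "service_port": dport,
        "request_mode": payload[0] & 0x07,   # 3 = NTP client request
        "request_bytes": len(packet),
    }


def contains_address(packet: bytes, ip: str) -> bool:
    """True if the 4-byte address appears anywhere in the packet."""
    return socket.inet_aton(ip) in packet


if __name__ == "__main__":
    pkt = build_spoofed_request("2.2.2.2", "203.0.113.10")
    print(reflector_view(pkt))
    print("attacker 1.1.1.1 visible to reflector:", contains_address(pkt, "1.1.1.1"))
```

The packet is 76 bytes and contains the target's address but not the hacker's; the forged source field is the only information the reflector has about where to send its reply. Sending such a packet for real requires a raw socket and a network that does not filter outgoing packets with forged sources.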
If the target host is not reachable from the Internet, the hacker can use a server that can reach the target host. For example, if the target host belongs to a private network, the hacker can use a server that provides services to that network, provided the hacker can deliver packets to it (from a compromised host on the same network, or through a service the server exposes). The hacker scans the services available on the server and sends spoofed packets to one of them.
A spoofed packet is a packet that carries another host's IP address in the source address field; here, the hacker uses the target system's IP address. To learn more about this technique, see the following tutorial.
How IP Address Spoofing or Masquerading Works
Since the incoming packets carry the IP address of an allowed host in the source address field, the server accepts them and hands them to the service. The service creates reply packets and sends them to the target host. Address-based access control on the server does not help here, because the packets appear to come from an address that is allowed.
The following image shows how a reflection attack works in a private network.
Amplification attacks
An amplification attack builds on a reflection attack. For some services, such as DNS and NTP, a small request can trigger a response that is many times larger than the request itself. If such a service is running on a server that the hacker uses as a reflector, the hacker can use the service to perform an amplification attack.
In an amplification attack, the hacker uses a feature or a bug of the service to make it generate a large volume of data in response to a short query. Well-known examples are the NTP monlist command, which returns a list of up to 600 recently seen clients in answer to a single small request, and DNS queries of type ANY or for names with large DNSSEC records, whose answers run to thousands of bytes for a request of a few dozen bytes. Because the data is generated in response to a query that names the target as its source, the service sends all of it to the target host. The ratio of response bytes to request bytes is the amplification factor; with it, a hacker with a modest uplink can direct far more bandwidth at the target than the hacker actually owns. By launching amplification attacks through many reflectors at once, a hacker can completely tie up the target system in handling garbage traffic.
The following image shows an example of an amplified attack.
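Because the target receives large replies from reflectors it never queried, the imbalance is visible in flow data. The following added example (not part of the original tutorial) runs a simple detection over constructed NetFlow-style records: for each host receiving UDP traffic from the DNS (53) or NTP (123) service port, it compares the bytes received with the bytes that host itself sent to those services and flags large, one-sided traffic. All addresses and byte counts are invented for illustration.

```python
"""Spotting amplified reflection traffic in flow records.

Added example, not part of the original tutorial. The flow records below are
constructed for illustration (NetFlow-style 5-tuples with byte counts). For
every host that receives UDP traffic from a well-known reflector port (DNS 53,
NTP 123), the code compares bytes received with bytes that host sent to the
same service; a large, one-sided ratio is the signature of traffic reflected
and amplified on the host's behalf.
"""
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Legitimate: 2.2.2.3 sends one DNS query and gets a small answer back.
    ("2.2.2.3", 51000, "198.51.100.5", 53, "udp", 70),
    ("198.51.100.5", 53, "2.2.2.3", 51000, "udp", 120),
    # Victim 2.2.2.2 sent nothing, yet receives large NTP and DNS responses
    # from several reflectors (the queries came from the hacker with a forged source).
    ("203.0.113.10", 123, "2.2.2.2", 40000, "udp", 44000),
    ("203.0.113.11", 123, "2.2.2.2", 40000, "udp", 44000),
    ("198.51.100.5", 53, "2.2.2.2", 40001, "udp", 3500),
    # A monitoring box polling NTP heavily: lots of bytes, but roughly balanced.
    ("2.2.2.5", 50000, "203.0.113.10", 123, "udp", 40000),
    ("203.0.113.10", 123, "2.2.2.5", 50000, "udp", 44000),
    # TCP from port 53 is ignored: the handshake defeats source spoofing.
    ("203.0.113.12", 53, "2.2.2.2", 40002, "tcp", 1500),
]


def summarize(flows):
    """Per (host, service): bytes received from the service port, bytes sent to it,
    and the set of servers that sent to the host."""
    recv = defaultdict(int)
    sent = defaultdict(int)
    reflectors = defaultdict(set)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS:
            key = (dst, REFLECTOR_PORTS[sport])
            recv[key] += nbytes
            reflectors[key].add(src)
        if dport in REFLECTOR_PORTS:
            sent[(src, REFLECTOR_PORTS[dport])] += nbytes
    return recv, sent, reflectors


def find_victims(flows, min_bytes=10000, min_ratio=10.0):
    """Hosts whose inbound service traffic is both large and far out of proportion
    to what they sent; a host that sent nothing gets an infinite ratio."""
    recv, sent, reflectors = summarize(flows)
    hits = []
    for key, rx in recv.items():
        tx = sent.get(key, 0)
        ratio = rx / tx if tx else float("inf")
        if rx >= min_bytes and ratio >= min_ratio:
            host, service = key
            hits.append({
                "host": host,
                "service": service,
                "bytes_in": rx,
                "bytes_out": tx,
                "ratio": ratio,
                "reflectors": sorted(reflectors[key]),
            })
    return sorted(hits, key=lambda h: -h["bytes_in"])


if __name__ == "__main__":
    for hit in find_victims(SAMPLE_FLOWS):
        print(hit)
```

The byte threshold keeps ordinary clients out of the result, and the ratio keeps out hosts that legitimately exchange a lot of traffic with a service; the monitoring box in the sample is not flagged even though it receives more NTP bytes than the DNS victim does. On a real network the thresholds would be tuned against a baseline, and the reflector list in each hit is what you would hand to the operators of those servers.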
That's all for this tutorial. In this tutorial, we discussed how reflection and amplification attacks work.