Journal of Network Security Computer Networks

Attackers can render denial-of-service attacks more difficult to defend against by bouncing their flooding traffic off of reflectors; that is, by spoofing requests from the victim to a large set of internet servers that will in turn send their combined replies to the victim. The resulting dilution of locality in the flooding stream complicates the victim’s abilities both to isolate the attack traffic in order to block it and to use trace back techniques for locating the source of streams of packets with spoofed source addresses, such as ITRACE, probabilistic packet marking and SPIE. We discuss a number of possible defences against reflector attacks, finding that most prove impractical, and then assess the degree to which different forms of reflector traffic will have characteristic signatures that the victim can use to identify and filter out the attack traffic. Our analysis indicates that three types of reflectors pose particularly significant threats: TCP-based servers (particularly Web servers) running on TCP implementations that suffer from predictable initial sequence numbers. We argue in conclusion in support of “reverse ITRACE” and for the utility of packet trace back techniques that work even for low volume flows, such as SPIE.