Distributed Denial of Service (DDoS) attacks are a constant threat in the digital world. The Distributed Reflection DDoS (DrDoS) attack is an exceptionally sophisticated variant.

In this article, we will explain in detail a DrDoS attack, its main characteristics, and how it works since there are many occasions when an attacker exploits a system’s vulnerabilities and compromises some services. In addition, we will tell you how to protect yourself against these attacks through Enthec.

 

 

 

What is a DrDoS attack?

A DrDoS attack is a form of DDoS attack that relies on mirroring and amplification. Instead of directly attacking the victim, the attacker sends requests to intermediary (mirror) servers, which, in turn, respond to the victim with amplified responses

In this way, it is possible to overload the victim’s resources, causing interruptions in their services.

 

DrDoS Attack

 

Main characteristics of DrDoS attacks

Among the main characteristics of DrDos attacks, we highlight the following:

  1. Reflection. The attacker sends requests to legitimate servers but spoofs the source IP address to make it look like they’re coming from the victim. Upon receiving the request, these servers send the response directly to the victim, unaware that they are participating in an attack.
  2. Amplification. Attackers leverage protocols that generate more significant responses than the original requests. This means that a small request can trigger a much larger response, thus amplifying the volume of traffic directed at the victim.
  3. Difficulty of tracing. Because the responses come from legitimate servers, it is more difficult for the victim to identify and block the actual source of the attack.

 

How a DrDoS attack works

The process of a DrDoS attack can be broken down into the following steps:

  1. Selection of mirror servers. The attacker identifies servers that respond to requests from specific protocols that allow amplification. These servers act as unwitting intermediaries in the attack.
  2. Spoofing the IP address. The attacker sends requests to these servers but spoofs the source IP address to make it look like they are coming from the victim. Servers used in DrDoS attacks can have their IP reputation compromised, which can lead to blacklisted blocks, affecting their legitimate communication on the internet.
  3. Amplified request submission. Requests are designed to take advantage of the protocol’s amplification feature so that the server’s response is much larger than the original request
  4. Saturation of the victim. Mirror servers send the amplified responses to the spoofed IP address (the victim), flooding their bandwidth and resources, which can lead to disruption of their services

 

Protocols commonly used in DrDoS attacks

Attackers often leverage protocols that allow for high amplification. Some of the most common include:

  • DNS (Domain Name System). Through specific queries, a small request can generate a much larger response. Not only are misconfigured DNS servers vulnerable to DrDoS attacks, but they can also facilitate phishing campaigns and malicious redirects.
  • NTP (Network Time Protocol). By sending a “monlist” request, a list of the last IP addresses connected to the server can be received, resulting in an amplified response.
  • Memcached. Although not a network protocol, exposed Memcached servers can amplify traffic, as a small request can generate a massive response.
  • SSDP (Simple Service Discovery Protocol). Used by IoT devices and routers, it allows attackers to send minimal requests and receive huge responses.
  • SNMP (Simple Network Management Protocol). Often misconfigured, this protocol allows queries that return large volumes of information, amplifying traffic.

 

Impact of DrDoS attacks

The impact of a DrDoS attack can be devastating, both for the direct victim and for the unwitting mirroring servers:

  • Service disruption: Businesses, online services, and platforms may be inaccessible during the attack.
  • Economic losses: A prolonged attack can affect sales, advertising, and online transactions.
  • Reputational damage: customers and users can lose trust in an affected company or service.
  • Use of third-party resources: Mirror servers can suffer from performance issues and even be held liable for their vulnerable configuration.

 

Protective measures against DrDoS attacks

Protecting against DrDoS attacks requires a combination of best practices and technological solutions:

  1. Secure server configuration. Ensure that servers do not respond to requests from untrusted sources and limit responses to legitimate requests. In addition, it is essential to apply correct security patch management and update vulnerable protocols regularly, since attackers can use outdated versions to perform amplification attacks.
  2. Traffic filtering. Implement systems that detect and filter malicious traffic, especially from spoofed IP addresses.
  3. Continuous monitoring. Constantly monitor network traffic for unusual patterns that may indicate an attack in progress.
  4. Use of threat exposure management solutions. Specialized tools can help identify and mitigate threats before they cause harm.

 

Enthec Solutions for Continuous Threat Exposure Management

Tools that allow for constant and proactive vigilance are essential in today’s cybersecurity landscape. Digital threats can be classified into categories based on their impact on the network, data, and business systems. From attacks on infrastructure, such as DrDoS, to data breaches and IP reputation threats, each type of risk requires a specific security approach.

To address this challenge, Enthec offers Kartos, an advanced monitoring solution that classifies threats into distinct categories and enables companies to identify and mitigate risks proactively.

Designed for enterprises, it is an automated, non-intrusive, and continuous monitoring tool that provides data and alerts on open and exposed vulnerabilities in real-time by simply adding the company’s domain to be monitored.

This solution falls under Continuous Threat Exposure Management (CTEM), providing an additional layer of security by identifying and mitigating risks before they become real problems.

DrDoS attacks pose a significant threat in today’s digital environment. Understanding how they work and feature is the first step to implementing effective protection measures.

In addition, having specialized solutions such as the one offered by Enthec can make all the difference in proactively defending against these and other cyber threats.