{"id":3194,"date":"2025-02-04T16:24:34","date_gmt":"2025-02-04T15:24:34","guid":{"rendered":"https:\/\/enthec.com\/?p=3194"},"modified":"2025-02-04T16:28:21","modified_gmt":"2025-02-04T15:28:21","slug":"drdos-main-features-and-operation","status":"publish","type":"post","link":"https:\/\/enthec.com\/en\/drdos-main-features-and-operation\/","title":{"rendered":"DrDoS: main features and operation"},"content":{"rendered":"

<p>Distributed Denial of Service (DDoS) attacks are a constant threat in the digital world. The Distributed Reflection DDoS (DrDoS) attack is an exceptionally sophisticated variant.<\/p>\n

<p>In this article, we explain in detail what a DrDoS attack is, its main characteristics, and how it works, since there are many occasions when an attacker exploits a system’s vulnerabilities and compromises some services. In addition, we will tell you how to protect yourself against these attacks through Enthec.<\/p>\n

<h2>What is a DrDoS attack?<\/h2>\n

<p>A DrDoS attack is a form of DDoS attack that relies on reflection and amplification. Instead of directly attacking the victim, the attacker sends requests to intermediary (mirror) servers, which, in turn, respond to the victim with amplified responses.<\/p>\n

<p>In this way, it is possible to overload the victim’s resources, causing interruptions in their services.<\/p>\n

<h2>Main characteristics of DrDoS attacks<\/h2>\n

<p>Among the main characteristics of DrDoS attacks, we highlight the following:<\/p>\n

<ol>\n
<li><strong>Reflection<\/strong>. The attacker sends requests to legitimate servers but spoofs the source IP address to make it look like the requests are coming from the victim. Upon receiving the request, these servers send the response directly to the victim, unaware that they are participating in an attack.<\/li>\n
<li><strong>Amplification.<\/strong> Attackers leverage protocols that generate responses larger than the original requests. This means that a small request can trigger a much larger response, thus amplifying the volume of traffic directed at the victim.<\/li>\n
<li><strong>Difficulty of tracing.<\/strong> Because the responses come from legitimate servers, it is more difficult for the victim to identify and block the actual source of the attack.<\/li>\n<\/ol>\n

<h2>How a DrDoS attack works<\/h2>\n

<p>The process of a DrDoS attack can be broken down into the following steps:<\/p>\n

<ol>\n
<li><strong>Selection of mirror servers.<\/strong> The attacker identifies servers that respond to requests from specific protocols that allow amplification. These servers act as unwitting intermediaries in the attack.<\/li>\n
<li><strong>Spoofing the IP address.<\/strong> The attacker sends requests to these servers but spoofs the source IP address to make it look like the requests are coming from the victim. Servers used in DrDoS attacks can have their IP reputation compromised, which can lead to them being blacklisted and blocked, affecting their legitimate communication on the internet.<\/li>\n
<li><strong>Amplified request submission.<\/strong> Requests are designed to take advantage of the protocol’s amplification feature so that the server’s response is much larger than the original request.<\/li>\n
<li><strong>Saturation of the victim<\/strong>. Mirror servers send the amplified responses to the spoofed IP address (the victim), flooding the victim’s bandwidth and resources, which can lead to disruption of their services.<\/li>\n<\/ol>\n

<h2>Protocols commonly used in DrDoS attacks<\/h2>\n

<p>Attackers often leverage protocols that allow for high amplification. Some of the most common include:<\/p>\n