DrDoS stands for Distributed Reflection Denial of Service attack. DrDoS techniques usually involve multiple victim machines that unwittingly participate in a DDoS attack on the attacker’s target. Requests to the victim host machines are redirected, or reflected, from the victim hosts to the target. Usually they also elicit an amplified amount of attack traffic.

Anonymity is one advantage of the DrDoS attack method. In a DrDoS attack, the target site appears to be attacked by the victim servers, not the actual attacker. This approach is called spoofing. It involves faking the source of the request.

Amplification is another advantage of the DrDoS attack method. By involving multiple victim servers, an attacker’s initial request yields a response that is larger than what was sent, thus increasing the attack bandwidth, making it more likely to cause a denial of service outage.

DDoS attackers have been abusing the following protocols on Internet-exposed devices and servers to launch attacks that generate floods of traffic and cause website and network outages at enterprise targets:

• Character Generator Protocol (CHARGEN) intended for network testing and debugging. CHARGEN is rarely used in production environments and often legacy systems or misconfigured servers are the sources of unwanted CHARGEN traffic;
• Domain Name Service (DNS) is used to translate between numerical IP addresses and domain names, allowing users to type web addresses into browsers;
• Network Time Protocol (NTP) is used for time synchronization by Internet servers;
• Simple Network Machine Protocol (SNMP) is used to manage Internet devices such as printers, switches, firewalls and routers;
• Simple Service Discovery Protocol (SSDP) is used by Universal Plug and Play (UPnP) devices, such as home and office devices, including routers, media servers, web cams, smart TVs and printers.

In Figure 1, a malicious actor is shown making a DrDoS attack. The malicious actor makes it appear to a victim host server that the primary target is contacting them with a request. The victim host servers therefore respond back to the target, which they mistakenly think made the initial request (a spoof). The reflected denial of service attack is called distributed because of the involvement of multiple victim host servers. The attacker may be a single actor or multiple actors.

The originating source of spoofed requests that generate the DrDoS attack traffic. The bad guy.

A server with an application service that responds to the actor’s spoofed requests and thus participates in the attack is called a victim. The victim is not the ultimate target, but just a resource for the attacker to abuse. By unwittingly participating in the attack, however, the victim server or device can be overwhelmed, reducing its ability to respond to legitimate communications from other users.

The final destination of the attack traffic is the target.

Spoofing is the deliberate act of hiding the source of a DrDoS attack by creating TCP/IP packets using a third party’s IP address (typically the destination IP) instead of the true source IP address.

• Crafted DNS TXT Attack, a threat advisory;
• SSDP Reflection DDoS Attacks, a threat advisory;
• SNMP Reflector, a threat advisory;
• NTP Amplification, a threat advisory;
• Domain Name System (DNS) Flooder, a threat advisory;
• Reflection Attack Tools and the DDoS Marketplace, a white paper;
• Multiplayer video gaming attacks, a DrDoS white paper;
• SYN reflection attacks, A DrDoS white paper;
• SNMP, NTP and CHARGEN attacks, a DrDoS white paper;
• DNS Reflection, a DrDoS white paper;
• SNMP Amp (SAD), a threat advisory.