DRDoS

The latest variation on the DoS, the DRDoS, involves one or more hosts sending a series of TCP SYN requests or ICMP ping requests to many unsuspecting, even thoroughly secure, hosts using the “spoofed” source address of the target. When these hosts respond to what appears to be a legitimate, nonthreatening request, they collectively create an unsupportable flood of packets aimed at the target. Figure 1-4 shows a DRDoS attack. Again, even if the target device(s) can determine what’s happening, only a cooperative ISP can block the traffic before it buries the target’s Internet connection.

Figure 1-4: DRDoS attack showing the interim hosts

If the originating source continues to vary the type of packets sent to the reflectors, the filters at the ISP have only temporary or limited usefulness before they need to be changed.