Distributed Reflection Denial of Service (DRDOS)
Let us say your server sends a simple DNS request to a resolver. Your server asks a legitimate resolver such as Cloudflare "What is the IP address of beatquantum.com?", and the resolver replies "Here are the details of the IP address used by BeatQuantum...". So far so good. That reply from Cloudflare is a reflection of your query. The response is usually larger than the query, and the ratio of response size to query size is called the amplification factor.
What if your IP was spoofed?
What happens if a large number of servers start sending responses to your server even though you never sent a query? This happens when the criminal has spoofed your IP address: the attacker sends requests to those servers with the source address forged to be yours, so each server sends its perfectly legitimate response to you. Legitimate responses to spoofed requests are the basis of a DRDOS attack. Because the amplification factor for some requests is very high, the attacker needs only a fraction of the bandwidth that arrives at you, and the flood appears to come from reputable servers rather than from the attacker, so your server can be overwhelmed easily.
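The symptom described above is a stream of replies on reflector ports (DNS, NTP, SNMP, CHARGEN, SSDP) arriving at a host that never asked for them. The following is an added example, not code from the original post: it runs over a constructed set of flow records (the addresses are from documentation ranges and the packet sizes are made up for illustration) and flags every inbound reply that cannot be matched to a query your own server sent to the same remote ip:port from the same local port within a short window.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# UDP services commonly abused as reflectors (port -> name).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 19: "CHARGEN", 1900: "SSDP"}


class Flow(NamedTuple):
    ts: float          # seconds
    direction: str     # "out" = sent by our server, "in" = received by it
    local_port: int    # port on our server
    remote_ip: str
    remote_port: int
    size: int          # UDP payload bytes


# Constructed sample (hypothetical): one genuine lookup to 1.1.1.1 followed
# by a burst of NTP and DNS replies from hosts this server never queried.
SAMPLE_FLOWS: List[Flow] = [
    Flow(100.00, "out", 40001, "1.1.1.1", 53, 33),
    Flow(100.02, "in", 40001, "1.1.1.1", 53, 61),
    Flow(100.50, "in", 4567, "203.0.113.10", 123, 468),
    Flow(100.51, "in", 4567, "203.0.113.11", 123, 468),
    Flow(100.51, "in", 4567, "203.0.113.12", 123, 468),
    Flow(100.52, "in", 4567, "198.51.100.7", 53, 3127),
    Flow(100.53, "in", 4567, "198.51.100.8", 53, 3127),
]


def find_unsolicited(flows: List[Flow], window: float = 5.0) -> List[Flow]:
    """Return inbound packets from reflector ports that match no outbound
    query (same local port, same remote ip:port) sent within `window`
    seconds. Each outbound query is consumed by at most one reply."""
    pending: Dict[Tuple[int, str, int], List[float]] = defaultdict(list)
    unsolicited: List[Flow] = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.local_port, f.remote_ip, f.remote_port)
        if f.direction == "out" and f.remote_port in REFLECTOR_PORTS:
            pending[key].append(f.ts)
        elif f.direction == "in" and f.remote_port in REFLECTOR_PORTS:
            queue = pending[key]
            # Expire queries older than the window, then consume one if any remain.
            while queue and f.ts - queue[0] > window:
                queue.pop(0)
            if queue:
                queue.pop(0)
            else:
                unsolicited.append(f)
    return unsolicited


def summarize(unsolicited: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Bytes of unsolicited traffic per (protocol name, source ip)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in unsolicited:
        totals[(REFLECTOR_PORTS[f.remote_port], f.remote_ip)] += f.size
    return dict(totals)


if __name__ == "__main__":
    hits = find_unsolicited(SAMPLE_FLOWS)
    for (proto, ip), nbytes in sorted(summarize(hits).items()):
        print(f"{proto:8} {ip:15} {nbytes:6d} bytes unsolicited")
```

On a real host the records would come from a flow exporter or a packet capture; the matching logic is the same. The per-source byte totals are what you need to see the attack for what it is: many distinct, legitimate-looking sources, each answering a question you never asked.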
How do we mitigate a DRDOS Attack?
There is very little literature on protecting availability against DRDOS attacks. Here are some tips based on cybersecurity fundamentals.
- Use a robust firewall to close most ports on servers (or routers) to incoming traffic, for example "ufw default deny incoming". I normally keep only tcp/80 and tcp/443 open on webservers, and only tcp/25 and tcp/587 on mailservers.
- Disable all protocols that you do not need, e.g. DNS (port 53), NTP (port 123), SNMP (port 161), CHARGEN (port 19) and SSDP (port 1900). These are abused as reflectors because they run over UDP, which makes source spoofing trivial, and their responses can be far larger than the request. ICMP is in the same category, but if you block it, still allow the messages needed for path MTU discovery ("fragmentation needed" in ICMP, "packet too big" in ICMPv6), or large transfers to your server will stall.
- Most important: do not run an open (public) DNS resolver, as it will be used as a reflector in a DRDOS attack against another victim. A resolver that answers recursive queries only from your own networks is fine; one that answers anyone is a weapon.
- Filter the destination of your outbound traffic for specific protocols (e.g. NTP, DNS) so that your hosts can only reach the resolvers and time servers you have chosen. This limits what a compromised host on your network can be made to do, and makes any reply arriving from an address you never query stand out.
The above list is incomplete and further cybersecurity research is required. Note that none of these steps stops the spoofing itself: only network operators can do that, by dropping packets at the network edge whose source address could not legitimately have originated from that link (source address validation, BCP 38 / RFC 2827).
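Two of the points above can be made concrete in a few lines: the amplification factor from the first section, and the "are you an open resolver?" check behind the most important tip. The following is an added example, not code from the original post. It builds a genuine DNS query for beatquantum.com (an ANY query, the classic amplification request), constructs a hypothetical response to it with ten A records in the documentation range 192.0.2.0/24, computes the size ratio, and provides a small probe that sends one recursive query to a host of your choosing and reports whether that host answered as an open resolver. The probe is the only part that touches the network and is meant to be pointed at your own server.

```python
import socket
import struct
import sys
from typing import List, Optional

TYPE_A = 1
TYPE_ANY = 255


def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_ANY, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rdata_list: List[bytes], rtype: int = TYPE_A) -> bytes:
    """Constructed answer to `query` (hypothetical data, for illustration):
    copies the question, sets QR, RD and RA, and appends one record per
    rdata using a compression pointer (0xC00C) back to the question name."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdata_list), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
        for rd in rdata_list
    )
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes an attacker gets delivered to the victim per byte they send."""
    return len(response) / len(query)


def is_open_recursive(response: bytes) -> bool:
    """True if a reply carries QR and RA, RCODE 0 and at least one answer,
    i.e. the server recursed on our behalf instead of refusing."""
    if len(response) < 12:
        return False
    flags, _qd, an = struct.unpack("!HHH", response[2:8])
    qr = flags & 0x8000
    ra = flags & 0x0080
    rcode = flags & 0x000F
    return bool(qr and ra and rcode == 0 and an > 0)


def probe(host: str, name: str = "example.com", timeout: float = 2.0) -> Optional[bool]:
    """Send one recursive A query to host:53 over UDP. Returns True if the
    host answered as an open resolver, False if it replied but refused,
    None if nothing came back (closed port or dropped by a firewall)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype=TYPE_A), (host, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return is_open_recursive(data)


if __name__ == "__main__":
    q = build_query("beatquantum.com")
    r = build_response(q, [bytes([192, 0, 2, i]) for i in range(1, 11)])
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification {amplification_factor(q, r):.2f}x")
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: open resolver = {probe(sys.argv[1])}")
```

Run it with no arguments to see the ratio for the constructed response (33-byte query, 193-byte reply, about 5.8x); real ANY responses with DNSSEC records run to thousands of bytes, which is why the factor quoted for DNS is so much higher. Run it with your server's address as the only argument from a host outside your network: the answer you want is False or None.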