Attackers can render distributed denial-of-service attacks more difficult
to defend against by bouncing their flooding traffic off of
reflectors;
that is, by spoofing requests from the victim to a large set of Internet
servers that will in turn send their combined replies to the victim.
The resulting dilution of locality in the flooding stream complicates
the victim's abilities both to isolate the attack traffic in order to block it,
and to use traceback techniques for locating the source of
streams of packets with spoofed source addresses, such as ITRACE [
Be00a],
probabilistic packet marking [
SWKA00,
SP01], and SPIE [
S+01].
We discuss a number of possible
defenses against reflector attacks, finding that most prove impractical,
and then assess the degree to which different forms of reflector traffic
will have characteristic signatures that the victim can use to identify
and filter out the attack traffic. Our analysis indicates that three
types of reflectors pose particularly significant threats: DNS and Gnutella
servers, and TCP-based servers (particularly Web servers) running on TCP
implementations that suffer from predictable initial sequence numbers.
We argue in conclusion in support of ``reverse ITRACE'' [
Ba00]
and for the utility of packet traceback techniques that work even for
low volume flows, such as SPIE.