Summary

The above analysis indicates that there are several significant reflector attack threats:

• Victims must be able to cope with loss of general access to remote services, due to the need to filter out SYN ACKs. Such filters could, however, include holes to allow access to a small number of particular remote servers.

• DNS servers can be attacked by reflectors serving recursive queries. Damage is limited only by the size of the reflector pool, i.e., how many name servers there are that support recursion and accept requests from arbitrary clients.

• TCP-based servers are for the most part somewhat protected against application-level reflection assuming that enough of the application servers keep sufficient logs that the non-spoofed connection between the slave and the reflector can be used to trace back the attack to the slave.

  Without this assumption, Web servers can be attacked by requests chained through proxies serving as reflectors, SMTP servers by mail sent through relays, and any TCP-based server by requests reflected through mechanisms such as FTP PORT directives.

• TCP-based servers running on TCP stacks with guessable sequence numbers are a severe threat. Not only do they allow application-level reflection without easy identification of the slave (unless the precursor traffic probing the sequence-number progression is logged), but they also can provide major amplification of the attack traffic due to the use of ACK-splitting techniques [SCWA99].

• Gnutella's ``push'' facility appears to be a significant threat.