HTTP Reflection Attack

This DDoS attack abuses non-RFC-compliant middleboxes to overwhelm a victim network with HTTP response traffic. The attacker sends a rapid succession of HTTP requests (for blocked sites) with a spoofed source IP (that of the attack target) to IPs behind middleboxes, and the middleboxes reply with a large HTTP response to the spoofed IP address. The middlebox response varies, but it is usually an HTTP block page that is far bigger than the request that initiated it, which makes this an amplified reflection DDoS attack.

When the targeted server’s network bandwidth gets saturated, other legitimate traffic cannot reach its destination, causing a denial of service.

The HTTP Reflection attack is the only reflection amplification attack that uses a TCP-based protocol.

Technical Analysis

Below is an analysis of an HTTP Reflection attack running from multiple masked sources attacking a single destination target IP.

Multiple HTTP response packets are sent to the victim destination, indicated by a source port of 80 and a high destination port.

Image 1 – HTTP Reflection Attack – reflection

Because the attack uses many different middleboxes, the traffic from each may differ in packet size, content, and TCP flag combinations.

Image 2 – HTTP Reflection Attack – content

The capture analyzed is around 8 seconds long and contains an average of 100 PPS (packets per second). Keep in mind that a real attack will use many sources at much higher rates.

Image 3 – HTTP Reflection Attack Stats

Analysis of HTTP Reflection Attack in Wireshark – Filters

Filter for HTTP response packets by looking at traffic coming from ports 80 and 443 with the display filter “tcp.srcport == 80 || tcp.srcport == 443”.

If you see many sources sending many such responses towards one or more of your IPs, it could be an HTTP Reflection Attack.
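The same check can be automated over a capture exported from Wireshark/tshark. The following script is an added example (not part of the original article or its PCAP): it reads constructed, comma-separated tshark field output (time, ip.src, tcp.srcport, ip.dst, tcp.dstport, frame.len), discards responses that match an outbound request the victim actually sent, and flags destinations that receive unsolicited HTTP responses from many distinct sources. The sample rows, thresholds and victim address 203.0.113.7 are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample in the shape of:
#   tshark -r capture.pcap -T fields -E separator=, \
#     -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.len
# The values are made up; 203.0.113.7 plays the victim.
SAMPLE = """\
0.000,198.51.100.10,80,203.0.113.7,40123,1420
0.010,198.51.100.23,80,203.0.113.7,51002,1500
0.020,203.0.113.7,52000,192.0.2.9,443,74
0.031,192.0.2.9,443,203.0.113.7,52000,1200
0.040,198.51.100.77,443,203.0.113.7,40123,1380
0.052,198.51.100.10,80,203.0.113.7,40124,1420
0.060,198.51.100.91,80,203.0.113.7,40125,1510
0.071,198.51.100.23,80,203.0.113.7,40126,1500
"""

HTTP_PORTS = {80, 443}

def parse(text):
    """Parse tshark field lines into (time, src, sport, dst, dport, size); skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        t, src, sport, dst, dport, size = parts
        rows.append((float(t), src, int(sport), dst, int(dport), int(size)))
    return rows

def find_reflection(rows, min_sources=3, min_unsolicited=4):
    """Flag destinations receiving HTTP responses (src port 80/443 -> high port)
    from many distinct sources without a matching outbound request."""
    requested = {(s, sp, d, dp) for _, s, sp, d, dp, _ in rows if dp in HTTP_PORTS}
    stats = defaultdict(lambda: {"sources": set(), "unsolicited": 0, "bytes": 0})
    for _, src, sport, dst, dport, size in rows:
        if sport not in HTTP_PORTS or dport <= 1023:
            continue
        if (dst, dport, src, sport) in requested:  # legitimate reply to our own request
            continue
        st = stats[dst]
        st["sources"].add(src)
        st["unsolicited"] += 1
        st["bytes"] += size
    return {dst: {"sources": len(st["sources"]), "unsolicited": st["unsolicited"], "bytes": st["bytes"]}
            for dst, st in stats.items()
            if len(st["sources"]) >= min_sources and st["unsolicited"] >= min_unsolicited}

if __name__ == "__main__":
    for victim, st in find_reflection(parse(SAMPLE)).items():
        print(f"{victim}: {st['unsolicited']} unsolicited HTTP responses from "
              f"{st['sources']} sources, {st['bytes']} bytes")
```

Tune the thresholds to the real capture: at the 100 PPS of the example PCAP, a few seconds of traffic will clear them easily, while a single busy web client will not.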

Download example PCAP of HTTP Reflection Attack

*Note: IPs have been randomized to ensure privacy.
