Have you ever heard of the "Halo-drive", a method to slingshot a Laserbeam around a Black hole to gain energy and use that as interstellar propulsion system to allow relativistic spacetravel? Well, if not, and you are interested in crazy science, you should definitely read the articel "Investingating the Halo-Drive", and you also know now where our DDoS-Attack got its name from.
The reverse HTTP reflectionamplification attack, also known as upstream saturation/upstream-jamming, is a sophisticated technique. This method leverages the HTTP protocol to exploit the connection between frontend-servers and loadbalancers/upstream-connections, resulting in significant upstream-traffic from the targeted victim.
In this attack, the malicious actor sends valid requests to ressources much larger than the request itself, usually JS, CSS, Images, PDFs (hello download-area) and such. With files on an avg size of 1 MBit we were able to request 70 GB/s downstream from a single target, using a botnet with 5000 bots and executing 1 RPS, a rate that was far below any WAF-countermeasures, while saturating the upstream-connection totally (but we missed to make that cool screenshots, meh :/ )
The reverse HTTP amplification attack possesses several advantages for attackers:
- WAF/Botdefense-evasion, due to the low RPS per bot
- Amplification on the "inside" of the target-network evasion of mitigation techniques, and the ability to target specific victims.
- unsual attack, leading in problems to detect and mitigate on the victim-side
To mitigate the risk posed by reverse HTTP reflection attacks, system-operators must have a close monitoring on ingoing but also outgoing traffic with relaxed but useful alarm-thresholds. a CDN comes in handy as well.
Understanding the mechanics and implications of reverse HTTP reflection attacks is essential for organizations seeking to enhance their DDoS defense strategies. By staying informed about emerging attack techniques and implementing robust security measures, businesses can minimize the risk of falling victim to these disruptive and damaging assaults.
Member discussion: