In this article, we will discuss the Authentication Reflection Attack and the Denial of Service (DoS) Reflection Attack.
What is an Authentication Reflection Attack?
Two hosts on a network can use a challenge-response authentication system to authenticate each other. In this system, one host sends a challenge to the other host, and the other host sends a response back to the first host. If the response matches the expected value, the other host is authenticated.
But sometimes the same protocol is used to authenticate hosts in either direction. That is, the same challenge-response protocol is used whichever of the two hosts is doing the authenticating. To authenticate the other host, the first host encrypts a challenge C with the encryption key K and sends E(K, C) to the other host.
But, because the same challenge-response authentication protocol is used in either direction, the other host can open a second connection to the first host and send the same challenge E(K, C) back to it. If the first host now answers that challenge on the second connection, the second host can replay that answer as its own response on the first connection and send it back to the first host. As a result, the second host is fraudulently authenticated to the first host even though it is not authorized to be. Attackers use this vulnerability to attack a system and steal data. This is called an Authentication Reflection Attack.
How to prevent an Authentication Reflection Attack?
With a few modifications to the authentication protocol, this vulnerability can be eliminated:
- The first host can include its own identifier in the response it sends to the second host. Then, if the second host reflects that response back, the first host recognizes its own identifier and rejects the response.
- If the second host opens a second connection to the first host while the first connection (from the first host to the second host) is still open, the first host can withhold its response on the second connection until the second host has answered the outstanding challenge on the first connection.
- Different keys, or different protocols, can be used for the two directions.
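The following simulation, added here as an example and not taken from the article, shows why the reflection above works against a symmetric challenge-response scheme and how the first mitigation (binding the responder's identifier into the response) defeats it. It models the response as an HMAC over the challenge rather than an encryption of it, and the host names "A" and "B", the shared key and the connection labels are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed shared key for the simulation (not a real secret).
KEY = b"demo-shared-key-between-A-and-B"


def naive_response(key: bytes, challenge: bytes) -> bytes:
    """Vulnerable scheme: the response depends only on K and C, so an answer
    computed by either host is valid in either direction."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def bound_response(key: bytes, responder_id: bytes, challenge: bytes) -> bytes:
    """Hardened scheme (first mitigation above): the responder's identifier is
    mixed into the MAC, so an answer produced by host A is only ever valid as
    A's answer and cannot be passed off as B's."""
    return hmac.new(key, responder_id + b"|" + challenge, hashlib.sha256).digest()


class Host:
    """Minimal model of one party; remembers the challenges it has issued."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name.encode()
        self.key = key
        self.pending = {}  # connection id -> challenge we issued on it

    def issue_challenge(self, conn_id: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[conn_id] = challenge
        return challenge

    # Responder side: answer a challenge someone else sent us.
    def answer_naive(self, challenge: bytes) -> bytes:
        return naive_response(self.key, challenge)

    def answer_bound(self, challenge: bytes) -> bytes:
        return bound_response(self.key, self.name, challenge)

    # Verifier side: check the answer to a challenge we issued.
    def verify_naive(self, conn_id: str, response: bytes) -> bool:
        challenge = self.pending.pop(conn_id)
        return hmac.compare_digest(response, naive_response(self.key, challenge))

    def verify_bound(self, conn_id: str, peer_id: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(conn_id)
        if peer_id == self.name:
            return False  # an answer carrying our own identifier can only be a reflection
        expected = bound_response(self.key, peer_id, challenge)
        return hmac.compare_digest(response, expected)


def legitimate_naive() -> bool:
    a, b = Host("A", KEY), Host("B", KEY)
    challenge = a.issue_challenge("conn1")
    return a.verify_naive("conn1", b.answer_naive(challenge))


def legitimate_bound() -> bool:
    a, b = Host("A", KEY), Host("B", KEY)
    challenge = a.issue_challenge("conn1")
    return a.verify_bound("conn1", b.name, b.answer_bound(challenge))


def reflection_against_naive() -> bool:
    """Returns True when the reflected answer is accepted, i.e. the scheme fails."""
    a = Host("A", KEY)
    challenge = a.issue_challenge("conn1")     # conn1: A challenges the unknown peer
    reflected = a.answer_naive(challenge)      # conn2: peer sends A's own challenge back; A answers it
    return a.verify_naive("conn1", reflected)  # conn1: peer replays A's answer as its response


def reflection_against_bound() -> bool:
    """Same sequence under the hardened scheme; the peer claims to be B on conn1."""
    a = Host("A", KEY)
    challenge = a.issue_challenge("conn1")
    reflected = a.answer_bound(challenge)      # this answer is bound to identifier A
    return a.verify_bound("conn1", b"B", reflected)


if __name__ == "__main__":
    print("naive scheme, legitimate peer accepted:", legitimate_naive())
    print("naive scheme, reflected answer accepted:", reflection_against_naive())
    print("bound scheme, legitimate peer accepted:", legitimate_bound())
    print("bound scheme, reflected answer accepted:", reflection_against_bound())
```

The point of the hardened variant is that host A's answer on the second connection is a MAC over "A|C", while the verifier on the first connection expects a MAC over "B|C"; the two never match, and an answer that explicitly claims A's own identifier is refused outright. The same idea is what the second bullet achieves by sequencing instead of by cryptographic binding.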
What is a DoS Reflection Attack?
In a DoS Reflection Attack, an attacker spoofs the source IP address of his packets and sends a large number of request messages to other hosts on the network. Because the attacker uses the victim machine's IP address as the source address of these requests, all of the other hosts send their responses to the victim machine. If the attacker has much higher bandwidth than the victim machine, the victim receives so many responses that all of its network bandwidth is used up. As a result, the victim machine is no longer available for legitimate requests. This is called a DoS Reflection Attack.
A DNS Amplification Attack is also a type of Reflection Attack. In this attack, the attacker sends a large number of DNS queries to a DNS server but forges the victim machine's IP address as the source IP. As a result, the DNS server sends all of its responses to the victim machine. Because DNS responses are much larger than the queries that trigger them, the victim machine is flooded with responses that use up all of its bandwidth.
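From the victim's side, the tell-tale sign of both attacks described above is traffic that arrives as a "response" to a request the victim never sent. The detector below is an added example, not code from the article: it walks a set of constructed flow records for a monitored host (the addresses, ports and byte counts are all made up, with the responses sized much larger than the one legitimate query to mirror DNS amplification), flags DNS responses that have no matching outbound query, and summarizes how much bandwidth they consumed and from which reflectors.

```python
from collections import defaultdict

MONITORED_HOST = "192.0.2.10"  # constructed address of the host we watch

# Constructed flow records, one per packet, in time order (not a real capture).
# The first pair is a normal query/response; the rest are responses that the
# monitored host never asked for.
FLOWS = [
    {"t": 1.00, "src": "192.0.2.10",    "sport": 40001, "dst": "198.51.100.53", "dport": 53,    "bytes": 60},
    {"t": 1.02, "src": "198.51.100.53", "sport": 53,    "dst": "192.0.2.10",    "dport": 40001, "bytes": 180},
    {"t": 2.00, "src": "203.0.113.5",   "sport": 53,    "dst": "192.0.2.10",    "dport": 5555,  "bytes": 3200},
    {"t": 2.01, "src": "203.0.113.6",   "sport": 53,    "dst": "192.0.2.10",    "dport": 5555,  "bytes": 3100},
    {"t": 2.01, "src": "203.0.113.5",   "sport": 53,    "dst": "192.0.2.10",    "dport": 5556,  "bytes": 3300},
    {"t": 2.03, "src": "203.0.113.7",   "sport": 53,    "dst": "192.0.2.10",    "dport": 5555,  "bytes": 2900},
]


def unsolicited_dns_responses(flows, host):
    """Return the DNS responses delivered to `host` for which no matching
    outbound query (same resolver address, same client port) was seen earlier.
    Flows are processed in time order so a response cannot be matched to a
    query that was sent after it."""
    queries_sent = set()
    unsolicited = []
    for f in sorted(flows, key=lambda f: f["t"]):
        if f["src"] == host and f["dport"] == 53:
            queries_sent.add((f["dst"], f["sport"]))        # we asked this resolver from this port
        elif f["dst"] == host and f["sport"] == 53:
            if (f["src"], f["dport"]) not in queries_sent:  # answer with no question
                unsolicited.append(f)
    return unsolicited


def summarize(unsolicited):
    """Aggregate the unsolicited responses by reflector so the operator can see
    both the total bandwidth consumed and which servers are being abused."""
    by_reflector = defaultdict(int)
    for f in unsolicited:
        by_reflector[f["src"]] += f["bytes"]
    return {
        "packets": len(unsolicited),
        "bytes": sum(by_reflector.values()),
        "reflectors": dict(by_reflector),
    }


def reflection_alert(summary, byte_threshold):
    """Simple threshold rule: raise an alert once unsolicited response bytes in
    the observed window exceed what legitimate resolver traffic would produce."""
    return summary["bytes"] >= byte_threshold


if __name__ == "__main__":
    s = summarize(unsolicited_dns_responses(FLOWS, MONITORED_HOST))
    print(s)
    print("reflection alert:", reflection_alert(s, byte_threshold=10_000))
```

Matching on the (resolver, client port) tuple is a flow-level approximation; a packet-level detector would also compare the DNS transaction ID and flag responses whose ID was never issued. Either way the output identifies the reflectors, which is what an operator needs to filter inbound port-53 traffic from those sources or ask the reflector's owner to rate-limit, and the outbound counterpart of this check (queries that exceed a per-client rate) is how a resolver operator notices it is being used as an amplifier.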
So, be aware of these security vulnerabilities so that you can protect your systems better. Stay safe, stay protected.
Read More
What is Web Application Firewall ?
What is Deep Packet Inspection ?
What is Next Generation Firewall ?
How to prevent DDoS attacks ?
What is IoT Botnet ?
How does Network Segmentation improve security ?