A threat event can be elaborated in terms of tactics, techniques, and procedures (TTP). An attacker initiates a DDoS (Distributed Denial-of-Service) attack from zombies in a botnet through DNS services to attack a victim. Which of the following techniques best describes sending DNS requests with a spoofed source address from zombies to generate a large volume of DNS responses to the victim?
A. Amplification
B. Flooding
C. Reflection
D. Smurfing
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Reflection.
An attack may combine one or more techniques. Reflection, amplification, and flooding are the most common techniques used in DDoS attacks.
- Reflection is a technique that sends unsolicited traffic to the victim by spoofing the source address of the requests so that the responses are bounced (reflected) to the victim.
- Amplification is a technique that triggers a large response with a small request. For example, a typical DNS query carried in a 512-byte PDU (Protocol Data Unit) can generate a DNS response around twenty times as large as the query; the exact ratio depends on the amplification factor.
- Flooding is a technique that sends a large volume of requests to overwhelm the victim. Flooding doesn’t necessarily employ reflection or amplification. For example, hundreds of thousands of zombies in a botnet can send traffic directly to the victim without using a spoofed source address.
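As an added illustration that is not part of the original post, the following Python sketch shows how the three techniques look from the victim's side: a sensor at the victim's network edge sees DNS responses that match no outbound query (reflection), measures how large they are relative to a small query (amplification), and counts how fast they arrive (flooding). The record format, the sample traffic, the typical query size and the thresholds are all constructed assumptions for the example.

```python
"""Detect DNS reflection/amplification against a host from its own edge traffic.

Constructed example. Records are what a sensor at the victim's network edge
would see: (timestamp, direction, peer_ip, txid, bytes). The typical query size
and the thresholds below are assumptions chosen for illustration.
"""
from collections import Counter

TYPICAL_QUERY_BYTES = 60      # assumed size of a small DNS query over UDP
AMPLIFICATION_THRESHOLD = 5   # assumed ratio above which we call it amplification
FLOOD_PPS_THRESHOLD = 100     # assumed unsolicited responses/second that count as flooding


def analyze_dns_traffic(records):
    """Classify the DDoS techniques visible in a DNS traffic sample.

    Reflection shows up as inbound DNS responses matching no outbound query
    (zombies sent the queries with our address as the spoofed source).
    Amplification is the size of those responses relative to a small query.
    Flooding is the rate at which those unsolicited responses arrive.
    """
    outstanding = set()   # (peer_ip, txid) of queries this host really sent
    unsolicited = []      # sizes of inbound responses nobody here asked for
    per_second = Counter()
    for ts, direction, peer, txid, size in sorted(records):
        if direction == "out":
            outstanding.add((peer, txid))
        elif (peer, txid) in outstanding:
            outstanding.discard((peer, txid))   # legitimate answer to our query
        else:
            unsolicited.append(size)
            per_second[int(ts)] += 1
    peak_pps = max(per_second.values(), default=0)
    amp = (sum(unsolicited) / len(unsolicited)) / TYPICAL_QUERY_BYTES if unsolicited else 0.0
    return {
        "unsolicited_responses": len(unsolicited),
        "reflection": bool(unsolicited),
        "amplification_factor": round(amp, 1),
        "amplification": amp >= AMPLIFICATION_THRESHOLD,
        "peak_responses_per_second": peak_pps,
        "flooding": peak_pps >= FLOOD_PPS_THRESHOLD,
    }


def sample_records():
    """Constructed sample: three normal lookups, then a reflected burst."""
    legit = [(t, "out", "198.51.100.53", 1000 + i, 60) for i, t in enumerate((0.0, 0.5, 1.0))]
    legit += [(t + 0.02, "in", "198.51.100.53", 1000 + i, 180) for i, t in enumerate((0.0, 0.5, 1.0))]
    # 120 large answers from 50 open resolvers (RFC 5737 addresses) inside one second
    burst = [(2.0 + i / 200, "in", f"203.0.113.{i % 50}", 40000 + i, 3200) for i in range(120)]
    return legit + burst
```

Running `analyze_dns_traffic(sample_records())` flags all three techniques, while a single unsolicited 60-byte response is reported as reflection without amplification or flooding, which is the distinction the question turns on.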