
What if a DDoS attacker hits public websites (google, amazon etc) with some requests but spoofed the source IP to the victim's IP. Now the responses will be sent to the victim's IP.

Attacker can rotate between the millions of public websites so that the site won't find anything suspicious.

This seems like an easier way than having a malware botnet to do it. The attacker is just using the websites as a botnet. Anyone can just do it with a personal computer (or a faster and higher-bandwidth AWS/Azure VM) and with just 10-20 lines of code.

Why are DDoS attackers not doing this instead of buying botnets?

  • The answer is there in your question. How do you plan to send millions of requests with this approach? Remember, for it to have any chance of working, it must happen in a very short timeframe. – Shurmajee Jun 19 '20 at 17:39
  • @Shurmajee I guess 1000 requests per second would be enough to stall any average site. 1000 rps can be done by a single AWS EC2 machine, I believe. Correct me if I'm wrong. – Mani Bharathy Jun 19 '20 at 18:08

1 Answer


> What if a DDoS attacker hits public websites (google, amazon etc) with some requests but spoofed the source IP to the victim's IP. Now the responses will be sent to the victim's IP.

The protocol used for web sites is usually TCP based, i.e. HTTP/1 and HTTP/2 are both TCP based. While spoofing of TCP is theoretically possible, the necessary bandwidth for this wildly exceeds what gets reflected back, i.e. it is not really usable for a DoS attack since the attacker needs much more bandwidth of its own than what the DoS target receives.

HTTP/3 instead is implemented on top of the QUIC protocol, which itself is implemented on top of UDP. While UDP by itself is vulnerable to easy IP spoofing, the QUIC protocol makes sure that it cannot be used for amplification. With QUIC (and thus with HTTP/3) the attacker needs at least as much bandwidth of its own as the DoS target should receive.

In other words: web based DoS using IP spoofing will work worse than what would be achievable if the attacker directly attacks the target, and will work much worse than the use of a botnet.

See also: Is it possible to send HTTP packet via spoofed IP?

Steffen Ullrich
  • I might nitpick one detail: the main issue with TCP spoofing is that the handshake requires the attacker to be a MitM, which is difficult to make happen for one target, and impossible to make happen for a distributed attack. – Conor Mancone Jun 19 '20 at 18:25
  • Just curious (and apparently too lazy to google): does QUIC use a handshake like TCP does? I'm guessing no? After all, the IP protocol which TCP is built on is vulnerable to spoofing just like UDP is, but it is the TCP handshake that makes spoofing generally impractical. I'm wondering if QUIC has something built in to protect against spoofing, or if they left that part out to specifically avoid the handshake (which increases request time) and therefore put in a completely different class of mitigations – Conor Mancone Jun 19 '20 at 18:26
  • @Steffen I forgot the TCP part. TCP spoofing DoS is not worth it because the attacker needs to spend more bandwidth than the target, as you said. But what if it is done in a UDP request? Some live video streaming like Twitch? – Mani Bharathy Jun 19 '20 at 18:29
  • @ConorMancone https://blog.cloudflare.com/the-road-to-quic/ "The initial QUIC handshake combines the typical three-way handshake that you get with TCP, with the TLS 1.3 handshake, which provides authentication of the end-points as well as negotiation of cryptographic parameters." And since TLS has 0-RTT, QUIC has it as well: https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/ – Patrick Mevzek Jun 19 '20 at 19:10
  • @ManiBharathy: I don't know what Twitch is using. But UDP based media in the browser (like in WebRTC) require a session setup first where the necessary ports etc. are exchanged, i.e. an attacker cannot simply direct a UDP stream to some target with a single spoofed packet. – Steffen Ullrich Jun 19 '20 at 19:36
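As an added illustration of the answer's bandwidth argument (this is not code from the answer or from any of the commenters): a constructed Python model of what a spoofed-source SYN draws out of a TCP server, and of a QUIC server applying the two RFC 9000 rules that matter here, namely that client Initial datagrams must be at least 1200 bytes and that an unvalidated peer is sent at most three times the bytes it has sent. The header sizes and the `handshake_size` value are assumed, illustrative numbers, not measurements.

```python
IP_TCP_HDR = 40          # assumed: IPv4 + TCP header without options, bytes
QUIC_MIN_INITIAL = 1200  # RFC 9000 s14.1: client Initial datagrams are >= 1200 bytes
QUIC_AMP_LIMIT = 3       # RFC 9000 s8.1: <= 3x received bytes before address validation


def tcp_syn_reflection(syn_count: int) -> dict:
    """Spoofed SYNs only draw SYN-ACKs; the server's ISN goes to the victim, so the
    attacker can never ACK, never sends an HTTP request, and no response is reflected."""
    sent = syn_count * IP_TCP_HDR
    reflected = syn_count * IP_TCP_HDR     # one SYN-ACK per SYN (retransmits ignored)
    return {"attacker_bytes": sent, "victim_bytes": reflected,
            "amplification": reflected / sent, "http_response_reflected": False}


class QuicConnection:
    """Server side of one QUIC connection, enforcing the anti-amplification limit."""

    def __init__(self, handshake_size: int):
        self.handshake_size = handshake_size   # assumed bytes of server handshake (certs etc.)
        self.received = self.sent = 0
        self.validated = False

    def _flush(self) -> int:
        remaining = self.handshake_size - self.sent
        if not self.validated:   # unvalidated peer: cap at 3x what it has sent us
            remaining = min(remaining, QUIC_AMP_LIMIT * self.received - self.sent)
        self.sent += remaining
        return remaining

    def on_initial(self, size: int) -> int:
        """A client Initial arrives; return the bytes the server sends back to its source."""
        if size < QUIC_MIN_INITIAL:
            return 0             # undersized Initial: dropped, nothing reflected
        self.received += size
        return self._flush()

    def on_handshake_ack(self) -> int:
        """Only a peer that really received the server's packets can send this."""
        self.validated = True
        return self._flush()


def quic_initial_reflection(initial_count: int, handshake_size: int = 6000) -> dict:
    """Each spoofed Initial opens a fresh connection that stalls before validation."""
    sent = reflected = 0
    for _ in range(initial_count):
        sent += QUIC_MIN_INITIAL
        reflected += QuicConnection(handshake_size).on_initial(QUIC_MIN_INITIAL)
    return {"attacker_bytes": sent, "victim_bytes": reflected,
            "amplification": reflected / sent}
```

The model reproduces the answer's point: the TCP case reflects roughly one header per header and never an HTTP body, and the QUIC case stops at a small bounded multiple until the real recipient of the server's packets answers, which a spoofing attacker cannot do.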