Reflection Attack Tools and the DDoS Marketplace

Published November 11, 2013

Reflection Attack Tools and the DDoS Marketplace

Reflection attacks have two victims: the unwilling third-party server that is compelled to launch distributed denial of service (DDoS) attack traffic and the attackers’ intended DDoS target. For both victims the effect is similar – slow performance or an outage that prevents legitimate users from accessing the targeted site.

Learn how the powerful tools, methods and services in the underground DDoS marketplace can launch devastating reflection attacks targeting your organization

What You Need to Know

  • Slick user interfaces and convenient payment methods have democratized the DDoS marketplace.
  • The addition of amplification modules to DDoS-for-hire sites makes it much less expensive to generate an attack than to mitigate one.
  • Malicious actors can easily inflict damage on small-to-medium businesses for as little as US$5.
  • The cybersecurity community must promote cleanup efforts for obsolete protocols such as CHARGEN and make it more difficult to send money to the criminals offering DDoS-for-hire.


In 2013, Distributed Reflective Amplification Denial of Service (DrDoS) attacks against enterprises in multiple industries increased significantly. These attacks inundate the target with floods of Layer 3 requests that make use of network protocols such as DNS, SNMP and CHARGEN, a protocol that many consider to be obsolete.

The use of DDoS attacks that take advantage of reflection techniques can be attributed to the increase in the number of misconfigured servers. In addition, the DDoS-as-a-Service marketplace makes acquiring lists of misconfigured services simple for would-be attackers.

  • New tools can scan large IP address ranges to discover vulnerable servers that can be utilized as unwilling participants in amplified reflection DDoS attacks.
  • Attackers build lists of these victim servers from which to reflect and amplify attack traffic towards their primary targets.
  • Such scanner tools were previously only available for sale privately within underground forums, but many have been leaked into the public realm. Free scanner tools are also available.
  • Underground vendors have also sold lists of vulnerable servers from completed scans.
  • DDoS-as-a-Service has expanded to include the development and resale of custom attack tools to develop and exploit these lists.
  • Reflection attack methods have also been integrated into ready-to-use DDoS-as-a-Service stressor suites.

The commodification of lists of vulnerable servers 
is not a new phenomenon within the underground. However, the surge in availability and demand for lists of servers specifically vulnerable to reflection attacks was first observed in 2013.

Contact Us