RAD: Reflector Attack Defense Using Message Authentication Codes

Reflector attacks are a variant of denial-of-service attacks that use unwitting, legitimate servers to flood a target. The attacker spoofs the target\´s address in legitimate service requests, such as TCP SYN packets. The servers, called "reflectors,\´\´ reply to these requests, flooding the target. RAD is a novel defense against reflector attacks. It has two variants -- locally-deployed (L-RAD) and core-deployed (C-RAD). Local RAD uses message authentication codes (MACs) to mark outgoing requests at their source, so the target of a reflector attack can differentiate between replies to legitimate and spoofed requests. MACs can be validated either at the target machine or on a gateway router at the target\´s network. Core RAD, which is deployed at the AS level, handles larger attacks that overwhelm L-RAD. The source AS marks each packet it sends with a hash message authentication code (HMAC) and core ASes filter packets that carry incorrect HMACs. C-RAD prevents reflector attacks by filtering spoofed requests, rather than filtering reflected replies. We tested both variants using the DETER testbed by replaying backbone traces from the MAWI project archive in a congestion-responsive manner. Our tests show that local RAD is better than the no-defense case, but gets overwhelmed when the attack exceeds the target\´s network capacity. Core-deployed RAD successfully handles attacks of all rates.