Analysis of Emerging TCP Reflection DDoS Attack Techniques and Defense Strategies
The paper examines novel TCP reflection DDoS methods that exploit CDN IP ranges and increasingly use pure ACK responses, outlines their handshake‑state behavior, and proposes a per‑connection tracking defense algorithm—implemented in Tencent’s DaYu platform—to detect and mitigate SYN/ACK, ACK, and RST reflection flows without affecting legitimate traffic.
The article introduces the concept of TCP reflection attacks, a DDoS variant that abuses the TCP three‑way handshake. While UDP reflection is well known, the authors point out that servers do not always answer a SYN with a SYN/ACK; in many real‑world cases they return a pure ACK instead, creating a new threat vector.
Two new characteristics of modern TCP reflection attacks are identified:
Attackers increasingly leverage CDN provider IP ranges to obtain large pools of open TCP servers for reflection.
The reflected traffic has shifted from SYN/ACK to pure ACK packets, making detection and mitigation more difficult.
Detailed measurements show that in some incidents over 99% of source IPs belong to a single CDN provider, and the attack traffic often consists of massive ACK flows mixed with a few SYN/ACK packets. The authors explain the underlying TCP state machine behavior: depending on the sequence numbers (SEQ) and window size (WND) of forged SYN packets, the victim server may respond with SYN/ACK, ACK, or RST, leading to three distinct reflection scenarios illustrated with packet captures.
Based on these observations, the authors propose a new TCP reflection defense algorithm. The core idea is to perform per‑connection tracking on inbound traffic to the victim IP, analyze session behavior, and accurately distinguish malicious reflection sessions from legitimate traffic. The authors claim the algorithm provides:
Second‑level detection of SYN/ACK, ACK, and RST reflection flows.
No impact on normal business traffic.
Automatic adaptation to most business scenarios without manual policy tuning.
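As an added illustration of the per‑connection tracking idea (this is not the DaYu algorithm or Tencent's code, whose internals the article does not publish): a toy tracker that accepts inbound SYN/ACK, ACK and RST packets only when they fit a handshake the protected host itself took part in, and counts everything else per source address as a candidate SYN/ACK, ACK or RST reflection flow. The packet tuple format, the `"S"/"A"/"R"` flag strings and the IP addresses are constructed for the example.

```python
from collections import defaultdict
class ReflectionTracker:
    """Toy per-connection tracker for one protected IP. flags: string over S/A/R ("SA" = SYN/ACK)."""
    def __init__(self, threshold=3):
        self.state = {}        # (peer_ip, peer_port, local_port) -> handshake state
        self.unsolicited = defaultdict(lambda: defaultdict(int))  # peer_ip -> kind -> count
        self.threshold = threshold

    def observe(self, direction, peer_ip, peer_port, local_port, flags):
        key = (peer_ip, peer_port, local_port)
        st = self.state.get(key)
        if direction == "out":                 # what the protected host itself sent
            if flags == "S":
                self.state[key] = "SYN_SENT"
            elif flags == "SA" and st == "SYN_RCVD":
                self.state[key] = "HALF_OPEN"
            elif "R" in flags:
                self.state.pop(key, None)
            return "out"
        if flags == "S":                       # a peer starting a handshake with us
            self.state[key] = "SYN_RCVD"
            return "legit"
        if st is None:                         # no handshake of ours explains this packet
            kind = "SYN/ACK" if flags == "SA" else "RST" if "R" in flags else "ACK"
            self.unsolicited[peer_ip][kind] += 1
            return "reflect:" + kind
        if (flags == "SA" and st == "SYN_SENT") or (flags == "A" and st == "HALF_OPEN"):
            self.state[key] = "ESTABLISHED"    # handshake completed on a tracked session
        elif "R" in flags:
            del self.state[key]
        return "legit"

    def reflectors(self):
        # Peers whose unsolicited SYN/ACK, ACK or RST packets reached the threshold.
        return {ip: dict(k) for ip, k in self.unsolicited.items()
                if sum(k.values()) >= self.threshold}

# Constructed sample: a legitimate outbound flow, a legitimate inbound flow, then
# reflected SYN/ACK, ACK and RST packets from an address the host never contacted.
SAMPLE = [
    ("out", "198.51.100.7", 443, 50000, "S"), ("in", "198.51.100.7", 443, 50000, "SA"),
    ("out", "198.51.100.7", 443, 50000, "A"), ("in", "198.51.100.7", 443, 50000, "A"),
    ("in", "192.0.2.9", 40000, 80, "S"), ("out", "192.0.2.9", 40000, 80, "SA"),
    ("in", "192.0.2.9", 40000, 80, "A"),
    ("in", "203.0.113.1", 80, 61000, "SA"), ("in", "203.0.113.1", 80, 61001, "A"),
    ("in", "203.0.113.1", 80, 61002, "A"), ("in", "203.0.113.1", 80, 61003, "R"),
]
def run(packets=SAMPLE, threshold=3):
    tracker = ReflectionTracker(threshold)
    return [tracker.observe(*p) for p in packets], tracker.reflectors()
```

Note that the pure ACK completing the inbound handshake on port 80 is accepted, while the pure ACKs from 203.0.113.1 are not, which is the distinction the article's "no impact on normal business traffic" claim rests on.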
The solution has been integrated into Tencent’s DDoS protection platform (DaYu), already deployed for selected customers and slated for broader release.
The article concludes with a brief introduction of the Tencent Security DaYu DDoS protection product, highlighting its BGP‑based high‑availability services, AI‑driven cleaning engine, and extensive experience protecting gaming, e‑commerce, and social platforms.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.