First I want to make sure everyone knows this:

DoS = Denial of Service
DDos = Distributed DoS
DrDoS = Distributed reflected DoS
SYN = The first step in a TCP connection, sent by the client.

SYN/ACK = The second step. The reply from the server after a recieved SYN.

ACK = The third step. The reply from the client after a recived SYN/ACK.

¤--The DoS attack--¤
ok, the DoS-attack is based on the concept of one computer that sends SYN:s with a false ip-source. Then the server will try to send a SYN/ACK to the false ip, but since the ip is false it won't get a reply. The server will resend the SYN/ACK several times before giving up. That means that the servers possibility to recieve and respond to connections is partially blocked. For example say a server can have 1000 connections open at the same time. When it recieves a false SYN it will only be 999 open. If you send really many false SYN:s at one time you will fill up the servers connection-spots and it will appear to valid user as if the server was offline. Most bigger servers have protection against the DoS attack nowadays.

¤--The DDoS attack--¤

This is based on the DoS attack, but now you use several computers with a good connection to the net. Then you start pumping false SYN:s to the victim server. But of course this server will have protection against false SYN:s, right? But the router don't. So if there's enough false SYN's pumping in it will occupy the servers bandwidth. And it will for valid users seem like the server is offline. But nowadays it's geting more and more usual that the routers have filters too.

¤--The DrDoS attack--¤

This is based on the DDoS attack, but this time you won't be pumping SYN:s against the victim server. Having a list of well-connected servers is a must. Then you send small amounts of SYN:s to different servers/routers with the victim servers ip as the source. That will make all the servers to respond as usual with a SYN/ACK and send it to the victim server. This will block the bandwidth of the victims server and it will pass the false SYN-filters. This can be done from many different ports on the different servers so that the router can't just block a port and then get rid of the attack. The server will appear offline to valid users. There aren't any really effective way to stop this attack so far...

¤--The thought--¤

What if you take it one step further and send the SYN/ACK to a router that will change the source ip to the victims ip and then forward it to another server. That way you could block the bandwidth of the victim with the RST/ACK that occurs when a server gets a SYN/ACK without having sent out any SYN...

// Dartur

If you think you know something completely, you probably don't know enough.