Analysis of a Hybrid DDoS Attack Leveraging TCP Reflection on Cloud Gaming Services
Tencent Cloud mitigated a 31‑minute, 194 Gbps hybrid DDoS attack on a cloud gaming service that combined typical SYN/ICMP floods with a rare TCP‑reflection component sending spoofed SYN/ACK packets to common service ports, primarily from Chinese IDC servers, prompting advanced filtering and cloud‑based mitigation recommendations.
Recently, Tencent Cloud mitigated a hybrid DDoS attack targeting a cloud‑based gaming service. The attack lasted 31 minutes and reached a traffic peak of 194 Gbps. While the overall volume is not unprecedented, the analysis revealed a rare TCP‑based reflection component mixed with typical SYNFLOOD, RSTFLOOD, and ICMPFLOOD traffic.
The mixed traffic included a 1.98 Gbps stream of SYN/ACK packets (≈1.94 million packets per second; the original gives this as 194 wpps, where w stands for 万, ten thousand): small packets with both the SYN and ACK flags set. Their source ports were common TCP service ports (80, 8080, 23, 22, 443), while the destination port was 80, the port of the targeted game service. That is the reverse of what a legitimate SYN/ACK looks like: it comes from a server port and lands on the client's ephemeral source port, normally above 1024, never on a port the receiving host is itself listening on.
Further investigation showed that many of the source IPs retransmitted their SYN/ACKs on the normal TCP stack timeout schedule, which is exactly what a real listener does when the half‑open connection it created is never completed. Genuine servers were therefore answering SYNs forged with the victim's address, pointing to a deliberate TCP reflection attack rather than a flood from randomly spoofed sources.
Statistical analysis of the 912,726 observed attack sources revealed that over 95% of them had at least one of the following TCP ports open: 21, 22, 23, 80, 443, 8080, 3389, 81, 1900. The table below gives, for each port, the number of sources that exposed it and that number as a share of all 912,726 sources; the shares do not sum to 100% because a single source can expose several ports.

Port    Count      Share of sources (%)
80      375,888    41.2
443     294,983    32.3
23      209,240    22.9
22      172,026    18.8
3389    105,002    11.5
8080     99,206    10.9
21       95,703    10.5
81       55,072     6.0
1900     11,951     1.3
Geographic analysis showed that more than 99.9% of the source IPs originated from China, with the top three provinces being Guangdong (16.9%), Jiangsu (12.5%) and Shanghai (8.8%). The attack sources were predominantly IDC servers (58%), followed by IoT devices (36%) and PCs (6%).
The TCP reflection attack works as follows. The attacker sends SYN packets to publicly reachable TCP servers with the source address forged to the victim's IP (and, as seen here, the source port forged to the victim's service port). Each server answers with a SYN/ACK to the address it believes sent the SYN, that is, to the victim, which is flooded with unsolicited traffic that consumes bandwidth and CPU; the victim's own stack has to answer every stray SYN/ACK with a RST. A SYN/ACK is no larger than the SYN that triggered it, so unlike UDP reflection the attack offers no byte amplification per packet, but it still has three advantages:
The source addresses are real, reachable servers rather than forged ones, so defenses that validate a source by challenging it (reverse challenge or source authentication) see a host that genuinely answers and let the traffic through.
The reflectors' TCP stacks retransmit the SYN/ACKs on their own, so the flood carries the timing structure of real connections; this complicates detection and increases the chance that the traffic passes through defenses, and each spoofed SYN yields several packets at the victim.
Using public TCP servers as reflectors blends the attack with normal business traffic, which further enhances stealth.
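The mechanism described above, as an added example that is not code from the incident or from Tencent Cloud: a small model of what a listener does with one spoofed SYN. It assumes a Linux‑style stack (net.ipv4.tcp_synack_retries defaults to 5, and the SYN/ACK retransmission timer starts at 1 s and doubles), and the addresses, port numbers and packet sizes are constructed. The last line takes the SYN/ACK rate reported above as roughly 1.94 million packets per second, an interpretation of the 194 wpps figure.

```python
"""How a TCP listener turns one spoofed SYN into a burst of SYN/ACKs at the victim.

Added example modelling the reflection mechanism; not code from the incident.
Assumes a Linux-style listener: tcp_synack_retries = 5, retransmission timer
starting at 1 s and doubling. Addresses, ports and sizes are constructed.
"""
from dataclasses import dataclass

VICTIM = "198.51.100.5"      # game server whose address the attacker forges (constructed)
REFLECTOR = "203.0.113.10"   # any public TCP server with an open port (constructed)
SYN_LEN = 60                 # bytes on the wire: IPv4 + TCP with options; a SYN/ACK is comparable


@dataclass(frozen=True)
class Packet:
    t: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN/ACK
    length: int


def spoofed_syn(reflector_port: int, victim_port: int = 80, t: float = 0.0) -> Packet:
    """The attacker's packet: source address AND source port are forged, so the
    reflector's reply lands on the victim's service port, not an ephemeral one."""
    return Packet(t, VICTIM, victim_port, REFLECTOR, reflector_port, "S", SYN_LEN)


def reflect(syn: Packet, rst_reaches_reflector: bool = False,
            synack_retries: int = 5, initial_rto: float = 1.0) -> list:
    """SYN/ACKs the listener emits for one SYN, addressed to syn.src (the victim).

    The victim never sent the SYN, so the handshake never completes and the listener
    retransmits with doubling timeouts until its retry budget is spent. If the RST
    the victim sends for the unexpected SYN/ACK reaches the reflector, the half-open
    entry is discarded after the first reply (RFC 793 behaviour in SYN-RECEIVED);
    under flood the victim's RSTs are often dropped or rate-limited, which is why
    retransmissions show up in a capture of the attack.
    """
    replies = []
    t = syn.t
    for i in range(synack_retries + 1):
        replies.append(Packet(t, syn.dst, syn.dport, syn.src, syn.sport, "SA", SYN_LEN))
        if rst_reaches_reflector:
            break
        t += initial_rto * (2 ** i)
    return replies


def amplification(syn: Packet, replies: list) -> dict:
    """Packet and byte ratios of the reflected traffic to the one spoofed SYN."""
    return {"packets": len(replies),
            "bytes_per_packet": replies[0].length / syn.length,
            "bytes_total": sum(p.length for p in replies) / syn.length}


def required_spoof_pps(observed_synack_pps: float, packets_per_syn: int) -> float:
    """Spoofed SYN rate the attacker needs to produce a given SYN/ACK rate at the victim."""
    return observed_synack_pps / packets_per_syn


if __name__ == "__main__":
    syn = spoofed_syn(reflector_port=443)
    burst = reflect(syn)
    for p in burst:
        print(f"t={p.t:5.1f}s {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
    print(amplification(syn, burst))
    # Reading the reported rate as 1.94 Mpps (194 wpps, w = 10,000): an assumption.
    print(f"{required_spoof_pps(1.94e6, len(burst)):.0f} spoofed SYN/s would suffice")
```

With the defaults the victim sees six SYN/ACKs per spoofed SYN, spaced 0, 1, 3, 7, 15 and 31 s apart, each the same size as the SYN: no byte amplification per packet, but a sixfold packet multiplier as long as the victim's RSTs do not make it back to the reflector.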
Defense recommendations include:
Filter inbound TCP traffic by source port according to what the service actually needs: a host that only accepts connections on port 80 and initiates none of its own should never receive a SYN/ACK at all, least of all one whose source port is 21, 22, 23, 3389 or 8080. Consider deploying Tencent Cloud's next‑generation high‑defense solution, whose security policies can express such rules flexibly.
Adopt BGP high‑defense IPs and multi‑network high‑defense IPs to hide the origin server’s IP address.
When facing high‑level DDoS threats, engage cloud‑provider industry‑specific solutions and, if needed, request expert services from DDoS protection vendors.
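A victim‑side classifier for the signals the analysis above relies on, added here as an example and not Tencent Cloud's detection code. It keeps a table of the SYNs the protected host itself sent, so an inbound SYN/ACK that no outbound SYN explains, or that arrives at a listening port, is flagged as unsolicited; it then reports the reflectors' source‑port distribution and the doubling retransmission gaps that distinguish real reflectors from randomly spoofed sources, and applies the source‑port block from the first recommendation. The addresses, port set and packet log are constructed.

```python
"""Victim-side classification of inbound SYN/ACK packets.

Added example, not Tencent Cloud's tooling. Addresses, ports and the packet log
are constructed for illustration.
"""
from collections import Counter, defaultdict

VICTIM = "198.51.100.5"            # protected game server (constructed)
LISTENING_PORTS = {80}             # the only service it exposes
# Service ports the host never connects out to, so no SYN/ACK may legitimately
# arrive from them (mirrors "block unnecessary TCP source ports").
BLOCKED_SPORTS = {21, 22, 23, 81, 1900, 3389, 8080}

# Constructed packet log: (time_s, src, sport, dst, dport, flags); "S" = SYN, "SA" = SYN/ACK
LOG = [
    (0.00, VICTIM, 40001, "192.0.2.20", 443, "S"),       # victim itself opens a connection
    (0.05, "192.0.2.20", 443, VICTIM, 40001, "SA"),       # ... and gets a legitimate SYN/ACK
    (0.10, "203.0.113.10", 80, VICTIM, 80, "SA"),         # reflector, aimed at the service port
    (1.10, "203.0.113.10", 80, VICTIM, 80, "SA"),         # retransmitted 1 s later
    (3.10, "203.0.113.10", 80, VICTIM, 80, "SA"),         # retransmitted 2 s after that
    (0.20, "203.0.113.11", 23, VICTIM, 80, "SA"),         # telnet reflector
    (0.30, "203.0.113.12", 22, VICTIM, 80, "SA"),         # ssh reflector
    (0.40, "203.0.113.13", 443, VICTIM, 80, "SA"),        # https reflector
    (0.50, "203.0.113.14", 8080, VICTIM, 40002, "SA"),    # ephemeral dport, but no SYN was sent
    (0.60, "198.51.100.99", 51000, VICTIM, 80, "S"),      # ordinary client SYN, not of interest here
]


def classify(log):
    """Return one verdict per inbound SYN/ACK: (t, src, sport, dport, reason)."""
    pending = set()                    # 4-tuples of SYNs the victim has sent
    verdicts = []
    for t, src, sport, dst, dport, flags in sorted(log):
        if src == VICTIM and flags == "S":
            pending.add((dst, dport, src, sport))   # remember our own outbound handshake
            continue
        if dst != VICTIM or flags != "SA":
            continue
        if (src, sport, dst, dport) in pending:
            reason = "solicited"
        elif dport in LISTENING_PORTS:
            reason = "synack-to-listening-port"    # a client never receives SYN/ACK on a server port
        else:
            reason = "no-matching-syn"             # what Linux conntrack would mark INVALID
        verdicts.append((t, src, sport, dport, reason))
    return verdicts


def should_drop(verdict):
    """Drop decision: anything unsolicited, plus anything from a blocked service port."""
    _, _, sport, _, reason = verdict
    return reason != "solicited" or sport in BLOCKED_SPORTS


def reflector_report(verdicts):
    """Summarise unsolicited SYN/ACKs by source port and flag retransmitting reflectors."""
    unsolicited = [v for v in verdicts if v[4] != "solicited"]
    by_sport = Counter(v[2] for v in unsolicited)
    seen = defaultdict(list)
    for t, src, sport, dport, _ in unsolicited:
        seen[(src, sport, dport)].append(t)
    # A real TCP stack retransmits an unanswered SYN/ACK with doubling gaps (1 s, 2 s, 4 s ...);
    # a flood from randomly spoofed sources shows no such per-source timing structure.
    retransmitting = {k: [round(b - a, 2) for a, b in zip(ts, ts[1:])]
                      for k, ts in seen.items() if len(ts) > 1}
    return {"unsolicited": len(unsolicited), "by_sport": dict(by_sport),
            "retransmitting": retransmitting}


if __name__ == "__main__":
    vs = classify(LOG)
    for v in vs:
        print(("DROP " if should_drop(v) else "PASS ") + str(v))
    print(reflector_report(vs))
```

On the constructed log, the only SYN/ACK that passes is the one answering the host's own outbound SYN; the seven others are dropped, and the report shows reflector 203.0.113.10 retransmitting with gaps of 1 s and 2 s. On a Linux host the "no-matching-syn" class is what a conntrack rule dropping INVALID packets catches; the "synack-to-listening-port" class can be dropped statelessly, since a listening port never legitimately receives a SYN/ACK.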
In summary, the analysis demonstrates that TCP reflection attacks, though less common than UDP‑based reflections, pose a significant challenge due to their stealth and difficulty of mitigation. Effective protection requires a combination of network‑level filtering, advanced cloud‑based DDoS mitigation, and continuous monitoring of TCP service exposure.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.