http://debianws.lexgopc.com/wiki143/index.php?action=history&feed=atom&title=Reflection_attackReflection attack - Revision history2026-05-04T21:18:59ZRevision history for this page on the wikiMediaWiki 1.43.1http://debianws.lexgopc.com/wiki143/index.php?title=Reflection_attack&diff=5419342&oldid=previmported>Neb-seneku: Added short description2025-12-22T00:41:17Z<p>Added short description</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Previous revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 00:41, 22 December 2025</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{Short description|Attack on challenge–response authentication systems}}</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{{about|the attack on authentication systems|the denial of service attack|Distributed Reflection Denial of Service}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{{about|the attack on authentication systems|the denial of service attack|Distributed Reflection Denial of Service}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l12">Line 12:</td>
<td colspan="2" class="diff-lineno">Line 13:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># The attacker sends that response back to the target on the original connection.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># The attacker sends that response back to the target on the original connection.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>If the authentication protocol is not carefully designed, the target will accept that response as valid, thereby leaving the attacker with one fully authenticated channel connection (the other one is simply abandoned).</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If the <ins style="font-weight: bold; text-decoration: none;">[[</ins>authentication protocol<ins style="font-weight: bold; text-decoration: none;">]] </ins>is not carefully designed, the target will accept that response as valid, thereby leaving the attacker with one fully authenticated channel connection (the other one is simply abandoned).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Solution ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Solution ==</div></td></tr>
</table>imported>Neb-senekuhttp://debianws.lexgopc.com/wiki143/index.php?title=Reflection_attack&diff=603540&oldid=prev91.215.1.127: /* Attack */Deleted a part of attack point because it refered to DDoS reflection attack, which this article is not about2024-09-08T08:16:51Z<p><span class="autocomment">Attack: </span>Deleted a part of attack point because it refered to DDoS reflection attack, which this article is not about</p>
<p><b>New page</b></p><div>{{about|the attack on authentication systems|the denial of service attack|Distributed Reflection Denial of Service}}<br />
<br />
In [[computer security]], a '''reflection attack''' is a method of attacking a [[challenge–response authentication]] system that uses the same [[Protocol (computing)|protocol]] in both directions. That is, the same challenge–response protocol is used by each side to [[Authentication|authenticate]] the other side. The essential idea of the attack is to trick the target into providing the answer to its own challenge.<ref>''Computer Networks'' by [[Andrew S. Tanenbaum]], 4th edition, {{ISBN|0-13-038488-7}}, pages 787-790.</ref><br />
<br />
== Attack ==<br />
The general attack outline is as follows:<br />
<br />
# The attacker initiates a connection to a target.<br />
# The target attempts to authenticate the attacker by sending it a challenge. <br />
# The attacker opens another connection to the target, and sends the target this challenge as its own.<br />
# The target responds to the challenge.<br />
# The attacker sends that response back to the target on the original connection.<br />
<br />
If the authentication protocol is not carefully designed, the target will accept that response as valid, thereby leaving the attacker with one fully authenticated channel connection (the other one is simply abandoned).<br />
<br />
== Solution ==<br />
Some of the most common solutions to this attack are described below:<br />
<br />
* The responder sends its identifier within the response so, if it receives a response that has its identifier in it, it can reject it.<ref>[[Ross J. Anderson]]: <cite>[http://www.cl.cam.ac.uk/~rja14/book.html Security Engineering: A Guide to Building Dependable Distributed Systems]</cite>, 1st edition, page 21, {{ISBN|0-471-38922-6}}</ref><br />
# Alice initiates a connection to Bob.<br />
# Bob challenges Alice by sending a [[cryptographic nonce|nonce]] ''N''. {{nowrap|B → A: ''N''}}<br />
# Alice responds by sending back the MAC calculated on her identifier and the nonce using the shared key ''K''<sub>ab</sub>. {{nowrap|A → B: MAC<sub>''K''<sub>ab</sub></sub>{{mset|A, ''N''}}}}<br />
# Bob checks the message and verifies the MAC, making sure it is from Alice and not a message he had sent in the past by making sure that it verifies with A and not B, and on the nonce which is the same as the one he sent in his challenge, then he accepts the message.<br />
* Require the initiating party to first respond to challenges before the target party responds to its challenges.<br />
* Require the key or protocol to be different between the two directions.<br />
<br />
==See also==<br />
* [[Replay attack]]<br />
* [[Man-in-the-middle attack]]<br />
* [[Pass the hash]]<br />
<br />
== References ==<br />
{{reflist}}<br />
<br />
[[Category:Computer security exploits]]<br />
[[Category:Computer access control protocols]]</div>91.215.1.127