TA14-017A:UDP-Based Amplification AttacksOriginal release date: January 17, 2014 | Last revised: April 13, 2016 Systems AffectedCertain application-layer protocols that rely on User Datagram Protocol (UDP) have been identified as potential attack vectors:
OverviewA Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic. DescriptionUDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation in VOIP (voice over IP), it is very easy to forge the IP packet datagram to include an arbitrary source IP address [1]. When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected Denial of Service (DoS) Attack. Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale using multiple amplifiers and targeting a single victim, DDoS attacks can be conducted with relative ease. To measure the potential effect of an amplification attack, a metric called the bandwidth amplification factor (BAF) is used. BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [2] [3]. The list of known protocols—and their associated bandwidth amplification factors—are listed below. US-CERT offers thanks to Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian’s blog and associated research paper.
In March 2015, Software Engineering Institute CERT issued Vulnerability Note (VU#550620) describing the use of mDNS in DRDoS attacks. Attackers can leverage mDNS by sending more information than can be handled by the device, thereby causing a DoS. [6] In July 2015, Akamai Technologies’ Prolexic Security Engineering and Research Team (PLXsert) issued a threat advisory describing a surge in DRDoS attacks using the Routing Information Protocol version one (RIPv1). Malicious actors are leveraging the behavior of RIPv1 for DDoS reflection through specially crafted request queries [7]. In August 2015, Level 3 Threat Research Labs reported a new form of DRDoS attack that uses portmap. Attackers leverage the behavior of the portmap service through spoofed requests and flood a victim’s network with UDP traffic. [8] ImpactAttackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack. SolutionDETECTIONDetection of DRDoS attacks is not easy because of their use of large, trusted servers that provide UDP services. Network operators of these exploitable services may apply traditional DoS mitigation techniques. To detect a DRDOS attack, watch out for abnormally large responses to a particular IP address, which may indicate that an attacker is using the service. If you are a victim of DRDoS attack, there are a few things you can do to detect such activity and respond:
In general, network and server administrators for Internet service providers (ISPs) should use the following best practices to avoid becoming amplifier nodes:
MITIGATIONIf you are a victim of DRDoS attack there are a few things you can do to mitigate this attack:
In general, network and server administrators for Internet service providers (ISPs) should use the following as best practices to avoid becoming amplifier nodes:
As a service provider, to avoid any misuse of Internet resources
References
Revisions
|