~ 4,300 publicly accessible servers pose new DDoS risk to the Internet


Criminals are increasing the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol to dramatically increase the amount of junk traffic directed at targeted servers.

DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service for people trying to connect to the service. As DDoS mitigation services develop protections that allow targets to withstand ever-increasing torrents of traffic, criminals respond with new ways to make the most of their limited bandwidth.

Getting amplified

In so-called amplification attacks, DDoSers send relatively small requests to certain types of intermediary servers. The intermediaries then send responses to the targets that are tens, hundreds, or thousands of times larger. The redirection works because the requests carry a spoofed source IP address: the attacker's address is replaced with the address of the targeted server, so the intermediary sends its reply to the victim.

Other well-known amplification vectors include the memcached database caching system with an impressive amplification factor of 51,000, the Network Time Protocol with a factor of 58, and misconfigured DNS servers with a factor of 50.

DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially Transport Layer Security for UDP packets. Just as TLS prevents the eavesdropping on or tampering with TCP traffic, D/TLS does the same for UDP data.

DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers with dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stresser services, which use commodity equipment to provide attacks for hire, have adopted the technique. The company has identified nearly 4,300 publicly reachable D/TLS servers that are susceptible to abuse.

The largest D/TLS-based attack that Netscout observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to reach a combined size of about 207 Gbps.

Skilled attackers with their own attack infrastructure typically discover, rediscover, or improve amplification vectors and use them against specific targets. Eventually, word of the new technique leaks to the underground through forums. Booter and stresser services then research and reverse engineer the technique to add it to their repertoire.

Challenging to mitigate

The observed attack "consists of two or more individual vectors, orchestrated so that the target is attacked by the vectors in question simultaneously," wrote Netscout threat intelligence manager Richard Hummel and the company's principal engineer, Roland Dobbins. "These multi-vector attacks are the online equivalent of a combined-arms attack, and the idea is to overwhelm defenders in terms of attack volume and to present a more challenging mitigation scenario."

The 4,300 abusable D/TLS servers are the result of misconfiguration or outdated software that leaves an anti-spoofing mechanism disabled. The mechanism is the cookie exchange (HelloVerifyRequest) built into the D/TLS specification: before sending its large handshake response, the server first sends a small message containing a cookie that the client must echo back, which a client forging someone else's source address can never do. Although the mechanism is part of the specification, hardware including the Citrix Netscaler Application Delivery Controller did not always enable it by default. Citrix has recently encouraged customers to upgrade to a software version that enables anti-spoofing by default.
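To make the anti-spoofing mechanism concrete, here is an added Python simulation of the DTLS 1.2 cookie exchange from RFC 6347; it is example code written for this article, not Netscout's or Citrix's. The ClientHello and HelloVerifyRequest are encoded in the real DTLS 1.2 wire format, but the server is a toy: its certificate flight is a placeholder of 3,000 zero bytes, and the IP addresses are constructed documentation addresses. With HelloVerifyRequest disabled, a single spoofed 67-byte ClientHello draws a multi-kilobyte response to the victim; with it enabled, the server answers an uncookied ClientHello with a 60-byte HelloVerifyRequest that only the true sender can complete.

```python
"""Toy DTLS 1.2 server showing why the HelloVerifyRequest cookie exchange
(RFC 6347, section 4.2.1) stops reflection/amplification.

Added example: wire formats follow DTLS 1.2, but the server is a simulation
and the certificate flight is placeholder bytes, not a real certificate."""
import hashlib
import hmac
import os
import struct

DTLS12 = b"\xfe\xfd"            # DTLS 1.2 protocol version on the wire
CT_HANDSHAKE = 22
HT_CLIENT_HELLO = 1
HT_SERVER_HELLO = 2
HT_HELLO_VERIFY_REQUEST = 3
HT_CERTIFICATE = 11
HT_SERVER_HELLO_DONE = 14


def record(content_type, epoch, seq, payload):
    """DTLS record header: type(1) version(2) epoch(2) seq(6) length(2)."""
    return (struct.pack("!B2sH", content_type, DTLS12, epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(payload)) + payload)


def handshake(msg_type, msg_seq, body):
    """DTLS handshake header: type(1) len(3) msg_seq(2) frag_off(3) frag_len(3)."""
    n = len(body)
    return (bytes([msg_type]) + n.to_bytes(3, "big") + struct.pack("!H", msg_seq)
            + (0).to_bytes(3, "big") + n.to_bytes(3, "big") + body)


def client_hello(rand, cookie=b"", msg_seq=0, cipher_suites=(0xC02B,)):
    """ClientHello with an empty session_id and the given (possibly empty) cookie."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (DTLS12 + rand + bytes([0])                # empty session_id
            + bytes([len(cookie)]) + cookie
            + struct.pack("!H", len(suites)) + suites
            + bytes([1, 0]))                          # one compression method: null
    return record(CT_HANDSHAKE, 0, msg_seq, handshake(HT_CLIENT_HELLO, msg_seq, body))


def parse_client_hello(datagram):
    """Split a single-record ClientHello into (random, cookie, remaining fields)."""
    body = datagram[13 + 12:]                         # skip record + handshake headers
    rand = body[2:34]
    p = 35 + body[34]                                 # skip session_id
    cookie = body[p + 1:p + 1 + body[p]]
    return rand, cookie, body[p + 1 + body[p]:]


class ToyDtlsServer:
    def __init__(self, hello_verify_enabled):
        self.hello_verify_enabled = hello_verify_enabled
        self.secret = os.urandom(32)                  # real servers rotate this

    def _cookie(self, src_ip, src_port, rand, rest):
        # RFC 6347 suggests HMAC(secret, client IP/port || ClientHello parameters)
        msg = f"{src_ip}:{src_port}".encode() + rand + rest
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle(self, src_ip, src_port, datagram):
        """Return the datagram the server sends back to (src_ip, src_port)."""
        rand, cookie, rest = parse_client_hello(datagram)
        if self.hello_verify_enabled:
            expected = self._cookie(src_ip, src_port, rand, rest)
            if not hmac.compare_digest(cookie, expected):
                # No or invalid cookie: answer with a tiny HelloVerifyRequest. A
                # spoofed source never sees it, so it can never produce a valid cookie.
                body = DTLS12 + bytes([len(expected)]) + expected
                return record(CT_HANDSHAKE, 0, 0,
                              handshake(HT_HELLO_VERIFY_REQUEST, 0, body))
        return self._server_flight()

    def _server_flight(self):
        """ServerHello + Certificate + ServerHelloDone, sent without any proof
        that the peer address is real. Real servers fragment this across
        several datagrams; one record is enough to show the size ratio."""
        sh = DTLS12 + os.urandom(32) + bytes([0]) + struct.pack("!H", 0xC02B) + bytes([0])
        cert = b"\x00" * 3000                         # placeholder certificate chain
        msgs = (handshake(HT_SERVER_HELLO, 1, sh) + handshake(HT_CERTIFICATE, 2, cert)
                + handshake(HT_SERVER_HELLO_DONE, 3, b""))
        return record(CT_HANDSHAKE, 0, 1, msgs)


def spoofed_probe(server, victim_ip="203.0.113.10", victim_port=40000):
    """An attacker forging the victim's address can only send cookie-less
    ClientHellos. Returns (reply handshake type, bytes reflected per byte sent)."""
    ch = client_hello(os.urandom(32))
    reply = server.handle(victim_ip, victim_port, ch)
    return reply[13], len(reply) / len(ch)


def legitimate_handshake(server, client_ip="198.51.100.7", client_port=5000):
    """A real client echoes the cookie in a second ClientHello (same random)."""
    rand = os.urandom(32)
    reply = server.handle(client_ip, client_port, client_hello(rand))
    if reply[13] == HT_HELLO_VERIFY_REQUEST:
        cookie_len = reply[13 + 12 + 2]
        cookie = reply[13 + 12 + 3:13 + 12 + 3 + cookie_len]
        reply = server.handle(client_ip, client_port, client_hello(rand, cookie, msg_seq=1))
    return reply[13]


if __name__ == "__main__":
    for enabled in (False, True):
        kind, ratio = spoofed_probe(ToyDtlsServer(enabled))
        print(f"HelloVerifyRequest enabled={enabled}: reply type {kind}, amplification {ratio:.1f}x")
```

Running the script prints an amplification above 40x for the server with the cookie exchange disabled and below 1x for the server with it enabled; the real-world factor of 37 quoted above is lower because real ClientHellos carry extensions and real certificate chains vary in size. Note that the cookie is an HMAC over the client's address and its ClientHello parameters, so the server keeps no per-client state before the address has been verified, which is what lets it answer floods of spoofed requests cheaply.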

In addition to posing a threat to the Internet in general, abusable D/TLS servers also put the organizations that run them at risk. Attacks that bounce traffic off one of these machines can cause total or partial disruption of mission-critical remote-access services inside the organization's network. The attacks can cause other service disruptions as well.

Hummel and Dobbins of Netscout said the attacks can be challenging to mitigate because the server's D/TLS handshake response is too large to fit in a single UDP datagram and is therefore fragmented into an initial fragment and one or more non-initial fragments.

"When large UDP packets are fragmented, the initial fragments contain source and destination port numbers," they wrote. "Non-initial fragments do not; so, when mitigating a UDP reflection/amplification vector that consists of fragmented packets, such as DNS or CLDAP reflection/amplification, defenders must ensure that the mitigation techniques they employ can filter both the initial and non-initial fragments of the DDoS attack traffic in question, without overblocking legitimate non-initial UDP fragments."
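The filtering problem Hummel and Dobbins describe, as an added worked example in Python (written for this article, not Netscout's tooling): it parses IPv4 headers, distinguishes initial from non-initial fragments, and carries the verdict from an initial fragment (the only one that carries UDP ports) over to the remaining fragments of the same datagram, keyed by source address, destination address and IP ID, so that legitimate non-initial fragments (here a constructed DNS reply) are not overblocked. The sample packets, the documentation addresses, and the decision to filter UDP source port 443 during a D/TLS attack are all constructed assumptions for the example.

```python
"""Fragment-aware filtering for UDP reflection/amplification traffic.

Added example, not Netscout's tooling. Sample packets are constructed inline
with documentation addresses; the blocked reflector port set is an assumption
standing in for whatever the defender has decided to filter during an attack."""
import ipaddress
import struct

IP_PROTO_UDP = 17
MF_FLAG = 0x2000
ENTRY_TTL_SECONDS = 60.0


def ipv4_packet(src, dst, ip_id, more_fragments, frag_offset_bytes, payload, proto=IP_PROTO_UDP):
    """Build an IPv4 header (no options, checksum left zero) in front of payload."""
    flags_frag = (MF_FLAG if more_fragments else 0) | ((frag_offset_bytes // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def udp_payload(sport, dport, data):
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Return the fields the filter needs. Ports are only present in the
    initial fragment (offset 0), which is the whole point of the problem."""
    ver_ihl, _, _, ip_id, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    info = {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "id": ip_id, "proto": proto, "offset": offset,
            "is_fragment": bool(flags_frag & MF_FLAG) or offset > 0,
            "sport": None, "dport": None}
    if proto == IP_PROTO_UDP and offset == 0:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


class FragmentAwareFilter:
    """Drop UDP from blocked reflector source ports, and carry that verdict
    over to the non-initial fragments of the same datagram, which have no
    port numbers of their own. Keyed by (src, dst, IP ID) and expired after
    ENTRY_TTL_SECONDS so a reused IP ID does not inherit a stale verdict."""

    def __init__(self, blocked_source_ports):
        self.blocked_source_ports = set(blocked_source_ports)
        self.dropped_datagrams = {}   # (src, dst, id) -> time the initial fragment was dropped

    def _expire(self, now):
        self.dropped_datagrams = {k: t for k, t in self.dropped_datagrams.items()
                                  if now - t < ENTRY_TTL_SECONDS}

    def decide(self, pkt, now):
        """Return (action, reason) for one packet seen at time `now` (seconds)."""
        self._expire(now)
        p = parse_ipv4(pkt)
        key = (p["src"], p["dst"], p["id"])
        if p["offset"] == 0:
            if p["proto"] == IP_PROTO_UDP and p["sport"] in self.blocked_source_ports:
                if p["is_fragment"]:
                    self.dropped_datagrams[key] = now   # remember so the tail is dropped too
                return "drop", f"udp source port {p['sport']} matches reflector filter"
            return "pass", "initial fragment or whole datagram, no match"
        # Non-initial fragment: no ports, so decide by the initial fragment's verdict.
        if key in self.dropped_datagrams:
            return "drop", "non-initial fragment of a dropped datagram"
        # Caveat: if the initial fragment was lost or reordered, attack tails and
        # legitimate tails look identical here. Pass rather than overblock, and
        # rate-limit orphan fragments separately if they become a problem.
        return "pass", "non-initial fragment with no dropped initial (orphan or legitimate)"


def sample_run():
    """Constructed traffic toward a victim: a DTLS reflection from UDP/443,
    a legitimate fragmented DNS reply from UDP/53, and an orphan tail."""
    victim, reflector, resolver = "203.0.113.10", "192.0.2.5", "198.51.100.53"
    f = FragmentAwareFilter(blocked_source_ports={443})   # assumption: DTLS on 443 is being abused
    big = b"\x00" * 1472
    packets = [
        ipv4_packet(reflector, victim, 0x1234, True, 0, udp_payload(443, 40000, big)),
        ipv4_packet(reflector, victim, 0x1234, False, 1480, b"\x00" * 1200),
        ipv4_packet(resolver, victim, 0x0042, True, 0, udp_payload(53, 40001, big)),
        ipv4_packet(resolver, victim, 0x0042, False, 1480, b"\x00" * 500),
        ipv4_packet(reflector, victim, 0x9999, False, 1480, b"\x00" * 800),  # tail, head never seen
    ]
    return [f.decide(pkt, now=float(i))[0] for i, pkt in enumerate(packets)]


if __name__ == "__main__":
    print(sample_run())
```

The run yields drop, drop, pass, pass, pass: both fragments of the reflected D/TLS response are dropped, both fragments of the DNS reply pass, and the orphan tail passes because nothing ties it to a dropped initial fragment. That last case is the trade-off the quote warns about: a filter that simply drops every non-initial UDP fragment would stop the orphan but would also break legitimate fragmented DNS and CLDAP replies.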

Netscout's advisory includes additional recommendations.
