Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

DDoS Attacks Abuse TFTP for Reflection and Amplification

Several months ago, security researchers at Edinburgh Napier University published a paper on a distributed denial of service (DDoS) reflection and amplification method leveraging the TFTP (Trivial File Transfer Protocol) protocol, and security researchers at Akamai now warn of real-life attacks leveraging this technique.

Several months ago, security researchers at Edinburgh Napier University published a paper on a distributed denial of service (DDoS) reflection and amplification method leveraging the TFTP (Trivial File Transfer Protocol) protocol, and security researchers at Akamai now warn of real-life attacks leveraging this technique.

Usually performed by large botnets and typically executed from many sources, DDoS attacks can result in large traffic flows, but intermediate devices called amplifiers can also be used to amplify the attacker’s traffic. What Edinburgh Napier University researchers discovered was that TFTP can be leveraged for an amplification factor of approximately 60, which rates high alongside other methods.

In their paper, researchers Boris Sieklik, Richard Macfarlane, and William J. Buchanan also revealed that this amplification technique is a global issue, mainly because the protocol is used in around approximately 599,600 publicly open TFTP servers. Their study dates 2014, but it made it to the headlines only in March this year, when it was detailed in the Computers & Security journal.

However, Sieklik, Macfarlane, and Buchanan are not the first to suggest that TFTP servers can be abused for DNS amplification attacks, with Cisco Systems Threat Research Engineer Jaeson Schultz revealing this possibility in 2013. “Amplification within this protocol isn’t optimal for attackers, but if enough TFTP servers are publicly reachable this could still be an effective attack,” Schultz said.

On Wednesday, Akamai’s Security Intelligence Response Team (SIRT) revealed that 10 attacks leveraging TFTP were spotted starting on April 20, 2016, targeting the company’s customers. In an advisory, Akamai’s Jose Arteaga notes that a weaponized version of the TFTP attack script started circulating in March, seemingly coinciding “with media publications regarding the research into the possibility of this attack method.”

According to Arteaga, most of these incidents were multi-vector attacks that included TFTP reflection and says that there is indication that at least one site offering DDoS as a service has integrated this technique. While this attack method won’t generate a high packet rate, the generated volume may be enough to consume bandwidth at the target site, researchers say. They also explain that the attack tool uses about the same code as other UDP based reflection tools, and has a similar command line.

Advertisement. Scroll to continue reading.

The profile of such an attack shows a peak bandwidth of 1.2 Gigabits per second, also peaking at 176.4 thousand packets per second. The TFTP reflection attack vector leverages port 69 as source port, researchers also say. However, it appears that these attacks usually ignored the port parameter and resulted in random ports.

This attack, however, is limited by the nature of TFTP, a protocol created to deliver files, mainly configuration files, to a limited number of hosts at a time. This means that TFTP servers might won’t be able to handle the large number of queries sent by the TFTP flood attack tool.

“Alone, TFTP has produced a 1.2 Gbps attack but multi-vector campaigns, where TFTP is just one of many vectors, have peaked at just over 44 Gbps. So far, sources of TFTP reflection attacks collected during the early stages of attacks are poorly distributed. Mostly these are originating out of Asia with later attacks adding in sources from Europe,” the researcher says.

However, the researched recommends that all those hosting TFTP servers assess the need of exposing UDP port 69 to the Internet. The port should be firewalled and allowed only to trusted sources, and admins should also use tools to detect the abuse of TFTP servers in the network.

Related: WordPress Sites Used to Power Layer 7 DDoS Attacks

Related: DDoS Attacks Continue to Rise in Power and Sophistication

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.