Several months ago, security researchers at Edinburgh Napier University published a paper on a distributed denial of service (DDoS) reflection and amplification method that leverages the Trivial File Transfer Protocol (TFTP), and security researchers at Akamai now warn of real-life attacks using this technique.
Usually performed by large botnets and typically executed from many sources, DDoS attacks can result in large traffic flows, but intermediate devices called reflectors or amplifiers can also be used to multiply the attacker's traffic: the attacker sends small requests with the victim's address forged as the source, and the open servers answer the victim with much larger responses. What the Edinburgh Napier University researchers discovered was that TFTP can be leveraged for an amplification factor (response bytes returned per request byte) of approximately 60, which rates high alongside other methods.
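How the amplification arises, as an added worked example that is not code from the paper or from Akamai: a read request (RRQ) is only a few bytes, but the server answers with a full 512-byte DATA block and, because the spoofed victim never acknowledges it, retransmits that first block on each timeout. The factor therefore depends on the request length and on how many retransmissions the server performs before giving up; the retransmission count, the 20-byte IPv4 and 8-byte UDP headers, and the file sizes used below are assumptions for illustration, not figures from the paper.

```python
import struct

# RFC 1350 opcodes
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5

IP_HDR = 20        # assumed IPv4 header without options
UDP_HDR = 8
TFTP_BLOCK = 512   # classic DATA payload; larger if the server honours a blksize option (RFC 2348)


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """TFTP read request: opcode 1, filename, NUL, mode, NUL (RFC 1350)."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_packet(payload: bytes) -> dict:
    """Minimal parser for the five RFC 1350 packet types."""
    if len(payload) < 4:
        raise ValueError("too short for TFTP")
    (op,) = struct.unpack("!H", payload[:2])
    if op in (OP_RRQ, OP_WRQ):
        fields = payload[2:].split(b"\x00")
        return {"op": op, "filename": fields[0].decode(errors="replace"),
                "mode": fields[1].decode(errors="replace")}
    if op == OP_DATA:
        (block,) = struct.unpack("!H", payload[2:4])
        return {"op": op, "block": block, "data_len": len(payload) - 4}
    if op == OP_ACK:
        (block,) = struct.unpack("!H", payload[2:4])
        return {"op": op, "block": block}
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", payload[2:4])
        return {"op": op, "code": code,
                "msg": payload[4:].rstrip(b"\x00").decode(errors="replace")}
    raise ValueError(f"unknown opcode {op}")


def amplification_factor(request: bytes, file_size: int, retransmits: int) -> float:
    """
    Bytes the reflector sends to the victim per byte the attacker sends, counted on
    the wire (IP + UDP headers included).

    Only the first DATA block is ever sent: the server waits for an ACK of block 1
    before sending block 2, and the forged source never ACKs. The block goes out once
    and is then resent `retransmits` times (assumed value; it varies by server).
    """
    first_block = min(file_size, TFTP_BLOCK)
    data_pkt = IP_HDR + UDP_HDR + 4 + first_block      # 4 = opcode + block number
    req_pkt = IP_HDR + UDP_HDR + len(request)
    return data_pkt * (1 + retransmits) / req_pkt


if __name__ == "__main__":
    for name in ("a", "boot.cfg", "config/router-backup.cfg"):
        rrq = build_rrq(name)
        print(f"{name!r:32} request {len(rrq):3d} B  "
              f"x1: {amplification_factor(rrq, 10**6, 0):5.1f}  "
              f"x6: {amplification_factor(rrq, 10**6, 5):5.1f}")
```

Two things fall out of the arithmetic: the factor is bounded by 512 bytes times the retransmission count regardless of how large the requested file is, and a short filename plus a server that retransmits five or six times lands in the neighbourhood of the factor the paper reports.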
In their paper, researchers Boris Sieklik, Richard Macfarlane, and William J. Buchanan also revealed that this amplification technique is a global issue, mainly because approximately 599,600 TFTP servers are publicly reachable. Their study dates from 2014, but it made the headlines only in March this year, when it was detailed in the Computers & Security journal.
However, Sieklik, Macfarlane, and Buchanan are not the first to suggest that TFTP servers can be abused for reflection and amplification attacks: Cisco Systems Threat Research Engineer Jaeson Schultz pointed out this possibility in 2013. “Amplification within this protocol isn’t optimal for attackers, but if enough TFTP servers are publicly reachable this could still be an effective attack,” Schultz said.
On Wednesday, Akamai’s Security Intelligence Response Team (SIRT) revealed that 10 attacks leveraging TFTP were spotted starting on April 20, 2016, targeting the company’s customers. In an advisory, Akamai’s Jose Arteaga notes that a weaponized version of the TFTP attack script started circulating in March, seemingly coinciding “with media publications regarding the research into the possibility of this attack method.”
According to Arteaga, most of these incidents were multi-vector attacks in which TFTP reflection was one component, and there is indication that at least one site offering DDoS as a service has integrated this technique. While this attack method won’t generate a high packet rate, the generated volume may be enough to consume bandwidth at the target site, the researchers say. They also explain that the attack tool reuses roughly the same code as other UDP-based reflection tools and has a similar command line.
The profile of such an attack shows a peak bandwidth of 1.2 gigabits per second and a peak of 176.4 thousand packets per second. The advisory lists UDP port 69 as the source port of the TFTP reflection vector, but in the observed attacks the port parameter appears to have been ignored and the reflected packets arrived from random source ports. That is consistent with the protocol itself: a TFTP server sends its DATA packets from a freshly chosen transfer-ID port rather than from port 69, so a filter that only matches source port 69 will miss the reflected traffic.
This attack, however, is limited by the nature of TFTP, a protocol created to deliver files, mainly configuration files, to a small number of hosts at a time. TFTP servers may therefore not be able to keep up with the large number of requests sent by the TFTP flood attack tool, which caps what any single reflector contributes.
“Alone, TFTP has produced a 1.2 Gbps attack but multi-vector campaigns, where TFTP is just one of many vectors, have peaked at just over 44 Gbps. So far, sources of TFTP reflection attacks collected during the early stages of attacks are poorly distributed. Mostly these are originating out of Asia with later attacks adding in sources from Europe,” the researcher says.
The researcher recommends that anyone hosting a TFTP server assess whether UDP port 69 needs to be exposed to the Internet at all. The port should be firewalled and opened only to trusted sources, and administrators should also use tools to detect abuse of the TFTP servers on their network.
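One way to do that detection, as an added example rather than any tool from Akamai or the paper, covering both the random-source-port observation above and the recommendation to monitor for abuse. It classifies UDP records by the TFTP opcode in the payload instead of by port, because the server's replies come from an ephemeral transfer-ID port. Two views are implemented: the server operator's (sources that send repeated RRQs to our server and never ACK a block are spoofed victim addresses being reflected through us) and the target's (a host receiving TFTP DATA from several sources it never sent an RRQ to is being hit by reflection). The records, addresses and thresholds are constructed for the example.

```python
import struct
from collections import defaultdict

OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4


def tftp_opcode(payload: bytes):
    """Opcode from the first two bytes of a UDP payload, or None if it cannot be TFTP."""
    if len(payload) < 4:
        return None
    op = struct.unpack("!H", payload[:2])[0]
    return op if 1 <= op <= 6 else None   # 6 = OACK (RFC 2347)


# Constructed sample UDP records, not real capture data:
# (src_ip, src_port, dst_ip, dst_port, payload)
RRQ = b"\x00\x01" + b"boot.cfg\x00octet\x00"
DATA1 = b"\x00\x03\x00\x01" + b"A" * 512        # DATA block 1, 516 bytes
ACK1 = b"\x00\x04\x00\x01"

SAMPLE = [
    # legitimate transfer: client asks our server 10.0.0.9, server replies from
    # ephemeral TID port 49152 (not 69), client ACKs block 1
    ("10.0.0.5", 40000, "10.0.0.9", 69, RRQ),
    ("10.0.0.9", 49152, "10.0.0.5", 40000, DATA1),
    ("10.0.0.5", 40000, "10.0.0.9", 49152, ACK1),
    # forged source 203.0.113.7 never ACKs, so our server retransmits block 1
    ("203.0.113.7", 5555, "10.0.0.9", 69, RRQ),
    ("10.0.0.9", 49153, "203.0.113.7", 5555, DATA1),
    ("10.0.0.9", 49153, "203.0.113.7", 5555, DATA1),
    ("10.0.0.9", 49153, "203.0.113.7", 5555, DATA1),
    ("203.0.113.7", 5555, "10.0.0.9", 69, RRQ),
    ("10.0.0.9", 49154, "203.0.113.7", 5555, DATA1),
    ("10.0.0.9", 49154, "203.0.113.7", 5555, DATA1),
    ("10.0.0.9", 49154, "203.0.113.7", 5555, DATA1),
    # target side: unsolicited DATA from three reflectors to 192.0.2.10
    ("198.51.100.1", 3001, "192.0.2.10", 5555, DATA1),
    ("198.51.100.2", 3002, "192.0.2.10", 5555, DATA1),
    ("198.51.100.3", 3003, "192.0.2.10", 5555, DATA1),
]


def abused_server_sources(records, our_server, min_rrq=2):
    """
    Server operator's view. For each client IP that sent RRQs to our_server, count
    RRQs, ACKs and DATA bytes we sent back. Several RRQs with zero ACKs means the
    source is soaking up our retransmissions without ever completing a transfer,
    which is what a spoofed victim address looks like from the reflector.
    """
    stats = defaultdict(lambda: {"rrq": 0, "ack": 0, "data_bytes": 0})
    for src, _sport, dst, _dport, payload in records:
        op = tftp_opcode(payload)
        if op == OP_RRQ and dst == our_server:
            stats[src]["rrq"] += 1
        elif op == OP_ACK and dst == our_server:
            stats[src]["ack"] += 1
        elif op == OP_DATA and src == our_server:
            stats[dst]["data_bytes"] += len(payload)
    return {ip: s for ip, s in stats.items() if s["rrq"] >= min_rrq and s["ack"] == 0}


def reflection_victims(records, min_reflectors=3):
    """
    Target's view. Hosts receiving TFTP DATA from several distinct sources to which
    they never sent an RRQ. Matching on the opcode rather than on source port 69
    matters: the server answers from a new transfer-ID port (RFC 1350), so the
    reflected DATA arrives from effectively random ports.
    """
    requested = set()                 # (client, server) pairs that sent an RRQ
    unsolicited = defaultdict(set)    # victim -> reflector IPs
    for src, _sport, dst, _dport, payload in records:
        if tftp_opcode(payload) == OP_RRQ:
            requested.add((src, dst))
    for src, _sport, dst, _dport, payload in records:
        if tftp_opcode(payload) == OP_DATA and (dst, src) not in requested:
            unsolicited[dst].add(src)
    return {v: sorted(r) for v, r in unsolicited.items() if len(r) >= min_reflectors}


if __name__ == "__main__":
    print("reflected through our server:", abused_server_sources(SAMPLE, "10.0.0.9"))
    print("hosts under reflection:", reflection_victims(SAMPLE))
```

In practice the records would come from a flow exporter or a packet capture on the TFTP host, and the thresholds would be tuned to the site; the useful signal on the server side is the ratio of DATA bytes sent to ACKs received per source, which is exactly the amplification the attacker is extracting.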