
UDP Attacks Increase as DDoS Tactics Shift

Attackers launching distributed denial-of-service attacks are increasingly turning to the user datagram protocol, according to security researchers.  


In its report on DDoS (distributed denial-of-service) attacks for the third quarter of 2013, Prolexic Technologies noted that UDP floods accounted for 29.32 percent of all attacks, roughly 10 percentage points more than in the previous quarter. That is also about 10 percentage points above the share of SYN floods seen during the third quarter (roughly 18 percent).

According to the firm, the increases in UDP and UDP fragment floods are tied to the proliferation of global attack campaigns using PHP booter web shells.

Other firms have noted an uptick in UDP-based DDoS attacks as well.

“As an availability security practice we see attacks of all types and sizes, but the largest in volume and likewise most common attacks are user datagram protocol (UDP) based,” said Jeffrey Lyon, founder of anti-DDoS firm Black Lotus. “Unlike transmission control protocol (TCP), UDP is a stateless protocol which does not require sessions to be established between two hosts. This makes it easy for attackers to spoof a target to be attacked, and send those spoofed requests to vast numbers of servers across the Internet.”


“The servers will in turn attack the spoofed target with responses substantially magnified in size,” he continued. “The result is a catastrophically large distributed denial of service (DDoS) attack consisting of malicious domain name systems (DNS), simple network management protocol (SNMP) or other UDP responses.”

The good news is that most amplification attacks (DNS, SNMP, CHARGEN, etc.) depend on IP spoofing: the attacker forges the victim's address as the source of small requests so that the much larger responses are delivered to the victim, observed Vann Abernethy, senior product manager for NSFOCUS.

“There is a best practice that has been around for a while…which states that ingress filtering at the edge will help significantly reduce the effectiveness of spoofed address DDoS attacks,” he said. “It will not stop the attacker from also forging a source address, but mitigation of this then becomes a matter of either shutting off or rate-limiting the source address. Egress filtering is another good practice to help ensure that no packets leave your network with internal addresses. Finally, turn off services you aren’t using (e.g. SNMP, CHARGEN).”
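The two checks described above, recognizing a reflection flood arriving from many amplifiers and catching packets that leave the network with a source address it does not own, can be run over flow records. The following is an added example written for this article, not code from NSFOCUS or any of the quoted vendors. The flow layout (`src_ip src_port dst_ip dst_port proto bytes packets`), the sample records, the reflector port table and the thresholds are all constructed for illustration; a real deployment would feed it NetFlow/IPFIX exports and tune the thresholds to its own baseline.

```python
"""Reflection-flood triage and egress source validation over flow records.

Added example; the flow format, sample data and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services the article names as reflectors. A flood of
# large UDP packets *from* these ports, from many hosts, toward one address is
# the signature of an amplification attack as seen at the victim's edge.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 19: "chargen"}

# Constructed sample flows. 192.0.2.0/24 plays the role of "our" network.
SAMPLE_FLOWS = """\
# four DNS reflectors hammering one victim with ~3 KB packets
198.51.100.7 53 192.0.2.10 41512 udp 3072000 1000
198.51.100.8 53 192.0.2.10 41512 udp 2958000 950
198.51.100.9 53 192.0.2.10 41512 udp 3105000 1010
198.51.100.10 53 192.0.2.10 41512 udp 2700000 900
# ordinary DNS answers to another host on our network
198.51.100.53 53 192.0.2.20 55001 udp 2400 20
# only two NTP reflectors: below the reflector-count threshold
198.51.100.11 123 192.0.2.10 41512 udp 44000 100
198.51.100.12 123 192.0.2.10 41512 udp 45000 100
# TCP is ignored by the reflection check
198.51.100.7 443 192.0.2.20 50000 tcp 500000 400
# outbound: a legitimate query from our own host ...
192.0.2.20 55001 198.51.100.53 53 udp 1200 20
# ... and a query leaving with a source address we do not own (spoofed)
203.0.113.99 41512 198.51.100.7 53 udp 64 1
"""


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow layout, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s, sp, d, dp, proto, b, p = line.split()
        flows.append(Flow(s, int(sp), d, int(dp), proto.lower(), int(b), int(p)))
    return flows


def find_reflection_floods(flows, min_reflectors=3, min_avg_pkt_bytes=400):
    """Group inbound UDP traffic by (victim, reflector service).

    A victim is flagged when at least `min_reflectors` distinct sources on one
    service port send it packets averaging `min_avg_pkt_bytes` or more.
    The reflector list is what an operator would rate-limit or block.
    """
    agg = defaultdict(lambda: {"srcs": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        a = agg[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        a["srcs"].add(f.src_ip)
        a["bytes"] += f.bytes
        a["packets"] += f.packets
    findings = []
    for (victim, service), a in sorted(agg.items()):
        avg = a["bytes"] / a["packets"] if a["packets"] else 0
        if len(a["srcs"]) >= min_reflectors and avg >= min_avg_pkt_bytes:
            findings.append({"victim": victim, "service": service,
                             "reflectors": sorted(a["srcs"]),
                             "avg_packet_bytes": round(avg),
                             "total_bytes": a["bytes"]})
    return findings


def find_spoofed_egress(flows, our_prefixes):
    """BCP38-style source validation: outbound flows whose source is not ours.

    A flow is outbound when its destination lies outside `our_prefixes`; such a
    flow must also carry one of our addresses as its source, or it is spoofed
    and would make us a launch point for someone else's reflection attack.
    """
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    ours = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    return [(f.src_ip, f.dst_ip, f.dst_port) for f in flows
            if not ours(f.dst_ip) and not ours(f.src_ip)]


FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    for hit in find_reflection_floods(FLOWS):
        print("reflection flood:", hit)
    for src, dst, port in find_spoofed_egress(FLOWS, ["192.0.2.0/24"]):
        print(f"spoofed egress: {src} -> {dst}:{port}")
```

Run as a script it reports one DNS reflection flood against 192.0.2.10 (four reflectors, about 3 KB per packet) and one spoofed outbound packet from 203.0.113.99; the two-reflector NTP traffic and the small legitimate DNS answers stay below the thresholds. The egress check is the filter Abernethy describes: it is cheap, it only needs the list of prefixes you actually own, and it is what keeps your own hosts from being used to spoof someone else.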

“Another development within the last year (July 2013) is the implementation of the Response-Rate Limiting (RRL) module by the Internet Systems Consortium (ISC) into BIND software,” said Abernethy. “This is yet another step that network administrators can take to prepare themselves for a potential amplification attack. However, this is only a bandage on the much larger issue of open-resolver DNS servers – so long as attackers can bounce traffic off these, the issue will remain.”
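To make the mechanism concrete, here is a simplified response-rate limiter in the style of BIND's RRL, written as an added example for this article; it is not ISC's code and omits most of BIND's knobs. The idea it keeps: identical answers to the same client prefix (a /24 for IPv4, a /56 for IPv6) are charged against a per-prefix credit bucket; when the bucket is empty the answer is dropped, except that every `slip`-th limited answer goes out truncated (TC=1) so a genuine client behind the spoofed prefix can retry over TCP, which an attacker cannot spoof. The configuration values and the simulated query stream are assumptions chosen for the demonstration.

```python
"""Simplified DNS response-rate limiting (added example, modelled on the
behaviour of BIND's RRL; not ISC's implementation)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class RrlConfig:
    # Identical answers allowed per second to one client prefix.
    responses_per_second: int = 5
    # Seconds of unused credit a quiet prefix may bank before a burst.
    window: int = 15
    # Every slip-th rate-limited answer is sent truncated (TC=1) instead of
    # dropped, so a real client can fall back to TCP; 0 disables slipping.
    slip: int = 2
    ipv4_prefix_length: int = 24
    ipv6_prefix_length: int = 56


@dataclass
class Bucket:
    credits: float
    last_ts: float
    limited: int = 0


class ResponseRateLimiter:
    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.buckets: dict[tuple, Bucket] = {}

    def _key(self, client_ip: str, qname: str, qtype: str) -> tuple:
        # Responses are identified by (client prefix, owner name, type) so a
        # flood of "example.com ANY" to one spoofed /24 shares one bucket
        # while other prefixes and other names are unaffected.
        addr = ipaddress.ip_address(client_ip)
        plen = (self.cfg.ipv6_prefix_length if addr.version == 6
                else self.cfg.ipv4_prefix_length)
        prefix = ipaddress.ip_network(f"{client_ip}/{plen}", strict=False)
        return (str(prefix), qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'send', 'slip' (send a truncated answer) or 'drop'."""
        cfg = self.cfg
        key = self._key(client_ip, qname, qtype)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(float(cfg.responses_per_second), ts)
        # Replenish credit for elapsed time, capped at `window` seconds' worth.
        cap = cfg.window * cfg.responses_per_second
        elapsed = max(0.0, ts - b.last_ts)
        b.last_ts = ts
        b.credits = min(b.credits + elapsed * cfg.responses_per_second, cap)
        if b.credits >= 1:
            b.credits -= 1
            return "send"
        # Rate limited: keep charging (bounded) so a sustained flood stays
        # limited, and slip every slip-th answer as a truncated reply.
        b.credits = max(b.credits - 1, -float(cap))
        b.limited += 1
        if cfg.slip and b.limited % cfg.slip == 0:
            return "slip"
        return "drop"


def simulate_burst(limiter, ts, client_ip, qname, qtype, count):
    """Feed `count` identical queries at one instant and return the decisions."""
    return [limiter.decide(ts, client_ip, qname, qtype) for _ in range(count)]


if __name__ == "__main__":
    rrl = ResponseRateLimiter(RrlConfig())
    burst = simulate_burst(rrl, 100.0, "198.51.100.7", "example.com.", "ANY", 20)
    print({d: burst.count(d) for d in ("send", "slip", "drop")})
```

With the defaults, 20 identical ANY queries arriving in the same second from a spoofed 198.51.100.0/24 address yield five full answers, seven truncated ones and eight drops, while the same name from another prefix, or another name from the same prefix, is answered normally. This is why Abernethy calls RRL a bandage: it caps how much amplified traffic one authoritative server contributes per victim prefix, but it does nothing about the open resolvers an attacker can still bounce off.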

The popularity of UDP-based attacks means it is only a matter of time before cybercriminals launch amplification attacks using other UDP application protocols such as Trivial File Transfer Protocol (TFTP), Remote Authentication Dial-In User Service (RADIUS) or Network Time Protocol (NTP), blogged Cisco Systems Threat Research Engineer Jaeson Schultz.

“TFTP has limitations in that an attacker could send a read or write request to a TFTP server on port 69, but the TFTP server would respond to the spoofed source IP address (the victim) with either an acknowledgement packet or data packet (depending on the initial request),” Schultz blogged. “Amplification within this protocol isn’t optimal for attackers, but if enough TFTP servers are publicly reachable this could still be an effective attack. The TFTP server also responds from an ephemeral port potentially complicating victim mitigation efforts.”

“RADIUS (ports: 1645 / 1646 / 1812 / 1813) has the same amplification potential as TFTP, the only difference is the response type,” he continued. “RADIUS servers will respond to the ‘access request’ with an ‘access reject’ message. It’s unclear how many Remote Access Servers (RAS) are publicly accessible from the Internet to make this an effective attack. NTP can be leveraged much like SNMP with a larger amplification factor than either TFTP or RADIUS (though we won’t discuss how).”

NTP servers are plentiful, so be aware that UDP traffic on port 123 may also carry substantial risk, he added.

“It’s important for network defenders and especially security architecture groups to think through bandwidth saturation and all possible choke points for both ingress and egress traffic,” Schultz blogged. “This process needs to happen well in advance of an actual attack.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
