Criminals are increasing the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol to dramatically increase the amount of junk traffic sent to targeted servers.
DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service for people trying to connect to the service. As DDoS mitigation services develop safeguards that enable targets to withstand ever-increasing traffic flows, the criminals are responding with new ways to make the most of their limited bandwidth.
In so-called amplification attacks, DDoSers send requests of relatively small size to certain types of intermediate servers. The intermediaries then send the targets responses that are tens, hundreds, or thousands of times larger. The redirection works because the requests carry a spoofed source IP address: the attacker replaces its own address with the address of the server it is targeting, so the responses go to the target instead.
Other known amplification vectors include the memcached database caching system, with a massive amplification factor of 51,000; the Network Time Protocol, with a factor of 58; and misconfigured DNS servers, with a factor of 50.
DDoS mitigation provider Netscout said Wednesday it has observed DDoS-for-hire services using a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as the name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data.
DDoSes exploiting D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout only saw advanced attackers with special DDoS infrastructure abusing the vector. Now, so-called booter and stresser services, which use standard equipment to perform attacks for hire, have adopted the technique. The company has identified nearly 4,300 publicly accessible D/TLS servers that are vulnerable to abuse.
The largest D/TLS-based attacks Netscout has observed delivered approximately 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps.
Skilled attackers with their own attack infrastructure typically discover, rediscover, or enhance amplification vectors and then use them against specific targets. Eventually, word of the new technique leaks into the underground through forums. Booter/stresser services then research and reverse engineer it to add it to their repertoire.
Challenging to mitigate
The observed attack “consists of two or more individual vectors, orchestrated to attack the target simultaneously via the respective vectors,” Netscout Threat Intelligence Manager Richard Hummel and the company’s chief engineer Roland Dobbins wrote in an email. “These multi-vector attacks are the online equivalent of a combined-arms attack, and the idea is to both overwhelm the defenders in terms of attack volume and present a more challenging mitigation scenario.”
The 4,300 exploitable D/TLS servers are the result of misconfigurations or outdated software that leaves an anti-spoofing mechanism disabled. Although the mechanism is built into the D/TLS specification, hardware, including the Citrix NetScaler Application Delivery Controller, may not always have it enabled by default. More recently, Citrix has encouraged customers to upgrade to a software version that uses anti-spoofing by default.
In addition to threatening devices on the Internet in general, exploitable D/TLS servers also endanger organizations that use them. Attacks that bounce traffic from any of these machines can cause complete or partial disruption of mission-critical remote access services within the organization’s network. Attacks can also cause other service interruptions.
Netscout’s Hummel and Dobbins said the attacks could be challenging to mitigate because the payload size in a D/TLS request is too large to fit into a single UDP packet and is therefore split into an initial and a non-initial packet flow.
“When large UDP packets are fragmented, the first fragments contain source and destination port numbers,” they wrote. “Non-initial fragments don’t; thus, when mitigating a UDP reflection/amplification vector made up of fragmented packets, such as DNS or CLDAP reflection/amplification, defenders must ensure that the mitigation techniques they use filter both the initial and non-initial fragments of the DDoS attack traffic in question, without overblocking legitimate non-initial UDP fragments.”
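The fragment problem Hummel and Dobbins describe can be made concrete with a small filter model. This is an added example, not code from the article or from Netscout: it contrasts a port-only filter, which cannot see the ports that non-initial fragments lack, with a fragment-aware filter that ties non-initial fragments to their initial fragment via the (source, destination, IP ID) tuple. The reflector port number and the packet records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed UDP port of the abused D/TLS service (not stated in the article).
REFLECTOR_PORT = 443

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_id: int                      # IP Identification, shared by all fragments of one datagram
    frag_offset: int                # 0 marks the initial fragment
    more_frags: bool                # IP "More Fragments" flag
    src_port: Optional[int] = None  # only the initial fragment carries the UDP header
    dst_port: Optional[int] = None

def port_only_filter(pkts: List[Packet], reflector_port: int) -> List[bool]:
    """Naive filter keyed on UDP source port; True means the packet is forwarded.
    Non-initial fragments carry no ports, so every one of them slips through."""
    return [p.src_port != reflector_port for p in pkts]

def fragment_aware_filter(pkts: List[Packet], reflector_port: int) -> List[bool]:
    """Drops the initial fragment of a reflected datagram and every later fragment
    sharing its (src, dst, IP ID), while leaving unrelated fragments untouched.
    Assumes in-order delivery; a production filter must also buffer fragments
    that arrive before their initial fragment and age out stale state."""
    flagged = set()
    verdicts = []
    for p in pkts:
        key = (p.src, p.dst, p.ip_id)
        if p.frag_offset == 0:
            is_attack = p.src_port == reflector_port
            if is_attack and p.more_frags:
                flagged.add(key)       # remember the datagram so its tail is dropped too
            verdicts.append(not is_attack)
        else:
            verdicts.append(key not in flagged)
            if not p.more_frags:
                flagged.discard(key)   # last fragment seen; release the state
    return verdicts

# Constructed sample: a three-fragment reflected D/TLS response followed by a
# legitimate two-fragment UDP datagram to the same destination.
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", 0x1234, 0, True, REFLECTOR_PORT, 40000),
    Packet("203.0.113.10", "198.51.100.5", 0x1234, 185, True),
    Packet("203.0.113.10", "198.51.100.5", 0x1234, 370, False),
    Packet("192.0.2.20", "198.51.100.5", 0x0042, 0, True, 5001, 5000),
    Packet("192.0.2.20", "198.51.100.5", 0x0042, 185, False),
]
```

Run over SAMPLE, the port-only filter forwards both attack tail fragments, while the fragment-aware filter drops all three attack fragments and still forwards both legitimate ones.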
Netscout has additional recommendations here.