
Alert (TA14-017A) – UDP Based Amplification Attacks

 


This is something I would like to keep track of, hence posting it here. Very useful, and scary how easily it can happen.


 


Alert (TA14-017A)


The following diagram shows how UDP-based amplification attacks are carried out. It is very simple: a 4 Mbps ADSL connection can easily be turned into 400 Mbps of traffic at the victim. Take a look at the bandwidth amplification factor table below.


 




 


Systems Affected


Certain UDP protocols have been identified as potential attack vectors.


The following list is what I've found useful and interesting reading material. Some entries are more common due to recent activity and the DDoS battle between CloudFlare, Spamhaus and CyberBunker. The rest of the services are quite low profile, but according to US-CERT they all have the same vulnerability and can cause massive system outages. I will keep adding more links and tools below; if you have interesting reading material or a proof of concept tool, let me know via the comment section and I will add it to the list.



  • DNS


Honeypot DNS and amplification attacks

Proof of Concept DNS Amplification attack tool from noptrix



  • NTP


Understanding and mitigating NTP-based DDoS attacks

Technical Details Behind a 400Gbps NTP Amplification DDoS Attack

NTP Amplification Attack Tool posted by an anonymous user on GitHub



  • SNMPv2


SNMP Reflected Amplification DDoS Attack

SNMP Reflected Denial of Service



  • NetBIOS


NetBIOS based pentesting tutorial by Gaurav Kumar

Denial of Service Attack in NetBIOS Services


NetBIOS Attack Methods



  • SSDP


Protect Yourself Against Denial-of-Service Attacks – SSDP

UPnP Networking Flaws Expose Tens Of Millions Of IPs To Hack Attacks



  • CharGEN


Chargen denial of service

A Chargen-based DDoS? Chargen is yet a thing?


ECHO Chargen Loop DoS



  • QOTD

  • BitTorrent

  • Kad

  • Quake Network Protocol

  • Steam Protocol


Overview


A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.


Description


UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge the IP datagram to carry an arbitrary source IP address [7]. When many UDP packets have their source IP address forged to a single address, the server sends its responses to that victim, creating a reflected Denial of Service (DoS) attack.


Recently, certain UDP protocols have been found to return responses to particular commands that are much larger than the initial request. Where before, attackers were limited linearly by the number of packets they could send directly to the target to conduct a DoS attack, now a single packet can generate tens or hundreds of times its own bandwidth in the response. This is called an amplification attack, and when combined with reflected DoS on a large scale it makes DDoS attacks relatively easy to conduct.


To measure the potential effect of an amplification attack, we use a metric called the bandwidth amplification factor (BAF). BAF is calculated as the number of UDP payload bytes that an amplifier sends to answer a request, divided by the number of UDP payload bytes in the request.


The list of known protocols and their associated bandwidth amplification factors is given below. US-CERT would like to thank Christian Rossow for providing this information.


 
Protocol                 Bandwidth Amplification Factor   Vulnerable Command
DNS                      28 to 54                         see: TA13-088A [1]
NTP                      556.9                            see: TA14-013A [2]
SNMPv2                   6.3                              GetBulk request
NetBIOS                  3.8                              Name resolution
SSDP                     30.8                             SEARCH request
CharGEN                  358.8                            Character generation request
QOTD                     140.3                            Quote request
BitTorrent               3.8                              File search
Kad                      16.3                             Peer list exchange
Quake Network Protocol   63.9                             Server info exchange
Steam Protocol           5.5                              Server info exchange

 


Impact


Attackers can use the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.


Solution


DETECTION


Detection of DRDoS attacks is not easy, because the traffic comes from large, trusted servers that provide legitimate UDP services. As a victim, traditional DoS mitigation techniques may apply.


As the operator of one of these exploitable services, look for abnormally large volumes of responses going to a particular IP address. This may indicate that an attacker is using your service to conduct a DRDoS attack.
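The following is an added example, not code from the US-CERT alert. It makes the BAF definition from the Description section measurable and implements the check this Detection section asks a service operator to run: aggregate request and response bytes per remote address from flow records and flag addresses that receive far more than they asked for. The NetFlow-style record layout, the server and client addresses, and the byte counts are all constructed for the demo.

```python
"""Observed bandwidth-amplification-factor (BAF) check over flow records.

Added example, not code from the US-CERT alert. It assumes unidirectional
NetFlow-style records exported at the edge of a network that hosts UDP
services; the field layout, addresses and byte counts below are
constructed for the demo. BAF follows the alert's definition: UDP payload
bytes the amplifier sends to a remote address divided by the UDP payload
bytes of the requests that appeared to come from that address.
"""
from collections import defaultdict

# UDP services from the alert's table that we host (port -> name).
SERVICE_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 19: "CharGEN", 17: "QOTD", 1900: "SSDP"}

# Our amplifier-capable servers (constructed).
SERVER_IPS = {"198.51.100.10", "198.51.100.20"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes),
# byte counts already summed over the flow's lifetime.
FLOWS = [
    # Normal NTP client: twenty 48-byte requests, twenty 48-byte replies -> BAF 1.0
    ("192.0.2.5", 50000, "198.51.100.10", 123, 960),
    ("198.51.100.10", 123, "192.0.2.5", 50000, 960),
    # Reflection: 1000 spoofed 8-byte requests "from" the victim, ~4.4 KB answered to each
    ("203.0.113.7", 123, "198.51.100.10", 123, 8000),
    ("198.51.100.10", 123, "203.0.113.7", 123, 4_400_000),
    # Normal DNS client with a large answer: high ratio but negligible volume
    ("192.0.2.9", 40123, "198.51.100.20", 53, 80),
    ("198.51.100.20", 53, "192.0.2.9", 40123, 3200),
    # Responses for which no request was seen at all (asymmetric export, or requests
    # that arrived on a path we do not monitor)
    ("198.51.100.10", 123, "203.0.113.99", 123, 250_000),
]


def observed_baf(flows, server_ips, baf_threshold=10.0, min_out_bytes=100_000):
    """Aggregate request and response bytes per (service, remote_ip) and return
    {(service, remote_ip): (request_bytes, response_bytes, baf)} for remote
    addresses that receive abnormally amplified volume from our servers.

    Two gates are applied: the observed BAF must be high AND the absolute
    volume sent to the remote address must be large, so a single big
    legitimate answer does not page anyone. BAF is reported as inf when no
    request bytes were seen at all.
    """
    request_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst in server_ips and dport in SERVICE_PORTS:
            request_bytes[(SERVICE_PORTS[dport], src)] += nbytes
        elif src in server_ips and sport in SERVICE_PORTS:
            response_bytes[(SERVICE_PORTS[sport], dst)] += nbytes

    findings = {}
    for key, out_bytes in response_bytes.items():
        in_bytes = request_bytes.get(key, 0)
        baf = out_bytes / in_bytes if in_bytes else float("inf")
        if baf >= baf_threshold and out_bytes >= min_out_bytes:
            findings[key] = (in_bytes, out_bytes, round(baf, 1))
    return findings


if __name__ == "__main__":
    for (service, victim), (req, resp, baf) in sorted(observed_baf(FLOWS, SERVER_IPS).items()):
        print(f"{service:8s} -> {victim:15s} req={req:>8d}B resp={resp:>10d}B BAF={baf}")
```

With the constructed records only the two NTP destinations are reported (BAF 550 and inf); the DNS client with a 40x answer is suppressed by the volume gate, which is the tuning knob to adjust against your own baseline. The thresholds are assumptions for the demo, not values from the alert.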


MITIGATION


Source IP Verification


Because the UDP requests sent by the attacker-controlled clients must carry a source IP address spoofed to appear as the victim's IP, the first step in reducing the effectiveness of UDP amplification is for Internet Service Providers to drop any traffic with spoofed source addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 in May 2000 and Best Current Practice 84 in March 2004, which describe how an Internet Service Provider can filter traffic on its network to drop packets whose source addresses are not reachable via the path the packet actually arrived on [3][4]. The change recommended in these documents makes a routing device evaluate whether the source IP address of the packet is reachable via the interface on which the packet was received. If it is not, the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for the most popular types of DDoS attacks, so we highly recommend that all network operators perform network ingress filtering where possible. Note that it does not directly protect a UDP service provider from being used in a DRDoS: the filtering must happen on the network where the spoofed packets originate, so all network providers must deploy ingress filtering to eliminate the threat completely.
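An added example of the check described above, written for this page rather than taken from the alert or from any router vendor: a strict reverse-path (BCP 38) decision over a small constructed FIB. The prefixes, interface names and sample packets are assumptions for the demo; a real router does the same longest-prefix lookup in hardware.

```python
"""Ingress filtering (BCP 38 / strict reverse-path forwarding check), added example.

Not code from the US-CERT alert. It assumes a constructed FIB mapping
prefixes to the interface through which they are reached. An edge router
doing a strict reverse-path check accepts a packet only if the
longest-prefix-match route for the packet's SOURCE address points back out
the interface the packet arrived on; the loose variant only requires that
some non-default route covers the source.
"""
import ipaddress

# Constructed FIB for a small ISP edge router. "cust1"/"cust2" are customer
# interfaces, "upstream" is the transit link carrying the default route.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("192.0.2.0/24"), "cust1"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust2"),
    (ipaddress.ip_network("198.51.100.128/25"), "cust1"),  # more specific, delegated to cust1
]


def best_route(fib, addr):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_accept(fib, src_ip, ingress_iface):
    """BCP 38 strict mode for customer-facing interfaces: accept only if the
    source address would be routed back out the interface it arrived on.
    A source matched only by the default route is not a known customer prefix
    and is dropped."""
    route = best_route(fib, src_ip)
    if route is None or route[0].prefixlen == 0:
        return False
    return route[1] == ingress_iface


def loose_urpf_accept(fib, src_ip):
    """Loose mode: accept if any route other than the default covers the source.
    Stops unrouted/bogon sources but not a customer spoofing another customer."""
    route = best_route(fib, src_ip)
    return route is not None and route[0].prefixlen > 0


def filter_packets(fib, packets):
    """Apply the strict check to (src_ip, ingress_iface) pairs; return verdicts."""
    return [(src, iface, strict_urpf_accept(fib, src, iface)) for src, iface in packets]


# Constructed ingress packets: (source IP claimed in the header, interface it arrived on)
PACKETS = [
    ("192.0.2.10", "cust1"),      # cust1 using its own prefix: accept
    ("203.0.113.7", "cust1"),     # spoofed victim address, only the default route matches: drop
    ("198.51.100.5", "cust1"),    # cust1 spoofing cust2's prefix: drop (loose mode would pass it)
    ("198.51.100.200", "cust1"),  # inside the /25 delegated to cust1: accept
    ("198.51.100.200", "cust2"),  # cust2 spoofing cust1's /25: drop
]

if __name__ == "__main__":
    for src, iface, ok in filter_packets(FIB, PACKETS):
        print(f"{src:15s} on {iface:8s} -> {'accept' if ok else 'DROP'}")
```

The third packet is the case that matters for this alert: loose mode accepts it because the address is routable somewhere, only strict mode ties the source to the interface. Strict mode is also why the alert says "where possible": a multihomed customer whose return path legitimately differs from its ingress path will be dropped unless the FIB (or a feasible-path variant) accounts for it.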


To verify that your network has implemented ingress filtering, download the open source tools from the Spoofer Project [5].


Traffic Shaping


Limiting the rate of responses to UDP requests is another potential mitigation. This may require testing to find the limit that does not interfere with legitimate traffic. The IETF released Request for Comments 2475 and Request for Comments 3260, which describe methods to shape and control traffic [6][8]. Most network devices today provide these functions in their software.
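As an added illustration of the response limiting described above (written for this page, not taken from the alert or from any product), the following keeps a token bucket per requesting address in front of a UDP service. A legitimate client polling a few times a second is never throttled, while a burst of spoofed requests that all carry the victim's address is capped to a few responses per second, which bounds the amplified volume regardless of the BAF. The rate, burst and traffic mix are assumptions for the demo and would need tuning against real traffic, as the alert notes.

```python
"""Per-client response rate limiting for a UDP service, added example.

Not code from the US-CERT alert. Assumes one token bucket per requesting
IP address (the address a response would be sent to). The rate and burst
values and the simulated traffic are constructed for the demo.
"""
from collections import defaultdict


class ResponseRateLimiter:
    """Token bucket keyed by client address: `rate_per_sec` responses are
    replenished per second up to `burst` stored tokens; each response costs one."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self._tokens = defaultdict(lambda: self.burst)
        self._last = {}

    def allow(self, client_ip, now):
        """Return True if a response to client_ip may be sent at time `now` (seconds)."""
        last = self._last.get(client_ip, now)
        tokens = min(self.burst, self._tokens[client_ip] + (now - last) * self.rate)
        self._last[client_ip] = now
        if tokens >= 1.0:
            self._tokens[client_ip] = tokens - 1.0
            return True
        self._tokens[client_ip] = tokens
        return False


def simulate(limiter, requests):
    """requests: iterable of (time_seconds, client_ip) as seen by the service.
    Returns {client_ip: (answered, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(requests):
        stats[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def demo():
    """Constructed 10-second traffic mix: a legitimate client polls twice a second,
    while the victim's address appears as the spoofed source of 1000 requests/s."""
    legit = [(i * 0.5, "192.0.2.5") for i in range(20)]
    flood = [(i / 1000.0, "203.0.113.7") for i in range(10_000)]
    limiter = ResponseRateLimiter(rate_per_sec=5, burst=10)
    return simulate(limiter, legit + flood)


if __name__ == "__main__":
    for ip, (answered, dropped) in sorted(demo().items()):
        print(f"{ip:15s} answered={answered:5d} dropped={dropped:5d}")
```

In the demo the legitimate client gets all 20 answers, and the 10,000 spoofed requests aimed at the victim yield only the initial burst plus five responses per second, so roughly 60 replies leave the server instead of 10,000. The limit applies to the spoofed address rather than to the true sender, which is exactly why it works here: the only identifier the amplifier has is the destination it would be reflecting onto.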


References



 


Source: http://www.us-cert.gov/ncas/alerts/TA14-017A

