Public servers and botnets used by cybercriminals to disrupt services

Jun 29, 2014 14:57 GMT  ·  By

The purpose of a DDoS (distributed denial-of-service) attack is to disrupt the activity of a service by flooding its servers with so much junk traffic that they run out of resources to process it.

This type of attack does not lead to loss of information, as there is no penetration of the systems; however, it can be used as a means to divert attention so that criminals can carry out other nefarious operations, such as exfiltrating sensitive information.

An amplified DDoS attack relies on protocols that can generate responses larger than the queries and that are vulnerable to IP address spoofing, because the origin of the request is not verified through a handshake.

What the attacker does is send a small query to the server while spoofing the victim’s address as the return path for the response. The server then replies to the spoofed IP, and all the data is directed to the victim.

Generally, cybercriminals carry out amplified distributed denial-of-service attacks through publicly available servers, using UDP, which, unlike TCP, does not establish a connection (and thereby confirm the source) beforehand; the data is simply sent to the address indicated in the query.

The requests are sent from infected machines that obey the criminals’ commands, namely botnets.

DNS and NTP servers are some of the most used for this type of activity, but other types are also susceptible. Devices supporting SNMP v2 (used for monitoring network devices such as hosts, routers, hubs and switches) have also been employed for DDoS amplification, as well as devices that relay ICMP requests to all the other devices behind the network.

The Smurf Attack is known as the original example of DDoS amplification. Named after a file from the source code of the attack program released in 1997, the Smurf Attack consisted of sending a large number of ICMP packets to a router. This would trigger a response to a spoofed address from each of the connected devices.

In a DNS amplification attack, the traffic is directed to the victim from open DNS servers, and to maximize the impact, the query requests as much information as possible. Most of the time, the requests are of the type “ANY,” designed to return every record known for a name; in such a case, the amplification factor can be more than 50 times.

NTP servers, which are used for system time synchronization, can offer a much larger amplification due to the resources available, including network connectivity.

At the moment, despite efforts to raise awareness of a vulnerability that has already been fixed, numerous machines capable of amplifying a request more than 700 times can still be leveraged for DDoS attacks.

The flaw is in the “monlist” command that can be queried for the IP addresses of the last 600 clients that have synchronized time with the NTP server. The request appears to originate from the IP address of the intended victim, which is then hit with the response.

Not all SNMP v2 machines are public, but there are plenty of cases where the SNMP service is exposed to the Internet, both in business and home environments.

A threat advisory from the Prolexic Security Engineering Response Team provides an example of an amplification factor of more than 1,700 times for a GetBulk response.
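The mechanics described above (a small UDP request, a reply many times larger, delivered to an address that never asked) leave a distinctive signature in flow data, so a server operator or ISP can spot their own DNS, NTP or SNMP boxes being used as reflectors. The following is an added example, not code from the article or from Prolexic or US-CERT; the flow records are constructed (documentation addresses, invented byte counts) to mimic what a NetFlow/IPFIX collector would export, and the `Flow` type, port table and thresholds are assumptions made for the example.

```python
"""Spot UDP amplification traffic in flow records.

Added example, not code from the original article. The flow records below are
constructed (documentation addresses, invented byte counts) to mimic what a
NetFlow/IPFIX collector on a reflector's or ISP's network would export: one
record per direction per flow. A legitimate request and its reply are of
similar size, whereas a reflected query (DNS ANY, NTP monlist, SNMP GetBulk)
yields a reply tens to hundreds of times larger, sent to an address that never
really asked for it.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the article names as amplification vectors (assumed port table).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    bytes: int      # total bytes seen in this direction


def amplification_report(flows, min_ratio=10.0, min_response_bytes=10_000):
    """Return [(service, server, client, request_bytes, response_bytes, ratio)]
    for every (server, service, client) triple whose reply volume is at least
    min_ratio times the request volume and above min_response_bytes.

    A client that 'receives' replies far larger than what it sent is either
    being reflected upon (its address was spoofed) or is issuing abusive
    queries; both deserve a look. ratio is inf when no request was seen at all.
    """
    requests = defaultdict(int)   # (server, port, client) -> bytes towards server
    responses = defaultdict(int)  # (server, port, client) -> bytes back to client
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS and f.sport not in REFLECTOR_PORTS:
            requests[(f.dst, f.dport, f.src)] += f.bytes
        elif f.sport in REFLECTOR_PORTS and f.dport not in REFLECTOR_PORTS:
            responses[(f.src, f.sport, f.dst)] += f.bytes
        # 123->123 (NTP peers) or 53->53 is ambiguous by ports alone; skipped.

    findings = []
    for key, out_bytes in responses.items():
        if out_bytes < min_response_bytes:
            continue
        in_bytes = requests.get(key, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            server, port, client = key
            findings.append((REFLECTOR_PORTS[port], server, client,
                             in_bytes, out_bytes, round(ratio, 1)))
    return sorted(findings, key=lambda r: r[5], reverse=True)


def sample_flows():
    """Constructed flow export: one normal lookup, one DNS ANY reflection,
    one NTP monlist reflection, and a TCP zone transfer that must be ignored."""
    return [
        # Ordinary recursive lookup: 64-byte query, 180-byte answer.
        Flow("198.51.100.7", 51000, "192.0.2.53", 53, "udp", 64),
        Flow("192.0.2.53", 53, "198.51.100.7", 51000, "udp", 180),
        # 50 spoofed ANY queries (3,200 bytes) -> 170,000 bytes of answers
        # delivered to the victim 203.0.113.9, which never asked.
        Flow("203.0.113.9", 53001, "192.0.2.53", 53, "udp", 3_200),
        Flow("192.0.2.53", 53, "203.0.113.9", 53001, "udp", 170_000),
        # 20 spoofed monlist requests (1,280 bytes) -> 964,000 bytes back.
        Flow("203.0.113.9", 47123, "192.0.2.123", 123, "udp", 1_280),
        Flow("192.0.2.123", 123, "203.0.113.9", 47123, "udp", 964_000),
        # Large but legitimate TCP transfer: not UDP, so not a reflection.
        Flow("192.0.2.53", 53, "198.51.100.20", 40022, "tcp", 2_500_000),
    ]


if __name__ == "__main__":
    for service, server, client, req, resp, ratio in amplification_report(sample_flows()):
        print(f"{service:4} {server:>14} -> {client:<14} "
              f"{req:>8} B in, {resp:>9} B out, x{ratio}")
```

Run on the constructed records, the report lists the NTP pair first (ratio 753.1, in line with the 700-times figure quoted above) and the DNS ANY pair second (53.1), while the ordinary lookup and the TCP transfer are ignored. The same victim address appearing against several different reflectors is the tell-tale of spoofing: a real client rarely asks three unrelated servers for hundreds of kilobytes at once.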

Some of the largest DDoS attacks have been amplified by abusing NTP servers, with the most recent happening in February this year and peaking close to 400 Gbps. This amount of traffic was sent from 4,529 NTP servers running on 1,298 different networks.

According to US CERT (United States Computer Emergency Readiness Team), one solution against attacks relying on UDP-based amplification is for ISPs (Internet Service Providers) to reject UDP traffic with spoofed addresses by following the specifications of the BCP 38 document.
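The BCP 38 rule is simple enough to state as code: a provider edge forwards a packet only if its source address belongs to the prefixes assigned to the interface it arrived on, so a bot inside that network cannot emit a packet claiming to be the victim. What follows is an added example, not code from the article, from US-CERT or from BCP 38 itself; the customer prefix table, the interface names and the packets are constructed for the example.

```python
"""BCP 38 ingress filtering (source address validation) as an executable model.

Added example, not code from the article or from US-CERT/BCP 38 itself. The
customer prefix table and the packets are constructed. The rule is the one
BCP 38 describes: a provider edge only forwards packets whose source address
belongs to the prefixes assigned to the interface they arrived on.
"""
import ipaddress


class IngressFilter:
    """Per-interface allowed-source table, IPv4 and IPv6."""

    def __init__(self, interface_prefixes):
        # interface name -> networks legitimately reachable behind it
        self.table = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in interface_prefixes.items()
        }

    def permit(self, iface, src):
        """True if src is a valid source for packets entering via iface.
        An interface with no assignment permits nothing (fail closed)."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.table.get(iface, []))

    def apply(self, packets):
        """Split (iface, src, dst, dport) tuples into (forwarded, dropped)."""
        forwarded, dropped = [], []
        for pkt in packets:
            (forwarded if self.permit(pkt[0], pkt[1]) else dropped).append(pkt)
        return forwarded, dropped


# Constructed provider edge: two customer ports, each with its own assignment.
EDGE = IngressFilter({
    "cust-a": ["198.51.100.0/24", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.0/24"],
})

# Constructed packets: (ingress interface, source, destination, dest port).
PACKETS = [
    ("cust-a", "198.51.100.10", "192.0.2.53", 53),       # genuine DNS query
    ("cust-a", "203.0.113.9", "192.0.2.123", 123),       # cust-b's address from cust-a: spoofed
    ("cust-a", "2001:db8:a::5", "2001:db8:53::1", 53),   # genuine IPv6 query
    ("cust-a", "2001:db8:b::5", "2001:db8:53::1", 53),   # spoofed IPv6 source
    ("cust-b", "203.0.113.9", "192.0.2.161", 161),       # same address, right port
    ("unassigned", "198.51.100.10", "192.0.2.53", 53),   # no assignment configured: dropped
]


def run_filter():
    """Apply the constructed edge policy to the constructed packets."""
    return EDGE.apply(PACKETS)


if __name__ == "__main__":
    forwarded, dropped = run_filter()
    for pkt in dropped:
        print("DROP   ", pkt)
    for pkt in forwarded:
        print("FORWARD", pkt)
```

On real equipment this is done with strict unicast reverse-path forwarding or an ingress ACL on customer-facing ports rather than with custom code, but the decision is the same one `permit` makes: the address 203.0.113.9 is a fine source on the port where that prefix lives and a spoofed one everywhere else. Note that the filter protects other networks from a provider's own customers; it does nothing for the provider's customers until the networks hosting the bots deploy it too, which is why US-CERT addresses the recommendation to ISPs collectively.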