Attacks have an amplification factor of 60

Mar 10, 2016 10:45 GMT

A new study has revealed that improperly configured TFTP servers can be easily abused to carry out reflection DDoS attacks that can sometimes have an amplification factor of 60, one of the highest such values.

TFTP (Trivial File Transfer Protocol) is a very simple file transfer protocol that was developed as an alternative to the main FTP protocol, a lighter way to support file transfers under limited conditions.

Ever since its creation in 1981, the protocol has mainly been used for transferring files over a network, usually during the boot process. Even though it is considered highly insecure, the protocol continues to be used regardless.

Multiple protocols can be abused for reflection DDoS attacks

On the other hand, reflection DDoS attacks, also known as R-DDoS, DRDoS, or Distributed Reflective Denial of Service attacks, are a more dangerous version of regular DDoS attacks.

Reflection DDoS attacks rely on an attacker sending traffic to an intermediary server with a forged return address (the victim's IP). By crafting malformed packets and abusing flaws in a protocol or server setup, the attacker causes the intermediary to send its replies to that return address (the victim's IP) many times over. The number of times a packet is sent back is considered the reflection DDoS attack's amplification factor.

Most of these attacks have an amplification factor between 2 and 10. Last summer, hackers managed to discover flaws in some of the BitTorrent protocols that provided an amplification factor of 120.

Other reflection DDoS attack methods surfaced last fall, when Akamai discovered that attackers could leverage the NetBIOS name servers, Sentinel licensing servers, and RPC portmaps.

This past February, the same Akamai team also discovered that the DNSSEC protocol could be abused in the same manner, with an amplification factor of 8. Most of the time, however, crooks launching reflection DDoS attacks tend to use the DNS protocol, due to the large number of available servers and its hard-to-mitigate design flaws.

Internet-exposed TFTP servers are the danger

As a team of researchers from Edinburgh Napier University has discovered, a combination of flaws in the TFTP protocol and publicly exposed TFTP servers provides the perfect opportunity for attackers to abuse these setups for reflection DDoS attacks.

Researchers say that by running a simple scan of Internet-exposed ports (TFTP uses port 69), they were able to find 599,600 publicly open TFTP servers.

These servers could be used as intermediary points in reflection DDoS attacks that have an amplification factor of 60, way above many other protocols.

The vulnerable TFTP servers can be used to launch attacks on other Internet-available services, or as a gateway to targets inside a closed network: typical LAN setups require the TFTP server to be reachable by every connected client, which gives the attacker a path to previously unreachable targets.
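As an added defender-side example (not code from the article or from the Napier paper), the following Python computes the amplification ratio described above from UDP flow records and flags a TFTP server that answers requesters outside the LAN or whose data blocks go unacknowledged, which is how a spoofed victim address looks from the server's side. The flow record layout, the LAN ranges, the thresholds and the sample flows are all assumptions constructed for the example.

```python
"""Flag TFTP (UDP/69) exchanges in flow records that look like reflection abuse."""
import ipaddress

TFTP_PORT = 69
PKT_RATIO = 3.0   # server data packets per client packet before the requester counts as unresponsive
# Hypothetical local ranges of the monitored network; adjust to your own.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not from the article): (proto, src, sport, dst, dport, packets, bytes).
SAMPLE_FLOWS = [
    # a normal PXE-style transfer: one request, four 516-byte data blocks, four ACKs
    ("udp", "10.0.0.5", 2001, "10.0.0.1", 69, 1, 30),
    ("udp", "10.0.0.1", 3001, "10.0.0.5", 2001, 4, 2064),
    ("udp", "10.0.0.5", 2001, "10.0.0.1", 3001, 4, 16),
    ("udp", "10.0.0.5", 5555, "10.0.0.1", 53, 1, 60),   # unrelated DNS noise on the same pair
    # requests carrying an outside source address, answered with data blocks nobody ACKs
    ("udp", "203.0.113.7", 40000, "10.0.0.1", 69, 10, 430),
    ("udp", "10.0.0.1", 3002, "203.0.113.7", 40000, 50, 25800),
]


def tftp_pair_stats(flows):
    """Per (client, server) pair: [client_pkts, client_bytes, server_pkts, server_bytes].
    A pair exists once the client sends to UDP/69; only traffic on that client port counts."""
    cports = {}   # (client, server) -> set of client ports that sent a request to port 69
    for proto, src, sport, dst, dport, _, _ in flows:
        if proto == "udp" and dport == TFTP_PORT:
            cports.setdefault((src, dst), set()).add(sport)
    stats = {pair: [0, 0, 0, 0] for pair in cports}
    for proto, src, sport, dst, dport, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if sport in cports.get((src, dst), ()):        # client -> server: request, then ACKs
            stats[(src, dst)][0] += pkts
            stats[(src, dst)][1] += nbytes
        elif dport in cports.get((dst, src), ()):      # server -> client: data blocks
            stats[(dst, src)][2] += pkts
            stats[(dst, src)][3] += nbytes
    return stats


def find_reflection_candidates(flows, pkt_ratio=PKT_RATIO):
    """Return (client, server, amplification, reasons) for suspicious pairs."""
    alerts = []
    for (client, server), (cp, cb, sp, sb) in tftp_pair_stats(flows).items():
        amp = round(sb / cb, 1) if cb else float("inf")   # bytes sent back per byte received
        reasons = []
        if not any(ipaddress.ip_address(client) in net for net in LAN):
            reasons.append("exposed")       # server is answering addresses outside the LAN
        if cp and sp / cp >= pkt_ratio:
            reasons.append("unanswered")    # data blocks are never ACKed: requester did not ask
        if reasons:
            alerts.append((client, server, amp, reasons))
    return alerts
```

Running `find_reflection_candidates(SAMPLE_FLOWS)` flags only the outside requester, with a 60x byte ratio, while the legitimate LAN transfer stays quiet despite its own large response size.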

The researchers explain their work in more detail in their paper "Evaluation of TFTP DDoS amplification attack", where they also propose a series of possible mitigation methods.