Criminals are increasing the power of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol to dramatically increase the junk traffic sent to targeted servers.
DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service for people trying to connect to the service. While DDoS mitigation services develop protective measures that enable targets to withstand increasing traffic flows, criminals are reacting with new methods to make the most of their limited bandwidth.
In so-called amplification attacks, DDoSers send relatively small requests to certain types of intermediary servers. The intermediaries then send the target responses that are tens, hundreds, or thousands of times larger. The redirection works because the requests are sent with the attacker's IP address spoofed as the address of the targeted server.
Other well-known amplification vectors include the memcached database caching system with a staggering amplification factor of 51,000, the Network Time Protocol with a factor of 58, and misconfigured DNS servers with a factor of 50.
DDoS mitigation provider Netscout announced Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is Datagram Transport Layer Security, or D/TLS, which (as the name suggests) is essentially Transport Layer Security for UDP packets. Just as TLS prevents eavesdropping, tampering, or forgery of the data it carries, D/TLS does the same for UDP data.
DDoSes that abuse D/TLS let attackers amplify their traffic by a factor of 37. Until now, Netscout had only seen advanced attackers with dedicated DDoS infrastructure abusing the vector. Now so-called booter and stresser services, which use commodity equipment to carry out attacks for hire, have adopted the technique as well. The company has identified nearly 4,300 publicly reachable D/TLS servers that are susceptible to abuse.
The largest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The attackers combined that vector with other amplification vectors to reach a combined size of about 207 Gbps.
Experienced attackers with their own attack infrastructure usually discover or improve amplification vectors and then use them against specific targets. Eventually, word of the new technique gets out through underground forums. Booter/stresser services then do their own research and reverse engineering to add it to their repertoire.
Challenging to mitigate
The observed attack "consists of two or more individual vectors orchestrated in such a way that the target is hit over the vectors concerned at the same time," wrote Richard Hummel, manager of Netscout Threat Intelligence, and Roland Dobbins, principal engineer at the company, in an email. "These multi-vector attacks are the online equivalent of a combined arms attack. The idea is to both overwhelm the defenders in terms of attack volume and present a more challenging damage control scenario."
The 4,300 abusable D/TLS servers are the result of misconfigurations or outdated software that leave an anti-spoofing mechanism disabled. While the mechanism is built into the D/TLS specification, hardware including the Citrix NetScaler Application Delivery Controller has not always enabled it by default. More recently, Citrix has urged customers to upgrade to a software version that enables anti-spoofing by default.
Abusable D/TLS servers not only pose a threat to other devices on the Internet; they also put the organizations that run them at risk. Attacks that bounce traffic off one of these systems can cause a complete or partial outage of business-critical remote-access services on the organization's network, and they can cause other service disruptions as well.
Netscout's Hummel and Dobbins said the attacks can be difficult to mitigate because the payload in a D/TLS request is too large to fit into a single UDP packet and is therefore split into an initial and a non-initial packet stream.
"When large UDP packets are fragmented, the initial fragments contain source and destination port numbers," they wrote. "Non-initial fragments do not; when mitigating a UDP reflection/amplification vector that is made up of fragmented packets, such as DNS or CLDAP reflection/amplification, defenders should ensure that the mitigation techniques they are using can filter out both the initial and non-initial fragments of the DDoS attack traffic in question without overblocking legitimate UDP non-initial fragments."
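As an added illustration of the fragment problem Hummel and Dobbins describe (example code written for this article, not Netscout's or Citrix's), the filter below ties non-initial UDP fragments back to their initial fragment via the (source, destination, IP ID) tuple, so that both halves of a reflected response are dropped while a stray non-initial fragment whose head was never matched is passed rather than overblocked. The UDP source port 443 for D/TLS responses and the packet summaries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed fragment summaries (not real captures): one record per IP fragment.
@dataclass
class Frag:
    src_ip: str
    dst_ip: str
    ip_id: int
    offset: int              # fragment offset in 8-byte units; 0 = initial fragment
    more: bool               # IP "more fragments" flag
    src_port: Optional[int]  # only the initial fragment carries the UDP header
    dst_port: Optional[int]

REFLECTOR_PORTS = {443}  # assumption: reflected D/TLS responses come from UDP 443

class FragmentAwareFilter:
    """Drops every fragment of a datagram whose initial fragment matches the
    reflection signature. Non-initial fragments carry no ports, so the verdict
    is remembered per (src, dst, IP ID); a non-initial fragment with no known
    verdict is passed, never dropped blindly, to avoid overblocking."""

    def __init__(self) -> None:
        self.verdicts: dict = {}  # (src_ip, dst_ip, ip_id) -> "drop" | "pass"

    def decide(self, f: Frag) -> str:
        key = (f.src_ip, f.dst_ip, f.ip_id)
        if f.offset == 0:
            verdict = "drop" if f.src_port in REFLECTOR_PORTS else "pass"
            if f.more:
                self.verdicts[key] = verdict  # later fragments inherit this
            return verdict
        verdict = self.verdicts.get(key, "pass")
        if not f.more:
            self.verdicts.pop(key, None)  # last fragment seen: forget datagram
        return verdict

def run(frags) -> list:
    """Apply the filter in arrival order and return one verdict per fragment."""
    flt = FragmentAwareFilter()
    return [flt.decide(f) for f in frags]

SAMPLE = [  # constructed: reflected D/TLS datagram, a legitimate one, and a stray tail
    Frag("203.0.113.10", "198.51.100.5", 1001, 0, True, 443, 40000),
    Frag("203.0.113.10", "198.51.100.5", 1001, 185, False, None, None),
    Frag("192.0.2.7", "198.51.100.5", 77, 0, True, 5555, 5555),
    Frag("192.0.2.7", "198.51.100.5", 77, 185, False, None, None),
    Frag("192.0.2.9", "198.51.100.5", 12, 185, False, None, None),
]

if __name__ == "__main__":
    print(run(SAMPLE))  # ['drop', 'drop', 'pass', 'pass', 'pass']
```

A port-only rule would let the second fragment through, which is exactly the gap the quoted advice warns about.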
Netscout has additional recommendations here.