Blog article

Rise of DDoS Amplification Attacks

Publication date

04.04.2018

Discover how easily DDoS amplification attacks can cripple networks, why they’re harder to stop than you think, and how you can protect your infrastructure before it’s too late!

The DDoS Context

“A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users. It temporarily or indefinitely disrupts services of a host connected to the internet.” – Wikipedia

In a distributed denial-of-service attack (DDoS attack), the load comes from many different sources at once, typically a botnet and/or misconfigured services (as we will see below). Unlike a plain DoS, this makes tracing the attacker difficult and consumes an enormous amount of the victim's bandwidth.

There are many reasons for this type of attack, including the following:

Ideological: some kind of objection to a message conveyed by a company or a government (e.g.: Anonymous)

Smokescreen: used to hide a more complex attack, involving generally impersonation or data exfiltration

Challenge: to demonstrate a hacker's ability to overcome, or simply to gauge, the security of a system

What is more frightening is how cheap and easy it is to launch a DDoS, even for someone with limited skills, because the tooling is widely available for free or almost free.

What’s an amplification attack in a DDoS context? 

An amplification attack is a volumetric attack that tries to exhaust the victim's bandwidth through “reflection”. The attacker sends a short UDP request to a vulnerable service with the source IP address of the packet replaced by the victim's address, so that the service sends its “answer” straight to the victim. When the answer is larger than the request, the reflection is also an amplification. TCP does not lend itself to this: a three-way handshake never completes for a spoofed source address, so the service sends the victim nothing larger than a SYN-ACK – Wikipedia.

The figure accompanying this article shows the simplest case: a single attacker sending a spoofed request directly to several vulnerable services. In a large-scale attack the attacker uses a botnet to send the initial requests from a large number of sources, which multiplies the effect of the attack by the number of bots and the amplification factor of each service.

The potential effect of an amplification attack is measured by the Bandwidth Amplification Factor (BAF): the number of UDP payload bytes an amplifier sends in answer to a request, divided by the number of UDP payload bytes in that request. Below is a list of known protocols and their associated BAFs (the figures are the commonly cited ones from the US-CERT alert TA14-017A).

Protocol                    Bandwidth Amplification Factor
DNS                         28 to 54
NTP                         556.9
SNMPv2                      6.3
NetBIOS                     3.8
SSDP                        30.8
CharGEN                     358.8
QOTD                        140.3
BitTorrent                  3.8
Kad                         16.3
Quake Network Protocol      63.9
Steam Protocol              5.5
Multicast DNS (mDNS)        2 to 10
RIPv1                       131.24
Portmap (RPCbind)           7 to 28
LDAP                        46 to 55
CLDAP                       56 to 70
TFTP                        60
Memcached                   10,000 to 51,000
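To make the BAF definition concrete, here is an added example in Python (not code from the original article) that builds the small UDP requests commonly used to measure a reflector's amplification (an NTP mode 7 “monlist” request, a memcached “stats” request over UDP, and a DNS ANY query carrying an EDNS0 record) and computes the factor from whatever the service sends back. It is also a quick way to check that your own hosts are not open amplifiers, which is the point made in the prevention section. Assumptions: the target is a host you are authorised to test, the query name example.com, the collection timeout and the threshold of 1.0 are arbitrary choices, and the reply sizes used in the test are constructed, not measured.

```python
"""Build UDP amplification probes and compute their Bandwidth Amplification Factor.

Added example for this article, not code from the original post.  It sends the
same kind of request that scanners use to find open reflectors, so run it only
against hosts you own.  Ports are the standard ones; the query name, timeout and
threshold are assumptions.
"""
import socket
import struct
import sys

# Each probe is a tiny UDP payload whose answer can be many times larger on a
# misconfigured service.
PROBES = {
    # NTP mode 7 request: version 2 / mode 7, implementation 3 (XNTPD),
    # request code 42 (MON_GETLIST_1), padded to 8 bytes.
    "ntp_monlist": (123, b"\x17\x00\x03\x2a" + b"\x00" * 4),
    # Memcached UDP frame header (request id, sequence 0, total datagrams 1,
    # reserved) followed by the text command "stats".
    "memcached_stats": (11211, struct.pack("!HHHH", 0, 0, 1, 0) + b"stats\r\n"),
}


def dns_any_probe(name: str = "example.com", udp_size: int = 4096) -> bytes:
    """DNS query for <name> with QTYPE=ANY plus an EDNS0 OPT record that
    advertises a large UDP buffer, so the resolver may return a big answer."""
    # id, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 255, 1)          # QTYPE ANY, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)  # root name, TYPE OPT
    return header + question + opt


PROBES["dns_any"] = (53, dns_any_probe())


def bandwidth_amplification_factor(request: bytes, responses) -> float:
    """BAF as defined in the article: UDP payload bytes received / bytes sent."""
    sent = len(request)
    received = sum(len(r) for r in responses)
    return received / sent if sent else 0.0


def probe(host: str, port: int, request: bytes, timeout: float = 2.0) -> list:
    """Send one request and collect every datagram returned within `timeout`
    (monlist and memcached answers arrive as several packets)."""
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                responses.append(data)
        except OSError:          # timeout, or ICMP port unreachable surfaced as an error
            pass
    return responses


def check_host(host: str, baf_threshold: float = 1.0) -> dict:
    """Probe every protocol in PROBES against <host>.  A BAF above the
    (assumed) threshold means the host would amplify spoofed traffic; anything
    above 1 already makes it a usable reflector."""
    results = {}
    for name, (port, request) in PROBES.items():
        responses = probe(host, port, request)
        results[name] = bandwidth_amplification_factor(request, responses)
    return {k: v for k, v in results.items() if v > baf_threshold}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for proto, baf in check_host(target).items():
        print(f"{target}: {proto} answers with BAF {baf:.1f}")
```

A service that answers none of the probes scores 0.0; a properly restricted NTP server answers the mode 7 request with nothing or with a short error, while a server that still honours monlist returns up to 100 packets of 440 bytes for an 8-byte request, which is where the 556.9 in the table comes from.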

Prevention and Response

Here are some measures that will help you mitigate an amplification attack quickly:

– An up-to-date network/service diagram.

– A tested incident response plan with roles and contacts clearly defined (ideally also printed on paper, in case the whole network is unavailable).

– A monitoring system that alerts you at the start of a DDoS. Unsolicited inbound UDP traffic from source ports such as 123 (NTP), 53 (DNS) or 11211 (memcached) at unusual volumes is the typical signature of an amplification attack.

– A firewall that blocks all traffic that is not explicitly permitted (incoming and outgoing). Egress filtering that drops packets whose source address does not belong to you (BCP 38) also prevents your network from being the launch point of a spoofed attack.

– A properly configured load balancer that does not itself become a single point of failure.

– Regular assessment of the security of your infrastructure and of your firewall rules.

– Temporary filtering by your provider (ISP): traffic scrubbing or traffic shaping upstream, where the bandwidth is.

– A log of every action taken during incident response (timestamp, action, result, …).

– Escalation to a third party when no other solution is left.

– And … do not take part in a DDoS yourself. Close or restrict open and misconfigured UDP services (open recursive DNS resolvers, NTP servers that still answer monlist, memcached listening on UDP, SSDP exposed to the internet) so your hosts cannot be used as reflectors in someone else's attack.
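As an added example of the monitoring point above (not code from the original article), the Python below runs over a handful of constructed flow records (a NetFlow-style export reduced to timestamp, addresses, ports, protocol, bytes and packets; the record format is an assumption) and flags inbound UDP traffic that arrives from the source ports of the reflector services in the BAF table without any matching outbound request from our side. The local prefix 198.51.100.0/24, the reflector and victim addresses and the 100,000-byte threshold are constructed for illustration; in production you would compare bits per second over a short window against your link capacity.

```python
"""Flag inbound UDP amplification traffic in flow records.

Added example for this article, not code from the original post.  Flow records
below are constructed; the CSV field order, the local prefix and the byte
threshold are assumptions to adapt to your own collector.
"""
import ipaddress
from collections import defaultdict

# UDP source ports of the reflector services listed in the article's tables.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 161: "SNMP", 137: "NetBIOS", 1900: "SSDP",
    19: "CharGEN", 17: "QOTD", 111: "Portmap", 389: "CLDAP", 69: "TFTP",
    5353: "mDNS", 11211: "Memcached", 1434: "MS-SQL",
}

# Constructed sample: ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
# Lines 1-2: a legitimate DNS query from us and its answer.
# Lines 3-7: five NTP reflectors hammering 198.51.100.20 on random ports.
# Line 8:   a stray SSDP packet, too small to matter.
SAMPLE_FLOWS = """\
1522800000,198.51.100.10,40000,203.0.113.5,53,udp,60,1
1522800000,203.0.113.5,53,198.51.100.10,40000,udp,512,1
1522800001,192.0.2.11,123,198.51.100.20,80,udp,44000,100
1522800001,192.0.2.12,123,198.51.100.20,80,udp,44000,100
1522800001,192.0.2.13,123,198.51.100.20,443,udp,44000,100
1522800002,192.0.2.14,123,198.51.100.20,80,udp,44000,100
1522800002,192.0.2.15,123,198.51.100.20,8080,udp,44000,100
1522800002,203.0.113.9,1900,198.51.100.30,5000,udp,300,1
"""


def parse_flows(text: str) -> list:
    """Turn the CSV export into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sip, sport, dip, dport, proto, nbytes, pkts = line.split(",")
        flows.append({"ts": int(ts), "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows


def find_amplification(flows: list, local_net: str, byte_threshold: int = 100_000) -> list:
    """Return one alert per (victim, service) whose unsolicited inbound volume
    from reflector ports exceeds byte_threshold within the flows given."""
    net = ipaddress.ip_network(local_net)
    # Every UDP request we actually sent, keyed so a reply can be matched to it.
    solicited = {(f["src"], f["sport"], f["dst"], f["dport"])
                 for f in flows
                 if f["proto"] == "udp" and ipaddress.ip_address(f["src"]) in net}
    volume = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        if ipaddress.ip_address(f["dst"]) not in net:
            continue                                   # not aimed at us
        if (f["dst"], f["dport"], f["src"], f["sport"]) in solicited:
            continue                                   # a real answer to our request
        key = (f["dst"], REFLECTOR_PORTS[f["sport"]])
        volume[key] += f["bytes"]
        reflectors[key].add(f["src"])
    alerts = []
    for (victim, service), nbytes in volume.items():
        if nbytes >= byte_threshold:
            alerts.append({"victim": victim, "service": service, "bytes": nbytes,
                           "reflectors": sorted(reflectors[(victim, service)])})
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for alert in find_amplification(parse_flows(SAMPLE_FLOWS), "198.51.100.0/24"):
        print(f"{alert['service']} reflection against {alert['victim']}: "
              f"{alert['bytes']} bytes from {len(alert['reflectors'])} reflectors")
```

The reflector list in each alert is exactly what your ISP needs for upstream scrubbing, and the victim/port pair tells you which firewall rule to tighten first; the legitimate DNS exchange is not flagged because the answer matches a request we sent.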

Our statistics for Belgium

Services that can be used for an amplification attack are widely available all around the world. To give you an idea, we have compiled statistics on vulnerable UDP services in Belgium, based on threat intelligence and passive scans at Belgian level as of mid-March 2018, that can be used for an amplification attack (ordered by amplification factor):

Protocol                    Bandwidth Amplification Factor    Exposed services in Belgium (count)
Memcached                   10,000 to 51,000                  55
NTP                         556.9                             10809
CharGEN                     358.8                             26
QOTD                        140.3                             49
DNS                         28 to 54                          2743
SSDP                        30.8                              2757
MS-SQL                      25                                537
Portmap (RPCbind)           7 to 28                           6025
SNMPv2                      6.3                               5993
Multicast DNS (mDNS)        2 to 10                           6093
NetBIOS                     3.8                               2683

Conclusion

– DDoS amplification attacks are not a matter of skill for a hacker, since there is a plethora of tools, more or less freely accessible.

– DDoS amplification attacks are difficult to mitigate and to attribute, since the hacker's IP is hidden behind the reflection: the victim only sees the reflectors.

– A huge quantity of vulnerable services that can be used for a DDoS is available all around the world. At the very least, make sure you are not taking part yourself.

– You can use the “Prevention and Response” section as inspiration for your own defence.
