Criminals are increasing the power of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol to amplify the amount of junk traffic directed at targeted servers.
DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS mitigation services develop defenses that allow targets to deal with ever-larger flows, criminals respond with new ways to make the most of their limited bandwidth.
Amping up
In a so-called amplification attack, DDoSers send relatively small requests to certain types of intermediate servers. The intermediaries then send the target responses that are tens, hundreds, or thousands of times larger. The amplification works because the requests are sent with the attacker's IP address replaced by the target server's address, so the intermediary delivers its oversized response to the target rather than to the attacker.
Other well-known amplifiers include the memcached data caching system, with an astounding amplification factor of 51,000; the Network Time Protocol, with a factor of 58; and misconfigured DNS servers, with a factor of 50.
DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is Transport Layer Security for UDP datagrams. Just as TLS prevents eavesdropping, tampering, or forgery of TCP traffic, D/TLS does the same for UDP traffic.
DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout had only seen advanced attackers using dedicated DDoS infrastructure exploiting the vector. Now, so-called booter and stresser services—which use malware to deliver attacks—have adopted the technique as well. The company has identified nearly 4,300 publicly reachable D/TLS servers that are susceptible to the abuse.
The largest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for that attack combined it with other amplification vectors to achieve a combined attack of up to 207Gbps.
Savvy attackers with their own attack infrastructure often discover, rediscover, or improve on such vectors and then use them against specific targets. Eventually, this leaks into the underground. Booter/stresser operators then research and re-engineer the vector and add it to their repertoire.
Hard to mitigate
The observed attack “consists of two or more individuals, organized in such a way that the target is attacked by the attackers in question at the same time,” Netscout Threat Manager Richard Hummel and the company’s chief engineer, Roland Dobbins, wrote in an email. “These multi-vector attacks are the online equivalent of a hybrid attack, and the idea is both to outsmart defenders in terms of attack scale and to present a more challenging mitigation scenario.”
The 4,300 abusable D/TLS servers are the result of misconfigurations or outdated software that leaves the protocol's anti-spoofing mechanism disabled. While that mechanism is built into the D/TLS specification, the implementation in the Citrix Netscaler Application Delivery Manager did not always turn it on by default. Citrix has recently encouraged customers to upgrade to a software version that uses anti-spoofing by default.
Besides being a threat to devices on the Internet at large, abusable D/TLS servers also put the organizations that run them at risk. Attacks that reflect traffic off one of these devices can cause a full or partial disruption of critical remote-access services within the organization's own network, and they can cause other service disruptions as well.
Netscout's Hummel and Dobbins say the attacks can be challenging to mitigate because the payload in a D/TLS response is too large to fit in a single UDP packet and is therefore split into initial and non-initial fragments.
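The anti-spoofing mechanism the paragraph refers to is the DTLS stateless cookie exchange (the HelloVerifyRequest in RFC 6347): a server that enforces it answers an unverified ClientHello with only a small cookie challenge, and sends its large first flight only to a sender that proves it can receive traffic at the claimed source address. The following added model (not Netscout's or Citrix's code) shows why that cuts amplification; the message sizes and addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sizes in bytes. A ClientHello is small; the server's first flight
# (ServerHello, Certificate, ServerKeyExchange, ...) is dominated by the cert chain.
CLIENT_HELLO_LEN = 130
SERVER_FLIGHT_LEN = 4800
HELLO_VERIFY_LEN = 60   # a HelloVerifyRequest carries little more than the cookie


class DtlsServer:
    """Model of a DTLS server's handshake start, with the cookie exchange on or off."""

    def __init__(self, cookie_exchange):
        self.cookie_exchange = cookie_exchange
        self.secret = secrets.token_bytes(32)  # real servers rotate this periodically

    def cookie_for(self, src_ip, src_port):
        # Stateless: the cookie is an HMAC bound to the claimed source address, so
        # the server stores nothing for a client until that address is verified.
        return hmac.new(self.secret, f"{src_ip}:{src_port}".encode(),
                        hashlib.sha256).digest()[:16]

    def handle_client_hello(self, src_ip, src_port, cookie=b""):
        """Return (message type, bytes sent toward src_ip) for one ClientHello."""
        if not self.cookie_exchange:
            return "ServerFlight", SERVER_FLIGHT_LEN      # large reply to anyone
        if cookie and hmac.compare_digest(cookie, self.cookie_for(src_ip, src_port)):
            return "ServerFlight", SERVER_FLIGHT_LEN      # address proven, proceed
        return "HelloVerifyRequest", HELLO_VERIFY_LEN     # small challenge only


def amplification(server, victim_ip="192.0.2.10", victim_port=443):
    """Bytes delivered to the victim per byte spent on one ClientHello whose source
    address is forged. The forger never receives the HelloVerifyRequest (it goes to
    the victim), so it can never echo a valid cookie."""
    _, sent = server.handle_client_hello(victim_ip, victim_port)
    return sent / CLIENT_HELLO_LEN


def legitimate_handshake(server, ip="198.51.100.7", port=50000):
    """A real client sees the challenge, echoes the cookie, and gets the full flight."""
    kind, _ = server.handle_client_hello(ip, port)
    if kind == "HelloVerifyRequest":
        kind, _ = server.handle_client_hello(ip, port, cookie=server.cookie_for(ip, port))
    return kind
```

With these constructed sizes a server that skips the cookie exchange hands a spoofer roughly 37 bytes per byte sent, while one that enforces it returns less than one byte per byte; legitimate clients complete the handshake either way.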
“When large UDP packets are fragmented, the first fragments contain source and port numbers,” they wrote. “The first fragments are not; therefore, when reducing the UDP target/amplification vector which contains distributed packets, such as DNS or CLDAP encryption/amplification, defenders should ensure that the egress protocols they receive can filter both at the beginning and the first fragments of the DDoS attack traffic in question, without UDP overclocking under the first fragments.”
Netscout has additional recommendations here.