Jump to content
  • DDoSers are using a potent new method to deliver attacks of unthinkable size


    Karlston

    • 959 views
    • 7 minutes
     Share


    • 959 views
    • 7 minutes

    100,000 misconfigured servers are creating a new way to knock sites offline.

     

    Last August, academic researchers discovered a potent new method for knocking sites offline: a fleet of misconfigured servers more than 100,000 strong that can amplify floods of junk data to once-unthinkable sizes. These attacks, in many cases, could result in an infinite routing loop that causes a self-perpetuating flood of traffic. Now, content-delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media, and web-hosting industries.

     

    These servers—known as middleboxes—are deployed by nation-states such as China to censor restricted content and by large organizations to block sites pushing porn, gambling, and pirated downloads. The servers fail to follow transmission control protocol specifications that require a three-way handshake—comprising an SYN packet sent by the client, a SYN+ACK response from the server, followed by a confirmation ACK packet from the client—before a connection is established.

     

    This handshake limits the TCP-based app from being abused as amplifiers because the ACK confirmation must come from the gaming company or other target rather than an attacker spoofing the target’s IP address. But given the need to handle asymmetric routing, in which the middlebox can monitor packets delivered from the client but not the final destination that’s being censored or blocked, many such servers drop the requirement by design.

    A hidden arsenal

    Last August, researchers at the University of Maryland and the University of Colorado at Boulder published research showing that there were hundreds of thousands of middleboxes that had the potential to deliver some of the most crippling distributed denial of service attacks ever seen.

     

    For decades, people have used DDoSes to flood sites with more traffic or computational requests than the sites can handle, denying services to legitimate users. DDoSes are similar to the old prank of directing more calls to the pizza parlor than the parlor has phone lines to handle.

     

    To maximize the damage and conserve resources, DDoSers often increase the firepower of their attacks though amplification vectors. Amplification works by spoofing the target’s IP address and bouncing a relatively small amount of data at a misconfigured server used for resolving domain names, syncing computer clocks, or speeding up database caching. Because the response the servers automatically send are dozens, hundreds, or thousands of times bigger than the request, the response overwhelms the spoofed target.

     

    The researchers said that at least 100,000 of the middleboxes they identified exceeded the amplification factors from DNS servers (about 54x) and Network Time Protocol servers (about 556x). The researchers said that they identified hundreds of servers that amplified traffic at a higher multiplier than misconfigured servers using memcached, a database caching system for speeding up websites that can increase traffic volume by an astounding 51,000x.

     

    Here are two illustrations that show how the attacks work:

    middlebox-ddos-amplification.gif

     

    weaponizing-middleboxes.gif

    Bock et al.

    Day of reckoning

    The researchers said at the time that they had no evidence of middlebox DDoS amplification attacks being used actively in the wild but expected it would only be a matter of time until that happened.

     

    On Tuesday, Akamai researchers reported that day has come. Over the past week, the Akamai researchers said, they have detected multiple DDoSes that used middleboxes precisely the way the academic researchers predicted. The attacks peaked at 11Gbps and 1.5 million packets per second.

    While small when compared to the biggest DDoSes, both teams of researchers expect the attacks to get larger as DDoSers begin to optimize their attacks and identify more middleboxes that can be abused (the academic researchers didn’t release that data to prevent it from being abused).

     

    Kevin Bock, the lead researcher behind last August’s research paper, said DDoSers had plenty of incentives to reproduce the attacks his team theorized.

     

    “Unfortunately, we weren’t surprised,” he told me upon learning of the active attacks. “We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective. Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”

     

    One of the middleboxes received a SYN packet with a 33-byte payload and responded with a 2,156-byte reply.

     

    65x-amplifier.png

    Akamai

    That translated to a factor of 65x, but the amplification has the potential to be much greater with more work.

     

    amplification-rank-640x318.png

     

    Akamai researchers wrote:

     

    Volumetric TCP attacks previously required an attacker to have access to a lot of machines and a lot of bandwidth, normally an arena reserved for very beefy machines with high-bandwidth connections and source spoofing capabilities or botnets. This is because until now there wasn’t a significant amplification attack for the TCP protocol; a small amount of amplification was possible, but it was considered almost negligible, or at the very least subpar and ineffectual when compared with the UDP alternatives.

     

    If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets. With the arrival of middlebox amplification, this long-held understanding of TCP attacks is no longer true. Now an attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.

    Infinite packet storms and complete resource exhaustion

    Another middlebox Akamai encountered, for unknown reasons, responded to SYN packets with multiple SYN packets of its own. Servers that follow TCP specifications should never respond this way. The SYN packet responses were loaded with data. Even worse, the middlebox completely disregarded RST packets sent from the victim, which are supposed to terminate a connection.

     

    ignore-rst-packet.png

    Akamai

    Also concerning is the finding from Bock’s research team that some middleboxes will respond when they receive any additional packet including the RST.

     

    “This creates an infinite packet storm,” the academic researchers wrote in August. “The attacker elicits a single block page to a victim, which causes a RST from the victim, which causes a new block page from the amplifier, which causes a RST from the victim, etc. The victim sustained case is especially dangerous for two reasons. First, the victim’s default behavior sustains the attack on itself. Second, this attack causes the victim to flood its own uplink while flooding the downlink.”

     

    Akamai also provided a demonstration showing the damage that occurs when an attacker targets a specific port running a TCP-based service.

     

    tcp-service-targeting.png

    Akamai

    “These SYN packets directed at a TCP application/service will cause that application to attempt to respond with multiple SYN+ACK packets and hold the TCP sessions open, awaiting the remainder of the three-way handshake,” Akamai explained. “As each TCP session is held in this half-open state, the system will consume sockets that will in turn consume resources, potentially to the point of complete resource exhaustion.”

     

    Unfortunately, there’s nothing typical end-users can do to block the DDoS amplification being exploited. Instead, middlebox operators must reconfigure their machines, which is unlikely in many cases. Barring that, network defenders must change the way they filter and respond to packets. Both Akamai and the academic researchers provide much more detailed instructions.

     

     

    DDoSers are using a potent new method to deliver attacks of unthinkable size


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...