~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet


mood

~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet


Criminals are upping the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol that drastically increases the amount of junk traffic directed at targeted servers.

DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections that allow targets to withstand ever-larger torrents of traffic, the criminals respond with new ways to make the most of their limited bandwidth.

Getting amped up

In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. The intermediaries then send the targets responses that are tens, hundreds, or thousands of times bigger. The redirection works because the requests replace the IP address of the attacker with the address of the server being targeted.

Other well-known amplification vectors include the memcached database caching system with an amplification factor of an astounding 51,000, the Network Time Protocol with a factor of 58, and misconfigured DNS servers with a factor of 50.

DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data.

DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers using dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stressor services—which use commodity equipment to provide for-hire attacks—have adopted the technique. The company has identified almost 4,300 publicly reachable D/TLS servers that are susceptible to the abuse.

The biggest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207Gbps.

Skilled attackers with their own attack infrastructure typically discover, rediscover, or improve amplification vectors and then use them against specific targets. Eventually, word will leak into the underground through forums of the new technique. Booter/stressor services then do research and reverse-engineering to add it to their repertoire.

Challenging to mitigate

The observed attack “consists of two or more individual vectors, orchestrated in such a manner that the target is pummeled via the vectors in question simultaneously,” Netscout Threat Intelligence Manager Richard Hummel and the company’s principal engineer, Roland Dobbins, wrote in an email. “These multi-vector attacks are the online equivalent of a combined-arms attack, and the idea is to both overwhelm the defenders in terms of both attack volume as well as present a more challenging mitigation scenario.”

The 4,300 abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built into the D/TLS specification, hardware including the Citrix NetScaler Application Delivery Controller didn’t always turn it on by default. Citrix has more recently encouraged customers to upgrade to a software version that uses anti-spoofing by default.

Besides posing a threat to devices on the Internet at large, abusable D/TLS servers also put organizations using them at risk. Attacks that bounce traffic off one of these machines can create full or partial interruption of mission-critical remote-access services inside the organization’s network. Attacks can also cause other service disruptions.

Netscout’s Hummel and Dobbins said that the attacks can be challenging to mitigate because the size of the payload in a D/TLS request is too big to fit in a single UDP packet and is, therefore, split into an initial and non-initial packet stream.

“When large UDP packets are fragmented, the initial fragments contain source and destination port numbers,” they wrote. “Non-initial fragments do not; so, when mitigating a UDP reflection/amplification vector which consists of fragmented packets, such as DNS or CLDAP reflection/amplification, defenders should ensure that the mitigation techniques they employ can filter out both the initial and non-initial fragments of the DDoS attack traffic in question, without overclocking legitimate UDP non-initial fragments.”

Netscout has additional recommendations here.
Source: ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

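The Netscout quote in the post above makes a point defenders get wrong in practice: when a reflected UDP response is fragmented, only the first fragment carries the UDP header, so a filter that matches on source port sees the non-initial fragments as port-less IPv4 fragments and lets them through, while a filter that simply drops all non-initial fragments breaks legitimate fragmented UDP. The following is an added example, not code from either article or from Netscout. It parses constructed IPv4 fragments, drops initial fragments from a configured reflector source port, remembers the datagram (source, destination, identification) so the port-less tail fragments of that same datagram are dropped too, and passes unrelated fragments. The addresses, identification values, payload sizes and the reflector port (4433) are placeholders chosen for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IP_MF = 0x2000      # IPv4 "more fragments" flag
UDP_PROTO = 17


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                 # IPv4 identification: ties the fragments of one datagram together
    offset: int                # fragment offset in bytes (0 = initial fragment)
    more: bool                 # True unless this is the last fragment
    src_port: Optional[int]    # only recoverable from the initial fragment
    dst_port: Optional[int]


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4_fragment(pkt: bytes) -> Fragment:
    """Parse the IPv4 header; recover UDP ports only when the UDP header is present."""
    (ver_ihl, _tos, _total, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8
    more = bool(flags_off & IP_MF)
    sport = dport = None
    if proto == UDP_PROTO and offset == 0 and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Fragment(_ip_str(src), _ip_str(dst), ident, offset, more, sport, dport)


def build_udp_fragment(src, dst, ident, offset, more, payload, sport=0, dport=0):
    """Construct one fragment of a UDP datagram (test data, not captured traffic).
    Only the first fragment (offset 0) gets a UDP header; checksums are left at 0."""
    body = payload
    if offset == 0:
        body = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident, flags_off,
                      64, UDP_PROTO, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + body


class FragmentAwareFilter:
    """Drop reflected traffic by source port, including the port-less non-initial
    fragments of the same datagram, while leaving unrelated fragmented UDP alone."""

    def __init__(self, reflector_ports):
        self.reflector_ports = set(reflector_ports)
        self.blocked = set()   # (src, dst, ident) of datagrams whose first fragment matched

    def decide(self, pkt: bytes) -> str:
        f = parse_ipv4_fragment(pkt)
        key = (f.src, f.dst, f.ident)
        if f.offset == 0:
            if f.src_port in self.reflector_ports:
                if f.more:
                    self.blocked.add(key)   # remember so the tail fragments are dropped too
                return "drop"
            return "pass"
        # Non-initial fragment: no ports to match on, so rely on state from the first fragment.
        if key in self.blocked:
            if not f.more:
                self.blocked.discard(key)   # last fragment seen, release the state
            return "drop"
        return "pass"


def demo_stream(reflector_port: int = 4433) -> list:
    """Constructed interleaved stream: one reflected datagram (3 fragments) from the
    reflector port and one legitimate fragmented datagram (2 fragments) from another port."""
    victim, reflector, peer = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    big = bytes(1400)
    stream = [
        build_udp_fragment(reflector, victim, 0x1111, 0, True, big, sport=reflector_port, dport=40000),
        build_udp_fragment(peer, victim, 0x2222, 0, True, big, sport=60000, dport=40001),
        build_udp_fragment(reflector, victim, 0x1111, 1408, True, big),
        build_udp_fragment(peer, victim, 0x2222, 1408, False, big),
        build_udp_fragment(reflector, victim, 0x1111, 2816, False, big),
    ]
    flt = FragmentAwareFilter({reflector_port})
    return [flt.decide(p) for p in stream]


if __name__ == "__main__":
    print(demo_stream())
```

The state table is the whole point: without it the filter would either leak the tail fragments (port match only) or drop the legitimate peer's second fragment (blanket non-initial drop). A production implementation also has to handle fragments arriving before their initial fragment (buffer briefly or rate-limit unmatched non-initial fragments) and must expire state entries on a timer, since the last fragment may never arrive.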

DDoS booters now abuse DTLS servers to amplify attacks

DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.

DTLS is a UDP-based version of the Transport Layer Security (TLS) protocol that prevents eavesdropping and tampering in delay-sensitive apps and services.

Already abused in single and multi-vector DDoS attacks

According to reports that surfaced in December, a DDoS attack used DTLS to amplify traffic from vulnerable Citrix ADC devices that used DTLS configurations without a 'HelloClientVerify' anti-spoofing mechanism designed to block such abuse.
DDoS attacks using DTLS can reach an amplification factor of 35 according to German DDoS protection vendor Link11 or an amplification ratio of 37.34:1 based on info from DDoS mitigation firm Netscout.

Citrix released a fix to remove the amplification vector on affected NetScaler ADC devices in January, adding a 'HelloVerifyRequest' setting to remove the attack vector.

However, two months later, Netscout said that more than 4,200 DTLS servers are still reachable over the Internet and ripe for abuse in reflection/amplification DDoS attacks.

Netscout has observed single-vector DTLS amplification DDoS attacks up to roughly 44.6 Gbps and multi-vector attacks of up to ~206.9 Gbps.

Adopted by DDoS booter services

DDoS-for-hire platforms, also known as stressers or booters, are now also using DTLS as an amplification vector, which puts it in the hands of less sophisticated attackers.

Booter services are used by threat actors, pranksters, or hacktivists without the time to invest or skills to build their own DDoS infrastructure.

They rent stresser services to launch DDoS attacks triggering a denial of service that commonly brings down targeted servers or sites or causes various levels of disruption.

"As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, D/TLS reflection/amplification has been weaponized and added to the arsenals of so-called 'booter/stresser' DDoS-for-hire services, placing it within the reach of the general attacker population," Netscout added.

To mitigate such attacks, admins can either disable unnecessary DTLS services on Internet-exposed servers or patch/configure them to use the HelloVerifyRequest anti-spoofing mechanism to remove the DTLS amplification vector.
DHS-CISA also provides guidance on how to detect DDoS attacks and the measures you need to take while being DDoSed.

Source: DDoS booters now abuse DTLS servers to amplify attacks

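Both posts say the fix is the HelloVerifyRequest anti-spoofing mechanism that DTLS already specifies (RFC 6347, section 4.2.1) but that affected NetScaler ADC builds did not enable by default. The model below is an added example, not Citrix's, Netscout's or any DTLS library's code. It shows why the mechanism removes the amplification: a server that verifies cookies answers a first ClientHello with a small HelloVerifyRequest carrying an HMAC over the claimed source address, so a forged source address only causes a reply smaller than the request, and only a client that really receives traffic at that address can echo the cookie and get the large server flight. The message sizes are constructed (130-byte ClientHello, 4,854-byte server flight, chosen so the unprotected ratio lands near the 37:1 the articles report), and the addresses are placeholders.

```python
import hashlib
import hmac
import os

# Constructed sizes in bytes, not measurements. The ClientHello is small; the
# server's first flight (ServerHello, Certificate, ServerKeyExchange,
# ServerHelloDone) is large, which is what makes the reflection worthwhile.
CLIENT_HELLO_LEN = 130
SERVER_FLIGHT_LEN = 4854

# DTLS record header (13) + handshake header (12) + server_version (2) + cookie length (1)
HELLO_VERIFY_OVERHEAD = 28
COOKIE_LEN = 32


class DtlsListener:
    """Minimal model of a DTLS server's first handshake decision.

    With verification enabled, any ClientHello without a valid cookie is answered
    with a HelloVerifyRequest. The cookie is an HMAC over the claimed client
    address and client parameters, so the server keeps no per-client state and
    only a peer that can receive traffic at that address can echo it back.
    """

    def __init__(self, verify_enabled: bool):
        self.verify_enabled = verify_enabled
        self._secret = os.urandom(32)   # real servers rotate this periodically
        self.bytes_sent_to = {}         # destination address -> bytes emitted

    def _cookie(self, addr: str, client_random: bytes) -> bytes:
        mac = hmac.new(self._secret, addr.encode() + client_random, hashlib.sha256)
        return mac.digest()[:COOKIE_LEN]

    def _emit(self, addr: str, nbytes: int) -> None:
        self.bytes_sent_to[addr] = self.bytes_sent_to.get(addr, 0) + nbytes

    def on_client_hello(self, src_addr: str, client_random: bytes, cookie: bytes = b""):
        """src_addr is the datagram's source address, which the sender may have forged."""
        expected = self._cookie(src_addr, client_random)
        if self.verify_enabled and not hmac.compare_digest(cookie, expected):
            self._emit(src_addr, HELLO_VERIFY_OVERHEAD + COOKIE_LEN)
            return ("HelloVerifyRequest", expected)
        self._emit(src_addr, SERVER_FLIGHT_LEN)
        return ("ServerFlight", None)


def reflected_ratio(verify_enabled: bool) -> float:
    """Bytes delivered to the holder of a forged source address per byte sent to the server."""
    srv = DtlsListener(verify_enabled)
    victim = "192.0.2.10"                        # placeholder address
    srv.on_client_hello(victim, os.urandom(32))  # one ClientHello whose source was forged
    return srv.bytes_sent_to[victim] / CLIENT_HELLO_LEN


def legitimate_handshake_completes() -> bool:
    """A client at its real address receives the cookie and can present it."""
    srv = DtlsListener(verify_enabled=True)
    client, rnd = "203.0.113.5", os.urandom(32)  # placeholder address
    kind, cookie = srv.on_client_hello(client, rnd)
    if kind != "HelloVerifyRequest":
        return False
    kind, _ = srv.on_client_hello(client, rnd, cookie=cookie)
    return kind == "ServerFlight"


if __name__ == "__main__":
    print("verification off:", round(reflected_ratio(False), 2))
    print("verification on: ", round(reflected_ratio(True), 2))
    print("legitimate client still completes:", legitimate_handshake_completes())
```

With verification off the victim receives the full server flight for a 130-byte request; with it on the victim receives a 60-byte HelloVerifyRequest, a ratio below 1, and the cookie is useless to anyone who did not receive it at that address. Operationally this is why the mitigation is a configuration question rather than a network one: the listener must be set to send HelloVerifyRequest (or DTLS on that interface disabled), and an external scan of your own exposed DTLS endpoints should confirm that a bare ClientHello draws a HelloVerifyRequest, not a server flight.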