Alert (TA14-017A) – UDP-Based Amplification Attacks


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Mon, 04 Dec 2017 19:35:03 -0600

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA14-017A: UDP-Based Amplification Attacks [ https://www.us-cert.gov/ncas/alerts/TA14-017A ] 

Original release date: January 17, 2014

Updated on: December 4, 2017

Systems Affected

Certain application-layer protocols that rely on the User Datagram Protocol (UDP) have been identified as potential 
attack vectors. These include:


  * Domain Name System (DNS), 
  * Network Time Protocol (NTP), 
  * Connection-less Lightweight Directory Access Protocol (CLDAP), 
  * Character Generator Protocol (CharGEN), 
  * Simple Service Discovery Protocol (SSDP), 
  * BitTorrent, 
  * Simple Network Management Protocol version 2 (SNMPv2), 
  * Kad, 
  * Portmap/Remote Procedure Call (RPC), 
  * Quote of the Day (QOTD), 
  * Multicast Domain Name System (mDNS), 
  * Network Basic Input/Output System (NetBIOS), 
  * Quake Network Protocol, 
  * Steam Protocol, 
  * Routing Information Protocol version 1 (RIPv1), and 
  * Lightweight Directory Access Protocol (LDAP). 

Overview

A distributed reflective denial-of-service (DRDoS) attack is a form of distributed denial-of-service (DDoS) that relies 
on publicly accessible UDP servers and their bandwidth amplification factors (BAFs) to overwhelm a victim's system with 
UDP traffic.

Description

By design, UDP is a connectionless protocol and does not validate source Internet Protocol (IP) addresses. Unless the 
application-layer protocol adds its own countermeasure, such as the session setup handshake that Voice over IP performs 
with the Session Initiation Protocol (SIP) [1 [ https://tools.ietf.org/html/rfc3261 ]], an attacker can trivially forge 
the source IP address of a UDP datagram. When many UDP requests carry the victim's IP address as their source, the server 
that receives them (the reflector, or amplifier) sends its responses to the victim instead of to the attacker, creating a 
reflected denial-of-service (DoS) attack.

Certain requests to UDP services elicit responses that are much larger than the request itself. Previously, an attacker's 
flood was bounded by the packets the attacker could send directly to the target; with amplification, a single small 
request produces tens to hundreds of times its own size in response traffic (see the table below), so the reflector 
multiplies the attacker's bandwidth. This is called an amplification attack. Combined with reflection at scale, using 
many amplifiers against a single victim, it allows DDoS attacks to be conducted with relative ease.

The potential effect of an amplification attack is measured by the BAF: the number of UDP payload bytes an amplifier 
sends in response to a request, divided by the number of UDP payload bytes in the request. 
[2 (link is external) [ http://www.christian-rossow.de/articles/Amplification_DDoS.php ]] [3 (link is external) [ 
http://www.christian-rossow.de/publications/amplification-ndss2014.pdf ]]

The following is a list of known protocols and their associated BAFs. US-CERT offers thanks to Christian Rossow for 
providing this information. For more information on BAFs, please see Christian's blog (link is external) [ 
http://www.christian-rossow.de/articles/Amplification_DDoS.php ] and associated research paper (link is external) [ 
http://www.christian-rossow.de/publications/amplification-ndss2014.pdf ].

Protocol                Bandwidth Amplification Factor   Vulnerable Command
DNS                     28 to 54                         see TA13-088A [4]
NTP                     556.9                            see TA14-013A [5]
SNMPv2                  6.3                              GetBulk request
NetBIOS                 3.8                              Name resolution
SSDP                    30.8                             SEARCH request
CharGEN                 358.8                            Character generation request
QOTD                    140.3                            Quote request
BitTorrent              3.8                              File search
Kad                     16.3                             Peer list exchange
Quake Network Protocol  63.9                             Server info exchange
Steam Protocol          5.5                              Server info exchange
Multicast DNS (mDNS)    2 to 10                          Unicast query
RIPv1                   131.24                           Malformed request
Portmap (RPCbind)       7 to 28                          Malformed request
LDAP                    46 to 55                         Malformed request [6]
CLDAP                   56 to 70                         see Akamai advisory [7]

In March 2015, the CERT Coordination Center of the Software Engineering Institute issued Vulnerability Note VU#550620 
describing the use of mDNS in DRDoS attacks. mDNS implementations that answer unicast queries originating outside the 
local link can be used as reflectors, sending their responses to a spoofed victim address and contributing to a DoS 
condition. [8 [ https://www.kb.cert.org/vuls/id/550620 ]]

In July 2015, Akamai Technologies' Prolexic Security Engineering and Research Team (PLXsert) issued a threat advisory 
describing a surge in DRDoS attacks using RIPv1. Malicious actors are leveraging the behavior of RIPv1 for DDoS 
reflection through specially crafted request queries. [9 (link is external) [ http://www.stateoftheinternet.com/ ]]

In August 2015, Level 3 Threat Research Labs reported a new form of DRDoS attack that uses portmap. Attackers are 
leveraging the behavior of the portmap service through spoofed requests to flood a victim's network with UDP traffic. 
[10 (link is external) [ 
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/ ]]

In October 2016, Corero Network Security reported a new DDoS amplification attack that abuses LDAP directory servers, 
observed against its customers. [11 (link is external) [ 
https://www.corero.com/company/newsroom/press-releases/corero-warns-of-powerful-new-ddos-attack-vector-with-potential-for-terabit-scale-ddos-events/
 ]]

In November 2017, Netlab 360 reported that CLDAP is now the third most common DRDoS attack, behind DNS and NTP attacks. 
[12 (link is external) [ 
http://blog.netlab.360.com/cldap-is-now-the-3rd-reflection-amplified-ddos-attack-vector-surpassing-ssdp-and-chargen-en 
]]

Impact

Attackers can use the bandwidth and relative trust of large servers that provide the UDP services listed in this alert 
to flood victims with unwanted traffic and create a DDoS attack.

Solution

Detection

Detecting DRDoS attacks is not easy, because the traffic comes from large, trusted servers that provide legitimate UDP 
services. Operators of the reflected services may apply traditional DoS mitigation techniques. To detect a DRDoS attack 
in progress, watch for an abnormally large volume of responses directed at a single IP address, which may indicate that 
an attacker is using the service as a reflector.

There are a few things victims of DRDoS attacks can do to detect such activity and respond:


  * Detect and alert on large UDP packets sent to high-numbered (ephemeral) ports. 
  * Detect and alert on any non-stateful UDP packets, i.e., inbound UDP datagrams that are not answers to a request the 
protected host sent. A simple Snort example follows; the approach will need to be customized to each environment with a 
whitelist of known services. 

    Simple Snort rule example for a stateless UDP check:

    # The protected host(s); adjust to the local address space.
    var HOME_NET [10.10.10.20]
    # Track UDP "sessions" so a flowbit set by an outbound datagram is visible on the reply.
    preprocessor stream5_global: track_ip yes, track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072
    preprocessor stream5_ip: timeout 180
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    preprocessor stream5_udp: timeout 180, ignore_any_rules
    # An outbound datagram from a high port on HOME_NET marks the session as client-initiated (no alert).
    alert udp $HOME_NET 1024: -> any any (msg:"UDP Session start"; flowbits:set,logged_in; flowbits:noalert; sid:1001;)
    # An inbound datagram to a high port on HOME_NET with no prior outbound datagram in the session is unsolicited.
    alert udp any any -> $HOME_NET 1024: (msg:"UDP Stateless"; flowbits:isnotset,logged_in; sid:1002;) 
  * Upstream providers should maintain updated contacts and methods with downstream customers to send alerts by 
network. 

In general, network and server administrators for Internet service providers (ISPs) should use the following best 
practices to avoid becoming amplifier nodes:


  * Use network flow to detect spoofed packets. (See the Mitigation section below for information on verifying spoofed 
traffic before blocking that traffic.) 
  * Use network flow or other summarized network data to monitor for an unusual number of requests to at-risk UDP 
services. 
  * Use network flow to detect service anomalies (e.g., bytes-per-packet and packets-per-second anomalies). 
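The flow-based checks above (unsolicited responses to a protected host, an abnormally large response volume toward one address from many reflectors, bytes-per-packet anomalies, and the BAF itself) in working form, as an added example that is not part of the US-CERT alert. It runs on constructed NetFlow-style records embedded in the code; the `Flow` fields, `HOME_NET`, the `SERVICE_PORTS` map and the thresholds are assumptions, and `payload_bytes` assumes an exporter that reports UDP payload rather than IP-layer bytes.

```python
"""Flow-based heuristics for UDP reflection/amplification traffic.

Added example; not part of the US-CERT alert. Runs over constructed
NetFlow-style records. Record fields, HOME_NET, the service-port map and
the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.10.10.0/24")  # assumed prefix of the monitored network

# UDP service ports for protocols named in the alert (assumed mapping). A flow
# whose *source* port is one of these is treated as a response from that service.
SERVICE_PORTS = {
    17: "QOTD", 19: "CharGEN", 53: "DNS", 111: "Portmap", 123: "NTP",
    137: "NetBIOS", 161: "SNMP", 389: "CLDAP", 520: "RIPv1",
    1900: "SSDP", 5353: "mDNS",
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (assumed exporter fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    payload_bytes: int  # UDP payload bytes, the unit BAF is defined on


def is_request(f):
    return f.dport in SERVICE_PORTS and f.sport not in SERVICE_PORTS


def is_response(f):
    return f.sport in SERVICE_PORTS and f.dport not in SERVICE_PORTS


def unsolicited_responses(flows):
    """Responses into HOME_NET with no matching outbound request.

    The 'stateless UDP' check: a legitimate answer is preceded by a request
    from the same client address and port to the same server port.
    """
    requests = {(f.src, f.sport, f.dst, f.dport) for f in flows if is_request(f)}
    return [f for f in flows
            if is_response(f) and ip_address(f.dst) in HOME_NET
            and (f.dst, f.dport, f.src, f.sport) not in requests]


def reflected_victims(flows, min_bytes=10_000, min_reflectors=3):
    """Victim-side signature: one destination receiving many unsolicited
    response bytes from several distinct reflectors and services."""
    per_dst = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for f in unsolicited_responses(flows):
        d = per_dst[f.dst]
        d["bytes"] += f.payload_bytes
        d["reflectors"].add(f.src)
        d["services"].add(SERVICE_PORTS[f.sport])
    return {dst: {"bytes": d["bytes"], "reflectors": len(d["reflectors"]),
                  "services": sorted(d["services"])}
            for dst, d in per_dst.items()
            if d["bytes"] >= min_bytes and len(d["reflectors"]) >= min_reflectors}


def observed_baf(flows):
    """Amplifier-side view: per service, response payload bytes divided by
    request payload bytes (the BAF as the alert defines it) and response
    bytes per packet. Both rising sharply means the service is being abused."""
    req, resp, pkts = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        if is_request(f):
            req[SERVICE_PORTS[f.dport]] += f.payload_bytes
        elif is_response(f):
            resp[SERVICE_PORTS[f.sport]] += f.payload_bytes
            pkts[SERVICE_PORTS[f.sport]] += f.packets
    return {svc: {"baf": round(resp[svc] / req[svc], 1) if req[svc] else None,
                  "bytes_per_packet": round(resp[svc] / pkts[svc], 1) if pkts[svc] else None}
            for svc in resp}


# Constructed victim-side records (documentation address ranges): 10.10.10.20
# makes one ordinary DNS query; 10.10.10.50 is hit by NTP and CharGEN reflection.
SAMPLE_FLOWS = [
    Flow("10.10.10.20", 40001, "192.0.2.53", 53, 1, 40),           # DNS query out
    Flow("192.0.2.53", 53, "10.10.10.20", 40001, 1, 120),          # solicited answer
    Flow("198.51.100.1", 123, "10.10.10.50", 80, 4000, 1_800_000),
    Flow("198.51.100.2", 123, "10.10.10.50", 80, 4000, 1_800_000),
    Flow("203.0.113.7", 19, "10.10.10.50", 80, 1000, 1_024_000),
    Flow("203.0.113.8", 19, "10.10.10.50", 80, 1000, 1_024_000),
]

# Constructed amplifier-side records: an NTP server receiving spoofed requests
# "from" the victim and answering it; 800 request bytes yield 445,520 response
# bytes, i.e. the 556.9 BAF the alert lists for NTP.
AMPLIFIER_FLOWS = [
    Flow("10.10.10.50", 80, "198.51.100.1", 123, 100, 800),
    Flow("198.51.100.1", 123, "10.10.10.50", 80, 1000, 445_520),
]

if __name__ == "__main__":
    print("victims:", reflected_victims(SAMPLE_FLOWS))
    print("amplifier view:", observed_baf(AMPLIFIER_FLOWS))
```

Run against a real flow export, the request/response pairing in `unsolicited_responses` is the same idea as the Snort flowbits rule, and `observed_baf` is what an operator of an at-risk service would chart per service port to see abuse begin.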

Mitigation

The following steps can help mitigate a DRDoS attack:


  * Use stateful UDP inspection, such as reflexive access control lists, on border firewalls or border routers to 
reduce the impact to critical services. [13 (link is external) [ 
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html ]] 
  * Use Border Gateway Protocol (BGP) to create a remotely triggered black hole (RTBH) route for the attacked address, 
preferably in coordination with upstream providers or ISPs. [14 (link is external) [ 
http://packetlife.net/blog/2009/jul/6/remotely-triggered-black-hole-rtbh-routing/ ]] 
  * Maintain a list of primary upstream provider emergency contacts to coordinate responses to attacks. Upstream 
providers should conduct mitigation in coordination with downstream customers. 

In general, ISP network and server administrators should use the following best practices to avoid becoming amplifier 
nodes:


  * Regularly update software and configurations to deny or limit abuse (e.g., DNS response rate limit). [15 [ 
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html ]] [16 [ 
https://tools.ietf.org/html/bcp38 ]] [17 [ https://tools.ietf.org/html/bcp84 ]] 
  * Disable and remove unwanted services, or deny access to local services over the Internet. 
  * Apply network-based rate limiting (e.g., quality of service (QoS) policies on switching and routing devices) to the 
UDP-based services that are legitimately offered over the Internet. 
  * Work with customer premises equipment (CPE) manufacturers for secure configuration and software. [18 (link is 
external) [ https://resources.sei.cmu.edu/asset_files/WhitePaper/2014_019_001_312679.pdf ]] 

As a service provider, to avoid any misuse of Internet resources:


  * Use ingress filtering to block spoofed packets (See the Spoofer Project [19 [ https://spoofer.caida.org/ ]], and 
IETF BCP 38 and BCP 84 guidelines). [20 (link is external) [ 
https://resources.sei.cmu.edu/asset_files/WhitePaper/2014_019_001_312679.pdf ]] 
  * Use traffic shaping on UDP service requests to ensure repeated access to over-the-Internet resources is not 
abusive. [21 [ https://tools.ietf.org/html/rfc2475 ]] [22 [ https://tools.ietf.org/html/rfc3260 ]] 
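A response rate limiter of the kind the first bullet in the previous list recommends (DNS response rate limiting) and the traffic-shaping bullet above describe, as an added example; it is not from the alert, and it is a model of the behaviour ISC describes rather than BIND's code. `ResponseRateLimiter`, its parameters (5 responses per second, 5-second window, slip of 2, /24 aggregation) and the constructed query mix in `demo()` are assumptions.

```python
"""Response rate limiting (RRL) for a UDP service.

Added example, not from the alert and not BIND's implementation; it models
the behaviour ISC describes for DNS RRL. Rate, window, slip ratio and the
/24 aggregation are assumed parameters; the traffic in demo() is constructed.
"""
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Token bucket per (client prefix, identical-response key).

    Reflection floods put one spoofed source (the victim) on every request, so
    capping identical responses per client /24 bounds what can be reflected at
    the victim without affecting other clients. Every `slip`-th response that
    would be dropped is instead sent truncated (TC bit set, no answer data); a
    real client retries over TCP, a spoofed source cannot.
    """

    def __init__(self, responses_per_second=5, window=5, slip=2, prefix_len=24):
        self.rate = responses_per_second
        self.burst = responses_per_second * window  # tokens a quiet client accrues
        self.slip = slip
        self.prefix_len = prefix_len
        self._tokens = {}
        self._last = {}
        self._dropped = defaultdict(int)

    def _key(self, client_ip, response_key):
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), response_key)

    def decide(self, client_ip, response_key, now):
        """Return 'send', 'slip' or 'drop' for one response at time `now` (seconds)."""
        k = self._key(client_ip, response_key)
        last = self._last.get(k, now)
        tokens = min(self.burst, self._tokens.get(k, self.burst) + (now - last) * self.rate)
        self._last[k] = now
        if tokens >= 1:
            self._tokens[k] = tokens - 1
            return "send"
        self._tokens[k] = tokens
        self._dropped[k] += 1
        return "slip" if self.slip and self._dropped[k] % self.slip == 0 else "drop"


def simulate(limiter, events):
    """events: (time, client_ip, response_key) tuples in any order. Returns
    {client_ip: {'send': n, 'slip': n, 'drop': n}} after applying the limiter."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, ip, key in sorted(events):
        counts[ip][limiter.decide(ip, key, t)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def demo():
    """Constructed second of traffic at a resolver: 1000 spoofed ANY queries
    'from' the victim 10.10.10.50 and 10 ordinary A queries from 192.0.2.10."""
    events = [(i / 1000, "10.10.10.50", ("ANY", "example.com")) for i in range(1000)]
    events += [(i / 10, "192.0.2.10", ("A", "example.com")) for i in range(10)]
    return simulate(ResponseRateLimiter(responses_per_second=5, window=5, slip=2), events)


if __name__ == "__main__":
    for ip, c in demo().items():
        print(ip, c)
```

The point of the simulation is the asymmetry: the legitimate client's ten queries are all answered, while the 1000 spoofed queries produce roughly 30 full responses, with the remainder split between silent drops and truncated "slip" replies, so the amplifier's contribution to the flood is bounded by the configured rate rather than by the attacker's request rate.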

References

  * [1] SIP: Session Initiation Protocol [ https://tools.ietf.org/html/rfc3261 ] 
  * [2] Amplification Hell: Abusing Network Protocols for DDoS (link is external) [ 
http://www.christian-rossow.de/articles/Amplification_DDoS.php ] 
  * [3] Amplification Hell: Revisiting Network Protocols for DDoS Abuse (link is external) [ 
http://www.christian-rossow.de/publications/amplification-ndss2014.pdf ] 
  * [4] DNS Amplification Attacks [ https://www.us-cert.gov/ncas/alerts/TA13-088A ] 
  * [5] NTP Amplification Attacks Using CVE-2013-5211 [ https://www.us-cert.gov/ncas/alerts/TA14-013A ] 
  * [6] Open LDAP Scanning Project [ https://ldapscan.shadowserver.org/ ] 
  * [7] CLDAP Reflection DDoS (link is external) [ 
https://www.akamai.com/us/en/about/our-thinking/threat-advisories/connection-less-lightweight-directory-access-protocol-reflection-ddos-threat-advisory.jsp
 ] 
  * [8] VU#550620: Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local 
link [ https://www.kb.cert.org/vuls/id/550620 ] 
  * [9] RIPv1 Reflection DDoS [Medium Risk] (link is external) [ 
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/ripv1-reflection-ddos-threat-advisory.pdf ] 
  * [10] A New DDoS Reflection Attack: Portmapper; An Early Warning to the Industry (link is external) [ 
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/ ] 
  * [11] Corero Warns of Powerful New DDoS Attack Vector (link is external) [ 
https://www.corero.com/company/newsroom/press-releases/corero-warns-of-powerful-new-ddos-attack-vector-with-potential-for-terabit-scale-ddos-events/
 ] 
  * [12] CLDAP is Now the No.3 Reflection Amplified DDoS Attack Vector, Surpassing SSDP and CharGen (link is external) 
[ 
http://blog.netlab.360.com/cldap-is-now-the-3rd-reflection-amplified-ddos-attack-vector-surpassing-ssdp-and-chargen-en/ 
] 
  * [13] Configuring IP Session Filtering (Reflexive Access Lists) (link is external) [ 
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html ] 
  * [14] Remotely-Triggered Black Hole (RTBH) Routing (link is external) [ 
http://packetlife.net/blog/2009/jul/6/remotely-triggered-black-hole-rtbh-routing/ ] 
  * [15] A Quick Introduction to Response Rate Limiting [ 
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html ] 
  * [16] Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing [ 
https://tools.ietf.org/html/bcp38 ] 
  * [17] Ingress Filtering for Multihomed Networks [ https://tools.ietf.org/html/bcp84 ] 
  * [18] Abuse of Customer Premise Equipment and Recommended Actions (link is external) [ 
https://resources.sei.cmu.edu/asset_files/WhitePaper/2014_019_001_312679.pdf ] 
  * [19] The Spoofer Project [ https://spoofer.caida.org/ ] 
  * [20] Abuse of Customer Premise Equipment and Recommended Actions (link is external) [ 
https://resources.sei.cmu.edu/asset_files/WhitePaper/2014_019_001_312679.pdf ] 
  * [21] An Architecture for Differentiated Services [ https://tools.ietf.org/html/rfc2475 ] 
  * [22] New Terminology and Clarifications for Diffserv [ https://tools.ietf.org/html/rfc3260 ] 

Revisions

  * February 9, 2014: Initial release 
  * March 7, 2014: Updated page to include research links 
  * July 13, 2015: Added RIPv1 as an attack vector 
  * August 19, 2015: Added Multicast DNS (mDNS) and Portmap (RPCbind) as attack vectors 
  * April 13, 2016: Updated detection and mitigation information 
  * November 4, 2016: Updated for LDAP attack vector 
  * December 4, 2017: Added information on CLDAP as an attack vector 


