Most of us who operate in the world of DDoS attacks have known about the reflective/amplified DDoS attack vector for several years. As a matter of fact Corero was warning the public that this attack vector was coming nearly 5 years ago; before the first attack of this type was ever observed. Today it seems the attackers will do whatever is necessary to take organizations offline.
In the early days of DDoS attacks the bigger the botnet you had – the better. There were reports of botnets containing millions of infected devices, located all over the work, being used in DDoS attacks. However as a result of detecting the massive botnets, law enforcement official began tracking down the botnet herders who controlled millions of devices, charged them with all sorts of crimes, and began tearing down their botnets. Today most botnets are nowhere near the size they used to be. As a matter of fact DDoS attackers really don’t need large botnets any longer since there is a better method available at the attacker’s fingertips. It’s called the reflective/amplified attack.
The new wave is here!
Today attackers do not need large botnets to generate extremely large attacks. Instead what they do is scan the entire Internet looking for devices that will help them pull off their attacks. Attackers silently scan the Internet with scripts that require almost no human intervention whatsoever. These scripts look for devices that are open to the Internet that can be used to flood someone else’s network. Say for instance you wanted to attack an organization with a large packet-per-second rate attack but only had a small botnet at your disposal. What would you do? Use the open and accessible devices you’ve found from your scans of the Internet to reflect an attack onto someone else. These devices in some cases can generate massive amounts of traffic.
Many of us have heard about the up-and-coming vulnerabilities with regards to the IoT (Internet of Things). These devices like any other device have an operating system, run a protocol stack, have a network interface (most often WiFi), and can communicate with other devices on the Internet. These devices are vulnerable to all sorts of exploits of system vulnerabilities that would allow an attacker to compromise them and obviously control them remotely. However they also have the huge potential to be used to help amplify reflective DDoS attacks against some helpless victim. The new wave is here.
For example in the latest report released by Akamai/Prolexic, “SSDP attacks made up more than 20% of the attack vectors, as compared to the findings in Q1 2014 report, where SSDP attacks were not observed at all. The proliferation of unsecured home-based, Internet connected devices (like baby monitors) using the Universal Plug and Play (UPnP) Protocol has made them attractive for use as reflectors.” SSDP (Simple Service Discovery Protocol) is the protocol that allows UPnP device to operate. It uses UDP port 1900.
Corero began seeing SSDP attacks in early Q3, 2014!
Corero also has observed a huge spike in SSDP attacks as well. I wrote a blog about SSDP attacks way back in September of last year. I find it interesting that Corero’s SmartWall® customers were detecting and defeating SSDP attacks beginning in Q3 of last year while at the same time Akamai had not detected these attacks until Q1 of 2015 – almost 6 months later. It begs one to ask why Akamai had not seen SSDP attacks previously. Is it a matter of Akamai not coming under SSDP attacks (which I find hard to believe) or did they simply have no ability to detect the attacks against their own infrastructure? I think the latter is most likely the case.
No need for big botnets any longer!
If a home or office network has any device like baby monitors, video cameras, routers, WiFi access points, etc. that have UPnP open to the Internet, those devices will respond back to the originator of the discovery packet, in this case the hacker. Once a hacker has a list of potentially millions of devices that are open to the Internet, the attacker will next use these devices almost like a botnet; however, none of these devices are under the control of the attacker. They are not part of any botnet but can be used in a reflective/amplified attack and in the case of SSDP they create a 30.8X amplification factor with regards to request traffic vs. response traffic. Meaning, the responses are 30.8 times larger than the requests.
Once the attacker has their victim in their crosshairs and knows the IP addresses of the victim’s network they will then gain access to a smaller botnet and use this botnet to send millions of discovery packets to the list of open UPnP devices the hacker found through earlier scans. However in the discovery packet the attacker will spoof the requester’s IP address to make it look like it came from his victim IP addresses. As a result the victim is flooded by massive amounts of discovery response packets effectively flooding the victim’s network with packets that all have the source port as UDP 1900.
Below is a picture that may help explain how these reflective/amplified attacks are pulled off. Please read the text boxes and take note of the arrows on the picture below. Until next time…