Thursday, 20 February 2014

What's The Next Reflection Attack

Two years ago we were all talking about DNS reflection attacks and the possibility that they might make an appearance. A year later they did just that, and on a massive scale. These DDOS attacks, which use distributed groups of machines to mount reflection attacks, have become known as Distributed Reflective Denial of Service attacks, or DRDOS.

Sadly, DNS servers were not the only part of the internet vulnerable to this sort of misuse, in which a perfectly valid (actually vital) piece of functionality is subverted and used to mount a Distributed Denial of Service (DDOS) attack. Just as we had been saying a few months ago, other, often forgotten protocols can also be misused to mount DDOS attacks.

And so it was that we saw the largest DDOS attack yet recorded, which used the obscure Network Time Protocol (NTP). Those of us who watch such things did see some evidence of such an attack building during the Christmas period of 2013: hackers were playing with the protocol to mount small-scale attacks. That appears to have been merely a proof of concept for what was to come some weeks later.

At least we now know the weapons that will be used, right? Personally I'm not sure internauts have quite understood the scale of the problem. Awareness is growing of the potential size of such attacks, but DNS and NTP are not the only tools that could be used. As I've been trying to say, there are several protocols that hold the potential to be misused in the same way.

The protocols that are potentially vulnerable are based upon the User Datagram Protocol (UDP). Many will have heard of TCP, which underlies much of what we do on the web, but few realise that UDP is running alongside it. Whereas TCP is designed to resend packets of data if they fail to arrive at their destination, UDP is more akin to fire and forget: it is what is called a connectionless protocol.

For protocols that run on UDP as opposed to TCP, it is slightly easier to spoof the sender's IP address, meaning that if the recipient is asked to return some data, that data can be diverted to an IP address that never requested it. In essence, this is a reflection attack. Imagine harnessing many systems that all request some service to return data, and that all pretend to be one target machine. That target will suddenly be deluged by the responses.

But what protocols run on UDP, and are thus liable to be usurped if not protected against? There are many, but they include the often used:
There are also protocols used for peer-to-peer networking that could be similarly misused:
There are even games that use potentially vulnerable protocols, such as the Quake Network Protocol, and niche communities like Steam.

An obvious question to ask is why hackers have chosen DNS and then NTP over any of these other possibilities. As ever, the devil is in the detail. If trying to mount a DDOS attack you want to divert as much data as possible to your target, and each of these protocols returns differing amounts, with bandwidth amplification factors (response bytes relative to request bytes) such as those shown here:

[Table of bandwidth amplification factors by protocol; only fragments survived extraction: a factor of "28 to 54", and the rows for Quake Network Protocol and Steam Protocol]

Once attackers had worked out that reflection attacks using DNS were a viable way of mounting DDOS attacks, it is not surprising that they opted to try NTP next, as it can produce up to 10 times more data. It also doesn't take long to realise that some other protocols, such as CharGEN and even the venerable QOTD, can produce more data than the original DNS attacks. Perhaps these are the next to be misused by attackers.
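The reflection pattern described above (a host receiving large volumes of service responses it never asked for, from many reflectors) is exactly what a defender can look for in flow records. The following is an added example, not code from the original post: it reads constructed NetFlow-style records, aggregates inbound UDP traffic per (destination, service), computes the observed bandwidth amplification factor (response bytes divided by request bytes) and flags hosts that look like reflection targets. The port-to-service map, field names and thresholds are assumptions chosen for illustration.

```python
"""Flow-based detection of UDP reflection/amplification traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services named in the post as candidate reflectors (assumed port map).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CharGEN", 17: "QOTD"}


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    sport: int    # source UDP port
    dst: str      # destination IP address
    dport: int    # destination UDP port
    packets: int
    nbytes: int


# Constructed sample flows: two ordinary request/response pairs, then a host
# (192.0.2.99) that sent no requests yet receives large NTP and CharGEN
# responses from several servers, which is the reflection signature.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 50123, "198.51.100.5", 123, 1, 90),
    Flow("198.51.100.5", 123, "192.0.2.10", 50123, 1, 90),
    Flow("192.0.2.11", 51000, "198.51.100.53", 53, 1, 70),
    Flow("198.51.100.53", 53, "192.0.2.11", 51000, 1, 180),
    Flow("203.0.113.1", 123, "192.0.2.99", 80, 400, 196000),
    Flow("203.0.113.2", 123, "192.0.2.99", 80, 380, 186200),
    Flow("203.0.113.3", 123, "192.0.2.99", 80, 420, 205800),
    Flow("203.0.113.4", 19, "192.0.2.99", 80, 100, 102400),
    Flow("203.0.113.5", 19, "192.0.2.99", 80, 50, 51200),
]


def summarize(flows, ports=REFLECTOR_PORTS):
    """Aggregate per (host, service): bytes of responses the host received from
    reflector ports, bytes of requests it sent to that service, and the set of
    distinct reflector sources seen."""
    stats = defaultdict(lambda: {"resp_bytes": 0, "req_bytes": 0, "reflectors": set()})
    for f in flows:
        if f.sport in ports:                      # server -> client direction
            entry = stats[(f.dst, ports[f.sport])]
            entry["resp_bytes"] += f.nbytes
            entry["reflectors"].add(f.src)
        if f.dport in ports:                      # client -> server direction
            stats[(f.src, ports[f.dport])]["req_bytes"] += f.nbytes
    return stats


def observed_baf(entry):
    """Observed bandwidth amplification factor for one (host, service) entry.
    None means the host sent no requests at all: the traffic is unsolicited."""
    if entry["req_bytes"] == 0:
        return None
    return entry["resp_bytes"] / entry["req_bytes"]


def flag_reflection_targets(flows, min_resp_bytes=100_000, max_baf=10.0, min_reflectors=2):
    """Return (host, service, resp_bytes, baf, n_reflectors) tuples, largest first,
    for hosts receiving a large response volume from several reflectors with
    either no matching requests or an implausibly high response/request ratio."""
    hits = []
    for (host, service), e in summarize(flows).items():
        if e["resp_bytes"] < min_resp_bytes or len(e["reflectors"]) < min_reflectors:
            continue
        baf = observed_baf(e)
        if baf is None or baf > max_baf:
            hits.append((host, service, e["resp_bytes"], baf, len(e["reflectors"])))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for host, service, nbytes, baf, n in flag_reflection_targets(SAMPLE_FLOWS):
        ratio = "unsolicited" if baf is None else f"{baf:.1f}x"
        print(f"{host}: {nbytes} bytes of {service} responses from {n} reflectors ({ratio})")
```

The ratio check matters because a legitimate client of an amplifying service also shows a response/request ratio above 1; what distinguishes a victim is the combination of volume, many distinct reflectors and requests that are absent or tiny relative to the responses. On a real collector the same grouping runs over exported flows rather than the constructed list.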

Whichever protocol is used in future attacks, one thing is certain: mounting such attacks is becoming easier. The reason is that attackers are producing toolkits that allow someone with little technical knowledge to press a button and fire off a DDOS attack based on UDP-based protocols. We have already seen version 1.1 of a DNS-based toolkit circulating, so I can't believe it will be long before we see an NTP-based toolkit, or possibly even a toolkit that allows you to select your preferred attack protocol.

However, before you throw up your arms and think the Internet is doomed, it is worth noting that there are defences against such attacks. Since 2000 there has been a standard (BCP38) which shows ways of defeating attacks that use IP spoofing: a network should not forward packets whose source address could not legitimately have come from the interface they arrived on. Needless to say there are many commercial products that will help you do this, but I don't intend to recommend any in particular, if only because in choosing such products context is everything.
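To make the BCP38 idea concrete, here is an added example (not from the original post, and not any vendor's implementation) that simulates ingress filtering on an access router: each customer-facing interface is configured with the prefixes assigned behind it, and a packet is forwarded only if its source address falls within one of them. Interface names, prefixes and the sample packets are constructed for illustration.

```python
"""BCP 38 style ingress filtering, simulated in Python (added example)."""
import ipaddress

# Constructed access-router configuration: interface -> prefixes assigned to it.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}


def ingress_allowed(interface, src_ip, table=INTERFACE_PREFIXES):
    """The BCP 38 check: True only if src_ip lies within a prefix assigned to the
    interface the packet arrived on. Unknown interfaces and unparsable
    addresses are rejected, so the filter fails closed."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in table.get(interface, []))


def filter_packets(packets, table=INTERFACE_PREFIXES):
    """packets: iterable of (interface, src_ip, dst_ip) triples.
    Returns (forwarded, dropped) lists in arrival order."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if ingress_allowed(iface, src, table) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


# Constructed traffic: two legitimate packets, two whose source address is not
# assigned to the arrival interface (the spoofing a reflection attack relies on),
# and one from an interface with no configured prefixes.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.77", "203.0.113.10"),          # legitimate
    ("eth2", "2001:db8:1::5", "2001:db8:ffff::1"),   # legitimate (IPv6)
    ("eth1", "203.0.113.200", "198.51.100.123"),     # source outside eth1's prefix
    ("eth2", "192.0.2.77", "198.51.100.123"),        # eth1's prefix arriving on eth2
    ("eth3", "10.0.0.1", "198.51.100.123"),          # unknown interface
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

On production routers the same rule is expressed as an ingress access list per customer interface or as strict unicast reverse-path forwarding, which derives the allowed sources from the routing table instead of a static list. The important property is the one the simulation shows: the check is made at the edge where the packet enters the network, because that is the only place the source address can still be verified.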

One very useful place to start is the Spoofer Project which aims to help you understand the susceptibility of the Internet (or at least that part which you inhabit) to IP spoofing.

DRDOS attacks are here to stay, and 2014 is likely to see them growing in size and number. As with all DDOS attacks, you won't stop them, but you can mitigate them significantly. The trick is to be aware and get prepared.