Exploiting built-in network protocols for DDoS attacks
A distributed denial-of-service (DDoS) attack is an attempt to make an online service unavailable to its users, usually by temporarily interrupting or suspending the services of its hosting server. The power of such an attack is amplified by distributing it across a large number of servers or senders instead of launching it from a single one.
In general, a DDoS attack is launched from a vast number of compromised devices distributed around the world and organized into a huge cluster, known as a botnet. Each device behaves much like a single internet-connected machine flooding a target with malicious traffic; the difference is that all of them flood the target at the same time, with the intent of causing unavailability.
Different groups of DDoS and attack types
A distributed denial-of-service attack can pursue different goals and is usually divided into three main groups:
Volume-based attacks: This group includes UDP floods, ICMP floods and other spoofed-packet floods. Their aim is to saturate the bandwidth of the attacked site. The magnitude of the attack is measured in bits per second (bps).
Network protocol attacks: This group includes SYN floods, fragmented-packet attacks, ping of death and smurf DDoS. Such attacks exhaust the resources of the server, or even of intermediate network equipment such as firewalls and load balancers. The magnitude of the attack is measured in packets per second (pps).
Application layer attacks: This group includes low-and-slow attacks and GET/POST floods, and often targets vulnerabilities in web servers and operating systems. The main goal of this attack is to crash the system. Its magnitude is measured in requests per second (rps).
Exploiting built-in network protocols
According to the Federal Bureau of Investigation (FBI), criminals are using built-in network protocols for large-scale distributed denial-of-service (DDoS) amplification attacks. The motivation behind this kind of DDoS attack is to amplify the damage of a targeted attack, which can lead to significant disruptions in operations and impact services.
In this report, the FBI highlights the recent DDoS amplification attacks and compares them with incidents that occurred in December 2018, when cybercriminals exploited the multicast and command transmission features of the Constrained Application Protocol (CoAP). That attack wave used CoAP devices accessible via the internet and geolocated in China to perform a wide attack using peer-to-peer networks.
Some months before, on February 28, 2018, the GitHub website was hit by the biggest distributed denial-of-service (DDoS) attack recorded up to then, peaking at a record 1.35 Tbps. Misconfigured Memcached servers were used to amplify the attack.
In 2019, attackers took aim at the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks in the wild, many of which reached a magnitude of 350 gigabits per second (Gbps). As Internet of Things (IoT) devices use WS-DD to detect other devices nearby, more than 630,000 devices with this protocol enabled were used to amplify DDoS attacks. In the same year, security experts reported an increase in the use of misconfigured IoT devices in attacks of this kind.
Towards the end of 2019, a new wave of attacks was observed. In October 2019, criminals used the Apple Remote Management Service (ARMS) to amplify a DDoS attack. This protocol is used by companies to manage their Apple computers in a simple way.
More recently, in February 2020, a group of researchers found a novel vulnerability in the built-in network discovery protocols of Jenkins servers, which could be used in amplified DDoS attacks.
The flaw, tracked as CVE-2020-2100, was discovered by Adam Thorn of the University of Cambridge. The vulnerability affects Jenkins 2.218 and earlier, as well as LTS 2.204.1 and earlier.
“Jenkins’ vulnerability is caused by an auto-discovery protocol that is enabled by default and exposed in publicly facing servers,” explained Radware security evangelist, Pascal Geenens. “Disabling the discovery protocol is only a single edit in the configuration file of Jenkins and it got fixed in last week’s patch from a default enabled to disabled.”
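The common trait of the attacks above is that the victim receives large UDP responses from many legitimate servers, all answering on the well-known port of the abused protocol. As an added example (not code from the article or the FBI notification), the following Python flags that pattern in flow records: the port numbers are standard service assignments, the flow records are constructed, and the window and thresholds are assumptions a defender would tune to their own network.

```python
from collections import defaultdict

# UDP ports of the amplifier protocols the article names (standard assignments, not from the article).
AMPLIFIER_PORTS = {11211: "memcached", 5683: "CoAP", 3702: "WS-Discovery",
                   3283: "Apple Remote Management (ARMS)", 33848: "Jenkins discovery"}

# Constructed sample flow records (not captured traffic), one per line:
# ts src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
0 198.51.100.7  11211 203.0.113.10 44123 udp 1450000 1000
0 198.51.100.8  11211 203.0.113.10 44123 udp 1450000 1000
1 198.51.100.10 3702  203.0.113.10 44123 udp  960000  600
2 192.0.2.5     3702  203.0.113.10 44123 udp  960000  600
2 192.0.2.6     3283  203.0.113.10 44123 udp  800000  400
3 192.0.2.7     443   203.0.113.10 50123 tcp  120000  150
3 192.0.2.8     5683  203.0.113.20 44124 udp    1200    4
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    keys = ("ts", "src", "sport", "dst", "dport", "proto", "bytes", "pkts")
    ints = {"ts", "sport", "dport", "bytes", "pkts"}
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == len(keys):
            flows.append({k: int(v) if k in ints else v for k, v in zip(keys, f)})
    return flows

def detect_reflection(flows, window_s=5, min_reflectors=3, min_bps=1_000_000):
    """Flag destinations hit by UDP from many hosts answering on amplifier ports.
    Fan-in of distinct sources per victim plus the bit rate is the signal; rates
    are reported in the article's units (bps for volume, pps for packet floods)."""
    per_victim = defaultdict(lambda: {"srcs": set(), "bytes": 0, "pkts": 0, "protos": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMPLIFIER_PORTS:
            continue  # ignore TCP and UDP that does not come from an amplifier port
        v = per_victim[f["dst"]]
        v["srcs"].add(f["src"])
        v["bytes"] += f["bytes"]
        v["pkts"] += f["pkts"]
        v["protos"].add(AMPLIFIER_PORTS[f["sport"]])
    alerts = {}
    for dst, v in per_victim.items():
        bps = v["bytes"] * 8 / window_s
        if len(v["srcs"]) >= min_reflectors and bps >= min_bps:
            alerts[dst] = {"reflectors": len(v["srcs"]), "bps": bps,
                           "pps": v["pkts"] / window_s, "protocols": sorted(v["protos"])}
    return alerts
```

On the sample above, 203.0.113.10 is flagged with five reflectors across three protocols, while the single small CoAP flow to 203.0.113.20 stays below both thresholds.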
The motivation behind DDoS attacks
DDoS attacks are the most prevalent cyber threat, increasing in both number and volume over the years. These attacks are often driven by different motives, including:
- Ideology: Hacktivists use DDoS attacks to target websites they disagree with.
- Business: Attacks to take down competitors’ websites or services.
- Adrenaline rush: Script kiddies use pre-written scripts to launch DDoS attacks, with the main goal of getting an adrenaline rush.
- Extortion: DDoS attacks are used as a means of extorting money from their targets.
- Cyberwarfare: DDoS attacks authorized and launched by governments to damage an enemy country’s infrastructure.
Mitigating a multi-vector DDoS attack requires a variety of strategies. Separating legitimate from malicious traffic is a hard task, and the attacker’s goal is to disguise the attack as much as possible so that any mitigation effort becomes ineffective.
Some effective countermeasures involve dropping or limiting network traffic, such as:
- Blackhole routing
- Rate limiting
- Web application firewall
- Anycast network diffusion
Last but not least, ensure that all devices, including IoT devices, network equipment, servers, web services, software in general and operating systems, are up to date with security patches applied.
What is a DDoS Attack?, Cloudflare
Cyber Actors Exploiting Built-In Network Protocols to Carry Out Larger, More Destructive Distributed Denial of Service Attacks, FBI Private Industry Notification
Biggest DDoS Attack Ever Recorded, Segurança Informática
DevOps Alert: 12,000 Jenkins Servers Exposed to DoS Attacks, Infosecurity Magazine