Small Effort, Big Annoyance – Three New DDoS Amplification Techniques to Know

Every DDoS attack is an annoying DDoS attack, to be sure. The downtime, the lost revenue, the degraded reputation: it’s always a bummer no matter what variety of attack did the damage. However, when you’re hit with a behemoth network-layer attack from an IoT botnet or a sophisticated application-layer attack that required a lot of homework, at least you know the attackers had to do a fair bit of work. At least they had to build that botnet, or refine their attack to target your server-side resources specifically.

With an amplification attack, there tends to be no such satisfaction. With minimal resources and just a few requests attackers can produce a DDoS assault of epic proportions. They’re the small effort, big results attacks, and it’s no wonder attackers have spent the last year or so coming up with a few new amplification techniques.

Thinking smarter

If you’ve been looking for one more good reason to invest in anti-DDoS protection, lo and behold, here it is. Amplification attacks tend to be the big bruising variety of distributed denial of service network-layer attacks, the kind that any ol’ cloud-based DDoS mitigation service or highly scalable DDoS protection can handle by simply having enough bandwidth to absorb the traffic.

To add a new weapon to their arsenal, attackers have found a way to get crafty with an amplification technique. They’re using an unfortunate default setting in the Universal Plug and Play protocol – the AddPortMapping command – to forward requests that are spoofed to look as though they’re coming from the intended victim to an external DNS, NTP or SSDP server, with commands to reroute the requests and the server responses through irregular source ports. By the time the external server’s responses reach the victim – large responses compared to the original requests, of course, as DNS, NTP and SSDP are all classic amplification techniques – the source port is obfuscated because of the rerouting. This makes the attack much harder to mitigate, because filtering out attack traffic can no longer rely on the well-known source port in the header and instead requires deep packet inspection, a much more resource-intensive process. Without dedicated mitigation equipment or a leading cloud-based mitigation service, it might not be possible.

Thinking bigger

Memcached servers are, as you might expect, cache servers designed to ease the burden on a website’s back-end data sources by serving up cached content to visitors. These servers are free, open-source, very helpful and highly popular, storing huge amounts of content. However, many of these public-facing Memcached servers by default listen on port 11211. This makes it easy for attackers to once again spoof the IP of their intended victim and request statistics from Memcached servers, ensuring a response so large that even a single one has the potential to cause a DDoS attack. Up the number of spoofed requests and the return grows in huge proportions.

NTP amplification attacks previously reigned as the method with the biggest amplification factor, producing a response up to 557 times bigger than the initial request. An amplification factor that used to be scary is now positively cute when it’s put up beside Memcached, which boasts an amplification factor anywhere from 9000 to 51,000. This technique has already been put to use setting a new DDoS size record, with a 1.7 Tbps attack hitting an unnamed target earlier this year.

A new classic

It can be tiring to be a cybercriminal. Sometimes DDoS attackers don’t want to be bothered coming up with a new technique that makes amplification attacks crafty, or one that blows all previous amplification factors out of the water. Sometimes an attacker just wants to take advantage of a service that never needed to be exposed, and turn it into an amplification technique that’s an instant classic, like LDAP amplification.

Lightweight Directory Access Protocol (LDAP) is a protocol that makes it easy to access internet directories. Thanks to port 389, this protocol also makes it easy to launch DDoS amplification attacks. Attackers simply scan for servers with port 389 open, as this port carries connectionless LDAP (CLDAP), which runs over UDP and therefore answers requests whose source address has been spoofed. Attackers then spoof the IP of the victim, send requests to these servers, and sit back while the LDAP servers send their voluminous responses to the victim server. LDAP’s amplification factor has been found to range between 46 and 55 – nothing close to Memcached, of course, but enough to make trouble for websites lacking scalability in their DDoS mitigation.
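The UPnP, Memcached and LDAP techniques described above all look the same from the victim’s side: oversized UDP replies from many reflectors, all aimed at one address. As an added example that is not part of the original post, here is a small Python detection heuristic run over constructed flow records; the reflector port table, the packet-size threshold and the record layout are assumptions, not any product’s API.

```python
"""Flag likely amplification (reflection) responses in UDP flow records.

Added example, not from the original post. The flow records below are
constructed; the port table and the heuristic are illustrative, not a tool's API.
"""
from collections import defaultdict

# Reflector service ports the post discusses (well-known UDP ports).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached", 389: "CLDAP"}

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    ("198.51.100.7", 11211, "203.0.113.5", 40000, 750_000, 520),  # memcached stats reply
    ("198.51.100.8", 11211, "203.0.113.5", 40001, 690_000, 480),  # second reflector
    ("192.0.2.10",   389,   "203.0.113.5", 40002,  52_000,  40),  # CLDAP reply
    ("192.0.2.11",   389,   "203.0.113.5", 40003,  60_000,  45),  # second CLDAP reflector
    ("192.0.2.12",   123,   "203.0.113.5", 40004,  48_000, 100),  # NTP, small packets
    ("203.0.113.5",  40000, "198.51.100.7", 11211,     60,   1),  # outbound request
    ("192.0.2.20",   53,    "203.0.113.9", 51000,     300,   2),  # ordinary DNS answer
]

def avg_packet_size(flow):
    """Mean bytes per packet; amplified replies are large, normal answers are not."""
    return flow[4] / flow[5] if flow[5] else 0.0

def suspected_amplification(flows, min_avg_pkt=800, min_reflectors=2):
    """Group inbound large-packet flows by victim IP and reflector service.

    Signature of an amplification attack: one destination receiving big
    packets from several distinct sources whose source port is a reflector
    service. Returns {victim_ip: {service: {"sources": n, "bytes": total}}}.
    """
    per_victim = defaultdict(lambda: defaultdict(lambda: {"sources": set(), "bytes": 0}))
    for flow in flows:
        src_ip, src_port, dst_ip, _dst_port, nbytes, _pkts = flow
        service = REFLECTOR_PORTS.get(src_port)
        if service is None or avg_packet_size(flow) < min_avg_pkt:
            continue  # not from a reflector port, or replies are not oversized
        entry = per_victim[dst_ip][service]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
    report = {}
    for victim, services in per_victim.items():
        hits = {svc: {"sources": len(e["sources"]), "bytes": e["bytes"]}
                for svc, e in services.items() if len(e["sources"]) >= min_reflectors}
        if hits:
            report[victim] = hits
    return report
```

On the constructed data only the Memcached and CLDAP flows toward 203.0.113.5 are reported; the NTP flow is dropped because its packets are small, and the single DNS answer to another host never reaches the reflector-count threshold.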

An exercise in frustration

Not only are amplification attacks annoying because there’s so much malicious payoff for so little malicious effort, but they’re also annoying because if information technology security were where it needs to be, many amplification techniques wouldn’t even be possible. There’s no good reason for port 389 to be open. The Universal Plug and Play protocol shouldn’t 1) make remote access so easy or 2) allow port mapping to be remotely controlled. Further, there has been a patch issued to rectify the DDoS vulnerability on Memcached servers.

However, all of these amplification techniques are still going strong, as are ones that predate these new techniques by decades. If you’re trying to decide whether to bet on the entire internet tightening up its basic security, or professional cloud-based DDoS protection, smart money is on the latter.