Background and introduction
A Combo Distributed Reflective Denial of Service attack (CDRDoS) takes DRDoS attacks to its next level with the combination of using more than one attack reflection vector concurrently towards a targeted host, this article will focus on its origin and where we believe it has evolved from.
Popular Layer 3 UDP Flood attack protocols include – DNS, NTP, CHARGEN, SSDP and SNMP due to large amounts of connected hosts on the internet and the amplification which can be received. A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP services, as well as bandwidth amplification factors, to overwhelm a target system with UDP traffic.
UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to spoof the IP packet datagram to include an arbitrary source IP address. When many UDP packets have their source IP address forged to a single address, the server responds to that target, creating a reflected Denial of Service (DoS) Attack.
Before Distributed Reflective attacks, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack. Now, a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes it relatively easy to conduct DDoS attacks.
300gbit DNS Reflection attack on the 27th March 2013
CyberBunker launched an all-out assault, described by the BBC as the world’s biggest ever cyberattack, on the self-appointed spam-fighting company Spamhaus, which maintains a blacklist used by email providers to filter out spam.
400gbit NTP Reflection attack on the 11th of February 2014
Whilst specific details of this attack have never been released we know Cloud Flare stated they experienced a 400gbit NTP Reflection attack towards one of its customers, making it the largest publicly advertised attack event to date. The team at DERP claimed responsibility on twitter for the attack using their Gaben Laser Beam (GLB™)
DERP (sometimes referred to as DerpTrolling) is the name of a hacker group that has been active since 2011. They have largely used Twitter to coordinate distributed denial of service attacks on various high traffic websites. DERP current primary targets of attacks seem to target game service providers.
DERP GLB™ attack technology which was publicly named on the 3rd of January 2014 for its involvement against an attack which targeted riot game servers hosted within Internap NY, which in turn affected Internap’s global network. The DERP GLB™ attack tool looks to be originally based on exploiting the NTP protocol targeting NTP servers that reply to mon_list command. The combination of a spoofed source address creates a distributed reflection denial of service attack (DR DoS)
However, we suspect this tool was used much earlier evolving in late December 2013 and early January 2014as NTP DR DoS attacks started making waves across the internet targeting game service providers and bringing network protection services down to their knees, such as the below tweets whilst DERP developed a list of open NTP servers.
DERP don’t only use NTP as an attack vector. They often make comments online with regards to fax machines, fridges, printers and other devices being used as the fuel for attacks. Typically speaking, fax machines, networked printers etc. can utilise the Character Generator Protocol (CHARGEN) which is another attack vector which can be used within a DR DDoS.
DERP’s understand the importance of building a targeted sophisticated attack towards a network to achieve the goal of taking down a service by targeting the network providing the services. These targeted network layer attacks renders on premise solutions useless and highlights the importance of distributed mitigation against such attacks.
An important component for any DRDoS tool is the reliance on having access to a list of hosts (ammunition) which can be used for amplification attacks. Meanwhile the world of system administrators and network operators thanks to the various teams such as http://openntpproject.org/ http://openresolverproject.org/ along with http://www.team-cymru.org are forever publishing and notifying network owners in attempt to decrease the amount of usable ammunition.
The end result is the once extremely large pool of hosts which have been used for DRDoS attacks is slowly deceasing each day as services are patched and updated, and traffic is firewalled from public access.
This is why we suspect Global leading DDoS Analytics (such as Prolexic, Cloud Flare, Staminus, Akamai) over the last few months have all reported a decrease in the total size of DRDDoS attacks since the well-published 400gbit attack launched by DERP towards a Cloud Flare customer.
The downside for people looking to exploit these vulnerable protocols is their attack pool of hosts is constantly decreasing, as more attacks are launched from hosts which are vulnerable the additional traffic draws attention to the hosts owners which in turn is then often rectified by system administrators further deceasing the total capacity of individual protocols.
Null routed is typically when the target IP address under attack get null routed on a network device. Global network operators often run black hole BGP communities (often 666) which allows the injection of a /32 route which can null route traffic upstream within networks they directly connect to, and in most cases this /32 route also accepted upstream to the providers provider all the way to tier 1 global networks. This action quickly and effectively completes the attack taking the /32 offline however at the same time removes side effects of collateral damage which can be cause latency due to insufficient network capacity.
What’s Interesting is on the 2nd of August DERP hinted at the construction of a new super weapon via Twitter:
It’s clear that whilst the DERP GLB is an extremely powerful tool capable of causing mayhem towards networks globally and frightening network operators, the reliance on establishing extremely large attacks from hosts which can be used are diminishing every day as system administrators patch open boxes.
From previous reports and above examples, DERP is well professed in creating and launching UDP flood attacks along with being familiar with many different UDP protocols. On the 2nd of August - the same day DERP reported a new “super tool” - we captured a glance of what we believe is to come over the coming months from DERP using a combination of UDP attack vectors simultaneously.
At this stage we are calling this a Combo DRDDoS attack (CDRDoS) which so far in the real world is the combination of NTP, DNS, SSDP and CHARGEN reflection amplification traffic targeting concurrently a single host. We suspect in the future the addition of SNMP will be added to further increase attack capacity.
Our thoughts are, why use one attack vector when you can create a 'super weapon' which simultaneously uses multiple attack vectors to create even larger targeted attacks against a single /32 destination especially when each protocol’s attack capacity on its own is being constantly eroded by system administrators patching systems globally.
We believe this new super weapon or a variant of it was used to target one of our Soak and Scrub customers on the 2nd of August 2014 reaching speeds of 40+gbits internationally and over 1.2gbit domestically within Australia. Whilst this attack is very small compared to previous global attacks of 400gbit, we believe it represents the start of the age of what is to be expected in the future for denial of service attacks.
What was surprising was the amount of local Australian attack traffic generated within this combination attack which is significantly higher than what Micron21 has normally observed in previous DRDoS Attacks within Australia. In a previous 34gbit NTP attack reported on the 9th only 100mbits of attack traffic was generated domestically.
The question to be asked is: was this new attack the “super weapon” DERP have created being tested out on the same day they said something new has been built ?
The above screen capture shows the simultaneous use of multiple UDP protocols creating CDRDoS attack towards a /32 IP address. The attack utilized NTP traffic on port 123, DNS traffic on port 53, SSDP traffic on port 1900, and CHARGEN traffic on port 19, creating an attack which peaked above 40gbit/s via using the combination of different protocols simultaneously.
The above screen capture shows Interface netflow statistics further confirming the use of multiple UDP vectors within a single attack seen on the 2nd of August. Whilst the above interface did not receive CHARGEN traffic it was received on other interfaces within the same attack.
If you are reading this article and have more information to contribute towards what we have observed, or represent DERP and can provide technical information regarding the “super weapon” we would love to hear from you. Please email firstname.lastname@example.org
By proactively monitoring our Micron21 infrastructure and customers networks we can provide around the clock support adapting to threats dynamically as they occur with real-time visibility. Whilst large attacks occur the majority of attacks which we block are only a handful of packets.
Interested in more photos of our Melbourne Australia Operation Centre? Please read here
The above article was written by James Braunegg from Micron21 and published on the 11th of August 2014