Trends in DDOS: amplification attacks

A typical Distributed Denial of Service attack looks like this: first, infect a large number of machines with malware. You’ll now be able to control those machines, acting as servants in your botnet. When the time is right, send all of the machines under your command the instruction to attack your target. They will now start to send as much data to your target as they can, hoping to overwhelm the target’s bandwidth and server capacity. The result: the targeted website can’t deal with the traffic and is forced offline.

Both attackers and those defending against them are always looking for more effective techniques.  An attacker can dial up the level of onslaught by using amplification. A popular method, which has been around for a number of years, is to abuse the Internet’s address book: the Domain Name System. In a DNS amplification attack, the attacker has their botnet send numerous requests to a DNS server. The source IP address in these requests is faked to look like they came from the intended target, and that’s where the DNS server will send all its responses to. A small request (just ask for all information in a DNS zone) can generate large replies, so for every single request a machine in your botnet does, a much larger volume of data is directed towards your target. Not only does this amplify the magnitude of the attack, easily generating enormous amounts of traffic, but it’s also hard to defend against: if you run a network, you might not really want to cut off communications with the DNS system.

Recently, we’ve been seeing a new approach where hackers are using memcached servers to amplify their attacks. Used properly, a memcached server can speed up your website by storing data in memory, in order to reduce the number of times you need to retrieve information from a database or API. A lot of large websites have deployed memcached servers and, apparently, not all of them are well protected. The concept of a memcached amplification attack is similar: have your botnet send small queries to a vulnerable memcached server, using a fake source IP address. The memcached server will then send large replies back to your target. A 15 byte request can result in a reply of hundreds of kilobytes, amplifying your attack at least 10,000 times. Abusing these servers, hackers have managed to generate DDOS attacks of up to 1.7 Tbps. That’s 1,700,000,000,000 bits per second! Good luck defending against that.

To stop these attacks, we’ll need the people running memcached servers to secure them. Usually, only machines on their local network would need to send requests or receive replies and a firewall should block other attempts to access them. However, it might take a while for every last person running a memcached server to configure it properly. Until then, expect to see a few more huge attacks.

Leave a Comment

Your email address will not be published.