DDoS attacks – an explanation of amplified reflective UDP-based attacks

One of the most common types of DDoS attacks is the UDP-based amplified reflection attack. I will now explain how this attack works and what makes it so hard to protect against it.

The most targeted systems is web servers. Any system attached to internet can be victim of a DDoS attack and this attack works just as well on all types of systems. But for this video, lets assume that the victim is the web server.

This system is connected to internet via a local internet connection with a bandwidth of lets say 200 Megabits per second. There is a firewall filtering and inspecting all traffic between the web server and internet. It has a capacity of 500Mbps. The internal network has a capacity of 1 Gbps, that is roughly 1000 Mbps. Finally the web server itself can handle 100Mbps.

This system is sized for 100Mbps which means that the weaker link of the chain, which is the web server, has a capacity of 100Mbps. If there would ever be a demand for more traffic, the web server could be upgraded to handle more traffic and the bottleneck would instead be the internet connection of 200Mbps. This upgrade race could continue forever upgrading the weakest point of the traffic flow to keep up with the demands of bandwidth and performance.

When it comes to UDP-based attacks however, the traffic flow normally stops and terminates in the firewall.

This means that the capacity of the parts behind the firewall is irrelevant and in this case the weakest link is the 200Mbps internet link.

If the link, or the firewall is exhausted, it will start dropping packets. The result of this is retransmissions and eventually outage of service. The webpage will become slow or unresponsive.

So, if the weakest link is 200Mbps, all it takes to do a Denial of Service attack is to generate more than 200Mbps of traffic.

If Evil Bob who have the intention to attack the web server has more than 200Mbps of bandwidth at home he could in theory create this attack all by himself. However, doing that will most probably draw attention to him from his ISP when generating that massive amount of traffic.

Instead of generating this traffic directly to the victim web server he generates traffic to reflectors. The reflectors are servers on internet that has no intentions to be part of any DoS-attack.

To be able to do a reflective DoS-attack the attacker uses UDP which is stateless. He sends traffic to the reflector using the victim web server as source address for the traffic, which makes the reflectors believe that the traffic came from the web server, and the reflectors will send replies to the web server.

If the attacker used TCP packets which are stateful, the packet from the attacker would be a SYN-packet and the response from the reflector to the victim would be a SYN-ACK-packet which has no payload and is rather small.

By using any kind of stateless UDP-packets where the query, the first packet, is small and the response, in this case sent from the reflector to the victim, is bigger, the attack would be amplified. If the amplification factor was 1 to 10, the attacker could generate 20Mbps of UDP queries to the reflectors and the responses fro the reflector to the victim would be 10 times bigger, 200Mbps. This is called an amplified attack.

There are different types of UDP-based protocols used in amplification attacks today. The most common types uses DNS or NTP-servers. In both cases, proper configured DNS and NTP-servers does not answer to this types of queries. But there are many not properly configured DNS and NTP-servers on internet which can be used as reflectors for these attacks.

To further strengthen these attacks, the attacker does not send the UDP-packets himself to the reflectors. Instead he uses botnets for this. A botnet is a number of malware infected computers spread over the world that the botnet controller can use for various purposes. Your or mine virus infected computer can be part of this botnet. If the infected computer does not do anything active it is called a zombie. It is often a background process running in the computer invisible for you and me, just waiting for commands from the command and control server managing the botnet.

In the DDoS-scenario the botnet command server is called a stresser or booter delivering DDoS-attacks as a service on internet. Anyone with a credit card can pay a few dollars to the person in charge with the stresser and this will deliver a DDoS-attack against the target of choise.

So, in a typical DDoS-attack, Evil Bob is just a person wanting to take down a service on internet. He visits a web page delivering stresser services. He enters his credit card number and points out the address to the target he wants to take down and depending on how much he pays, the stresser will deliver an attack at a certain bandwidth and time. The more money, the more traffic is sent and for a longer period. A normal price can be 30 minutes of attack at a rate of 1.5Gbps at a cost of 15 USD.

The stresses will send commands to the botnet, and the botnet members sends UDP packets to the reflectors with spoof source IP addresses. The reflectors sends their amplified responses to the target.

The challenge with mitigating these attacks onsite is that you need to have enough bandwidth and resource to handle the incoming attacks. Today many attacks are in the the amplitude of one of several Gigabits per second so upgrading the internet connection and firewall to handle this amount of traffic would protect the internal resources from being exhausted. But the price that comes with handling all this traffic is in most cases unrealistic high. And the only thing left to do is to filter and block this traffic before it reaches the weakest links of the chain. Most major ISP:s can today handle this traffic and filtering the DDoS attack within your ISP premises is often the only option left. If they can deliver this service. And if the price for this service is reasonable.

There are a few long term solutions to DDoS-attacks.

First of all, botnets are being used as a tool to scale up DDoS-attacks. Working with eliminating botnets and malware will reduce the impact of DDoS attacks.

Second, unpatched servers being used as reflectors should be upgraded and properly configured. When using DNS-service as amplifying reflectors, the attacker takes advantage of the fact that the server is configured as an open resolver. In most cases the DNS-servers should be configured like this and proper configuration of these servers would make them less attractive as amplifying reflectors.

Third. In my opinion the most powerful counterfeit of DDoS attacks would be of ISP:s around the world would implement unicast reverse path forwarding, also known as uRPF. This is also called source filtering. When an ISP that has customers that are part of bonnets that is being used in DDoS-attacks, these client computers sends spoofed packets. This is being allowed by each local ISP since they do not verify the source address of the traffic coming from their customers. The ISP knows that traffic sourced from their customer should have certain specific ranges of addresses in the source field of the IP packets. Today most ISP:s does not implement uRPF which makes source address spoofing easy to use.

DDoS attacks are in my opinion the biggest and most severe threat to todays internet. And there is no silver bullet that protects us. And as long as anyone with a credit card and 25 dollars can buy an attack we will see these attacks.

My name is Jimmy Larsson, please visit my blog at nat0.net

Tagged with: , , , , , , , ,
Posted in General Security, Security

Leave a Reply

Your email address will not be published. Required fields are marked *



[mc4wp_form id="2457"]
Website Security Test