~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

Criminals are upping the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol that drastically increases the amount of junk traffic directed at targeted servers.

DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections that allow targets to withstand ever-larger torrents of traffic, the criminals respond with new ways to make the most of their limited bandwidth.

Getting amped up

In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. The intermediaries then send the targets responses that are tens, hundreds, or thousands of times bigger. The redirection works because the requests replace the IP address of the attacker with the address of the server being targeted.

Other well-known amplification vectors include the memcached database caching system with an amplification factor of an astounding 51,000, the Network Time Protocol with a factor of 58, and misconfigured DNS servers with a factor of 50.

DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data.

DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers using dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stressor services—which use commodity equipment to provide for-hire attacks—have adopted the technique. The company has identified almost 4,300 publicly reachable D/LTS servers that are susceptible to the abuse.

The biggest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207Gbps.

Skilled attackers with their own attack infrastructure typically discover, rediscover, or improve amplification vectors and then use them against specific targets. Eventually, word will leak into the underground through forums of the new technique. Booter/stressor services then do research and reverse-engineering to add it to their repertoire.

Challenging to mitigate

The observed attack “consists of two or more individual vectors, orchestrated in such a manner that the target is pummeled via the vectors in question simultaneously,” Netscout Threat Intelligence Manager Richard Hummel and the company’s principal engineer, Roland Dobbins, wrote in an email. “These multi-vector attacks are the online equivalent of a combined-arms attack, and the idea is to both overwhelm the defenders in terms of both attack volume as well as present a more challenging mitigation scenario.”

The 4,300 abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built in to the D/TLS specification, hardware including the Citrix Netscaller Application Delivery Controller didn’t always turn it on by default. Citrix has more recently encouraged customers to upgrade to a software version that uses anti-spoofing by default.

Besides posing a threat to devices on the Internet at large, abusable D/TLS servers also put organizations using them at risk. Attacks that bounce traffic off one of these machines can create full or partial interruption of mission-critical remote-access services inside the organization’s network. Attacks can also cause other service disruptions.

Netscout’s Hummel and Dobbins said that the attacks can be challenging to mitigate because the size of the payload in a D/TLS request is too big to fit in a single UDP packet and is, therefore, split into an initial and non-initial packet stream.

“When large UDP packets are fragmented, the initial fragments contain source and destination port numbers,” they wrote. “Non-initial fragments do not; so, when mitigating a UDP reflection/amplification vector which consists of fragmented packets, such as DNS or CLDAP reflection/amplification, defenders should ensure that the mitigation techniques they employ can filter out both the initial and non-initial fragments of the DDoS attack traffic in question, without overclocking legitimate UDP non-initial fragments.”