New method discovered to launch large DDoS attacks

A group of researchers has discovered a new and very powerful DDoS attack technique. With this type of attack, a fleet of more than 100,000 poorly configured servers could be used, which together can amplify the waves of junk data sent as requests to the attacked systems to unthinkable levels. In many cases, attacks with this technique could lead to an infinite routing loop that produces a flow of traffic which sustains itself over time.

The attack uses a specific type of server known as a middlebox, or intermediate box, which would be poorly configured and distributed throughout the network. Middleboxes are typically deployed by countries, such as China, for the purpose of censoring restricted content. Large organisations also use them to block sites that promote pornography, gambling and pirated downloads.

The servers that could be used in these attacks do not follow the specifications of the Transmission Control Protocol. Before a connection is allowed to be established, TCP requires a three-way handshake, consisting of a SYN packet sent by the client, a SYN+ACK response from the server and a confirmation by means of an ACK packet from the client. This handshake limits the possibility of a TCP-based application being used as an amplifier, because the ACK confirmation must come from the host with which the connection is to be established. Here that is not the case, because the misconfigured servers send their response packets without the client ever completing the handshake.
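To make the handshake argument concrete, here is an added illustration (not code from the article or from the researchers) that models two responders in Python: one that follows the three-way handshake and one that answers the application payload carried on the first SYN. The `Segment`, `CompliantServer` and `MisconfiguredMiddlebox` names and the 40-byte header size are assumptions of this model; the 33-byte request and 2,156-byte response reuse the figures reported later in the article, and the amplification factor is computed on payload bytes, as in the article's 65x figure.

```python
"""Model of why an RFC-compliant TCP stack is a poor reflector and a
non-compliant middlebox is not.

Added illustration; not code from the article or the researchers.
Sizes are constructed: a header-only segment is assumed to be 40 bytes
(20-byte IP + 20-byte TCP header), the 33-byte request and 2,156-byte
response repeat the figures quoted in the article.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str            # claimed source address; an attacker may spoof this
    flags: set          # e.g. {"SYN"}, {"ACK"}, {"PSH", "ACK"}
    payload_len: int = 0

    @property
    def size(self) -> int:
        return 40 + self.payload_len   # assumed header size plus payload


@dataclass
class CompliantServer:
    """Follows the handshake: no application data leaves before the ACK."""
    response_len: int = 2156
    established: set = field(default_factory=set)

    def receive(self, seg: Segment) -> list:
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            # Step 2: a header-only SYN+ACK; any payload on the SYN is ignored.
            return [Segment(src="server", flags={"SYN", "ACK"})]
        if "ACK" in seg.flags and seg.src not in self.established:
            # Step 3: the ACK that completes the handshake. A spoofed source
            # never sends it, because the SYN+ACK went to the victim instead.
            self.established.add(seg.src)
            return []
        if seg.payload_len and seg.src in self.established:
            return [Segment(src="server", flags={"PSH", "ACK"},
                            payload_len=self.response_len)]
        return []


@dataclass
class MisconfiguredMiddlebox:
    """Answers the payload on the very first SYN, before any ACK arrives."""
    response_len: int = 2156

    def receive(self, seg: Segment) -> list:
        if seg.payload_len:
            return [Segment(src="middlebox", flags={"PSH", "ACK"},
                            payload_len=self.response_len)]
        return []


def amplification(responder, request: Segment) -> float:
    """Response payload bytes returned to the request's source per request
    payload byte (the payload-based ratio the article reports)."""
    returned = sum(s.payload_len for s in responder.receive(request))
    return returned / request.payload_len


if __name__ == "__main__":
    spoofed = Segment(src="victim", flags={"SYN"}, payload_len=33)
    print("compliant server, spoofed SYN:",
          round(amplification(CompliantServer(), spoofed), 1))      # 0.0
    print("middlebox, spoofed SYN:",
          round(amplification(MisconfiguredMiddlebox(), spoofed), 1))  # 65.3
```

The point the model makes is that the 2,156-byte answer is not the problem in itself: the compliant server sends the same answer to a client that has completed the handshake, but a spoofed source never reaches that state, so nothing larger than a 40-byte SYN+ACK is ever reflected to the victim.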

Last August, researchers from the University of Maryland and the University of Colorado at Boulder published theoretical research showing that there are hundreds of thousands of these servers, which had the potential to produce, through this technique, the largest DDoS attacks ever seen.

Furthermore, in these cases the attackers would increase the power of their attacks while saving resources by using amplification vectors: spoofing the target's IP and sending a relatively small data packet to a misconfigured server used for domain name resolution, the synchronisation of computer clocks or the acceleration of database caching. Since the responses such servers send are dozens, hundreds or thousands of times larger than the request, the responses overwhelm the attacked target.

According to the researchers, at least 100,000 of the servers they had identified as misconfigured middleboxes exceeded the amplification factors of DNS servers (about 54 times) and NTP servers (as much as 556 times). Additionally, they identified hundreds of servers that amplified traffic even more than misconfigured memcached servers, a caching system used to speed up websites, which can multiply traffic volume by no less than 51,000 times.

At the time of the investigation there was no evidence of DDoS amplification attacks actively using middleboxes, but the discoverers of the technique said it was only a matter of time before they began to be used. That day seems to have come: in recent days, according to Akamai, multiple DDoS attacks have been detected that use middleboxes just as the researchers had anticipated.

These attacks peaked at 11 Gbps, sending up to 1.5 million packets per second. They are smaller than other large DDoS attacks, but the researchers expect them to grow in size as attackers refine their methods and identify more misconfigured servers to abuse. To get an idea of what that might look like: in these still small attacks, one of the servers used as a middlebox received a SYN packet with a 33-byte payload and responded with a 2,156-byte payload, 65 times more. And the amplification has the potential to be even greater with more preliminary work.

Another middlebox located by Akamai responded to SYN packets with multiple SYN packets of its own, for unknown reasons, and those packets carried data. The server also completely ignored the target's RST packets, which are supposed to terminate a connection. Worryingly, the research team has also found that some middleboxes respond to any further packet they receive, including RSTs, creating an endless storm of packets.
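From the target's side, the two behaviours described above are observable: data arrives from hosts the target never sent a SYN to, and those hosts keep sending after the target answers with RST. The following added example (not code from the article, Akamai or the researchers) runs that check over a few constructed packet summaries in a simplified tcpdump-like shape; the `LOCAL` address, the sample lines and the line format are assumptions of this example, and a real deployment would read flow records or capture files instead.

```python
"""Flag inbound TCP traffic that looks like middlebox reflection:
unsolicited data (no local SYN preceded it) and senders that ignore RST.

Added example; not code from the article or the researchers.
"""
import re
from collections import defaultdict

LOCAL = "198.51.100.5"   # the monitored host (constructed address)

# Constructed packet summaries: time, src, dst, TCP flags, payload length.
# 192.0.2.10 is a normal web server the host talked to; 203.0.113.7 and
# 203.0.113.9 send traffic the host never asked for.
SAMPLE = """\
10:00:00.001 198.51.100.5:51000 > 192.0.2.10:80 S 0
10:00:00.020 192.0.2.10:80 > 198.51.100.5:51000 SA 0
10:00:00.021 198.51.100.5:51000 > 192.0.2.10:80 A 0
10:00:00.022 198.51.100.5:51000 > 192.0.2.10:80 PA 120
10:00:00.060 192.0.2.10:80 > 198.51.100.5:51000 PA 2156
10:00:01.000 203.0.113.7:80 > 198.51.100.5:443 PA 2156
10:00:01.001 198.51.100.5:443 > 203.0.113.7:80 R 0
10:00:01.030 203.0.113.7:80 > 198.51.100.5:443 PA 2156
10:00:01.031 198.51.100.5:443 > 203.0.113.7:80 R 0
10:00:01.060 203.0.113.7:80 > 198.51.100.5:443 PA 2156
10:00:02.000 203.0.113.9:80 > 198.51.100.5:443 SA 0
10:00:02.000 203.0.113.9:80 > 198.51.100.5:443 SA 0
"""

LINE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+) (\d+)$")


def analyse(text: str, local: str = LOCAL) -> dict:
    """Per remote address: did we SYN to it, did we RST it, and what arrived."""
    state = defaultdict(lambda: {"local_syn": False, "local_rst": False,
                                 "inbound_pkts": 0, "inbound_bytes": 0,
                                 "unsolicited_pkts": 0, "after_rst": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines
        _ts, src, _sport, dst, _dport, flags, length = m.groups()
        if src == local:
            st = state[dst]
            if "S" in flags and "A" not in flags:
                st["local_syn"] = True    # we opened a connection to them
            if "R" in flags:
                st["local_rst"] = True    # we told them to stop
        elif dst == local:
            st = state[src]
            st["inbound_pkts"] += 1
            st["inbound_bytes"] += int(length)
            if not st["local_syn"]:
                st["unsolicited_pkts"] += 1
            if st["local_rst"]:
                st["after_rst"] += 1      # they kept sending after our RST
    return dict(state)


def suspects(text: str, local: str = LOCAL, min_after_rst: int = 2) -> dict:
    """Remote addresses showing reflection symptoms, with the reasons."""
    findings = {}
    for ip, st in analyse(text, local).items():
        reasons = []
        if st["unsolicited_pkts"]:
            reasons.append("unsolicited")
        if st["after_rst"] >= min_after_rst:
            reasons.append("ignores_rst")
        if reasons:
            findings[ip] = {"reasons": reasons,
                            "inbound_bytes": st["inbound_bytes"]}
    return findings


if __name__ == "__main__":
    for ip, info in sorted(suspects(SAMPLE).items()):
        print(ip, info["reasons"], f"{info['inbound_bytes']} bytes")
```

The `ignores_rst` threshold is deliberately two packets rather than one, because a single segment can legitimately cross an RST on the wire; a sender that is still delivering data after two resets is behaving like the middleboxes the article describes. The output identifies the reflecting middleboxes, not the attacker, since the spoofed SYN that triggered them never reaches the target.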

Unfortunately there is no method end users can apply to block the DDoS amplification used here. What can be done to prevent this type of attack is to get the operators of these servers to reconfigure their machines, which in many cases is unlikely to happen, at least in the short term.
