“We found hundreds of thousands of IP addresses that offer amplification factors greater than 100×,” Bock and his team said, highlighting how a very large number of networking middleboxes could be abused for DDoS attacks far larger than the UDP protocols with the best amplification factors known to date.įurthermore, the research team also found thousands of IP addresses that had amplification factors in the range of thousands and even up to 100,000,000, a number thought to be inconceivable for such attacks.
Most UDP protocols typically have an amplification factor of between 2 and 10, with very few protocols sometimes reaching 100 or more. In total, the team said they found 200 million IPv4 addresses corresponding to networking middleboxes that could be abused for attacks. In an interview this week, Kevin Bock, a researcher at the University of Maryland, told The Record that amplification factors varied based on middlebox device type, vendor, configurations, and network setup.īock said the research team scanned the entire IPv4 internet address space 35 different times to discover and index middleboxes that would amplify TCP DDoS attacks. Some amplified traffic more than others, while some did not even respond. Middleboxes provide huge DDoS amplification factorsīut the research team says that not all middleboxes responded to their tests in the same way. The reason was that the UDP protocol uses a simple two-stage request and response process that can be easily abused and weaponized by DDoS botnet operators. Historically, the best DDoS reflective amplification vectors were servers running UDP-based protocols, such as SNMP, DNS, NetBIOS, CoAP, and NTP.
The technique effectively allows attackers to reflect/bounce and amplify traffic towards a victim via an intermediary point. This happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker (thanks to a technique known as IP spoofing). One of the most dangerous of these methods was the so-called “ DDoS reflective amplification attack.” First documented in the early 2000s, DDoS attacks were initially carried out by hijacking home computers to launch requests to websites, all at the same time, in order to overwhelm a victim’s hosting infrastructure.Īs the years went by, methods to carry out DDoS attacks also diversified. How DDoS reflective amplification attacks workīut to understand the importance of this research, a short intro to DDoS attacks is also needed. Making matters worse, researchers said the amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of carrying out a DDoS attack known to date and very likely to be abused in the future. In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet.Īuthored by computer scientists from the University of Maryland and the University of Colorado Boulder, the research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.
0 kommentar(er)
