Network security

Exploiting built-in network protocols for DDoS attacks

February 3, 2021, by Pedro Tavares

Introduction

A distributed denial-of-service (DDoS) attack is an attempt to make an online service unavailable to its users, usually by temporarily interrupting or suspending the services of its hosting server. The power of such an attack is amplified by distributing it across a large number of servers or senders instead of a single one.

In general, a DDoS attack is launched from a vast number of compromised devices distributed around the world and organized into a huge cluster, also known as a botnet. Each device behaves much like a single internet-connected machine flooding a target with malicious traffic; the difference is that all of them flood the target at the same time with the intent of causing unavailability.


Different groups of DDoS and attack types

A distributed denial-of-service attack can be executed with different goals and falls into three main groups:

Volume-based attacks: This group includes UDP, ICMP and other spoofed-packet floods. The aim is to saturate the bandwidth of the attacked site. The magnitude of the attack is measured in bits per second (bps).

Network protocol attacks: This group includes SYN floods, fragmented-packet attacks, ping of death and smurf DDoS. This approach exhausts server resources or overwhelms intermediate network equipment such as firewalls and load balancers. The magnitude of the attack is measured in packets per second (pps).

Application layer attacks: This group includes low-and-slow attacks and GET/POST floods, and often targets web servers and operating system vulnerabilities. The main goal of this attack is to crash the system. Its magnitude is measured in requests per second (rps).

Exploiting built-in network protocols

According to the Federal Bureau of Investigation (FBI), criminals are using built-in network protocols for large-scale distributed denial-of-service (DDoS) amplification attacks. The motivation behind this kind of DDoS attack is to amplify the damage of a targeted attack, which can lead to significant disruption of operations and services.

In this notification, the FBI highlights recent DDoS amplification attacks and compares them with incidents from December 2018, when cybercriminals exploited the multicast and command transmission features of the Constrained Application Protocol (CoAP). That attack wave abused CoAP devices that were accessible from the internet and geolocated in China to perform a wide attack using peer-to-peer networks.

Some months earlier, on February 28, 2018, the GitHub website was hit by the biggest distributed denial-of-service (DDoS) attack recorded at the time, reaching a record 1.35 Tbps. Misconfigured Memcached servers were used to amplify the attack.

In 2019, attackers took aim at the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks in the wild, many of them reaching a magnitude of 350 gigabits per second (Gbps). Because Internet of Things (IoT) devices use WS-DD to detect other devices nearby, more than 630,000 devices with this protocol enabled were used to amplify DDoS attacks. In the same year, security experts reported an increase in the use of misconfigured IoT devices in attacks along these lines.

Towards the end of 2019, a new wave of attacks was observed. In October 2019, the popular Apple Remote Management Service (ARMS), which companies use to manage their Apple computers easily, was used by criminals to amplify DDoS attacks.

More recently, in February 2020, a group of researchers found a novel vulnerability in the built-in network discovery protocols of Jenkins servers, which could be used in amplified DDoS attacks.

The flaw, tracked as CVE-2020-2100, was discovered by Adam Thorn of the University of Cambridge. It affects Jenkins 2.218 and earlier as well as LTS 2.204.1 and earlier.

“Jenkins’ vulnerability is caused by an auto-discovery protocol that is enabled by default and exposed in publicly facing servers,” explained Radware security evangelist, Pascal Geenens. “Disabling the discovery protocol is only a single edit in the configuration file of Jenkins and it got fixed in last week’s patch from a default enabled to disabled.”
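As an added example (not code from the original article or from the FBI notification), the following Python detector flags hosts that receive unsolicited UDP traffic from the service ports of the amplifier protocols discussed above, which is how a reflection-amplification flood looks from the victim's edge. The port-to-protocol map and the flow records are assumptions constructed for this example.

```python
"""Flag likely UDP reflection/amplification traffic in flow records."""
from collections import defaultdict

# Service ports of protocols the article names as abused reflectors
# (memcached, CoAP, WS-Discovery, ARMS, Jenkins UDP discovery).
# This port-to-name map is an assumption of the example, not from the page.
AMPLIFIER_PORTS = {11211: "memcached", 5683: "coap", 3702: "ws-discovery",
                   3283: "arms", 33848: "jenkins-discovery"}

# Constructed sample flows seen at the edge of 203.0.113.0/24:
# (direction, src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("out", "203.0.113.10", 51000, "198.51.100.7", 53, "udp", 80),      # DNS query
    ("in",  "198.51.100.7", 53, "203.0.113.10", 51000, "udp", 240),     # its answer
    ("in",  "192.0.2.21", 11211, "203.0.113.10", 40001, "udp", 1400),   # unsolicited
    ("in",  "192.0.2.22", 11211, "203.0.113.10", 40002, "udp", 1400),   # unsolicited
    ("in",  "192.0.2.23", 3702, "203.0.113.10", 40003, "udp", 1300),    # unsolicited
    ("in",  "192.0.2.24", 3283, "203.0.113.10", 40004, "udp", 1200),    # unsolicited
    ("in",  "192.0.2.25", 5683, "203.0.113.10", 40005, "udp", 1100),    # unsolicited
    ("out", "203.0.113.10", 40006, "192.0.2.30", 11211, "udp", 60),     # our own query
    ("in",  "192.0.2.30", 11211, "203.0.113.10", 40006, "udp", 800),    # solicited reply
]


def detect_reflection(flows, min_reflectors=3, min_bytes=3000):
    """Return {victim_ip: report} for hosts receiving unsolicited UDP traffic
    from amplifier service ports. A reply counts as solicited when an
    outbound flow from the same (dst_ip, dst_port) to that (src_ip, src_port)
    was observed; spoofed-source reflection never has such a request."""
    solicited = {(s, sp, d, dp) for (dirn, s, sp, d, dp, proto, _) in flows
                 if dirn == "out" and proto == "udp"}
    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for dirn, src, sport, dst, dport, proto, nbytes in flows:
        if dirn != "in" or proto != "udp" or sport not in AMPLIFIER_PORTS:
            continue
        if (dst, dport, src, sport) in solicited:
            continue  # the host asked for this reply; normal client traffic
        rec = stats[dst]
        rec["bytes"] += nbytes
        rec["reflectors"].add(src)
        rec["services"].add(AMPLIFIER_PORTS[sport])
    # Many distinct reflectors plus a large unsolicited byte volume is the
    # signature of a distributed amplification flood rather than a stray packet.
    return {ip: r for ip, r in stats.items()
            if len(r["reflectors"]) >= min_reflectors and r["bytes"] >= min_bytes}


if __name__ == "__main__":
    for victim, report in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, report["bytes"], sorted(report["services"]))
```

The thresholds are per-window tuning knobs; in production they would be applied to flows aggregated over a short time window rather than to a static list.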

The motivation behind DDoS attacks

DDoS attacks are the most prevalent cyber threat, increasing in both number and volume over the years. These attacks are driven by different motivations, including:

  • Ideology: Hacktivists use DDoS attacks to target websites they disagree with.
  • Business: Attacks to take down competitors’ websites or services.
  • Adrenaline rush: Script kiddies use pre-written scripts to launch DDoS attacks, with the main goal of simply getting an adrenaline rush.
  • Extortion: DDoS attacks are used as a means of extorting money from their targets.
  • Cyberwarfare: DDoS attacks launched and authorized by governments to damage an enemy country’s infrastructure.


Conclusion

Mitigating a multi-vector DDoS attack requires a variety of strategies. Separating legitimate from malicious traffic is a hard task, and the attacker's goal is to disguise the attack as much as possible so that any mitigation effort becomes inefficient.

Some effective measures against this problem involve dropping or limiting network traffic, such as:

  • Blackhole routing
  • Rate limiting
  • Web application firewall
  • Anycast network diffusion

Last but not least, ensure that all devices, including IoT devices, network peripherals, servers, web services, software in general and operating systems, are up to date with security patches applied.


Sources

What is a DDoS Attack?, Cloudflare

Cyber Actors Exploiting Built-In Network Protocols to Carry Out Larger, More Destructive Distributed Denial of Service Attacks, FBI Private Industry Notification

Biggest DDoS Attack Ever Recorded, Segurança Informática

DevOps Alert: 12,000 Jenkins Servers Exposed to DoS Attacks, Infosecurity Magazine

Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a freelance writer.