Some reflection and amplification attack tools can generate a surging, snowballing mass of traffic against a target with relatively little effort, and as a result hacktivists and others are embracing them wholesale.
“In Q1, DDoS attackers relied less upon traditional botnet infection in favor of reflection and amplification techniques, a trend Prolexic has been seeing for some time,” said Stuart Scholly, senior vice president and general manager of Security at Akamai, in a statement. “Instead of using a network of zombie computers, the newer DDoS toolkits abuse internet protocols that are available on open or vulnerable servers and devices. We believe this approach can lead to the internet becoming a ready-to-use botnet for malicious actors.”
Network Time Protocol (NTP) amplification attacks rely on the use of publicly accessible servers. The technique leverages NTP servers to overwhelm a victim system with UDP traffic. NTP is widespread, used by not just desktops but also all manner of connected devices to sync their clocks. For example, the clock configuration on a Mac computer is actually the address of an NTP server run by Apple.
NTP servers also support a monitoring service that allows administrators to query the server for traffic counts of recently connected clients. The query is done with the "monlist" command, which is tracked as a vulnerability (CVE-2013-5211). The monlist feature of NTP is enabled by default on older NTP-capable devices.
The basic attack vector consists of an attacker sending a "get monlist" request to a vulnerable NTP server. The command causes a list of the last 600 IP addresses that connected to the NTP server to be returned. In an NTP amplification attack, the source address is spoofed to be that of an unwitting victim, who then receives the list. Several queries could easily rack up enough traffic from the results to overwhelm the victim's resources.
“Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” US-CERT explained in a recent advisory. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”
And, because of the pervasiveness of NTP, it's a relatively simple attack to carry out. An attacker armed with a list of open NTP servers on the internet can easily pull off a DDoS attack using NTP. Common tools like Metasploit and Nmap have had modules capable of identifying NTP servers that support monlist.
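The monlist traffic described above has a recognisable on-the-wire shape, which is what a defender can key on. The following added example (not code from the report or from Prolexic/Akamai) decodes the NTP mode 7 header that monlist uses and totals unsolicited monlist responses per destination, the pattern seen at the edge of a network whose address has been spoofed as the victim. The server and victim addresses and the packet contents are constructed test data.

```python
import struct
from collections import defaultdict

# NTP mode 7 ("private", used by ntpdc/monlist) header, 8 bytes:
#   byte 0: R(1) M(1) VN(3) Mode(3)    byte 1: A(1) Seq(7)
#   byte 2: implementation (3 = XNTPD)  byte 3: request code
#   bytes 4-5: Err(4)|Nitems(12)        bytes 6-7: MBZ(4)|Size(12)
MONLIST_CODES = {20, 42}   # MON_GETLIST, MON_GETLIST_1

def parse_mode7(payload):
    """Decode the mode 7 header; return None for any other NTP mode."""
    if len(payload) < 8:
        return None
    b0, b1, impl, reqcode, en, ms = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40), "seq": b1 & 0x7F,
            "impl": impl, "reqcode": reqcode, "nitems": en & 0x0FFF, "size": ms & 0x0FFF}

def monlist_report(packets):
    """Aggregate monlist *responses* per destination from (src, dst, payload) tuples;
    a flood of these toward one host is the signature of a spoofed reflection victim."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "servers": set()})
    for src, dst, payload in packets:
        hdr = parse_mode7(payload)
        if hdr and hdr["response"] and hdr["reqcode"] in MONLIST_CODES:
            s = stats[dst]
            s["packets"] += 1
            s["bytes"] += len(payload)
            s["servers"].add(src)
    return {d: {"packets": s["packets"], "bytes": s["bytes"],
                "servers": sorted(s["servers"])} for d, s in stats.items()}

def _mode7(response, more, seq, nitems, size):
    """Constructed sample: a mode 7 monlist packet with zeroed entry data."""
    b0 = (0x80 if response else 0) | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack("!BBBBHH", b0, seq, 3, 42, nitems, size)
    return hdr + b"\x00" * (nitems * size)

# Constructed capture at the victim's (203.0.113.7) network edge: two open NTP
# servers each answer an 8-byte spoofed query with several 440-byte packets
# (6 monlist entries of 72 bytes); one normal 48-byte mode 3 packet is mixed in.
SAMPLE = [
    ("198.51.100.5", "203.0.113.7", _mode7(True, True, 0, 6, 72)),
    ("198.51.100.5", "203.0.113.7", _mode7(True, True, 1, 6, 72)),
    ("198.51.100.5", "203.0.113.7", _mode7(True, False, 2, 6, 72)),
    ("198.51.100.9", "203.0.113.7", _mode7(True, True, 0, 6, 72)),
    ("198.51.100.9", "203.0.113.7", _mode7(True, False, 1, 6, 72)),
    ("203.0.113.7", "198.51.100.5", bytes([0x23]) + b"\x00" * 47),  # mode 3 client
]
```

On this sample, monlist_report(SAMPLE) attributes 5 packets and 2,200 bytes to 203.0.113.7 from two servers while ignoring the ordinary mode 3 packet; each 440-byte reply to an 8-byte query is the amplification the advisory warns about.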
In addition to NTP, Prolexic has observed other abused protocols to be Character Generator (CHARGEN) and Domain Name System (DNS). These protocols are all based on UDP, offer amplification and may be favored as they allow attackers to hide their identity.
Innovation Creates Greater Danger
“Innovation in the DDoS marketplace has given rise to tools that can create greater damage with fewer resources,” the report noted. “Q1’s high-volume, infrastructure-based attacks were made possible by the availability of easy-to-use DDoS tools from the DDoS-as-a-service marketplace. These tools are designed by malicious hackers to deliver greater power and convenience into the hands of less skillful attackers.”
In the first quarter, NTP reflection attacks surged. The NTP flood method went from accounting for less than 1% of all attacks in the prior quarter to reaching nearly the same popularity as SYN flood attacks, a perennial favorite among DDoS attackers. Meanwhile, neither CHARGEN nor NTP attack vectors were detected one year ago, but accounted for 23% of all infrastructure attacks mitigated by Prolexic in Q1 2014.
The evidence of this technique shift is clear. The first quarter saw a 39% increase in average bandwidth and the largest-ever DDoS attack to cross the Prolexic DDoS mitigation network. This attack involved multiple reflection techniques combined with a traditional botnet-based application attack, to generate peak traffic of more than 200 Gbps and 53.5 million packets per second.
Overall, compared to one year ago, Prolexic saw a whopping 47% increase in total DDoS attacks and a 133% increase in average peak bandwidth. Compared to last quarter, there’s been an 18% increase in total DDoS attacks and a 114% increase in average peak bandwidth.
Also, interestingly, average duration is going down: last year the typical attack lasted 35 hours; last quarter it was 23 hours. Now, the average is 17 hours, a 50% decrease in average attack duration since last year.
In terms of targets, this quarter saw more than half of the DDoS attack traffic aimed at the media and entertainment industry. This one industry was targeted by 54% of the malicious packets mitigated by Prolexic during active DDoS attacks in Q1.
“Attacks on this sector offer plenty of perks for a malicious actor, including press coverage and high visibility,” Akamai noted in the report. “High visibility allows campaign organizers to more effectively reach out to supporters and recruit others to join their cause.”