Security news that informs and inspires

FBI Warns of DDoS Attacks Abusing Network Protocols


The Federal Bureau of Investigation warned in a “private industry notification” last week that attackers are increasingly using amplification techniques in distributed denial-of-service attacks. There has been an uptick in attack attempts since February, the agency’s Cyber Division said in the alert.

An amplification attack occurs when attackers send a small number of requests to a server and the server responds with numerous responses. The attackers spoof the IP address to make it look like the requests are coming from a specific victim, and the resulting responses overwhelms the victim’s network.

“Cyber actors have exploited built-in network protocols, designed to reduce computation overhead of day-to-day system and operational functions to conduct larger and more destructive distributed denial-of-service amplification attacks against US networks,” the FBI alert said. Copies of the alert were posted online by several recipients, including threat intelligence company Bad Packets.

Attackers can target a variety of protocols in an amplification attack, such as DNS, SSDP, and NTP. The alert focused on protocols used in network management, device discovery, and web transfer, such as Apple Remote Desktop’s (ARD) Apple Remote Management Service (ARMS), Web Service Dynamic Discovery (WS-DD), and Constrained Application Protocol (CoAP). Organizations may be overlooking threats from these protocols when considering their attack surface.

Universities and enterprises rely on ARD to manage large fleets of Apple Macs. The ARMS service listens on port 3283 for incoming commands to remote Apple devices when ARD is enabled. Last October, threat actors exploited ARMS to conduct DDoS amplification attacks with a “35.5:1 amplification factor,” according to the alert. That means the attacker sends out a request, and the target is hit with a response that is 35.5 times larger than the initial request.

“If I can generate a few megabytes per second of attack traffic, the target is getting hit with 35 times as much,” said Nilesh Dherange, CTO of Gurucul. “As an attack, I send those packets but they are redirected to my target rather than back to me.”

“An attacker spoofs the victim IP sending a very small amount of traffic to a valid internet facing system that subsequently replies with much more traffic as compared to the size of the request for information,” said Roger Barranco, vice president of global security operations for Akamai. “It's like asking a short question and getting a very long answer.”

WS-DD is used by Internet of Things to automatically detect nearby Internet-connected devices. According to the alert, attackers launched more than 130 DDoS attacks in May and August of last year by exploiting WS-DD. Some of those attacks reached sizes greater than 350 Gigabits per second.

As of August 2019, there were 630,000 Internet-accessible IoT devices with WS-DD enabled, according to the alert.

In December of 2018, attackers also started abusing the multicast and command transmission features of CoAP to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, the alert said.

The FBI alert also mentioned a vulnerability in Jenkins, an open source platform used by developers to automate certain tasks,which could be exploited to launch DDoS attacks. While the FBI noted that there is no evidence yet that the vulnerability has been exploited in recent attacks, the potential is still there.

“Researchers estimated cyber actors could use vulnerable Jenkins servers to amplify DDoS attack traffic 100 times against the online infrastructure of targeted victims across sectors,” the alert said.

Usually, the security strategy for defending against these kinds of attacks would require disabling the protocols being abused. However, the alert acknowledged that disabling ARMS, WS-DD, and CoAP would lead to “loss of functionality to business productivity and connectivity.” Device manufacturers are unlikely to disable these features because doing so would impact user experience. Instead, the FBI encouraged organizations to partner with the local internet service provider to control network traffic, to set up a denial-of-service mitigation service, and change default usernames and passwords for all network devices or adding other security controls. Security professionals should also configure network firewalls to block unauthorized IP addresses and disable port forwarding.

“In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” the alert said.

DDoS activity was steady in the early months of 2020, but has picked up pace recently. Network performance company Netscout observed an average of about 735,000 DDoS attacks per month from November 2019 to March 2020. From March to April, however, Netscout observed more than 864,000 attacks, which was a 17 percent increase.

The FBI alert comes on the heels of several high-profile DDoS attacks this year. Amazon Web Services reported it was hit with 2.3 terabits-per-second DDoS attack (293 million packets per second) in February, the largest DDoS attack ever recorded. In June, Akamai blocked a DDoS attack generating 809 million packets per second against a large European bank, and a different 1.44 terabits-per-second attack (reached 385 million packets per second) against a web hosting provider. Cloudflare also fought off an attack that peaked at 754 million packets per second in June.