There is a new trend in Distributed Denial of Service (“DDoS”) attacks that has a resonating character to it: Amplification! Doesn’t it make sense that a large DDoS volume is easier to achieve with Amplification? When is a DDoS attack a Reflection and when is it Amplification, and why should I care?
First of all size matters! While a small DDoS attack can be mitigated with a simple on premise DDoS mitigation solution, attacks over 10 gbps (10 gigabits per second) may easily fill up the “pipe” into your datacenter thereby making the onsite solution superfluous as the traffic never gets there and successfully brings all services in that datacenter down.
Next line of thought: so how do malicious actors achieve DDoS attacks the size of 10 gbps and higher, and what are the key ingredients for such a truly large attack? Will it become easier for us to mitigate these attacks in the future? What can we do to slow down the growth of attack sizes, what are the holes in our infrastructure that allow such volumetric attacks? Here the key ingredients are Amplification and Reflection.
What is Amplification?
Let us have a closer look at how Reflection and Amplification actually work. The oldest known protocol based reflection is the ICMP based SMURF attack (no, not the little blue skinned creatures!):
The Attacker “spoofs” the IP address of the victim (spoofing meaning pretending to have the victim’s IP address), sending packets to the Router shown above (“The Unwitting Collaborator” or UC). Given the nature of ICMP and the unpatched and open systems of the 90s, the Router then forwards the request to all end devices in the local network. Each device responds by sending a response to the victim. The UC is acting as a reflector because the attacker’s request reflects off the UC and onto the victim. Amplification is achieved because four different machines respond. Reflection is the basis for Amplification. Note that the power is in the Amplification because a small request may result in a much larger amount of traffic being sent to the victim.
So now we understand that reflection leverages spoofing. This is something particularly easy to do with any UDP (“User Datagram Protocol”) based protocol such as DNS, SNMP and SSDP. Why is it easy with UDP (vs TCP)? UDP is connectionless, packets are sent without setting up a connection with the other side. Therefore, there is no verification of the origin of the packets. TCP (Transport Control Protocol) on the other hand, is connection oriented and requires a three-way handshake. It is very challenging to successfully spoof with TCP.
In 2014 there has been a marked increase in large-scale DDoS attacks leveraging Amplification and Reflection. So what changed in 2014? A paper was published by a German Security Researcher named Rossow in early 2014 doing a theoretical analysis of how Reflection and Amplification could lead to large-scale DDoS attacks. Nearly simultaneously large-scale attacks became prevalent leveraging exactly those protocols and associated methods found by Rossow with high “Bandwidth Amplification Factor” (BAF). n particular, the virtually hereto unheard of protocol NTP which Rossow’s work showed to have the highest amplification potential was a very popular DDoS attack vector in 2014. Coincidence? Unlikely.
Here is an overview of some of the key protocols (all UDP based) that Rossow analyzed:
Protocol | Method | Description |
| DNS | EDNS0 | Returns all known DNS record types |
| NTP | Monlist | Returns list of all recent clients including client data like IP address, NTP version, etc. |
| NetBIOS | Name Service | Broadcast query that returns list of all machines in that local network with IP address and name |
| SSDP | Discovery | Returns list of available services |
Read more: DDoS is Cloud's security Achilles heel
Note also the commonality between the above mentioned methods. They basically all return a list! So there is nothing magical about amplification per se, just use a method that returns a list, preferably a potentially very large list!
Of course there are further reflection and amplification exploits independent of protocol, e.g. RPC amplification and amplification using prevalent software systems like WordPress and Sentinel.
So what are we to do? First of all our Internet Infrastructure needs to be patched for each and every protocol and method found to have Amplification vulnerabilities. This is just catch up work though. In addition, work is needed to find further system functions like RPC and popular software like WordPress that have amplification potential and then the community working with this software have to ensure all open vulnerable interfaces are patched. So this is not simply equipping the potential victim with mitigation capabilities, but ruling out further unwitting collaborators!
For the potential victims, a sound DDoS mitigation strategy is needed. If a DDoS attack that is 10 gbps or higher has to be mitigated, only a cloud-based strategy is viable. Any onsite or ISP based solutions cannot mitigate an attack of that size and will either result in an overloaded pipe into the datacenter or blackholing the traffic (blackholing - dropping all traffic to that destination including the valid requests).
So what questions or criteria should be used to determine the vendor?
First of all determine the risk to your assets vulnerable to a 10 gbps attack. For example how much would downtime cost you per asset? This will provide a business case and help determine budget considerations.
Then consider the following questions you should use to determine a vendor’s suitability for DDoS mitigation:
- What SLAs do you provide?
- What is the maximum size of a DDoS attack that you can mitigate (e.g. gbps)?
- Do you blackhole traffic if it reaches a certain threshold? If so, what is that threshold?
- What is your accuracy or false positive rate?
- Where are your scrubbing centres located?
- How is my user experience / performance impacted?
We have shown how Reflection and Amplification are interrelated and how they work: simpler than may appear! Numerous mitigation strategies have been summarized, both from a global infrastructure and potential victim point of view. We have to drive harder to stay ahead of the malicious actors!