
Industry Insight

The rise of UDP-based DDoS attacks



The DDoS war is ramping up with the use of network time protocol (NTP) amplification to paralyse not just individual organisations’ networks, but potentially large proportions of general internet traffic.

The largest DDoS attack to date, which used DNS amplification, hit the anti-spam company Spamhaus last year. This attack reached 300 Gbps, taking Spamhaus offline and also affecting the DDoS mitigation firm CloudFlare. With the volume of traffic that was going through peering exchanges and transit providers, the attack also slowed down internet traffic for everyone else.

However, in the last couple of months these UDP amplification attacks seem to have moved on to NTP, taking advantage of an exploit available in older, unpatched NTP systems. These servers are usually used for time synchronisation and utilise the UDP protocol on port 123. Like DNS, they will respond to commands issued by any client to query certain information, unless they are properly secured.

These attack styles are not new, but their historically infrequent usage and the potential for mass disruption means they warrant more attention. Coverage of these attack styles in both industry and mainstream press is to be welcomed in my opinion, because these attacks are relatively defensible and coverage will hopefully get more administrators to secure or patch their NTP servers.

What is all the fuss about?
DNS amplification attacks ramp up the power of a botnet when targeting a victim. The basic technique of a DNS amplification attack is to spoof the IP address of the intended target and send a request for large DNS zone files to any number of open recursive DNS servers.

The DNS server then responds to the request, sending the large DNS zone answer to the attack target rather than the attacker, because the source IP was spoofed. The DNS amplification attack on Spamhaus saw request data (the data the attacker sent to the DNS servers) of roughly 36 bytes in length, while the response data (the data from the DNS server to the attack target) was around 3000 bytes, meaning the attackers increased the bandwidth used by 100x. Not only is that a large increase in attack bandwidth, but these packets from the DNS servers arrive at the target in a fragmented state due to their large size and have to be reassembled, which ties up the routing resources as well.

NTP amplification attacks work by spoofing the IP of the attack target and sending a ‘monlist’ command request to the NTP servers. This command will return the IP addresses of the last 600 clients that have used the NTP server to synchronise time. By issuing this command, a small request packet can trigger much larger UDP response packets containing active IP addresses and other data.

The volume of the response data is related to the number of clients that communicate with any particular NTP server. This means that a single request, consisting of a single 64-byte UDP packet, can be amplified into 100 responses, which contain the last 600 client IP addresses that have synchronised with the server. Each of those 100 responses will be a UDP packet of around 482 bytes, which gives the attacker a bandwidth amplification of around 700x [482 bytes x 100 responses = 48200 bytes / 64 bytes = 753.125].

With this level of amplification available and several popular DDoS attack tools already including a module for abusing ‘monlist’, we could be in for a new record in DDoS attack size this year unless the vulnerabilities are patched soon.

For example, if DNS amplification created a 300 Gbps attack, then NTP amplification means we could potentially see a 2.1 Tbps (21,000 Gbps) attack. There is no network that could absorb an attack of that size; it would have an enormous knock-on effect on general Internet traffic, as the Spamhaus attack did, with peering points, transit providers and content delivery networks being overloaded.

This isn’t to say that DNS and NTP are the only amplification attack methods. There are other amplification and reflection-style tactics as well and, while not as popular as more tried-and-true DDoS methods, they represent a real threat if you are not prepared for them.

Fixing the problem
The easiest way to fix this and stop your NTP servers from being an attack vector for a DDoS is to update them to version 4.2.7, which removes the ‘monlist’ command. Otherwise you can disable queries within your NTP server via a configuration change:

  • nano /etc/ntp.conf [Your configuration file might be located elsewhere]
  • Add the following lines:

      # Restrict general access to this device
      restrict default ignore
      restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery

This change will prevent your NTP server from being used to launch DDoS attacks against other networks, but an update to the latest version is still recommended.
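
To check an existing configuration against the restriction described above, the following added example (not part of the original article) parses the restrict lines of an ntp.conf and reports entries that still let remote hosts query the server. The sample configuration and its addresses are constructed for illustration, and skipping loopback entries is an assumption about what an administrator normally intends.

```python
# Added example: flag ntp.conf restrict entries that still let remote hosts query ntpd.
SAMPLE_CONF = """\
# constructed sample, not taken from a real server
restrict default nomodify notrap
restrict -6 default ignore
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
"""

BLOCKING_FLAGS = {"ignore", "noquery"}  # either flag refuses ntpq/ntpdc queries such as monlist
LOOPBACK = {"127.0.0.1", "::1"}         # assumption: local queries are intended


def parse_restrict(line):
    """Return (address, flags) for a restrict line, or None for any other line."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0].lower() != "restrict":
        return None
    tokens = tokens[1:]
    family = tokens.pop(0) + " " if tokens[0] in ("-4", "-6") else ""
    if not tokens:
        return None
    address = tokens.pop(0)
    if len(tokens) >= 2 and tokens[0].lower() == "mask":
        tokens = tokens[2:]  # skip the netmask value, keep the flags
    return family + address, {t.lower() for t in tokens}


def audit(conf_text):
    """Return (line_number, address, issue) for entries that still answer queries.

    A missing default entry is reported as line 0, because ntpd applies no
    restrictions at all when no default is configured.
    """
    findings, has_default = [], False
    for number, line in enumerate(conf_text.splitlines(), start=1):
        entry = parse_restrict(line)
        if entry is None:
            continue
        address, flags = entry
        bare = address.split()[-1]
        has_default = has_default or bare == "default"
        if bare not in LOOPBACK and not flags & BLOCKING_FLAGS:
            findings.append((number, address, "queries allowed"))
    if not has_default:
        findings.append((0, "default", "no restrict default line"))
    return findings


if __name__ == "__main__":
    for number, address, issue in audit(SAMPLE_CONF):
        print(f"line {number}: {address}: {issue}")
```

An empty result means every non-loopback restrict entry carries either ignore or noquery; run it against the contents of your own configuration file before and after making the change.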

Conclusion
DDoS attacks have been around in one form or another since the very beginnings of the internet, but the motivations, as well as the scale of these attacks, seem to have grown significantly.

In the early days it was just extortion; a hacker would ask for payment to stop the attacks. Nowadays, some businesses may pay for competitors to be attacked, as a few hours offline could be worth millions. You also have DDoS being used as a method of political activism by groups such as Anonymous, as well as the potential for a government to use DDoS to disrupt another country’s infrastructure.

Systems administrators need to ensure their systems are reviewed regularly for patches and known vulnerabilities. If systems are left unpatched then at best you can be used as a vector to attack another network or organisation, but at worst those vulnerabilities could be exploited to take your systems offline or steal your data.

Posted by David Barker, technical director of 4D Hosting
