2014 in DDoS Attacks: Part 1, Attack Vectors

Distributed Denial of Service (DDoS) attacks are extremely common occurrences on the web. At any given time during the day, a website or web service somewhere is subjected to disruption via a massive influx of malicious traffic. The aim of this article will be to explain the different types of attacks that are prevalent on the internet today, elaborate on how you might be able to prevent or mitigate the impacts of these attacks, describe some security best-practices, and offer some insights about the future of DDoS.

Amplification Attacks and How They Work

The latest craze in DDoS vectors is undoubtedly that of the “amplification” attack. In this attack vector, the malicious user (attacker) sends a request packet from a “spoofed” address (this is the victim’s address) to a vulnerable server. The vulnerable server then sends a response that is much larger than the original request packet (hence the “amplification”) to the spoofed address, thus impacting the victim. For a good real-world example of what sending a spoofed request is like, picture sending an envelope via USPS with someone else’s address written as the return address on it. Then picture putting a letter requesting a ton of advertising junk mail in that envelope and mailing it to every Fortune 5000 company on the list. Some of the largest recent attacks have been over 400Gbps — to put that in perspective, many servers on the internet are provisioned by default with a 10Mbit or 100Mbit port — that would be over 4,000 servers connected at 100Mbit ports all completely maxing out their uplink ports to send what is, essentially, nonsense packets to the victim.


Amplification Attack Vectors

The first attack of this style to gain significant popularity was the DNS Amplification Attack, which started impacting the internet on a large scale toward the end of 2012, and continued to have an impact through 2013 and into the early part of 2014. DNS stands for “Domain Name System” and is the protocol that allows domains names (like “quadranet.com”) to resolve to an IP address, which eliminates the need to memorize cumbersomely large numbers. The DNS amplification attack works by allowing an attacker to perform a DNS lookup/query from a spoofed source, and the DNS Server then returns a large number of results to the spoofed address. The DNS server has to be what’s called an “open resolver” for this attack vector to work, which means that it allows recursive lookups from anyone. Allowing recursive lookups is most commonly done by ISPs to allow their users to have access to local nameservers to resolve domains; however DNS server software is often shipped with recursive lookups globally allowed. More recently, attackers have found a flaw in NTP, the “Network Time Protocol”, which is used for keeping clocks synchronized. The flaw that was found is especially problematic because it affects the default version of ntpd that ships with most unix/linux operating systems. It’s centered around a command called MONLIST, which provides the user issuing the command with the last 600 IPs that accessed the server. As one might imagine, that’s quite a lot of data for one tiny request packet.

As a dedicated server/colocation/cloud service provider, QuadraNet oversees a substantial amount of IP space and we’ve been doing our part to be good netizens by eliminating the ability to exploit these attack vectors on our network. For one, we began conducting non-intrusive scans on our own network to ensure that any exploitable servers in our data centers are reported to their owner so that they can be properly secured. Within our management panel (https://manage.quadranet.com), clients can also configure a notification to be sent when excess bandwidth usage is detected, so that way if they are being exploited, it won’t go unnoticed and can be properly dealt with. We also actively work to disseminate information so that systems administrators can be prepared in handling and preventing these attacks.

How do I know if I’m vulnerable?

The following two commands can help you discover whether you’re vulnerable to an NTP amplification attack. The first requires an nmap add-on script that can be downloaded from https://svn.nmap.org/nmap/scripts/ntp-monlist.nse.

nmap -sU -pU:123 –script=ntp-monlist <IP>
ntpdc -c monlist <IP>

The following command can help you discover whether you’re vulnerable to a DNS amplification attack:

dig A quadranet.com +short @<IP>

Run this command from a remote server/machine (not the same one you are testing), and if a response is returned, the IP you are testing is vulnerable. Note that this does not necessarily mean that a response shouldn’t be returned – many DNS servers intentionally allow recursive lookups in order to function as open nameservers for the public, as described earlier. If the server you are testing is your own, and that is not the intended behavior, then the IP should be considered vulnerable.

This is part 1 of a 3-part series on DDoS attacks in 2014 and how you can help prevent them.

Part 2: 2014 In DDoS Attacks: Part 2, Mitigating Attacks
Part 3: 2014 In DDoS Attacks: Part 3, The Future of Internet Attacks