For all the impressive numbers they can put up, and all the shock and awe headlines they can garner, DDoS amplification attacks have a certain…reputation. While the methods used to create the large volume of an amplification attack are certainly clever, the attacks themselves – are not. They are big and brawny. They batter the front door instead of picking a lock. They are a 300 lb lineman running directly at your quarterback. Where once they were a bandwidth-chomping menace to deal with, an expense and a headache all in one, the advent of cloud-based DDoS mitigation has reduced amplification attacks to a one-dimensional, easily handled threat.
However, what if that 300 lb lineman suddenly learned to tippy-toe? What if he snuck around your D-line and came at the QB from an angle you would never expect? You would have a problem on your hands. Just like the potential targets of a certain type of DDoS amplification attack have one on theirs.

Working smarter

There’s a reason professional DDoS protection has become a must-have for businesses and websites ranging from small in size to enterprise level, and it’s that so many attackers are professionals themselves, constantly innovating and finding new ways to inflict distributed denial of service damage. Pros versus pros just makes for a fairer fight.
This new breed of crafty amplification attacks is unsurprisingly the handiwork of those accomplished attackers, and while the technique may be new, the weakness used to make it happen has been a thorn in the side of security professionals since 2001. Universal Plug and Play (UPnP) is a protocol that enables IoT device discovery and allows devices to communicate over a LAN. Thanks to poor default settings, this protocol also tends to expose devices to remote access and remote code execution.
One of the remote commands that can be executed over UPnP is AddPortMapping, which relates to port forwarding rules. Typically, UPnP payloads come from UDP port 1900, and knowing this greatly aids in mitigating DDoS attacks involving UPnP devices (more on that below). However, attackers can use the AddPortMapping command in vulnerable devices like routers to reroute packets through different ports than would usually be used by this protocol.
So, in this amplification attack method, attackers spoof the IP of the intended victim and send requests on the victim's behalf to vulnerable UPnP devices, which forward the requests to external servers using the ports specified in the AddPortMapping command. The responses from the external servers travel back to the UPnP device, again using the ports specified in the AddPortMapping command, and have their source ports rewritten one more time before the device forwards the responses to the victim. The result is a flood of packets arriving from what appear to be irregular source ports. This method can be used in conjunction with stalwart amplification techniques including DNS, NTP and SSDP, ensuring the response the victim receives will be much larger than any request sent in the first place.

Going deep

The mitigation of a typical amplification attack doesn’t necessarily begin when that big smash of traffic arrives. Even as the first trickles of attack traffic arrive, an always-on mitigation service can recognize malicious traffic by the IP and source port information, issuing instructions to the scrubbing servers to filter and bounce said traffic before it can reach the intended target network. From there it’s a simple matter of bandwidth versus bandwidth, and legitimate users of the website or service are none the wiser.
With UPnP devices obfuscating that telling source port data, mitigation services are going to have to dig deeper to identify amplification attack traffic, namely by using deep packet inspection. This is a process that is a lot more work than simply checking the source IP and port info, especially when traffic is ramping up due to a potential attack. Think of it like pulling bad apples off a conveyor belt based on surface bruising versus slicing open every apple to try and find the rot internally. This kind of inspection requires dedicated mitigation equipment. If you’ve invested in a leading cloud-based mitigation service, you can be confident these obfuscated amplification attacks will be handled as handily as other amplification attacks. Anything else and you’re likely either looking at attack traffic getting through, or legitimate traffic getting bounced alongside attack traffic, denying users the services the attack tried to deny them in the first place.
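The contrast between the cheap source-port check and deep packet inspection can be shown in code. The following is an added example, not code from the original article: it classifies a handful of constructed sample packets first by source port alone, then by looking into the payload for the shape of a DNS response, an NTP mode-7 (monlist) reply or an SSDP 200 OK. The source addresses, port numbers and payload bytes are constructed for illustration, and the payload checks are deliberately simplified.

```python
"""Port-only filtering vs. payload inspection for amplification traffic.

Added example, not from the original article. All packets below are
constructed sample data; the addresses and ports are illustrative.
"""
from dataclasses import dataclass
import struct

# Well-known source ports of the amplifiers the article names.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def classify_by_port(pkt):
    """Cheap check: trust the UDP source port alone."""
    return AMPLIFIER_PORTS.get(pkt.src_port)


def _looks_like_dns_response(p):
    # DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (12 bytes).
    if len(p) < 12:
        return False
    flags, _qd, an = struct.unpack("!HHH", p[2:8])
    return bool(flags & 0x8000) and an > 0  # QR=1 (response) with answers


def _looks_like_ntp_monlist_response(p):
    # NTP private (mode 7) header: byte 0 = R|M|VN(3)|Mode(3), byte 3 = request code.
    if len(p) < 8:
        return False
    is_response = bool(p[0] & 0x80)
    mode = p[0] & 0x07
    req_code = p[3]  # 20 = MON_GETLIST, 42 = MON_GETLIST_1
    return is_response and mode == 7 and req_code in (20, 42)


def _looks_like_ssdp_response(p):
    return p.startswith(b"HTTP/1.1 200 OK") and b"USN:" in p


def classify_by_payload(pkt):
    """Deep check: ignore the port, recognise the amplifier by payload shape."""
    p = pkt.payload
    if _looks_like_ssdp_response(p):
        return "SSDP"
    if _looks_like_dns_response(p):
        return "DNS"
    if _looks_like_ntp_monlist_response(p):
        return "NTP"
    return None


def classify_all(packets):
    """Return (port_verdict, payload_verdict) per packet."""
    return [(classify_by_port(pk), classify_by_payload(pk)) for pk in packets]


def rerouted_suspects(packets):
    """Packets that payload inspection flags but the port check misses."""
    return [pk for pk in packets
            if classify_by_port(pk) is None and classify_by_payload(pk) is not None]


# ---- constructed sample payloads -------------------------------------------
def _dns_response():
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def _ntp_monlist_response():
    # 0x97 = response bit set, version 2, mode 7; implementation 3; code 42.
    return bytes([0x97, 0x00, 0x03, 42, 0x00, 0x01, 0x00, 72]) + b"\x00" * 72


_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
         b"ST: upnp:rootdevice\r\nUSN: uuid:constructed-sample::upnp:rootdevice\r\n\r\n")
_TLS_LIKE = b"\x16\x03\x03\x00\x20" + b"\x00" * 32  # ordinary non-amplifier traffic

SAMPLE_PACKETS = [
    Packet("198.51.100.10", 53, 40001, _dns_response()),          # plain DNS reflection
    Packet("192.0.2.20", 41327, 40002, _dns_response()),          # DNS via UPnP rewrite
    Packet("192.0.2.21", 55123, 40003, _ntp_monlist_response()),  # NTP via UPnP rewrite
    Packet("198.51.100.11", 1900, 40004, _SSDP),                  # plain SSDP reflection
    Packet("203.0.113.5", 443, 40005, _TLS_LIKE),                 # legitimate traffic
]

if __name__ == "__main__":
    for pk, verdict in zip(SAMPLE_PACKETS, classify_all(SAMPLE_PACKETS)):
        print(f"{pk.src_ip}:{pk.src_port:<6} port={verdict[0]!s:<5} payload={verdict[1]}")
    print("missed by port check:", len(rerouted_suspects(SAMPLE_PACKETS)))
```

The port check is a dictionary lookup; the payload check has to parse each packet, which is the extra work the article describes. In this sample the two packets whose source ports were rewritten are only caught by the payload path, and the ordinary TLS-shaped packet passes both.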
It doesn’t seem fair that such mighty attacks now get to be sophisticated as well, but as avid observers of the DDoS landscape know, attacks getting worse and worse is about par for the course. We’re at the point where you can either leave dealing with these assaults to the professionals, or you can wait for the next awful attack innovation and see what you think then.