BibTex RIS Cite

A study on exploitable DRDoS amplifiers in Europe

Year 2021, Volume: 10 Issue: 2, 26 - 41, 01.06.2021

Emre Murat Ercan Ali Aydin Selçuk

Abstract

One of the best-known cyber attacks, distributed denial of service DDoS , is evolving. It has become much more malefic and effective with the use of amplification power of reflected messages. This attack is known as the distributed reflected denial of service DRDoS or the amplification attack. Attackers abuse UDP-based protocols' connectionless property for this attack and achieve an attack volume of hundreds of Gbps. The attack occurs by botnets' spoofing a victim's IP address and demanding some service from unhardened servers. Attackers generally prefer protocols that have high a "amplification factor" such as NTP and Memcached, or protocols where it is hard to differentiate legal requests from malicious ones, such as DNS. At this point, an important defensive strategy against these attacks is to harden servers not to play a role as amplifiers. In this paper, we carried out a detailed research of servers in 41 European countries and focused on three UDP-based protocols most commonly abused by attackers: DNS, NTP, and Memcached. We searched these servers by automatic regional scans and analyzed whether they have been hardened against DRDoS attacks.

Keywords

—Denial of service DRDoS attacks DNS NTP Memcached

References

  • Specht SM, Lee RB. Distributed denial of service: tax- onomies of attacks, tools, and countermeasures. In: In- ternational Conference on Parallel and Distributed Com- puting Systems (ISCA PDCS), San Francisco, CA, USA, 2004.
  • Rossow C. Amplification Hell: Revisiting Network Proto- cols for DDoS Abuse. In: Network and Distributed System Security (NDSS) Symposium, San Diego, CA, USA, 2014.
  • Bellovin SM. Security problems in the TCP/IP protocol suite. ACM SIGCOMM Computer Communication Re- view 1989, 19 (2): 32–48.
  • Kührer M, Hupperich T, Rossow C, Holz T. Exit from hell? Reducing the impact of amplification DDoS attacks. In: 23rd USENIX Security Symposium, San Diego, CA, USA, 2014.
  • Kührer M, Hupperich T, Rossow C, Holz T. Hell of a handshake: Abusing TCP for reflective amplification DDoS attacks. In: 8th USENIX Workshop on Offensive Technologies (WOOT’14), San Diego, CA, USA, 2014.
  • CERT. UDP-based amplification attacks. CERT Advisory, revised 2019. https://www.us-cert.gov/ncas/alerts/TA14- 017A. Accessed: March 4, 2021.
  • Heberlein LT, Bishop M. Attack class: address spoofing. In: 19th National Information Systems Security Confer- ence, 1996. [8]Webb A. years? International evolved in recent https://internationalsecurityjournal.com/how-have-ddos- weapons-evolved/. Accessed: March 4, 2021. 2019.
  • Ryba FJ, Orlinski M, Wahlisch M, Rossow C, Schmidt TC. Amplification and DRDoS attack defense - a survey and new perspectives. arXiv:1505.07892v3, 2016.
  • Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review 2004, 34 (2): 39–53.
  • Asosheh A, Ramezani N. A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a smart classification. WSEAS Transactions on Computers 2008, 7 (4): 281–290.
  • Osterweil E, Stavrou A, Zhangi L. 20 Years of DDoS: A call to action. arXiv:1904.02739, 2019.
  • Cloudflare. Famous DDoS attacks: The largest DDoS attacks of all time. Cloudflare Learning Center, 2020. https://www.cloudflare.com/learning/ddos/famous-ddos- attacks/. Accessed: March 4, 2021.
  • Amazon Web Services. Threat Landscape Report – Q1 2020. AWS Shield, 29 May 2020. https://aws-shield- tlr.s3.amazonaws.com/2020-Q1_AWS_Shield_TLR.pdf. Accessed: March 4, 2021.
  • Prolexic Technologies. Prolexic stops largest-ever DNS reflection DDoS attack. Prolexic Quarterly Global DDoS Attack Report Q2 2013.
  • Weinberg F. NGO Forum website launched before crucial presidential elections in Zimbabwe. HURIDOCS, 30 July 2013.
  • Prince M. The DDoS that almost broke the Internet. The Cloudflare Blog, 27 March 2013.
  • Prince M. The DDoS that knocked Spamhaus offline (and how we mitigated it). The Cloudflare Blog, 20 March 2013.
  • Takashi D. Hackers attack Dota 2 and League of Legends servers in quest for one game livestreamer. GamesBeat, 30 December 2013. CERT. [20] US Alert CERT Alerts, Attacks. cert.cisa.gov/ncas/alerts/TA13-088A. Accessed: March 4, 2021. Amplification https://us- 2013.
  • Nic.TR. 14/12/2015 Tarihinde Başlayan DDoS Saldırısı. Nic.TR Kamuoyu Duyurusu. 21 December 2015 (in Turk- ish).
  • Chacos B. DDoS attack on Dyn DNS knocks Spotify, Twitter, Github, PayPal, and more offline. PCWorld, 21 October 2016.
  • Prince M. Technical details behind a 400Gbps NTP am- plification DDoS attack. The Cloudflare Blog, 13 February 2014.
  • Kottler S. February 28th DDoS incident report. The GitHub Blog, 1 March 2018. https://github.blog/2018-03- 01-ddos-incident-report/. Accessed: March 4, 2021.
  • Z. Durumeric Z, Wustrow E, Halderman JA. ZMap: fast Internet-wide scanning and its security applications. In: 22nd USENIX Security Symposium, Washington, DC, USA, 2013.
  • MITRE. CVE-2006-0987 detail. National Vulnerability Database, 2006. https://nvd.nist.gov/vuln/detail/CVE- 2006-0987. Accessed: March 4, 2021.
  • MITRE. CVE-2006-0988 detail. National Vulnerability Database, 2006. https://nvd.nist.gov/vuln/detail/CVE- 2006-0988. Accessed: March 4, 2021.
  • MITRE. VE-2013-5211 detail. National Vulnerability Database, 2013. https://nvd.nist.gov/vuln/detail/CVE- 2013-5211. Accessed: March 4, 2021.
  • MITRE. CVE-2018-1000115 detail. National Vulnerability Database, 2018. https://nvd.nist.gov/vuln/detail/CVE- 2018-1000115. Accessed: March 4, 2021.
  • Microsoft. Use DNS policy for applying filters on DNS queries. Microsoft Documentation, 2020.
  • Team Cymru. Secure NTP template. Team Cymru Community cymru.com/secure-ntp-template.html. Accessed: March 4, 2021. 2019. https://www.team
  • Graham-Cumming J. Understanding and mitigating NTP- based DDoS attacks. The Cloudflare Blog, 9 January 2014. [33] Dormando. Disable UDP port by default. https://github.com/memcached/memcached/commit/ dbb7a8af90054bf4ef51f5814ef7ceb17d83d974. 27 February 2018. Accessed: March 4, 2021.
  • Alibaba Cloud. Harden Memcached service security. Al- ibaba Cloud Security Advisories, 8 May 2018. [35] Dormando. Memcached 1.5.6 release notes. https://github.com/Memcached/Memcached/wiki/ ReleaseNotes156. 27 February 2018. Accessed: March 4, 2021.
There are 31 citations in total.

Details

Primary Language English
Journal Section Research Article
Authors

Emre Murat Ercan This is me

Ali Aydin Selçuk This is me

Publication Date June 1, 2021
Published in Issue Year 2021 Volume: 10 Issue: 2

Cite

IEEE E. M. Ercan and A. A. Selçuk, “A study on exploitable DRDoS amplifiers in Europe”, IJISS, vol. 10, no. 2, pp. 26–41, 2021.