Cyber Security Featured Article

Reflection DDoS Attacks - You Don't Need a Bigger Botnet

September 06, 2016
By Special Guest
Stephen Gates, Chief Intelligence Analyst, NSFOCUS -

In the early days of DDoS attacks, the motivations and techniques were very different than they are today.  When the first DDoS attacks were launched in the early 2000s, attackers were primarily motivated by competitive advantage and notoriety.  Additionally, the mechanisms attackers used were quite primitive in comparison to the attacks launched today.

Their process was simple.  Attackers would build larger-and-larger botnets, made up of infected and compromised computers that fell victim to their malware campaigns. Attackers realized that in order to create as much havoc as possible, botnets of millions of computers would be required to take organizations offline.  This was primarily due to the fact that the attacker’s “targeted victims” began purchasing Internet connections (pipes) that were very large in size; for example, 10 Gbps.

Back in the day, the typical DDoS attack was a TCP SYN Flood.  Although still prevalent today, this attack method has become less effective for two reasons. Attacking someone who has 10 Gbps or greater Internet pipes using TCP SYN floods requires millions of machines - all sending a TCP SYN packet at the same time.  In addition, TCP SYN floods not only attempted to fill the pipes with nothing but bogus SYN packets, they were also very effective at taking firewalls offline, due to the limited processing power of early-day firewalls.  Today all of this has changed.

Around the year 2008, DDoS attackers began to realize that their SYN Flood campaigns were becoming less effective; taking someone offline who had multiple 10 Gbps Internet pipes required tens-of-millions of botnet-infected machines.  Most organizations began upgrading to firewalls that were capable of processing millions of SYN packets per second, with little, if any, performance degradation.   Therefore, attackers had to formulate a different approach.

Attackers still desiring to launch DDoS attacks were at a loss with how to make DDoS attacks more effective once again, while at the same time using smaller botnets.  In addition, attackers realized that the larger their botnets became, the more likely they were to draw the attention of law enforcement officials who were focused on taking the botnets and their herders offline.  Over the course of the next few years, some of the biggest botnets on record were taken offline by law enforcement.  As a result, hackers had to devise a new way of making their DDoS attacks effective once again.

Although many DDoS subject matter experts knew what was coming next, most people in the cyber security industry did not have a clue to what the new age of DDoS attackers were conceiving. The Reflection DDoS attack was born to address the issues mentioned above.  Today, this attack approach has the notoriety of launching the largest DDoS attacks on record.  The attackers’ methodology was simple to understand for most people who know how the Internet works.  The new attack method was even worthy of gaining its own name – Distributed Reflection Denial of Service (DrDoS).   However, how do these new DDoS attacks actually work?

The primary prerequisite for DrDoS attacks to work effectively requires two components: A reflection component and an amplification component.  Without these two components working together, the attacks are not much different than any other DDoS attack.   When these components work together, attackers can generate massive amounts of denial of service traffic.

In this attack scenario, attackers first scan the Internet looking for computers that will respond to a request; for example, DNS servers, NTP servers, SNMP servers, QOTD servers, etc.  The US-CERT lists a large number of protocols capable of being used in DrDoS attacks. Most often these attacks take advantage of the UDP protocol, which happens to be perfect at enabling these attacks to operate effectively.

Once attackers identify large numbers of computers that are “open” to the Internet, that provide services (using the protocols found in the list from the US-CERT), they then use a smaller botnet, instructing the botnet-infected machines to spoof their IP addresses.  The IP address the botnet machines use is the IP address of the attacker’s “intended victim.” Attackers can easily find the victim’s IP address information from the Internet within seconds.

Once attackers instruct their botnet-infected machines to spoof their IP addresses, they further instruct them to send a request to a list of open DNS servers, NTP servers, SNMP servers, etc., that they previously discovered while doing their scans of the Internet. Now, this is where things get interesting.

Attackers are very good at having their botnet infected machines craft the right request packets.  Attackers then instruct these machines to send these specially crafted requests to the aforementioned open servers, while spoofing their source IP addresses.  As a result, the servers respond to the spoofed requests sending large amounts of data back to the intended victim.  As indicated, not only is there a traffic reflection that happens due to the spoofing, there is also an amplification factor.  Specially crafted requests to these servers force them to respond with very large responses.

The Network Time Protocol (NTP) has the largest amplification factor known.  It comes in at around 557x; meaning that a small request can force a response 557 times larger in size.  Doing some simple math, for example, a request that is 50 bytes long can generate a response that is nearly 28,000 bytes long.  That is a lot of traffic that will have to be fragmented into smaller packets to traverse the Internet, since it only support packets sizes that are about 1500 bytes long in most cases.  All DrDoS attacks operate using these same principles regardless of what protocol is used.

The whole purpose of DrDoS is not to consume router, firewall, or switch capacities by sending millions of small packets, for example, TCP SYN packets.  In this case, DrDoS creates millions of very large packets that are quite effective at filling sizeable Internet pipes. This allows attackers to have much smaller botnets while still being capable of generating massive amounts of traffic, capable of taking any organization offline.

About the Author

Stephen Gates, Chief Research Analyst at NSFOCUS,  is a recognized Subject Matter Expert on DDoS attack tools and methodologies, including next-generation defense approaches. 

Edited by Alicia Young

Article comments powered by Disqus
Free Subscription