~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

Stylized illustration of a hooded figure at a laptop.reader comments

8 with 8 posters participating

Criminals are upping the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol that drastically increases the amount of junk traffic directed at targeted servers.

DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections that allow targets to withstand ever-larger torrents of traffic, the criminals respond with new ways to make the most of their limited bandwidth.

Getting amped up

In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. The intermediaries then send the targets responses that are tens, hundreds, or thousands of times bigger. The redirection works because the requests replace the IP address of the attacker with the address of the server being targeted.

Other well-known amplification vectors include the memcached database caching system with an amplification factor of an astounding 51,000, the Network Time Protocol with a factor of 58, and misconfigured DNS servers with a factor of 50.

DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data.

DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers using dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stressor services—which use commodity equipment to provide for-hire attacks—have adopted the technique. The company has identified almost 4,300 publicly reachable D/LTS servers that are susceptible to the abuse.


Article Tags:
Article Categories: