Nefariousness? Nefariety? Nefertiti?

Network World has an interesting report by Ellen Messmer on recent distributed denial of service attacks (DDoS) against some well-known gaming sites. With Messmer writing it’s almost always a good read, but her editor needs a slap on the hand for the headline “Massive denial-of-service attacks pick up steam, new nefarious techniques”. Though I admire the dedication to using the word “nefarious”, it’s probably not accurate in this case; “new” is probably a stretch too.

In principle DoS and DDoS attacks are possibly the least nefarious, least new attacks out there. The goal is to simply flood a service with requests that entirely consume some resource the service requires, thus preventing legitimate access to the service. The first level of sophistication comes in the concept of “consuming resources”; the common view of DDoS is consumption of bandwidth, but historically it is actually other resources that are consumed, such as the number of available TCP connections, or even the amount of available disk space, that ultimately is consumed.

The second level of sophistication in DoS attacks is creating a sufficient volume of traffic to actually consume all resources of the target; the days where a single machine attacking alone can accomplish this are more or less over. The first obvious approach to creating more volume is DDoS, where the distributed refers to the fact that the attacker has gained control of a number of different machines, and is using them in concert to create enough traffic to overwhelm the target service.

Basically DDoS still works (though there are mitigating strategies), but implementing is problematic because the attacker needs control of many machines. If the attacker can do this legitimately, he is probably to rich too bother with DDoS. If the attacker can do this illegitimately, she is probably too skilled to bother with DDoS. The vector usually chosen is the bot-net, where a skilled (to semi-skilled) “bot herder” compromises a large number of machines, and rents them out for use in DDoS attacks. Bot-nets can be rented by the hour, but this does put the attacker in a financial relationship with a known criminal.

For those who don’t want to risk being on a bot herder’s client list, or maybe they are just cheap, it makes sense to look for other ways to create a flood of traffic. The strategy that is talked about in the Network World article is amplification, which means exactly what every guitar player thinks it means: taking a small signal and making it bigger. Mix amplification with DDoS, and…BAM!

From a network perspective the way to achieve amplification is to identify a network service that:

  1. Allows the IP address of the requester to be spoofed,
  2. Has a reply length longer than the request length, and
  3. Is widely available on the Internet.

The first requirement pretty much forces the amplification service to not be TCP-based, since one cannot complete the TCP handshake with a spoofed IP address. But what this means is that pretty much any UDP or ICMP-based services on the Internet can be used as amplification; the only question is how good they are.

Amplification is neither new nor nefarious; smurf attacks in the late 1990s are a much earlier example. The methodology is slightly different, but the principle is the same. More directly related are DNS amplification attacks, where the attacker uses a DNS request with a spoofed IP address to generate a much larger reply to the target service. (Matthew Prince at Cloudflare has an interesting description.)

So what is new and nefarious? The attackers are using network time protocol (NTP) servers as their amplifiers. NTP meets the requirements: UDP-based, widely available, and for certain queries, a significant amplification factor. I’ll give partial credit for new, since this is a variation on a theme, but nefarious? Hardly. It’s just another move in the same game. There are plenty of open UDP services in common use: SNMP, ISAKMP, VoIP, just to name a few. How long will it be before a hacker figures out how to bomb a target service with videochats?

In no way do I mean to disparage those who are actively involved in the combat against DDoS attacks. It’s an endless, thankless job, and those folks aren’t helped when users and, worse, network managers are ignorant of and/or unwilling to fix the sorts of configuration problems that let DDoS and amplification work. Don’t be that guy, as they say.

Comments are closed.