The Evolving Threat of Amplification DDoS Attacks

Sean Leach | Jun 12, 2014

If there is one trend in the cybersecurity world over the last 12-18 months that cannot be ignored, it is the increasing prevalence and destructive power of amplification-based distributed denial of service (DDoS) attacks.

An amplification attack is a two-part DDoS attack that generally uses the User Datagram Protocol (UDP), because UDP has no handshake: a server answers a datagram without ever verifying that its source address is genuine.  An attacker first sends a large number of small requests to unsuspecting third-party servers on the Internet.  The attacker crafts these requests to result in large responses, but they are otherwise normal except that their source addresses are rewritten (spoofed) so they appear to have come from the victim instead of the attacker.  When all the third-party servers send their large responses to the victim, the resulting amount of traffic is many times what the attacker could have generated alone; the ratio of response bytes to request bytes is the amplification factor. These attacks often overwhelm the resources of the victim, as attacks in the hundreds of Gbps are possible using this method.

Two protocols heavily targeted for this technique over the last few months have been the domain name system (DNS) protocol and the network time protocol (NTP).  For example, certain DNS queries sent to an authoritative DNS server will result in responses with a 10-20x amplification factor (e.g. a 40-byte DNS question can result in a 400-byte or greater response); the queries that work best ask for every record a name has and advertise a large EDNS0 buffer so the answer is not truncated.  Attackers can either generate the attack traffic themselves or use a botnet of compromised PCs to hide their footprints, but in either case they take advantage of a huge number of "open" recursive DNS servers on the Internet that will answer any query from anyone, rather than only from their own clients.  This is a relatively easy technique that has proven successful in launching very large-scale attacks (i.e., several hundred Gbps in size).

NTP is commonly used to synchronize electronic clocks so computers around the world all agree on the time, which is critical to the functioning of electronic commerce.  NTP relies on UDP just like DNS does and is vulnerable to similar attacks.  One particularly damaging NTP attack uses the monlist command, a mode 7 control query that older versions of ntpd answer by default.  monlist returns up to the last 600 clients that an NTP server has talked to, spread over many reply packets, so a single small request draws a response with an amplification factor of 10-200x from just one NTP server.  Attacks that combine thousands of NTP servers can do incredible damage while using very little of the attacker's resources.  
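Reflected traffic has a recognisable shape on the victim side: responses arriving from the service port (53, 123, 161) of many distinct servers, all converging on one address, with packets far larger than normal use of that service produces. The following added example (not Verisign's code) runs that detection logic over a handful of constructed flow records of the kind NetFlow or a per-5-tuple packet-capture summary would yield; the addresses, sizes and thresholds are assumptions chosen to illustrate the DNS and NTP cases described above.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example for this article (not Verisign's code). The flow records are
constructed for illustration; in practice they would come from NetFlow/sFlow
or from a packet capture summarised per 5-tuple.
"""
from collections import defaultdict

# Source ports of the reflection vectors discussed in the article. A reflected
# response arrives *from* the service port, aimed at whatever destination port
# the attacker put in the spoofed request.
REFLECTION_SERVICES = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    # Reflected NTP monlist replies: several servers, source port 123,
    # 440-byte packets, all converging on one victim address and port.
    ("198.51.100.10", 123, "203.0.113.5", 4321, 100, 44000),
    ("198.51.100.11", 123, "203.0.113.5", 4321, 100, 44000),
    ("198.51.100.12", 123, "203.0.113.5", 4321, 100, 44000),
    ("198.51.100.13", 123, "203.0.113.5", 4321, 100, 44000),
    # Reflected DNS answers to the same victim: source port 53, ~2 KB each.
    ("192.0.2.53", 53, "203.0.113.5", 4321, 50, 100000),
    ("192.0.2.54", 53, "203.0.113.5", 4321, 50, 100000),
    ("192.0.2.55", 53, "203.0.113.5", 4321, 50, 100000),
    # Legitimate NTP: one server answering one client with 48-byte packets.
    ("198.51.100.10", 123, "203.0.113.9", 123, 4, 192),
    # Unrelated traffic from a non-reflection port.
    ("192.0.2.80", 443, "203.0.113.5", 51000, 200, 120000),
]


def detect_reflection(flows, min_reflectors=3, min_avg_bytes=200):
    """Group flows by (victim, service) and flag a victim that receives
    large packets from many distinct servers on one service port.

    Two signals together separate reflection from normal use of the same
    service: the number of distinct responding servers (a real client talks
    to a handful of NTP/DNS servers, a victim hears from hundreds) and the
    average packet size (a normal NTP packet is 48 bytes; a monlist reply
    fragment is about 440).
    """
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        service = REFLECTION_SERVICES.get(src_port)
        if service is None:
            continue  # not from a known reflection service port
        bucket = agg[(dst_ip, service)]
        bucket["reflectors"].add(src_ip)
        bucket["packets"] += packets
        bucket["bytes"] += nbytes

    findings = []
    for (victim, service), s in agg.items():
        avg = s["bytes"] / s["packets"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            findings.append({
                "victim": victim,
                "service": service,
                "reflectors": len(s["reflectors"]),
                "packets": s["packets"],
                "bytes": s["bytes"],
                "avg_bytes_per_packet": avg,
            })
    # Largest volume first.
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in detect_reflection(FLOWS):
        print(f"{f['victim']} <- {f['service']}: {f['reflectors']} reflectors, "
              f"{f['packets']} pkts, {f['bytes']} bytes, "
              f"{f['avg_bytes_per_packet']:.0f} B/pkt")
```

On the sample data the victim 203.0.113.5 is reported twice, once per vector, while the single-server 48-byte NTP exchange with 203.0.113.9 is not flagged. The thresholds are deliberately low for a toy data set; on a real link the reflector count per victim during an attack is in the hundreds or thousands, and the check should be run over a short time window so that a slow trickle of normal traffic does not accumulate into a false positive.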

In the first quarter of this year, Verisign DDoS Protection Services saw an 83 percent jump in average attack size over Q4 2013, which was primarily attributed to NTP-based attacks.  While DNS amplification was the most common vector in 2013 and continues to be seen, the NTP attack type is the largest attack vector seen this year. We mitigated multiple amplification attacks -- commonly ranging from 50 to 75 Gbps -- for our customers.  Directly related to the popularity of amplification attacks was the sharp decline in more complex application-layer attacks.  With so many vulnerable NTP servers and reflection vectors readily available on the Internet, attackers were able to cause maximum disruption with minimum effort on their part, ditching smarter layer-7 attacks in favor of volume-based amplification attacks (Read Verisign’s Q1 2014 DDoS Trends Report for more information.).

How to Defend Against an Amplification Attack

The only real way to defend against attacks of this size is, unsurprisingly, massive network infrastructure that is engineered to withstand very large volumes of traffic.  Unfortunately, this isn’t how most customer networks are designed, and it’s certainly cost prohibitive for an organization to keep scaling up the network to match the ever-increasing size of these attacks. It’s an unwinnable arms race; attackers will always have access to more bandwidth than you.

Leveraging a third-party cloud-based DDoS protection service like Verisign’s is likely to provide the best protection against these attacks. Our infrastructure is scaled and architected to defend against the largest-known attacks. Furthermore, we operate a fully redundant and interconnected network backbone to help ensure a massive attack doesn’t impact any one site or our ability to protect our customers.  

It is also important to have a service like Verisign’s that continually monitors network traffic for signs of an attack. When Verisign detects an attack, our DDoS Protection Services take over, offloading traffic going to the targeted site and redirecting it to the Verisign network, where it is inspected and filtered so that only non-attack traffic is sent to the target site. This allows customers to restore critical services and operations faster.

Making sure your NTP and DNS servers are not part of the problem is a critical component of a DDoS protection plan! By running a current version of ntpd (monlist is rarely needed and has been disabled by default since ntp-4.2.7p26), refusing mode 6 and mode 7 queries from arbitrary sources, and generally limiting the amount of NTP traffic allowed inbound to your network, you can help prevent an attack before it is able to start.  The same applies to DNS: recursive resolvers should answer only your own clients, and authoritative servers can rate-limit responses so that a spoofed source cannot draw an unbounded stream of large answers.  Just as important, filter outbound packets whose source address does not belong to your network (BCP 38); every reflection attack depends on some network letting spoofed packets out.  For more information on this, check out the Open Resolver Project (http://openresolverproject.org), which scans for open recursive DNS resolvers and helps operators shut them down, and the OpenNTPProject (http://openntpproject.org), which does the same for open NTP servers.
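The two checks those projects perform are simple enough to run yourself against hosts you are responsible for. The following added example (not Verisign's code, nor the ntpd or BIND projects') sends the 8-byte mode 7 monlist request to an NTP server and a recursive A query to a DNS server, then classifies the replies; the hostnames, transaction ID, query name and the sample reply bytes at the bottom are constructed so the classifiers can be exercised offline.

```python
"""Probe your own DNS and NTP servers for the two behaviours that make them
usable as reflectors: answering recursive DNS queries for anyone, and
answering the NTP mode 7 'monlist' request.

Added example for this article (not Verisign's or the NTP/BIND projects'
code). Run it only against hosts you are responsible for; the sample replies
at the bottom are constructed so the classifiers can be exercised offline.
"""
import socket
import struct
import sys

# ---- NTP: the 8-byte monlist probe used by open-NTP scanners -------------
# byte 0: response=0, more=0, version=2, mode=7   -> 0x17
# byte 1: auth=0, sequence=0
# byte 2: implementation XNTPD                    -> 3
# byte 3: request code MON_GETLIST_1              -> 42
# bytes 4-7: err/nitems and mbz/itemsize, all zero in a request
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])


def is_monlist_reply(data: bytes) -> bool:
    """A server that still serves monlist answers with a mode 7 packet whose
    response bit is set, echoes implementation and request code, has a zero
    error nibble and carries at least one item. A hardened server
    (restrict ... noquery, or 'disable monitor') sends nothing or an error."""
    if len(data) < 8:
        return False
    response_bit = bool(data[0] & 0x80)
    mode = data[0] & 0x07
    err = data[4] >> 4
    nitems = ((data[4] & 0x0F) << 8) | data[5]
    return (response_bit and mode == 7 and data[2] == 3 and data[3] == 42
            and err == 0 and nitems > 0)


# ---- DNS: a recursive query for a name the server is not authoritative for -
def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query with the RD (recursion desired) flag set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def is_open_recursive_reply(data: bytes, txid: int = 0x1234) -> bool:
    """An open resolver answers with QR=1, RA=1 and RCODE NOERROR. A resolver
    that refuses recursion to outsiders clears RA and returns REFUSED."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    qr, ra, rcode = flags & 0x8000, flags & 0x0080, flags & 0x000F
    return rid == txid and bool(qr) and bool(ra) and rcode == 0


def udp_exchange(host: str, port: int, payload: bytes, timeout: float = 2.0) -> bytes:
    """Send one datagram and return the first reply (empty bytes on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return b""
    return data


# Constructed replies for offline checks (not captured from real servers).
SAMPLE_MONLIST_REPLY = (bytes([0x97, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48])
                        + b"\x00" * (6 * 72))   # 6 items of 72 bytes each
SAMPLE_OPEN_DNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR RD RA, NOERROR
SAMPLE_REFUSED_DNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) # QR RD, REFUSED

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: a host you own
    ntp = udp_exchange(host, 123, MONLIST_REQUEST)
    print(f"{host}: NTP monlist {'ANSWERED' if is_monlist_reply(ntp) else 'not served'}")
    dns = udp_exchange(host, 53, build_dns_query("example.com"))
    print(f"{host}: DNS recursion {'OPEN' if is_open_recursive_reply(dns) else 'closed'}")
```

Run the probe from outside your own address space: a resolver that correctly serves only its own clients will legitimately answer "OPEN" when asked from inside. If the NTP probe is answered, the ntpd fixes are `restrict default kod nomodify notrap nopeer noquery` (with a matching IPv6 line) or `disable monitor`; for BIND, restrict recursion with `allow-recursion { localnets; };` and enable response rate limiting on authoritative servers.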

Amplification Attacks – What’s Next?

Just like complex layer-7 attacks, amplification attacks are here to stay.  There are far too many DNS and NTP servers on the Internet that have either already been used, or are vulnerable and waiting to be used, in DDoS attacks. Even as awareness increases and organizations begin to lock down these systems, there are plenty of other protocols that can be exploited to replace them.  One example is the simple network management protocol (SNMP), a common UDP protocol used for network management. Many network devices ship with SNMP enabled by default, often with a well-known community string, and a small GetBulk request to an SNMP agent returns a response many times larger than the query that came in. Sound familiar?  The list goes on.

Is there a limit to the size of these amplification attacks?  I have seen one source speculate that a 1-Tbps attack is likely (that’s one terabit per second).  While I don’t doubt such an attack is possible, at some point the attackers become victims of their own success, generating so much traffic that links are congested close to the source before the attack traffic can even reach the intended victim.  When this happens, the provider hosting the third-party DNS or NTP servers isn't able to get all the attack traffic from their network to the victim network because the provider's links are too small. However, to keep up with the soaring demand of high-bandwidth applications, like online video, network operators are upgrading their network capacity at tremendous rates – this will remove that bottleneck and allow these DDoS attacks to get bigger and bigger.

So while there’s no sure way of predicting the next DDoS vector, the amplification technique is sure to remain popular with attackers for the foreseeable future. As a result, Verisign expects the size of attacks to continue rising.

For more information about DDoS trends, read our Q1 2014 DDoS Trends report or join me and Forrester Principal Analyst Rick Holland for a webinar on June 19 at 1pm ET titled Is Your Infrastructure Capable of Handling a Multi-Vector Attack?