In recent months, we have seen an onslaught of Amplified DDoS attacks that leverage existing Internet technology to amplify the power and ultimate impact of the attack. The basic idea behind amplified DDoS is:

1. Widespread vulnerability
2. Spoof the target

This technique is certainly not new. Historically, amplification has been used extensively in DDoS attacks.  What is new, however, is that these attacks are now affecting more people worldwide than ever before. Coupled with the widespread adoption of the Internet we’ve seen in the past few years, this is a devastating combination.  That’s why the mitigation of DDoS attacks is so important to address.

First Known Amplified DDoS Attack: Smurf

One of the first known Amplified DDoS attacks was Smurf written by TFreak in 1997. This attack was wildly popular. The attacker would spoof ICMP packets to originate from the target’s destination address and send these to a network broadcast address. Network devices would by default respond to this broadcast request and in turn respond to the spoofed source address. If the network contained sufficient systems that would reply to these packets, the victim network would be flooded with an onslaught of ICMP packets.

This attack mechanism was ultimately rendered ineffective via three changes:

1. Routers were configured to not forward packets to the broadcast address.
2. Systems were configured not to respond to broadcast requests, or even to reply to ICMP at all.
3. Networks installed ingress and egress ICMP filters or policers.

An example of a Cisco directive to resolve this issue:

Cisco(conf-if)# no ip directed-broadcast

Another Historic Amplified DDoS Attack: Bang!

This attack is less widely known around the world currently. Bang was a relatively obscure attack written by Sorcerer. This Amplified DDoS attack is capable of amplifying TCP by about 2-3x. In a TCP bang attack, the attacker spoofs the victim’s target IP as usual, and sends a TCP SYN (new connection) to any number of public systems with open TCP ports. The system would then reply with 2 to 3 TCP SYN-ACK packets to the intended target.

The interesting thing about this attack is that it is relatively easy to launch, requires no vulnerabilities in target hosts, and can leverage literally any open TCP service. To stop this attack, the target systems would have to employ intelligent stateful firewalls that do not permit repetitive connections in quick succession. However, because this attack can leverage any open system, the attack does not really need to reuse the same amplifier multiple times in quick succession.

This attack is a little less effective than most protocol attacks because it does not exhaust new connection resources on systems. What it can do, however, is occupy a target host’s single core via IRQ exhaustion. On host systems, when a new packet arrives into the network card, the kernel generates an interrupt request (IRQ) which then places the packet into the network stack. By default, this process is performed in the first core on the system. Therefore, if one core is exhausted, the systems can no longer process new incoming packets.

The source code to this can be found on http://www.exploit-db.com/exploits/343/. A quick review of the code shows that it is very simple, which is why it’s such an elegant attack. Kudos to Sorcerer.

Modern Amplification: NTP / DNS

These amplified DDoS attacks leverage vulnerabilities in DNS and NTP to dramatically amplify attacks. Because most UDP is stateless, this makes the attack very easy to launch. DNS and NTP amplification can reach hundreds of gigabits per second.

Amplification: WordPress

WordPress is great. It’s used by so many people around the world, including us! It’s fast, easy to setup, and wildly customizable. Its popularity makes it a phenomenal platform for amplified DDoS, so long as a vulnerability is found. Since WordPress is open source, finding a vulnerability becomes easier.

Unfortunately, a vulnerability was found in WordPress that makes this possible. The vulnerability is in xmlrpc.php, used for Pingback, a feature that is on by default in WordPress.

This particular exploit was reported to have recently been used so effectively that 162,000 WordPress sites were used to launch a synchronous DDoS attack.  The particular attack can be launched with a simple script (readily available, sorry to say):

$ curl -D – “site.com/xmlrpc.php” -d
‘<methodCall><methodName>pingback.ping</methodName>
<params>
<param>
<value>
<string>http://targethost.com</string>
</value>
</param>
<param>
<value>
<string>site.com/content </string>
</value>
</param>
</params>
</methodCall>’

The elegance of this attack is also in its simplicity. A single system can generate many requests per second to a target IP. This generates an effective layer 7 flood to the destination, amplified to incorporate the source addresses of many individual systems.

 Are We Done Yet?

Probably not! The Internet is growing rapidly. IPv6 promises every system will be online and not behind NAT, making direct access easier. One of Cisco’s new marketing taglines is “The Internet of Things”. As more devices (phones and tablets especially) and software stacks go online, we’ll see new attacks developed from the shadows of obscurity.