How you can protect against amplification attacks


After the biggest NTP DDoS attack on record, measuring 400Gbps, F5 Networks’ Joakim Sunberg tackles the tricky subject of amplification attacks.

On Feb 10, 2013, news broke of the largest DDoS attack in the history of the internet: a stunning 400Gbps aimed at CloudFlare’s servers, 100Gbps more than last year’s Spamhaus attack. Failing to prepare and take action makes it very easy for attackers to find targets, and it should not be this way.

The latest attack hit one of CloudFlare’s customers and abused one of the oldest protocols on the internet, the network time protocol (NTP), which synchronises clocks between computers on a network. The Spamhaus attack that made headlines last year relied on open DNS servers to generate its massive stream of traffic. Both are amplification attacks.

In each attack the source IP address was spoofed, so that the DNS or NTP requests caused millions of response packets to be redirected at the target. It is quite a direct attack vector, but the amplification effect means that only a small effort is needed to start an enormous flood of data, without even considering an expensive botnet.

The fact is that amplification attacks are becoming easier to perform. Tools such as DNS Flooder give would-be attackers a step-by-step guide to launching attacks using a pre-defined list of known open DNS servers, and extending such toolkits to other attack vectors like NTP is hardly an impossible mission for cyber criminals.

With a coordinated approach, these attacks are not difficult to defend against. For instance, after last year’s Spamhaus attack, systems and network administrators were repeatedly reminded to look at other connectionless protocols that could be used for amplification-type attacks. Protocols such as CHARGEN, SNMP and NTP are on this list, and reviewing where such systems need to be locked down should be part of any business’s security checks.

NTP attacks can be mitigated either by updating the NTP code or by a small, easy change to the NTP configuration that stops anonymous hosts from using the “monlist” command.

The monlist command gives would-be attackers a large traffic-amplification opportunity: for every NTP monlist request, the NTP server replies (to the spoofed, target IP) with a list of 600 hosts that have connected to the NTP server. That is, an NTP server with 600 logged addresses gives an attacker an amplification factor of 206 times, a huge reward for minimal investment. Blocking external monlist requests therefore kills this attack vector in its tracks.
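The configuration change above comes down to two ntpd directives: a `restrict default` line carrying `noquery` (which refuses mode 6/7 control queries such as monlist from that address class) and `disable monitor` (which switches off the facility that keeps the host list in the first place). The following audit script is an added example, not code from the article or from F5; the two ntp.conf samples it checks are constructed for the example, one in the open default style and one hardened.

```python
# Audit an ntp.conf for the settings that leave the mode 7 "monlist" query
# answerable by any source address. Both sample configs below are constructed
# for this example, not taken from a real server.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.pool.ntp.org iburst
# noquery refuses mode 6/7 control queries (monlist included) from this class
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# belt and braces: with the monitor facility off there is no host list to leak
disable monitor
"""

BLOCKING = {"noquery", "ignore"}  # either flag stops monlist for that class


def parse_ntp_conf(text):
    """Return ([flag set of each 'restrict default' line], {disabled facilities})."""
    default_lines, disabled = [], set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not words:
            continue
        if words[0] == "restrict" and "default" in words[1:3]:  # allows -4/-6
            default_lines.append(set(words[words.index("default") + 1:]))
        elif words[0] == "disable":
            disabled.update(words[1:])
    return default_lines, disabled


def monlist_reachable(text):
    """True if an unauthenticated remote host could still get a monlist reply."""
    default_lines, disabled = parse_ntp_conf(text)
    if "monitor" in disabled:
        return False
    # No default restriction means full access; each address family has its
    # own default line, so a single open line is enough to expose the server.
    return not default_lines or any(not (f & BLOCKING) for f in default_lines)


def audit(text):
    """List the configuration problems a defender should fix, [] if clean."""
    findings, (default_lines, disabled) = [], parse_ntp_conf(text)
    if not default_lines:
        findings.append("no 'restrict default' line: every host gets full access")
    elif any(not (f & BLOCKING) for f in default_lines):
        findings.append("'restrict default' lacks noquery: monlist answered for any source")
    if "monitor" not in disabled:
        findings.append("monitor facility on: add 'disable monitor' or run a release without monlist")
    return findings
```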

Systems on the receiving end of this kind of attack are hard to protect. Businesses should use on-premise intelligence, such as security-aware Application Delivery Controllers, that lets them inspect suspect NTP traffic before deciding whether or not to pass the NTP response on to the destination server. Still, this does not clear a pipe that is already carrying many Gbps of NTP response traffic.

The attack on CloudFlare shows that ISPs need to cooperate so that this traffic is dealt with as far up the pipe as possible.

The best approach to mitigation is a flexible, multi-layered defence in which businesses play their part and work together. Each business should have a detailed playbook for what to do in the event of an attack, tied to the intelligent and flexible on- and off-premise tools in its security kit.

