LAS VEGAS -- New research presented at Black Hat 2016 revealed adversaries are shifting strategies for DDoS DNS amplification attacks and also found new fraudulent services are being offered to those seeking to launch DDoS attacks.
Elliott Peterson, an FBI special agent with the Anchorage field office, and Andre Correa, co-founder for Malware Patrol, the malware and ransomware threat data provider based in São Paulo, Brazil, set up a number of honeypots in various regions around the world starting in November 2014 to gather data from DDoS attacks, including timestamps, source and destination IP addresses, ports attacked and attack type. The honeypots have gathered more than eight million records so far in 2016.
According to the data, port 123, the well-known port used by Network Time Protocol (NTP) servers, is no longer the most abused UDP port in amplification attacks. Peterson posited that this change could be due to many NTP servers having been patched after earlier research identified them as an important tool in amplification attacks.
Peterson said NTP servers had been popular vectors for DDoS attacks because they offered very high amplification rates, meaning one packet sent to an NTP server could elicit as many as 500 in return, a rate that is still among the highest possible in an amplification attack. However, Peterson said adversaries have begun to target amplification techniques that offer only around a 30-to-one return.
This has made port 1900, used by the Simple Service Discovery Protocol (SSDP), the most abused UDP port; SSDP yields an amplification factor of 31-to-one. The focus on this lower amplification factor was attributed to the types of tools used in attacks.
The investigation found booters and stressers to be very popular tools offering quick and easy access to would-be attackers who might not have the technical skills to launch an attack themselves. Correa said these services can be rented for as little as $5 to $20 per month and many offer very easy payments via PayPal or other web services.
Peterson said booters and stressers often have very short lifetimes, so they rarely last longer than a few months. He said the longest-lasting services tended to place their own front ends behind enterprise DDoS protection, because booters and stressers are themselves major targets for DDoS attacks.
"They will frequently attack each other's services as if to show that theirs is the better service and then we see them bragging about these activities online," Peterson said.
Peterson said the higher amplification factors and DDoS size often get the headlines, but are not representative of the trend they saw in attacks.
"The botnets can be used kind of surgically but usually those are longer running attacks, more powerful attacks," Peterson said. "So, if you're seeing a lot of short-running attacks, that could very well be a booting service. We haven't really seen those get above about 30 [gigabytes per second]."
Peterson admitted their research might have seen more attacks in the 40 to 50 Gbps range if they had studied the "premium market," but also said the highly publicized mega DDoS attacks are probably less common than people think.
"While we do see 200 to 300 Gbps attacks, and also some of our partners that do DDoS enterprise mitigation do see those size of attacks, they're a lot more uncommon than people think and they often seem to be attributed to botnets, Linux-based botnets, things that have a lot more throughput than what we've seen," Peterson said. "But I think there's a lot of questions in terms of how those are really measured and if the measurements are often accurate."
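The talk's two yardsticks, the amplification factor of a reflector port and the short-versus-long duration heuristic for telling a booter burst from a botnet campaign, are easy to apply to honeypot data of the kind described above (timestamps, victim addresses, destination ports). The following script is an added example and not code from the talk or from Malware Patrol; the records are constructed, the amplification factor is computed from bytes (response size over request size) whereas Peterson's 500x figure is stated in packets, and the 30-minute cutoff for "short-running" is an assumption chosen for the illustration.

```python
"""Summarise constructed reflection-honeypot records: most abused UDP port,
per-port bandwidth amplification factor, and campaign duration labelling."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample observations (not real honeypot data). Each tuple is
# (timestamp, victim_ip, dst_port, request_bytes, response_bytes).
# A reflection honeypot plays the reflector: it receives a request whose
# spoofed source is the victim and records the reply it would have sent there.
RECORDS = [
    ("2016-07-01T10:00:00", "203.0.113.7", 1900, 90, 2790),   # SSDP, ~31x
    ("2016-07-01T10:00:05", "203.0.113.7", 1900, 90, 2790),
    ("2016-07-01T10:02:00", "203.0.113.7", 1900, 90, 2790),
    ("2016-07-01T10:03:00", "203.0.113.7", 1900, 90, 2790),
    ("2016-07-01T11:00:00", "198.51.100.2", 123, 60, 30000),  # NTP, ~500x
    ("2016-07-01T14:00:00", "198.51.100.2", 123, 60, 30000),
    ("2016-07-01T23:00:00", "198.51.100.2", 123, 60, 30000),
    ("2016-07-02T08:00:00", "192.0.2.9", 1900, 90, 2790),
    ("2016-07-02T08:01:00", "192.0.2.9", 1900, 90, 2790),
]


def parse(records):
    """Yield records with the ISO-8601 timestamp converted to a datetime."""
    for ts, victim, port, req, resp in records:
        yield datetime.fromisoformat(ts), victim, port, req, resp


def most_abused_port(records):
    """Destination port that appears in the most reflection requests."""
    counts = Counter(port for _, _, port, _, _ in parse(records))
    return counts.most_common(1)[0][0]


def amplification_factor(records):
    """Bandwidth amplification factor per port: total response bytes over
    total request bytes (the byte-based definition, not a packet count)."""
    totals = defaultdict(lambda: [0, 0])
    for _, _, port, req, resp in parse(records):
        totals[port][0] += req
        totals[port][1] += resp
    return {port: resp / req for port, (req, resp) in totals.items()}


def classify_campaigns(records, short_minutes=30):
    """Group observations by (victim, port), measure the time span of each
    group and label it with Peterson's heuristic: short bursts look like a
    rented booter, long runs look like a botnet. The 30-minute cutoff is an
    assumption for this example, not a figure from the talk."""
    spans = {}
    for ts, victim, port, _, _ in parse(records):
        key = (victim, port)
        first, last = spans.get(key, (ts, ts))
        spans[key] = (min(first, ts), max(last, ts))
    result = []
    for (victim, port), (first, last) in spans.items():
        minutes = (last - first).total_seconds() / 60
        if minutes < short_minutes:
            label = "short-running (booter-like)"
        else:
            label = "long-running (botnet-like)"
        result.append((victim, port, minutes, label))
    return result


if __name__ == "__main__":
    print("most abused port:", most_abused_port(RECORDS))
    for port, baf in sorted(amplification_factor(RECORDS).items()):
        print(f"port {port}: amplification {baf:.0f}x")
    for victim, port, minutes, label in classify_campaigns(RECORDS):
        print(f"{victim}:{port} spanned {minutes:.0f} min -> {label}")
```

On real honeypot exports the same three functions apply unchanged; the only operational choice is the duration cutoff, which a defender should tune against campaigns whose origin is already known.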
Peterson said, as usual, there is no honor among thieves. Their investigation found many fraudulent booter services that would take money from customers but never launch the DDoS attacks requested. Because of this, there has been a rise in so-called "turnkey DDoS-as-a-service," which is much more expensive to purchase but also offers "excellent customer service."
Peterson said there are a few different ways enterprises could help mitigate DDoS attacks, including deploying DDoS sensors.
"The idea now with sensors is that you're actually seeing the attack as they run. The sensors can be really valuable and the generally accepted threshold for sensors is about 20 distributed DDoS sensor [which] will get you better than 80 or 90% visibility," Peterson said. "We think you should look at social media. We think you should pay attention to what's going on at work, whether employees are gaming can cause problems. You may be inadvertently participating in this mess by having servers misconfigured."