14/03/2023
Turning one dollar into thousands is terrific. But unfortunately, turning one network packet into thousands can lead to serious trouble.
How Does It Work?
One of the most challenging network attacks to protecting your network is a Denial-of-Service attack or, more accurately today, a Distributed Denial-of-Service (DDoS) attack. The idea is that an attacker compromises many machines and creates what is often called a botnet. These machines will perform some attack on a specified host, generally at a specified time. Attackers without their own botnets can access those created by others for some payment.
The computers comprising the botnets have been compromised by some malware and listen over the internet for instructions to perform attacks. The compromised computers are sometimes called zombies, and sometimes they are called bots. The instructions can come in many forms, and that's a story for a different post.
The way many of these attacks works is simple. First, the bot sends messages to a site called an amplifier that then sends much larger messages (hence the term amplifier) to a victim network. This is possible because the messages the bots send are crafted to tell the receiving host to reply to the victim. The term for this is address spoofing. In other words, the bot lies about who is sending the message.
The issue is further complicated by the protocols used in the attack. In the past, protocols such as DNS (the Domain Name System that lets us use a name such as learningtree.com instead of the numbers 19.85.219.100) or NTP (the Network Time Protocol used to synchronize computer clocks around the world) were common. These have two characteristics: sending a small packet elicits a large response, and the server cannot verify the client. These servers often send 50 to 60 times more data to the (spoofed) sender than they received from the initial request. If the attacker sends one packet to the bot, and that bot sends hundreds of packets to amplifiers, the victim can receive large amounts of data. With hundreds or thousands of bots, the victim will be inundated with data.
More recently, attackers are telling the bots to send packets to a different kind of amplifier. These amplifiers are called memcached servers. They store data on a network so that users of that network can retrieve it faster. The problem is that they can be used as amplifiers that send tens of thousands of times more data in a response that was sent in the request, making them very efficient amplifiers. Such an amplifier can completely shut down the inbound traffic for a large company!
In all of these cases, the issue is that the amplifiers are configured to accept requests from anyone instead of being configured only to accept requests from the networks they are intended to serve. Indeed, memcached servers should be behind an organization's firewall.
Good News
There is some good news. In December 2018, the FBI seized multiple sites that reportedly acted as DDoS for hire sites. That is a valuable start. However, it is still incumbent on DNS, NTP, and memcached server managers to properly secure them to prevent their use as amplifiers. How to do that is beyond the scope of this post, but the key is using current software versions and configuring them properly.
The basic ideas behind DDoS are simple, and the ways to prevent amplification are well-documented. As more sites are secured, this threat can be diminished.
To your safe computing,
John McDermott
This piece was originally posted Feb 12, 2019 and has been refreshed with updated styling and links.