Blog Stéphane Bortzmeyer : Attaques par amplification : TCP aussi

/amplification-tcp.html

    • TCP Handshake Amplification

      DDoS amplification attacks currently typically use UDP-based protocols with spoofed source IPs. The reason being that there is no 3-way handshake in UDP.

      However, it turns out there are TCP-based protocols are also vulnerable to amplification attacks. Better even, the handshake itself can be abused for amplification.

      Authors of the 2014 research mentioned in Stéphane’s article (and below) have identified 4.8 million devices vulnerable to an average TCP-based amplification factor of 112x. Of those, they identified thousands of hosts that can be abused for an amplification of almost 80.000x.

      They identified that there are hosts responding to a SYN with an excessive amount of RST packets, and others that transmit actual payload data via PSH packets – even before the three-way handshake has been completed.

      From the point of view of an attacker, the number of amplifiers is important to scale up the overall attack bandwidth.
      Compared to UDP-based amplification attacks, the fact that there are much more amplifiers makes this form still the most attractive.
      An attacker has to scan many more IPv4 hosts in order to find a large enough number of TCP-based amplifiers.

      Why would TCP-based amplifiers be interesting?
      • They could be interesting to attackers who have little bandwidth available and who want to amplify as much as possible.
      • Also, TCP traffic is considerably harder to filter at the network edges than UDP-based protocols. It is not easy to make a difference between legitimate and malicious TCP traffic without appliances that keep trace of and inspect the states of TCP connections.
      • Another reason why TCP-based is more complicated is that TCP-based amplification traffic does not carry payload that can be inspected for validity.

      The paper:
      Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks
      (Marc Kuhrer, Thomas Hupperich, Christian Rossow, Thorsten Holz)

      http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf

      SYN/ACK: The majority of amplifiers cause amplification by repeatedly retransmitting SYN/ACK packets upon our SYN segments. This attack type amplifies traffic up to 80x on average, and for SIP even up to 1,596x.

      PSH: The number of amplifiers that transmit payload data via PSH (without a completed handshake) is low for most protocols. Nevertheless, the amplification factor is higher compared to the SYN/ACK amplifiers.

      RST: The by far highest amplification is observed for hosts that transmit a tremendous number of RST segments. As such, an attacker could abuse the 4,242 vulnerable Telnet hosts to achieve an average amplification rate of 79,625x. Compared to SYN/ACK, the RST amplifiers of most protocols also have a much higher traf- fic volume—even though the number of hosts is significantly lower. That is, the 8,863 SYN/ACK amplifiers of NetBIOS transmitted about 25 MB of traffic, while the RST amplifiers caused traffic of more than 12 GB. Similarly, even though we observed most of the FTP ampli- fiers sending SYN/ACK packets (causing a total of 3.2 GB of traffic), the RST amplifiers transferred 15.1 GB of traf- fic in the same amount of time, a multitude of factor 5x.

      #DDoS