#drdos

600,000 TFTP Servers Can Be Abused for Reflection DDoS Attacks

▻http://news.softpedia.com/news/600-000-tftp-servers-can-be-abused-for-reflection-ddos-attacks-50156

A new study has revealed that improperly configured TFTP servers can be easily abused to carry out reflection DDoS attacks that can sometimes have an amplification factor of 60, one of the highest such values.

The study:

Evaluation of TFTP DDoS Amplification Attack

▻http://researchrepository.napier.ac.uk/8746
This work outlines an evaluation tool and evaluates an amplification attack based on the Trivial File Transfer Proto-col (TFTP). This attack could have amplification factor of approximately 60, which rates highly alongside other researched amplification attacks. This could be a substantial issue globally, due to the fact this protocol is used in approximately 599,600 publicly open TFTP servers. Mitigation methods to this threat have also been consid-ered and a variety of countermeasures are proposed. Effects of this attack on both amplifier and target were analysed based on the proposed metrics. While it has been reported that the breaching of TFTP would be possible (Schultz, 2013), this paper provides a complete methodology for the setup of the attack, and its verification.

There is a guy who went the effort to test it all out (Google Translate necessary...)
Here is his technical description
▻http://drops.wooyun.org/tips/14020
▻https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fti

#DDoS #DRDoS
#TFTP

A New DDoS Reflection Attack: Portmapper (TCP/UDP 111)

Portmapper is a mechanism to which Remote Procedure Call (RPC) services register in order to allow for calls to be made to the Internet.
When a client is looking to find the appropriate service, the Portmapper is queried to assist. The response size varies wildly depending on which RPC services are operating on the host.

▻http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industr

It already has been used in a number of attacks, with the largest impact to organizations taking place August 10 through 12. These attacks targeted only a subset of verticals, primarily focused on gaming, hosting and Internet infrastructure

[...]

On the high end of the spectrum, we have seen responses as large as 1930 bytes for an amplification of 28.4x.

[...]

We recommend disabling Portmapper along with NFS, NIS and all other RPC services across the open Internet as a primary option. In situations where the services must remain live, firewalling which IP addresses can reach said services and, subsequently, switching to TCP-only are mitigations to avoid becoming an unknowing participant in DDoS attacks in the future.

#DDoS #DRDoS

Torrent clients and BitTorrent Sync can be leveraged for DrDoS attacks

http://cdn.arstechnica.net/wp-content/uploads/2015/08/bittorrent-drdos-attack.png

▻https://www.usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent

In this paper, we demonstrate that the BitTorrent protocol family is vulnerable to distributed reflective denial-of-service (DRDoS) attacks. Specifically, we show that an attacker can exploit BitTorrent protocols (Micro Transport Protocol (uTP), Distributed Hash Table (DHT), Message Stream Encryption (MSE))and BitTorrent Sync (BTSync) to reflect and amplify traffic from peers.

We validate the efficiency, robustness and evadability of the exposed BitTorrent vulnerabilities in a P2P lab testbed. We further substantiate the lab results by crawling more than 2.1 million IP addresses over Mainline DHT (MLDHT) and analyzing more than 10,000 BitTorrent handshakes. Our experiments reveal that an attacker is able to exploit BitTorrent peers to amplify the traffic up to a factor of 50 times and in case of BTSync up to 120 times.

Additionally, we observe that the most popular BitTorrent clients are the most vulnerable ones. (uTorrent, Mainline Vuze)

[...]

We showed that anattack is quite difficult to circumvent, as the found vulnerabilities can only be defended with a DPI firewall. In case of a MSE handshake, it is even harder to detect the attack, since the packet contains a high entropy payload with a public key and random data.

The paper:

▻https://www.usenix.org/system/files/conference/woot15/woot15-paper-adamsky.pdf

▻https://torrentfreak.com/bittorrent-can-be-exploited-for-dos-attacks-research-warns

BitTorrent Inc has been notified about the vulnerabilities and patched some in a recent beta release. For now, however, uTorrent is still vulnerable to a DHT attack. Vuze was contacted as well but has yet to release an update according to the researcher.

Arstechnica also wrote about it:

▻http://arstechnica.com/security/2015/08/how-bittorrent-could-let-lone-ddos-attackers-bring-down-big-sites

En Français :

▻http://actualite.housseniawriting.com/technologie/2015/08/16/les-attaques-drdos-peuvent-se-propager-via-les-clients-bittorrent/7227

#DDoS #DrDoS

New DRDoS (Distributed Reflection Denial-of-Service) based on NTP, similar to the previous DNS open resolver based DDoS in 2013

The mechanism is to spoof UDP port 123 packets with a REQ_MON_GETLIST request, which will return the last 600 clients with NTP requests and hence the significant BAF - Bandwidth Amplification Factor. NTP is reflection-vulnerable as it does not validate the source IP of the sender.

Affected are all versions of ntpd prior to 4.2.7p26;
this last version has disabled support for MON_GETLIST

How to test if you are vunerable ?
ntpq -c rv
ntpdc -c sysinfo
ntpdc -n -c monlist

If the last command returns nothing then you’re OK.
If it returns a whole list of hostnames and IP addresses, then you know what time it is…

Solutions :
(1)
Download version 4.2.7p26 or later: ▻http://www.ntp.org/downloads.html
(2)
Disable queries: if update is not possible in your environment then a workaround is to disable status queries by adding to /etc/ntp.conf:
For IPv4 : restrict default kod nomodify notrap nopeer noquery
For IPv6: restrict -6 default kod nomodify notrap nopeer noquery
(restart ntpd after the change)
(3)
Allow status queries but disable “ntpdc –c monlist” via “disable monitor”

Either approach is a good idea because
(a) you protect your network from unwanted reconnaissance, as monlist is included in network tools such as NMAP or metasploit
(b) you avoid participating in DRDoS attacks and probably also suffering from it.

Official Security Reports :
NIST reference of the vulnerability
▻http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
CERT vulnerability notice
▻http://www.kb.cert.org/vuls/id/348126

Other reports on this NTP DRDoS :
very good : "Understanding and mitigating NTP-based DDoS attacks" - ▻http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

"New DoS attacks taking down game sites deliver crippling 100Gbps floods" ▻http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-flood

"Les attaques DDoS sur l’industrie du jeu mettent en lumière les faiblesses de sécurité du NTP" ▻http://www.pcworld.fr/jeux-video/actualites,attaques-ddos-steam-origin-league-leagends-planetside-guild-wars-

▻http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project

Documentation :
"Hardening Cisco Routers - Chapter 10: NTP" - ▻http://oreilly.com/catalog/hardcisco/chapter/ch10.html

"Network Time Protocol (NTP): Overview and Configuration" - ▻http://e2epi.internet2.edu/npw/a2/ntp.pdf

▻http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

How NTP works :
▻http://www.eecis.udel.edu/~mills/ntp/html/warp.html
▻http://www.ntp.org

NTP RFCs :
– "RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification" ▻http://www.ietf.org/rfc/rfc5905.txt

– Ou la version Bortzmeyer, excellente dans son ample élaboration comme d’habitude : ►http://www.bortzmeyer.org/5905.html

– "RFC 5906: Network Time Protocol Version 4: Autokey Specification" ▻http://www.ietf.org/rfc/rfc5906.txt

– "RFC 5907: Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)" ▻http://www.ietf.org/rfc/rfc5907.txt

– "RFC 5908: Network Time Protocol (NTP) Server Option for DHCPv6" ▻http://www.ietf.org/rfc/rfc5908.txt

#DRDoS
#DDoS
#BAF
#denial-of-service
#NTP
#reflection
#NMAP
#metasploit
#security
#vulnerability