In the constantly evolving threat landscape attackers are always finding new ways to target their victims. In the last few years we have seen a steady growth in Distributed Reflective Denial of Service attacks, DrDoS. These attacks rely on misconfigured public servers and these public servers can provide an attacker with the amplification in bandwidth needed to take down their targeted site.
More recently, attackers have been exploring different UDP protocols to generate large volumetric attacks in a different way. And just last month, the Radware Emergency Response Team (ERT) saw the rise of a new UDP based reflection attack utilizing the RPC Portmapper service.
Portmapper, also known as portmap and RPCbind, can be used to generate a 7-28 times amplification in bandwidth. Portmapper runs on TCP or UDP port 111 and it is a service that is used to direct clients to the proper port number so they can communicate with the requested RPC service. Attackers are using the UDP protocol to launch these volumetric attacks because UDP is a connection-less protocol that does not validate the source IP address. This allows attackers to send packets with a spoofed IP address resulting in the bandwidth amplification. In the event of a reflection attack, the packet sent back to the spoofed IP address is many times larger than the size of the original packet. This amplification can quickly overwhelm the targeted system.
A way to measure the amplification is to use the Bandwidth Amplification Factor (BAF). The BAF is a measurement that compares the bytes of the payload sent versus the payload received. This comparison determines the size of the amplification. The RPC portmap attack does not provide the same amplification that CharGEN or NTP does but it highlights a growing trend in leveraging misconfigured servers for amplification.
DrDoS attacks are hard to filter due to the fact that the requests are coming from legitimate services. Radware mitigates SSDP, NTP and DNS attacks daily with much larger amplification rates then what we see with this new RPC reflection attack. In the case of the RPC reflection attack there is nothing to patch. Network operators can watch for anomalous activity and run network ingress filters. It is also recommended that you disable RPC services if not in use. If the service is required, filter the TCP/UDP ports of the RPC service by using a firewall and limiting external access.
Access control lists (ACLs) should be used as the most reliable and efficient solution for protecting the most important assets in your organization. ACLs can analyze the patterns and create signatures based on the attack insuring that legitimate users are not blocked. A properly tuned behavior-based Denial of Service protection, BDOS, system with the correct footprint strictness will identify the anomaly and create a signature for the attack automatically.
This is just the beginning due to many other UDP services that have not been explored for the possibility of amplification. UDP amplification attacks are not going away any time soon due to the lack of complexity required to perform these attack.
To Learn More About Other Points of Failure in DDoS Attacks, Download the 2015 Global Application & Network Security Report by the Radware ERT
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.