Year: 2021 | Volume: 10 | Issue: 2 | Pages: 26-41 | Language: English | Indexed: 22-06-2022

A Study on Exploitable DRDoS Amplifiers in Europe

Abstract:
One of the best-known cyber attacks, distributed denial of service (DDoS), is evolving. It has become far more harmful and effective through the amplification power of reflected messages. This variant is known as distributed reflected denial of service (DRDoS), or the amplification attack. Attackers abuse the connectionless property of UDP-based protocols and achieve attack volumes of hundreds of Gbps. The attack is carried out by botnets that spoof the victim's IP address and request some service from unhardened servers, which then direct their (larger) responses at the victim. Attackers generally prefer protocols with a high "amplification factor", such as NTP and Memcached, or protocols where legitimate requests are hard to distinguish from malicious ones, such as DNS. Accordingly, an important defensive strategy against these attacks is to harden servers so that they cannot serve as amplifiers. In this paper, we carried out a detailed survey of servers in 41 European countries, focusing on the three UDP-based protocols most commonly abused by attackers: DNS, NTP, and Memcached. We located these servers through automated regional scans and analyzed whether they have been hardened against DRDoS attacks.
Keywords:

Document Type: Article | Article Type: Research Article | Access Type: Open Access
Cite as:
APA: Ercan E, Selcuk A (2021). A Study on Exploitable DRDoS Amplifiers in Europe. International Journal of Information Security Science, 10(2), 26-41.
Chicago: Ercan Emre Murat, Selcuk Ali Aydin. A Study on Exploitable DRDoS Amplifiers in Europe. International Journal of Information Security Science 10, no. 2 (2021): 26-41.
MLA: Ercan Emre Murat, Selcuk Ali Aydin. A Study on Exploitable DRDoS Amplifiers in Europe. International Journal of Information Security Science, vol. 10, no. 2, 2021, pp. 26-41.
AMA: Ercan E, Selcuk A. A Study on Exploitable DRDoS Amplifiers in Europe. International Journal of Information Security Science. 2021; 10(2): 26-41.
Vancouver: Ercan E, Selcuk A. A Study on Exploitable DRDoS Amplifiers in Europe. International Journal of Information Security Science. 2021; 10(2): 26-41.
IEEE: Ercan E, Selcuk A. "A Study on Exploitable DRDoS Amplifiers in Europe." International Journal of Information Security Science, vol. 10, no. 2, pp. 26-41, 2021.
ISNAD: Ercan, Emre Murat - Selcuk, Ali Aydin. "A Study on Exploitable DRDoS Amplifiers in Europe". International Journal of Information Security Science 10/2 (2021), 26-41.