Several online gaming sites were recently hit by distributed denial-of-service (DDoS) attacks that used a new type of assault on the victims: a Network Time Protocol Amplification Attack.
Such attacks rely on the use of publicly accessible NTP servers to overwhelm a victim system with UDP traffic, according to the US –CERT site.
“It’s the first time I’ve ever seen volumetric NTP at noteworthy levels,” says Shawn Marck, CEO at Black Lotus, which provides DDoS mitigation services, adding his impression is that the DerpTrolling group, which took credit for the attack, is doing this mainly for the kicks they get in disrupting online games like War of Wizard and Steam.
“The NTP attack worked pretty well,” said Barrett Lyon, founder of anti-DDoS service Defense.net. It had been known that an attacker could manipulate an NTP server to generate attack traffic against a target, but DerpTrolling’s denial-of-service hits in early January are regarded as dangerous proof of a new DDoS attack vector.
+More on Network World: Anti-Bot Working Group to fight DDoS attacks from cloud infrastructure | Arbor Networks introduces cloud-based DDoS service | DDoS attacks against banks raise question: Is this cyberwar? +
US CERT issued an advisory on NTP amplification attacks on Jan. 10, stating the exploitation of these servers was caused by vulnerabilities left unpatched. But Lyon sees a different problem. He says the older NTP servers simply can’t prevent the type of exploitation carried out in NTP Amplification attacks because older NTP gear doesn’t support processes such as rate-limiting that might prevent it.
NTP servers are “forgotten pieces of infrastructure” that almost no one thinks about — until something like this new example of a DDoS attack comes along, says Lyon, an industry veteran who also founded anti-DDoS security firm Prolexic Technologies, which was just acquired by Akamai.
It’s not just the old infrastructure but the latest new mobile devices are being exploited by attackers to launch DDoS attacks.
Today, Prolexic issued its quarterly global DDoS attack report, noting that even Android-based mobile devices are being spotted as instruments to launch DDoS attacks.
In the report, Prolexic says its response team “uncovered evidence of the use of mobile applications launching DDoS attacks against enterprise clients, including one of the world’s largest financial firms.” Prolexic says signatures matching AnDOSid, a DDoS attack tool for Android devices, were observed in DDoS attack campaigns.
While use of mobile devices to launch DDoS attacks is still considered unusual, there’s no reason to think it might not grow, Prolexic points out. In its report, Prolexic also notes the rise of NTP as an attack vector.
“The NTP protocol is implemented in all major operating systems, network infrastructure devices, and embedded devices. By using UDP, NTP is subject to spoofing. In addition, misconfiguration of network equipment can allow enterprise infrastructure to be used as an unwilling participants in a DDoS attack. This can be achieved by responding to requests for NTP updates and directing the response to the victim host and overwhelming it with NTP traffic.”
According to Prolexic’s report, the “traditional” attack vectors include the likes of ICMP and SYN floods but these declined last year in favor of UDP fragmentation floods.
Where do DDoS attacks come from?
According to Prolexic, the U.S. is thought to be the main source of DDoS attacks during the last quarter, constituting 23.62% of what Prolexic saw. That’s up a disturbing 14.5% for the U.S. compared to the last quarter. China used to hold the top spot for DDoS but is now in second place at 19.09%. Thailand was third at 13.59% Other countries, including the United Kingdom, South Korea, India, Turkey, Italy, Brazil and Saudi Arabia all follow on a top 10 list.
DDoS attacks are often carried out by means of large-scale botnets that cyber-criminals control through compromised desktops or servers to manipulate them to launch streams of unwanted traffic at targets. It’s possible to get a lot of firepower by stealthily taking over the servers in hosting centers around the world to do this. Some hosting centers (sometimes called ‘bulletproof’ hosting) simply don’t seem to care.
Microsoft for several years has taken up the banner of shutting down botnets in takedowns wherever it can around the world, mainly by taking aggressive legal action whenever possible.
Rich Boscovich, assistant general counsel at Microsoft Digital Crimes Unit which carries out this anti-bot effort, says it involves getting visibility into malware and locating computers at ISPs all over the world. “We’ve taken third-party servers off hosting providers as part of our takedown,” he says, adding, “We know there’s significant chance of retribution from criminals when their botnets are taken away.”
And Microsoft’s network resources do become subject to DDoS attacks because criminals can quickly and easily re-purpose botnets that might have been used to generate spam, for instance, into cannons blasting out attack traffic. Among other things, Microsoft uses anti-DDoS gear from A10 Networks, custom-designed, says Boscovich. He declined to go into specifics about this but merely added DDoS is a “real danger.”
DDoS attacks are often measured based on speeds they achieve, the higher often being the most destructive in swamping networks or crashing applications, so anti-DDoS vendors are always striving to achieve higher speeds for defense. A10 Networks, for instance, which unveiled its Thunder line of standalone anti-DDoS gear today, said it can handle 37GGbps to 155Gbps. The company says service providers and large enterprises would be the most likely buyers. Prolexic says it saw DDoS attacks reaching 179Gbps in the last quarter.
What’s the motivation behind DDoS attacks?
Admittedly, there’s nothing particularly new about DDoS attacks which have been around in one form or another since the early days of the Internet, along with the later tales of botnets and the Russian cyber-mafia. But many say the motivations for trying to blast away at the networks and applications of others seems to have grown.
In the early days it was extortion, asking for payment to stop the attacks. Today, business competitors may pay to attack other competitors, too. “You hear it all the time, especially in the casino space or the escort space,” says Shawn Marck of Black Lotus. “The majority of attacks are economically motivated.”
But political activism is also a factor these days as angry protestors supporting one cause or another are egged on by groups such as Anonymous to launch DDoS attacks. However, it’s been the protestors joining the DDoS campaigns that get arrested more often than the organizers, notes Chris Risley, CEO at Defense.net.
Many governments are also believed to be making use of DDoS from time to time, say Lyon and Risley. North Korea is thought to attack South Korea this way, and the Iranians are believed by some to have been behind the widespread attacks against U.S. banks in the fall of 2012. Many more governments, including the U.S., also quietly have their hands on the DDoS trigger, they suggest.
For anyone who wants to launch a DDoS attack, it’s quite simple to go online and pay as little as a few dollars as hour to buy the access to do it, according to Defense.net. There’s also “advertising online claiming to test your systems for DDoS, when they’re really conduits for selling DDoS services,” says Lyon. He adds on Pastebin, you can find blatant ads for DDoS with guarantees it will work.
According to the Prolexic report, the average attack duration totaled 22.8 hours. Attackers favored striking network infrastructure about three quarters of the time, with application-layer attacks taking up the remaining 23.4%.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org