Amazines Free Article Archive
www.amazines.com - Thursday, April 18, 2024
Massive Distributed Reflection Denial of Service (DrDoS) DoSNETs for hire - NTP, Chargen, SNMP, SSD by Chris Snow





Article Posted: 08/11/2015
DDoS attacks in which a few thousand infected Windows PCs SYN flood a network have been taking a back seat to the next generation of denial of service attacks, known as Distributed Reflection Denial of Service (DrDoS) attacks. A packet kiddie doesn’t even need to compromise servers and PCs anymore to launch an attack, and many administrators of the servers being used in the attacks have little awareness that they are taking part. Reflection attacks are not new to the world of network security; you may have heard of the original amplification attack, “smurf”. In a smurf attack, large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network would, by default, respond by sending a reply to the source IP address. This attack was so devastating that several non-profit organizations began raising awareness of the issue. One in particular was netscan.org, which when it began published over 122,945 misconfigured networks that would respond to spoofed ICMP echo requests; by 2005 the number was down to a few thousand, with minimal responses from each network.

Here is a snapshot of what the internet looked like in early 2000. The chart below shows each broadcast address and the number of times it will respond to a single ping request:

Last rescan: Thu Feb 24 10:15:39 PST 2000

RESP    ADDR             EMAIL ADDRESSES
------  ---------------  ---------------
124273  208.158.191.0
27545   210.45.224.255
12501   193.76.71.0
10679   202.178.229.0
10483   200.255.9.0
9818    210.72.81.0
9617    207.34.70.0
8176    207.112.112.0
7222    207.112.112.255
6681    206.130.55.0
6316    206.130.55.255
6003    210.243.91.255
5358    208.192.16.255
4658    209.132.220.255
4413    206.144.34.255
4207    206.144.35.255
3146    207.34.70.255
2418    170.118.254.0
2416    170.118.254.255

And a snapshot as of today from Powertech.no, which has kept Netscan’s operation going:

Current top ten smurf amplifiers (updated every 5 minutes) (last update: 2015-08-09 20:01:02 CET)

Network           #Dups  #Incidents  Registered at     Home AS
----------------  -----  ----------  ----------------  ------------
212.1.130.0/24    38     0           1999-02-20 09:41  AS9105
204.158.83.0/24   27     0           1999-02-20 10:09  AS3354
209.241.162.0/24  27     0           1999-02-20 08:51  AS701
159.14.24.0/24    20     0           1999-02-20 09:39  AS2914
192.220.134.0/24  19     0           1999-02-20 09:38  AS685
204.193.121.0/24  19     0           1999-02-20 08:54  AS701
198.253.187.0/24  16     0           1999-02-20 09:34  AS22
164.106.163.0/24  14     0           1999-02-20 10:11  AS7066
12.17.161.0/24    13     0           2000-11-29 19:05  not-analyzed
199.98.24.0/24    13     0           1999-02-18 11:09  AS6199

Netscan offered a script that checked the number of times that x.y.z.0 and x.y.z.255 reply to a single ping packet. If either number is greater than 1, the network is misconfigured and its administrator should be notified. Networks responding more than 10 times per ping were likely to be used in smurf broadcast amplifier lists. Netscan shut its doors after helping to reduce the number of networks available to be abused in smurf attacks. Some organizations criticized Netscan for publishing the lists of networks being used in attacks (an attacker could simply copy the vulnerable networks into a list and use them in an attack), but they will always be remembered as the ones who saved the internet.

In today’s world there is a whole new set of protocols that can be abused in reflection attacks. A snapshot from 2015, with each protocol and its amplification factor, is charted below:

UDP-based Amplification Attacks

Protocol                Bandwidth Amplification Factor
----------------------  ------------------------------
NTP                     556.9
CharGen                 358.8
DNS                     up to 179
QOTD                    140.3
Quake Network Protocol  63.9
SSDP                    30.8
Kad                     16.3
SNMPv2                  6.3
Steam Protocol          5.5
NetBIOS                 3.8
BitTorrent              3.8

There are no organizations publishing lists of known misconfigured protocols these days, as that might result in lawsuits and jail time; denial of service attacks are not taken lightly anymore.

DNS amplification attacks:

This type of attack takes advantage of open or misconfigured DNS servers that respond to outside recursive DNS queries. In this type of attack it does not matter whether the nameserver is authoritative or not; the DNS server will respond to any query regardless. In a reflection attack, the attackers can create a TXT record, which associates arbitrary, unformatted text with a domain or host, to amplify the size of the response. Reflection/amplification can be based on authoritative or non-authoritative name servers, for example when the nameserver is an authoritative name server for the domain being queried. The attacker issues a DNS ANY query, which retrieves all cached records available for the domain name, and spoofs the source address so that the reply is sent to the victim. Furthermore, RFC 2671 makes it possible to increase the buffer size of the request. If the requestor-side specification of the maximum buffer size is changed, responders can be made to send messages that are too large for intermediate gateways to forward, leading to potential ICMP storms between gateways and responders. An “A record attack” occurs when an attacker issues multiple queries for A records to victim DNS servers; the requests have malformed domain names, so the DNS server responds with a response code (RCODE). Large numbers of these queries from a large number of sources can create devastating results.

Simple Network Management Protocol (SNMP) DrDoS attacks

SNMP operates at layer seven (the application layer) to manage devices such as routers, switches, VoIP and video systems, and other devices. SNMP transmits data about the devices it has records for and can even be used to manage some devices. SNMP is broken into three parts: the device; the agent, a software module within the device that collects various information; and the management software, which, just as you’d think, maintains and manages records for all the devices it manages.

SNMP uses UDP port 161 to transmit messages and port 162 to catch, or “trap”, messages. There are three versions of SNMP: v1, v2 and v3. SNMPv2 and v3 use additional protocol data units, “GetBulkRequest” and “InformRequest”. Since SNMP is transmitted over UDP, a stateless protocol, IP address spoofing is possible.

The DrDoS is performed after an attacker scans the internet for SNMP hosts and their community strings. Using this information, the attacker can send a BulkGetRequest of around 100 bytes, to which the SNMP server responds with around 400 bytes, an amplification ratio of around 1:4. Attackers can also use the GetBulkRequest to enumerate all the Management Information Bases (MIBs), which can increase the amplification ratio to around 1:7, making it far more efficient for DrDoS attacks.

Network Time Protocol (NTP) DrDoS attacks

NTP uses UDP port 123 to synchronize computer clocks, specifically network clocks, using a set of clients and servers. Attackers scan and build a database of NTP servers that respond to outside requests (they should be ACL’d to prevent abuse). The attacker issues an NTP mode 7 command that requests a “monlist”, a function built into the protocol for monitoring. There is a minimum packet size set forth in the RFC, which keeps the response more even with the request. Attackers can circumvent this restriction by removing the padding from the request, allowing them to issue the monlist request with a much smaller packet. The request without padding was calculated at 60 bytes while the response returned 2604 bytes, giving this attack a whopping reflection multiplier of 43:1.
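A defender triaging a capture can confirm that inbound UDP/123 traffic is monlist reflection by decoding the mode 7 header of each datagram. The following is an added example, not code from the article; the function names and the sample datagrams are constructed, and the request codes 20 and 42 are taken from ntpd's `ntp_request.h`.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7           # NTP mode 7 ("private", used by ntpdc)
MONLIST_CODES = {20, 42}   # REQ_MON_GETLIST, REQ_MON_GETLIST_1 in ntp_request.h


def parse_mode7(payload):
    """Decode the 8-byte mode 7 header; return None for any other NTP mode."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, code, err_items, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),      # R bit: set on server replies
        "more": bool(b0 & 0x40),          # M bit: further datagrams follow
        "code": code,                     # request code being answered
        "error": err_items >> 12,         # top 4 bits: error code
        "items": err_items & 0x0FFF,      # low 12 bits: number of data items
        "item_size": mbz_size & 0x0FFF,   # size of each data item in bytes
    }


def is_monlist_response(payload):
    """True when the datagram is a server reply to a monlist request."""
    hdr = parse_mode7(payload)
    return bool(hdr and hdr["response"] and hdr["code"] in MONLIST_CODES)


def reflected_bytes_by_source(datagrams):
    """Sum monlist-response bytes per source IP from (src_ip, payload) pairs."""
    totals = defaultdict(int)
    for src, payload in datagrams:
        if is_monlist_response(payload):
            totals[src] += len(payload)
    return dict(totals)


# Constructed sample (not from the article): two monlist replies and one ordinary
# mode 4 time reply. 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
MONLIST_REPLY = struct.pack("!BBBBHH", 0x80 | 0x40 | (2 << 3) | 7, 0, 3, 42, 6, 72) + bytes(6 * 72)
TIME_REPLY = bytes([0x24]) + bytes(47)
SAMPLE = [("192.0.2.10", MONLIST_REPLY), ("192.0.2.10", MONLIST_REPLY),
          ("198.51.100.5", TIME_REPLY)]

if __name__ == "__main__":
    print(reflected_bytes_by_source(SAMPLE))
```

Sources that appear in the result are servers answering monlist, which is the list an abuse report or upstream filter request needs.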

Character Generator Protocol (CHARGEN) DrDoS attacks

CHARGEN runs over both TCP and UDP. The TCP generator service is not vulnerable to amplification attacks because TCP is connection-oriented. The UDP-based CHARGEN service listens on port 19 for incoming datagrams; when one is received, the server answers with a random number of characters between zero and 512. This means the attacker will not always successfully amplify the response, but more often than not will. Open source information estimates an average reflection multiplier of about 17.
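CHARGEN replies can be recognised by content rather than by port, which matters when the source port in a capture is not 19, as in this article's packet capture. The following added example (not from the article) checks a UDP payload against the rotating 72-character line pattern recommended in RFC 864; it assumes the responder follows that pattern, and the function names and sample payloads are constructed.

```python
PRINTABLE = bytes(range(0x20, 0x7F))   # the 95 printable ASCII characters
LINE_LEN = 72                          # characters per line, followed by CRLF


def chargen_line(offset, length=LINE_LEN):
    """Return `length` characters of the printable ring starting at `offset`."""
    return bytes(PRINTABLE[(offset + i) % 95] for i in range(length))


def looks_like_chargen(payload, min_lines=2):
    """True if payload is consecutive rotating lines; the last may be cut short."""
    if payload.endswith(b"\r"):          # datagram truncated in the middle of CRLF
        payload = payload[:-1]
    lines = payload.split(b"\r\n")
    if lines[-1] == b"":                 # payload ended exactly on CRLF
        lines.pop()
    if len(lines) < min_lines:
        return False
    first = lines[0]
    if not first or not 0x20 <= first[0] <= 0x7E:
        return False
    offset = first[0] - 0x20             # ring position where the first line starts
    for idx, line in enumerate(lines):
        is_last = idx == len(lines) - 1
        if len(line) > LINE_LEN or (len(line) < LINE_LEN and not is_last):
            return False
        # each line starts one character later in the ring than the previous one
        if line != chargen_line((offset + idx) % 95, len(line)):
            return False
    return True


def constructed_payload(offset, size):
    """Constructed sample: rotating lines joined by CRLF, truncated to `size` bytes."""
    count = size // (LINE_LEN + 2) + 1
    stream = b"".join(chargen_line((offset + n) % 95) + b"\r\n" for n in range(count))
    return stream[:size]


if __name__ == "__main__":
    print(looks_like_chargen(constructed_payload(0, 443)))            # True
    print(looks_like_chargen(b"GET / HTTP/1.1\r\nHost: example\r\n"))  # False
```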

Here is an actual example of what a CHARGEN attack looks like in a packet:

2015-04-16 06:17:16.392098 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443

.>..E…26..q……”…..-$c..w

!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg

!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh

“#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi

#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij

$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk

%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl

2015-04-16 06:17:16.393881 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443

.>..E…27..q……”…..-$c..w

!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg

!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh

“#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi

#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij

$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk

%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl

2015-04-16 06:17:16.398694 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443

.>..E…2<..q……”…..-$c..w

!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg

!”#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh

“#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi

#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij

$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk

%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl

In the wild there have been reports of NTP DoSNETs attacking with over 100GB/S, SNMP DoSNETs capable of 40 GB/S, DNS attacks at 10 GB/S, and CHARGEN DoSNETs at about 20MB/S. If one attacker or group of attackers can leverage all of these types of attacks at the same time, it would be devastating to virtually any server on the net. Currently, you can buy or rent these DoSNETs on the hacker underground forums and IRC channels for as little as $5 for a 30 minute attack.
