Last week, on July 21, 2020, the Federal Bureau of Investigation sent out a private industry notification¹ (PIN) 20200721-002 that threat actors are scaling operations to conduct massive and destructive DDoS amplification attacks. The FBI coordinated and released this PIN notice with the Cybersecurity & Infrastructure Security Agency (CISA).
Per the FBI alert, “As early as December 2018, cyber actors began exploiting built-in network protocols to carry out destructive DDoS attacks against US networks. As recently as February 2020, cybersecurity researchers identified new built-in network protocol vulnerabilities that have not yet been exploited but increase the attack surface. This is based on open-source evidence of host-based, mobile, and Internet of Things (IoT) device protocol exploitation, resulting in amplification attacks in networked environments.”
February 2020. Researchers in the United Kingdom identified a vulnerability in the built-in network discovery protocols of Jenkins servers that threat actors could exploit to support DDoS amplification attacks. Jenkins is an open-source automation server used to build, test, and deploy software. It was estimated that threat actors could use compromised Jenkins servers to amplify DDoS attack traffic approximately 100 times against the targeted infrastructure.
October 2019. Per open-source reporting, threat actors exploited Apple’s Remote Management Service (ARMS) to launch DDoS amplification attacks. The ARMS service listens on port 3283 for incoming commands to remotely managed Apple devices, and threat actors were able to abuse it to launch DDoS amplification attacks with a 35.5:1 amplification factor.
May and August 2019. According to open-source reporting, threat actors exploited the Web Services Dynamic Discovery (WS-DD) protocol to launch over 130 DDoS attacks, and IoT devices were subsequently used to amplify DDoS attacks. IoT devices use the WS-DD protocol to automatically detect new Internet-connected devices in close proximity. WS-DD operates over the User Datagram Protocol (UDP), which lets a threat actor spoof the victim’s IP address and then flood the target with responses from nearby IoT devices.
August 2019. There were over 600,000 Internet-connected IoT devices with the WS-DD protocol enabled.
December 2018. Per open-source reporting, threat actors utilized the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks.
Further, per the FBI alert, “Threat Outlook: Cyber actors increasingly are likely to abuse built-in network protocols for DDoS attacks against US networks. While a defense-in-depth strategy calls for the disabling of built-in features, such as ARMS, WS-DD, and CoAP, the loss of functionality to business productivity and connectivity may make implementing these strategies challenging. Moreover, device manufacturers are unlikely to disable such features by default because it would interfere with the user experience. Cyber actors’ abuse of built-in network protocols may enable DDoS amplification attacks to be carried out with limited resources and result in significant disruptions and impact on the targets. In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks.”
There are several specific types of attacks that are used to overwhelm DNS servers, thus rendering the DNS service unavailable. When an attack on the DNS is successful, it can severely degrade or halt enterprise operations. When an enterprise can’t publish the addresses for its web and mail servers, operations degrade rapidly.
The two principal DDoS attack methodologies used by threat actors are amplification, referenced heavily in the FBI alert, and reflection. While technically two different tactics, attackers often combine them.
An amplification attack is a technique in which a small query triggers a massive response, such as a query for a large TXT record, or a zone transfer request when zone transfers have not been restricted to trusted sources. The threat actor floods the server with short requests that require long responses, allowing even a relatively weak compute resource to overload a DNS server. The DNS server is so busy attempting to respond to all these illegitimate requests that it has no capacity left to respond to legitimate ones.
There are other variations of DDoS attacks that can cause a significant impact on enterprise operations. A reflection attack sends queries that appear to come from the intended target of the attack. The response, which is typically amplified, is sent to the victim, thereby overwhelming the victim’s network.
In a reflection attack, the attacker sends a query to a recursive name server with a spoofed source IP address: instead of its own IP address, the threat actor places the target’s (victim’s) IP address in the source field. The recursive name server retrieves the answer to the query from the authoritative name server and sends it to the target.
The threat actor can then combine the two techniques by spoofing the target’s IP address and sending a carefully crafted query that results in a large payload. This is a very effective and overwhelming DDoS attack scenario.
The authoritative name server provides the amplification, and the recursive name server provides the reflection. This allows the threat actor to attack two different targets at the same time. It may also lead the intended target of the amplification attack to conclude that it was attacked by the second victim, which is patently false.
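One way a defender can spot the combined reflection-plus-amplification pattern described above is to compare, per apparent source address, how many bytes of answers a resolver returns against how many bytes of questions it received. The following is an added example (not Infoblox code and not part of the FBI notice); it runs over constructed log records in a simplified "time client qtype qname query_bytes response_bytes" format that is assumed for illustration, and the flagged client address is the spoofed source, i.e. the likely victim rather than the attacker.

```python
from collections import defaultdict

# Constructed sample query records (not real server output). Each line is
# "time client qtype qname query_bytes response_bytes".
SAMPLE_LOG = """\
12:00:01 198.51.100.7 ANY example.com 64 3224
12:00:01 198.51.100.7 ANY example.com 64 3224
12:00:01 198.51.100.7 TXT example.com 64 1980
12:00:02 198.51.100.7 ANY example.com 64 3224
12:00:02 198.51.100.7 ANY example.com 64 3224
12:00:02 203.0.113.9 A www.example.com 52 68
12:00:03 203.0.113.9 MX example.com 52 140
"""

def parse_line(line):
    """Split one record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qtype, qname, qsize, rsize = parts
    try:
        return {"ts": ts, "client": client, "qtype": qtype,
                "qname": qname, "qsize": int(qsize), "rsize": int(rsize)}
    except ValueError:
        return None

def summarize(log_text):
    """Aggregate query count and question/answer byte totals per client."""
    stats = defaultdict(lambda: {"count": 0, "qbytes": 0, "rbytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["count"] += 1
        s["qbytes"] += rec["qsize"]
        s["rbytes"] += rec["rsize"]
    return stats

def flag_reflectors(stats, min_queries=3, min_factor=10.0):
    """Return (client, amplification_factor, count) for sources whose traffic
    looks like reflection: repeated queries whose answers dwarf the questions."""
    flagged = []
    for client, s in stats.items():
        factor = s["rbytes"] / s["qbytes"] if s["qbytes"] else 0.0
        if s["count"] >= min_queries and factor >= min_factor:
            flagged.append((client, factor, s["count"]))
    return sorted(flagged, key=lambda t: t[1], reverse=True)
```

On the sample above only 198.51.100.7 is flagged, with roughly 46x more answer bytes than question bytes, which is the signal to rate-limit or drop responses toward that address.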
Infoblox uses signature-based methods to detect and drop DDoS attacks like DNS amplification and reflection, to keep the DNS servers running. See this datasheet for more information.
Other sources of information on this alert and on these attack techniques:
- FBI PIN Alert 20200721-002 Issued on July 21, 2020, https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/fbi-private-industry-notification-20200721-002.pdf
- MITRE ATT&CK Network Denial of Service https://attack.mitre.org/techniques/T1498/
- MITRE ATT&CK Endpoint Denial of Service https://attack.mitre.org/techniques/T1499/
- MITRE ATT&CK Network Denial of Service: Reflection Amplification https://attack.mitre.org/techniques/T1498/002/