One of the trickiest things about stopping DDoS attacks is that hackers constantly develop new variations on familiar themes. Take a recent strike against an unnamed gaming company, which used an amplification technique to turn a relatively tiny jab into a digital haymaker.
On Wednesday, researchers from Akamai’s DDoS mitigation service Prolexic detailed a 35 gigabit per second attack against one of its clients at the end of August. Compared to the most powerful DDoS attacks ever recorded, which have topped 1 terabit per second, that might not sound like a lot. But the attackers used a relatively new technique—one that can potentially yield a more than 15,000 percent rate of return on the junk data it spews at a victim.
The new type of attack feeds on vulnerabilities in the implementation of the Web Services Dynamic Discovery protocol. WS-Discovery lets devices on the same network communicate, and can direct them all to ping one location or address with details about themselves. It’s meant to be used internally on local area networks, not the rollicking chaos monster that is the public internet. But Akamai estimates that as many as 800,000 devices exposed on the internet can receive WS-Discovery commands. That means that by sending “probes,” a kind of roll-call request, an attacker can generate and direct a firehose of data at targets.
Attackers can manipulate WS-Discovery by sending these specially crafted malicious protocol requests to vulnerable devices like CCTV cameras and DVRs. And because WS-Discovery is built on a network communication protocol known as User Datagram Protocol, which doesn’t verify where a packet came from, attackers can spoof the source IP address of the probes to make it look like the request came from a target’s network. It’s a bait and switch; the devices that receive the commands will send their unwanted replies to the DDoS target instead of the attacker.
“It’s like somebody sitting over here to your left and they reach behind your back, smack the guy on your right side in the head, and then he looks over at you and you look at him and he clocks you in the face, because he thought you were the person that hit him,” says Chad Seaman, senior engineer on Akamai’s security intelligence response team. “This is a really classic reflection attack. And there’s a huge pool of vulnerable devices sitting out there waiting to be abused.”
By implementing WS-Discovery without protections on devices that will be exposed to the public internet, manufacturers have inadvertently built a population of devices that can be abused to generate DDoS attacks.
“DDoS attacks abusing the WS-Discovery protocol have increased,” says security researcher Troy Mursch. “The notable thing here is the amount of vulnerable hosts that can be abused and the large amplification factor that enables crippling attacks.”
The spoofing enabled by UDP makes it difficult for defenders to see exactly what commands attackers send in any specific reflection DDoS. So the Akamai researchers don’t know specifically what was in the tailored packets hackers sent to trigger the attack on the gaming client. But in its own research, the Akamai team was able to craft smaller and smaller exploits that would generate larger and larger attacks. Criminal hackers are likely not far behind. The Akamai researchers also point out that if botnet operators start automating the process of generating WS-Discovery DDoS attacks, the barrages will crop up even more. Mursch says he sees evidence that’s already happening.
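Because the victim only ever sees the reflected replies, detection on the target side usually works from traffic summaries rather than from the attacker’s probes. As an added illustration (not code from Akamai or the article), the following Python flags WS-Discovery reflection in flow records: many distinct sources all replying from the protocol’s UDP port to one destination with a large byte volume. The flow records and thresholds are constructed; port 3702 is the known WS-Discovery port and is not stated on the page.

```python
from collections import defaultdict

WS_DISCOVERY_PORT = 3702  # UDP port WS-Discovery listens on (known protocol value, not from the article)

# Constructed flow records (hypothetical): (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", 3702, "198.51.100.5", 41234, "udp", 400, 1_200_000),
    ("203.0.113.11", 3702, "198.51.100.5", 41234, "udp", 380, 1_150_000),
    ("203.0.113.12", 3702, "198.51.100.5", 41234, "udp", 410, 1_230_000),
    ("203.0.113.13", 3702, "198.51.100.5", 41234, "udp", 395, 1_180_000),
    ("203.0.113.20", 3702, "198.51.100.9", 55021, "udp", 2, 800),     # one small reply, not an attack
    ("192.0.2.7", 443, "198.51.100.5", 51000, "tcp", 50, 60_000),     # unrelated TCP traffic
]


def summarize_reflection(flows, min_reflectors=3, min_bytes=1_000_000):
    """Group inbound UDP replies that originate from the WS-Discovery port by destination.

    A destination is flagged when replies arrive from at least `min_reflectors` distinct
    sources and the combined volume reaches `min_bytes`; a single lone reply is left alone.
    """
    per_target = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, packets, nbytes in flows:
        if proto != "udp" or src_port != WS_DISCOVERY_PORT:
            continue  # only replies from the WS-Discovery service port are of interest
        entry = per_target[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["packets"] += packets
        entry["bytes"] += nbytes

    summary = {}
    for dst_ip, entry in per_target.items():
        reflectors = len(entry["reflectors"])
        summary[dst_ip] = {
            "reflectors": reflectors,
            "packets": entry["packets"],
            "bytes": entry["bytes"],
            "flagged": reflectors >= min_reflectors and entry["bytes"] >= min_bytes,
        }
    return summary


def amplification_percent(request_bytes, response_bytes):
    """Express a reflector's reply size relative to the probe as the article does (e.g. 15,000%)."""
    return response_bytes / request_bytes * 100


if __name__ == "__main__":
    for dst_ip, info in summarize_reflection(SAMPLE_FLOWS).items():
        print(dst_ip, info)
```

Hosts that legitimately never speak WS-Discovery across the internet edge can simply have inbound UDP from that source port dropped or rate-limited upstream, which is the mitigation this kind of summary supports.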
Akamai Prolexic fended off the 35 Gbps attack, and its client didn’t have any downtime during the assault. But the researchers say that the industry needs to be prepared for bigger versions in the future. As with the infamous Mirai botnet that conscripted vulnerable Internet of Things devices to join a zombie gadget army, it will be difficult to fix the population of exposed WS-Discovery devices that’s already out there.