LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-15-2016, 09:12 AM   #1
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060
More Alerts Alert (TA14-017A) UDP-Based Amplification Attacks (Revised 12 Apr 2016)


Quote:
Systems Affected

Certain application-layer protocols that rely on User Datagram Protocol (UDP) have been identified as potential attack vectors:
  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol
  • RIPv1
  • Multicast DNS (mDNS)
  • Portmap/RPC
Overview

A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

Description

UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation in VOIP (voice over IP), it is very easy to forge the IP packet datagram to include an arbitrary source IP address [1]. When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected Denial of Service (DoS) Attack.

Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale using multiple amplifiers and targeting a single victim, DDoS attacks can be conducted with relative ease.

To measure the potential effect of an amplification attack, a metric called the bandwidth amplification factor (BAF) is used. BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [2 (link is external)] [3 (link is external)].

The list of known protocols—and their associated bandwidth amplification factors—are listed below. US-CERT offers thanks to Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian's blog (link is external) and associated research paper (link is external).
The complete Notification may be found at https://www.us-cert.gov/ncas/alerts/TA14-017A.

Hope this helps some.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
US-CERT Alert (TA14-017A) UDP-Based Amplification Attack tronayne Linux - Security 0 08-21-2015 11:44 PM
US-CERT: TA14-017A: UDP-based Amplification Attacks (rev. 09 Feb 2014) tronayne Linux - Security 1 02-18-2014 07:51 AM
US Cert: TA14-013A: NTP Amplification Attacks Using CVE-2013-5211 tronayne Slackware 7 01-15-2014 12:35 PM
US-CERT Alert (TA13-088A) DNS Amplification Attacks (Revised 22 July 2013) tronayne Linux - Security 4 09-20-2013 05:11 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration