When new DDoS attack methods explode onto the scene with record-breaking attack sizes or innovative server-exhausting techniques it is always, to put it mildly, a hideously unwelcome development. Yes, Memcached and Pulse Wave attacks have caused much hand-wringing amongst security researchers and done a lot of damage to target businesses.
However, for as much attention as these new techniques may garner, it’s the old, outdated vulnerabilities that let attackers turn a handful of resources into a whopping DDoS attack that are the true head-scratchers.
In the days of IoT botnets you wouldn’t think a vulnerability from 1983 would be allowing DDoS amplification attacks to succeed, but here we are, and here’s what you need to know about two old exploits that are causing new problems.
Amplification frustration
A good indication that amplification attacks were going to come back into favor with attackers in a big way in 2018 was the stats from the end of 2017. According to DDoS mitigation provider Imperva’s Q4 2017 report, crafty little application layer attacks were by far attackers’ favorites. Network layer attacks had fallen about 50% from Q3, while application layer attacks had risen by nearly the same margin.
Since DDoS attackers aren’t in the business of letting anyone get comfortable and think they know what’s coming, it only makes sense that network layer attacks, very much including amplification attacks, were about to rear their bloated, bandwidth-chomping heads again.
DDoS attackers love amplification techniques because they can put in the bare minimum of attack resources and still produce a big whack of traffic: they pick protocols that answer a small request with a much larger response, and spoof the source IP so the responses are sent to the victim, making it look as though the victim’s servers requested huge amounts of data. The result is often downtime for the victim. The worst part is that these protocols are often not just outdated, but were never all that useful to begin with.
This is the case with the two retro-chic amplification techniques currently making the rounds.
CHARGEN up with Plug and Play
The first old vulnerability being leveraged for DDoS amplification attacks is one that was discovered in 2001, which doesn’t sound all that ancient until you stop and realize that was 17 years ago. It’s a vulnerability within Universal Plug and Play (UPnP), the protocol that lets devices on a network discover each other and share data. UPnP is enabled by default on a huge number of devices, many of which would never use it. The vulnerability specifically rests with the fairly pointless AddPortMapping command within the protocol, which lets attackers disguise the true source of their attack traffic and so makes mitigation a much more complicated process. Instead of being able to identify attack traffic with a glance at header information, mitigation services need to perform deep packet inspection, and to do it quickly. Not every service is capable of this, at least not at a speed that keeps site performance from being affected.
The second old-is-new-again vulnerability being leveraged by attackers lately makes that UPnP vulnerability look positively young. This one takes advantage of the CHARGEN (Character Generator) protocol, which dates from about the time “Fraggle Rock” debuted: in 1983, CHARGEN servers were used to connect devices like printers and copiers. A CHARGEN server listens on port 19 for both TCP and UDP. Over TCP, the server sends a steady stream of arbitrary characters to the connecting host until the connection is closed; over UDP, it answers each incoming datagram with a datagram containing a random number of characters, anywhere up to 512, so the responses are typically much larger than the requests that triggered them.
The entire protocol is essentially considered a vulnerability and as a result quickly became obsolete, yet now, a full 35 years later, victims are being flooded over port 19 because so many devices still ship with this unnecessary and obsolete protocol enabled by default.
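As an added example that is not part of the original article, here is a small flow-record check a defender could run to spot the UDP/19 reflection pattern described above: many large replies from port 19 arriving at a host that never sent any requests. The flow-record format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

CHARGEN_PORT = 19  # CHARGEN answers on TCP and UDP port 19
# Constructed flow records (not from the article), victim-side view: "proto src:port dst:port packets bytes"
SAMPLE_FLOWS = """\
udp 203.0.113.10:19 198.51.100.5:443 400 180000
udp 203.0.113.11:19 198.51.100.5:443 400 180000
udp 198.51.100.8:40001 192.0.2.20:19 1 60
udp 192.0.2.20:19 198.51.100.8:40001 1 300
udp 192.0.2.53:53 198.51.100.5:33000 3 900
"""

def parse_flows(text):
    """Parse one flow record per line into a dict."""
    flows = []
    for line in text.splitlines():
        proto, src, dst, pkts, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"proto": proto, "src": sip, "sport": int(sport), "dst": dip,
                      "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def chargen_summary(flows):
    """Per local host: UDP traffic arriving from port 19 and bytes sent to port 19."""
    hosts = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0, "out_bytes": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] != "udp":
            continue  # only the UDP side can be driven with a spoofed source
        if f["sport"] == CHARGEN_PORT:
            h = hosts[f["dst"]]
            h["in_pkts"] += f["packets"]
            h["in_bytes"] += f["bytes"]
            h["reflectors"].add(f["src"])
        elif f["dport"] == CHARGEN_PORT:
            hosts[f["src"]]["out_bytes"] += f["bytes"]
    return hosts

def flag_reflection(flows, min_pkts=100, min_avg_reply=200):
    """Alert on hosts receiving many large UDP/19 replies; 'unsolicited' means no
    outbound port-19 requests were seen, the mark of a spoofed-source attack."""
    alerts = {}
    for host, h in chargen_summary(flows).items():
        avg_reply = h["in_bytes"] / h["in_pkts"] if h["in_pkts"] else 0
        if h["in_pkts"] < min_pkts or avg_reply < min_avg_reply:
            continue
        amp = h["in_bytes"] / h["out_bytes"] if h["out_bytes"] else None
        alerts[host] = {"reflectors": len(h["reflectors"]), "avg_reply": avg_reply,
                        "amplification": amp, "unsolicited": h["out_bytes"] == 0}
    return alerts
```

The host that actually queried a CHARGEN server once (198.51.100.8) is summarised but not alerted on; the host receiving 800 unsolicited 450-byte replies from two reflectors is.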
A waiting game that won’t be won
With the speed at which technology evolves it can be tempting to think that when there’s something on the internet causing major problems, smart people will figure out how to fix it and then it will be fixed. As we’ve seen over the decades, however, that is pretty much only half accurate. The unpatched, unfixed, widely forgotten and still horribly available vulnerabilities being used by cybercriminals are an embarrassment to the internet landscape, but unless you can convince yourself that 1983 wasn’t all that long ago, it would seem they aren’t going anywhere anytime soon. If you’re not willing to fall victim to vulnerabilities that are older than LeBron James, it’s time to get leading cloud-based DDoS protection.