DDoS attacks are nothing new, but the storms of traffic they use to drown targets in 2014 have grown into hurricanes.
Here’s a chart of the trend:
They even struck the Calyptix office last week, albeit indirectly. When we tried to send our email newsletter, our email service provider, AWeber, was offline and apparently under attack. The forms Aweber hosts on our website also disappeared.
For us, it was an inconvenience. For AWeber, it was a disaster. It could be just as harmful to any of your clients if they were attacked.
Below we explain how this new brand of DDoS works. We will soon update this post with ways to mitigate the attacks.
This type of DDoS attack is sometimes called Distributed Reflection Denial of Service, or DRDoS. The latest variation sends selected UDP traffic from an infected machine to a server that generates amplified reflection traffic to the target.
The attack works because of the characteristics of UDP:
1. UDP traffic is one-way or connectionless (also known as “fire and forget”)
2. The source IP addresses can be spoofed by attackers if the network does not implement anti-spoofing measures.
For the attack to succeed, the attacker relies on:
1. An infected machine to generate UDP traffic on command with a spoofed source IP
2. The network to permit the malicious traffic to pass unimpeded onto the Internet
3. A vulnerable NTP server that supports the "monlist" command
These recent attacks utilize requests by computers to synchronize their time clocks via Network Time Protocol (NTP) on UDP port 123. NTP is a highly effective vector because the volume of reflection traffic sent to the target is over 500-times the originating traffic.
Other UDP-based services are also potential vectors for similar DDoS attacks:
- Certain gaming protocols
Stay Tuned: Our security experts are researching this threat. We will soon update this post with mitigation techniques you can use to protect your business and your clients.
Tips for mitigating these DDoS attacks: