DDoS attacks are nothing new, but the storms of traffic they use to drown targets in 2014 have grown into hurricanes.
Here’s a chart of the trend:
They even struck the Calyptix office last week, albeit indirectly. When we tried to send our email newsletter, our email service provider, AWeber, was offline and apparently under attack. The forms AWeber hosts on our website also disappeared.
For us, it was an inconvenience. For AWeber, it was a disaster. It could be just as harmful to any of your clients if they were attacked.
Below we explain how this new brand of DDoS works. We will soon update this post with ways to mitigate the attacks.
Attack Profile: UDP-Based DRDoS
This type of DDoS attack is sometimes called Distributed Reflection Denial of Service, or DRDoS. In the latest variation, an infected machine sends selected UDP requests, carrying the target's address as a spoofed source, to a server that answers with a much larger reply. The server reflects and amplifies the traffic onto the target.
The attack works because of the characteristics of UDP:
1. UDP traffic is one-way or connectionless (also known as “fire and forget”): a server answers whatever source address the datagram claims, with no handshake to prove it.
2. The source IP addresses can be spoofed by attackers if the network does not implement anti-spoofing measures.
For the attack to succeed, the attacker relies on:
1. An infected machine to generate UDP traffic on command with a spoofed source IP
2. The network to permit the malicious traffic to pass unimpeded onto the Internet
3. A vulnerable NTP server that supports the “monlist” command
These recent attacks abuse the Network Time Protocol (NTP), which computers use to synchronize their clocks over UDP port 123. NTP is a highly effective vector because the volume of reflection traffic sent to the target is over 500 times the originating traffic.
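The two preconditions above (a spoofed source address leaving the network, and a monlist query bound for UDP 123) are both visible on the wire at the network edge. The following Python is an added example, not code from the original post or from Calyptix; it assumes a hypothetical site prefix (203.0.113.0/24) and constructed sample packets, and it checks outbound packets for a source address outside that prefix (a BCP38 egress check) and for the NTP mode-7 monlist request codes (20 and 42) that reflectors answer with the oversized reply.

```python
import ipaddress
import struct

# NTP mode-7 ("private") request codes used by the monlist query.
MON_GETLIST = 20
MON_GETLIST_1 = 42
NTP_PORT = 123

# Constructed: the address space this site legitimately originates traffic from
# (hypothetical prefix for the example).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def classify_ntp_payload(payload: bytes) -> str:
    """Return 'monlist-request', 'monlist-response', 'mode7-other' or 'not-mode7'.

    Mode-7 header (first 4 bytes): [R|M|VN(3)|Mode(3)] [A|Seq(7)] [Impl] [ReqCode].
    The R bit (0x80) marks a response; Mode is the low three bits of the first byte.
    """
    if len(payload) < 4:
        return "not-mode7"
    flags, _seq, _impl, req_code = struct.unpack("!BBBB", payload[:4])
    if flags & 0x07 != 7:
        return "not-mode7"
    is_response = bool(flags & 0x80)
    if req_code in (MON_GETLIST, MON_GETLIST_1):
        return "monlist-response" if is_response else "monlist-request"
    return "mode7-other"


def is_spoofed_egress(src_ip: str) -> bool:
    """BCP38-style check: an outbound packet whose source is not ours is spoofed."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in SITE_PREFIXES)


def inspect_outbound(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload).

    Returns a list of (packet_index, reasons) for packets that should be dropped
    or alerted on at the edge.
    """
    findings = []
    for i, (src, _dst, dport, payload) in enumerate(packets):
        reasons = []
        if is_spoofed_egress(src):
            reasons.append("spoofed-source")
        if dport == NTP_PORT:
            kind = classify_ntp_payload(payload)
            if kind.startswith("monlist"):
                reasons.append(kind)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample payloads.
# 0x17 = mode 7 (private), version 2; implementation 3 (XNTPD); request code 0x2a = 42.
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4
# 0x23 = LI 0, version 4, mode 3 (ordinary client request), 48-byte NTP packet.
NORMAL_CLIENT = bytes([0x23]) + b"\x00" * 47

SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.5", 123, NORMAL_CLIENT),   # legitimate time sync
    ("198.51.100.7", "192.0.2.5", 123, MONLIST_PROBE),   # spoofed source + monlist
    ("203.0.113.20", "192.0.2.9", 53, b"\x00" * 12),     # unrelated, passes
]

if __name__ == "__main__":
    for idx, why in inspect_outbound(SAMPLE_PACKETS):
        print(f"packet {idx}: {', '.join(why)}")
```

Only the second sample packet is flagged, for both reasons at once. The egress check is the piece that stops your own network from being the launch point; the monlist signature is useful on both sides, since a request leaving the network or a flood of mode-7 responses arriving at a host that never asked for them is a strong indicator. On the reflector side, ntpd 4.2.7p26 and later no longer answer monlist, and older versions can be fixed with `disable monitor` in ntp.conf.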
Other UDP-based services are also potential vectors for similar DDoS attacks:
- Certain gaming protocols
Stay Tuned: Our security experts are researching this threat. We will soon update this post with mitigation techniques you can use to protect your business and your clients.
Tips for mitigating these DDoS attacks:
- Filter traffic by region – If your client connects only with systems in a given region, such as systems in the U.S., then you can use location-based filtering to block traffic from all other regions.
- Filter traffic by protocol – If your client does not typically send or receive traffic in a given protocol, then block all inbound and outbound traffic that uses the protocol.
- Detect flow anomalies – The huge traffic spikes caused by a DDoS attack should be easy to notice. Set alerts for abnormal or suspicious traffic patterns so you can respond as soon as possible.
- Deploy dedicated DDoS mitigation – Solutions are available, such as cloud services and dedicated devices, that are designed to mitigate DDoS attacks. Cloud-based services, for example, can serve as a crossroads between your network and the Web, letting the service provider take the brunt of any attacks on your system. Dedicated mitigation devices can also be deployed upstream from the client’s firewall, or even in front of specific assets on the network that warrant enhanced protection.
- Update the disaster recovery plan – If you and the client have agreed on a disaster recovery plan, update it to specify how you should respond in the event of a major DDoS attack. This can help ensure that the resources and authority you need to mitigate an attack are available the moment you are aware of the situation.
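The flow-anomaly tip is the one most readers can act on without new hardware, so here is a worked version of it. This Python is an added example, not from the original post or from Calyptix; it assumes a hypothetical protected prefix (203.0.113.0/24) and a constructed NetFlow-style export. It sums inbound UDP traffic arriving from source port 123 per one-minute window, flags a window when it exceeds both an absolute floor and ten times the median of earlier windows, and lists the reflector addresses behind the spike so the protocol filter from the tips above can be applied to them.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical address block of the client we are watching (constructed).
PROTECTED_PREFIX = "203.0.113."

# Constructed NetFlow-style export: ts_seconds,src,sport,dst,dport,proto,bytes
# Windows 0-2 are normal; window 3 shows reflected NTP replies from source port 123
# arriving at a port the victim never used, each far larger than a real time sync.
FLOW_LOG = """\
0,192.0.2.5,123,203.0.113.10,123,udp,90
10,198.51.100.20,443,203.0.113.10,51000,tcp,4000
60,192.0.2.5,123,203.0.113.10,123,udp,90
70,198.51.100.20,443,203.0.113.10,51002,tcp,3500
120,192.0.2.5,123,203.0.113.10,123,udp,90
130,198.51.100.20,443,203.0.113.10,51004,tcp,4200
180,192.0.2.33,123,203.0.113.10,60001,udp,48200
181,198.51.100.44,123,203.0.113.10,60001,udp,48200
182,192.0.2.77,123,203.0.113.10,60001,udp,48200
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed CSV export into flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def is_inbound_ntp_reply(flow: dict) -> bool:
    """UDP from source port 123 into our prefix: NTP replies, legitimate or reflected."""
    return (flow["proto"] == "udp" and flow["sport"] == 123
            and flow["dst"].startswith(PROTECTED_PREFIX))


def bucket_bytes(flows: List[dict], window: int = 60) -> Dict[int, int]:
    """Sum inbound NTP-reply bytes per time window (window index = ts // window)."""
    buckets: Dict[int, int] = defaultdict(int)
    for f in flows:
        if is_inbound_ntp_reply(f):
            buckets[f["ts"] // window] += f["bytes"]
    return dict(buckets)


def detect_spikes(buckets: Dict[int, int], factor: float = 10.0,
                  floor: int = 100_000) -> List[Tuple[int, int, float]]:
    """Flag windows above `floor` bytes AND above `factor` x the median of earlier windows.

    The floor stops a quiet link from alerting on trivial growth; the ratio
    adapts the threshold to whatever the client's normal NTP volume is.
    """
    alerts = []
    history: List[int] = []
    for w in sorted(buckets):
        vol = buckets[w]
        if history:
            baseline = statistics.median(history)
            if vol >= floor and vol > factor * baseline:
                alerts.append((w, vol, baseline))
        history.append(vol)
    return alerts


def top_reflectors(flows: List[dict], window_index: int, window: int = 60, n: int = 5):
    """Sources sending the most NTP-reply bytes in a window: the addresses to filter or report."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_inbound_ntp_reply(f) and f["ts"] // window == window_index:
            totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for w, vol, base in detect_spikes(bucket_bytes(flows)):
        print(f"window {w}: {vol} bytes of NTP replies (baseline {base:.0f}); "
              f"reflectors: {top_reflectors(flows, w)}")
```

Against the constructed log, only window 3 alerts: 144,600 bytes of NTP replies versus a 90-byte baseline. In a real deployment the same logic runs on exported flow records with a longer baseline, and the reflector list feeds the protocol filter (drop inbound UDP from source port 123 except from the client's configured time servers) or goes to the upstream provider.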