
posted by janrinok on Wednesday September 18 2019, @08:55PM
from the ask-a-little-get-a-lot dept.

Submitted via IRC for SoyCow2718

Clever New DDoS Attack Gets a Lot of Bang for a Hacker's Buck

One of the trickiest things about stopping DDoS attacks is that hackers constantly develop new variations on familiar themes. Take a recent strike against an unnamed gaming company, which used an amplification technique to turn a relatively tiny jab into a digital haymaker.

On Wednesday, researchers from Akamai's DDoS mitigation service Prolexic detailed a 35 gigabit per second attack against one of its clients at the end of August. Compared to the most powerful DDoS attacks ever recorded, which have topped 1 terabit per second, that might not sound like a lot. But the attackers used a relatively new technique—one that can potentially yield a more than 15,000 percent rate of return on the junk data it spews at a victim.

The new type of attack feeds on vulnerabilities in the implementation of the Web Services Dynamic Discovery protocol. WS-Discovery lets devices on the same network communicate, and can direct them all to ping one location or address with details about themselves. It's meant to be used internally on local access networks, not the rollicking chaos monster that is the public internet. But Akamai estimates that as many as 800,000 devices exposed on the internet can receive WS-Discovery commands. Which means that by sending "probes," a kind of roll-call request, you can generate and direct a firehose of data at targets.

Attackers can manipulate WS-Discovery by sending these specially crafted malicious protocol requests to vulnerable devices like CCTV cameras and DVRs. And because WS-Discovery is built on a network communication protocol known as User Datagram Protocol, the probes can spoof their IP address to make it look like the request came from a target's network. It's a bait and switch; the devices that receive the commands will send their unwanted replies to the DDoS target instead of the attacker.

[...] The spoofing enabled by UDP makes it difficult for defenders to see exactly what commands attackers send in any specific reflection DDoS. So the Akamai researchers don't know specifically what was in the tailored packets hackers sent to trigger the attack on the gaming client. But in its own research, the Akamai team was able to craft smaller and smaller exploits that would generate larger and larger attacks. Criminal hackers are likely not far behind. The Akamai researchers also point out that if botnet operators start automating the process of generating WS-Discovery DDoS attacks, the barrages will crop up even more. Mursch says he sees evidence that's already happening.
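The reflection pattern the excerpt describes (many WS-Discovery devices all answering toward one spoofed victim address) is easy to spot from the victim side in flow data. The following is an added example, not code from the article or from Akamai: a small detector run over constructed flow records, assuming WS-Discovery replies come from UDP source port 3702 (the protocol's standard port) and that flows are given as "src:port dst:port proto bytes".

```python
# Added example (not from the article or Akamai): detect WS-Discovery
# reflection traffic in constructed flow records and compute the
# bandwidth amplification factor the article talks about.
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery listens and replies on UDP/3702

# Constructed sample: four reflectors answer toward 203.0.113.10 on a
# high port it never probed from; one DNS flow and one genuine
# device-to-device WS-Discovery exchange (port 3702 both ends) are noise.
SAMPLE_FLOWS = """\
198.51.100.7:3702 203.0.113.10:41222 udp 3960
198.51.100.8:3702 203.0.113.10:41222 udp 4120
198.51.100.9:3702 203.0.113.10:41222 udp 3880
198.51.100.23:3702 203.0.113.10:41222 udp 4016
192.0.2.5:53 203.0.113.10:55000 udp 120
198.51.100.7:3702 203.0.113.44:3702 udp 400
"""

def parse_flows(text):
    """Parse 'src:port dst:port proto bytes' lines into dicts."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"src": sip, "sport": int(sport), "dst": dip,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows

def amplification_factor(probe_bytes, reply_bytes):
    """Reply size over probe size; 150.0 is the '15,000 percent' figure."""
    return reply_bytes / probe_bytes

def find_reflection_victims(flows, min_reflectors=3):
    """Group WS-Discovery replies by destination. Many distinct reflectors
    all answering one host on a non-WS-Discovery port is the reflection
    signature; replies to port 3702 are normal device discovery."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == WSD_PORT and f["dport"] != WSD_PORT:
            per_dst[f["dst"]]["reflectors"].add(f["src"])
            per_dst[f["dst"]]["bytes"] += f["bytes"]
    return {dst: (len(v["reflectors"]), v["bytes"])
            for dst, v in per_dst.items()
            if len(v["reflectors"]) >= min_reflectors}
```

On the reflector side the same rule inverted (many probes to port 3702 from one source that never belongs to the local network) is the signal that a camera or DVR is being used, which is what the ingress filtering of spoofed source addresses is meant to stop.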



  • (Score: 2) by Fnord666 on Wednesday September 18 2019, @09:22PM (3 children)

    by Fnord666 (652) on Wednesday September 18 2019, @09:22PM (#895847) Homepage

    Just when you thought they had run out of protocols to abuse, someone goes and puts another one on the intarwebs.

    • (Score: 2) by DannyB on Wednesday September 18 2019, @09:34PM (2 children)

      by DannyB (5839) Subscriber Badge on Wednesday September 18 2019, @09:34PM (#895852) Journal

      I'll stick with the tried and true safety and security of telnet.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by ikanreed on Wednesday September 18 2019, @09:41PM (1 child)

        by ikanreed (3164) Subscriber Badge on Wednesday September 18 2019, @09:41PM (#895855) Journal

        MUDs were truly the pinnacle of gaming.

        • (Score: 2) by DannyB on Wednesday September 18 2019, @09:50PM

          by DannyB (5839) Subscriber Badge on Wednesday September 18 2019, @09:50PM (#895862) Journal

          A couple decades ago, dsniff was a lot more fun than gaming. Ah, those were the days.

          And it's not some kind of vaping.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 0) by Anonymous Coward on Wednesday September 18 2019, @10:00PM

    by Anonymous Coward on Wednesday September 18 2019, @10:00PM (#895868)

    ... license the junk data, then the kiddies would have none to dos with.

  • (Score: 0) by Anonymous Coward on Wednesday September 18 2019, @10:58PM

    by Anonymous Coward on Wednesday September 18 2019, @10:58PM (#895881)

    yeah the computing monster is sad:
    there they go and scout a nice CCD sensor and add infrared and there they go, writing long emails to manufacturers to get a really good and cheap gigabit ethernet interface and then *OMG* they top it off with a fisherprice web interface where one cannot turn off all these blaring "hi guys! i am heeeerrreee. please acknowledge my presence on the network" blarycols. sheesh.

  • (Score: 4, Insightful) by sjames on Thursday September 19 2019, @12:58AM (1 child)

    by sjames (2882) on Thursday September 19 2019, @12:58AM (#895926) Journal

    While I don't excuse the attackers, this one sounds like it's nearly an own goal. Tell your firewall not to accept packets from outside with an inside source address, and this won't happen.

    Of course, the upstream provider and pretty much every provider in the chain should have similarly filtered out the implausible packets.

    • (Score: 2) by hendrikboom on Thursday September 19 2019, @04:30PM

      by hendrikboom (1125) Subscriber Badge on Thursday September 19 2019, @04:30PM (#896139) Homepage Journal

      I was once receiving packets from outside with an outside source IP number and an outside destination IP number. I complained to my ISP, who told me that this was impossible and those packets must have originated within my system. This despite them coming in through my DSL line.

      Never found out what was going on.

      -- hendrik

  • (Score: 2) by All Your Lawn Are Belong To Us on Thursday September 19 2019, @01:01AM (1 child)

    by All Your Lawn Are Belong To Us (6553) on Thursday September 19 2019, @01:01AM (#895927) Journal

    How is this different from This story from 8/28? [soylentnews.org]

    --
    This sig for rent.
    • (Score: 2) by c0lo on Thursday September 19 2019, @08:25AM

      by c0lo (156) Subscriber Badge on Thursday September 19 2019, @08:25AM (#896018) Journal

      First time was approved by Fnord666. Second time, by...

      First time, it was linked to a ZDNet story. Second time, to a Wired one.

      Both of the times it was picked by upstart from the SoyCow2718's IRC.
      Which makes me wonder: how exactly are the SoyCows numbered? And do we really have at least 2718 of them?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford