SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Clever New DDoS Attack Gets a Lot of Bang for a Hacker's Buck
Date    Wednesday September 18 2019, @08:55PM
Author    janrinok
from the ask-a-little-get-a-lot dept.
https://soylentnews.org/article.pl?sid=19/09/18/1636246

upstart writes:

Submitted via IRC for SoyCow2718

Clever New DDoS Attack Gets a Lot of Bang for a Hacker's Buck

One of the trickiest things about stopping DDoS attacks is that hackers constantly develop new variations on familiar themes. Take a recent strike against an unnamed gaming company, which used an amplification technique to turn a relatively tiny jab into a digital haymaker.

On Wednesday, researchers from Akamai's DDoS mitigation service Prolexic detailed a 35 gigabit per second attack against one of its clients at the end of August. Compared to the most powerful DDoS attacks ever recorded, which have topped 1 terabit per second, that might not sound like a lot. But the attackers used a relatively new technique—one that can potentially yield a more than 15,000 percent rate of return on the junk data it spews at a victim.

The new type of attack feeds on vulnerabilities in the implementation of the Web Services Dynamic Discovery protocol. WS-Discovery lets devices on the same network communicate, and can direct them all to ping one location or address with details about themselves. It's meant to be used internally on local access networks, not the rollicking chaos monster that is the public internet. But Akamai estimates that as many as 800,000 devices exposed on the internet can receive WS-Discovery commands. Which means that by sending "probes," a kind of roll-call request, you can generate and direct a firehose of data at targets.

Attackers can manipulate WS-Discovery by sending these specially crafted malicious protocol requests to vulnerable devices like CCTV cameras and DVRs. And because WS-Discovery is built on a network communication protocol known as User Datagram Protocol, the probes can spoof their IP address to make it look like the request came from a target's network. It's a bait and switch; the devices that receive the commands will send their unwanted replies to the DDoS target instead of the attacker.

[...] The spoofing enabled by UDP makes it difficult for defenders to see exactly what commands attackers send in any specific reflection DDoS. So the Akamai researchers don't know specifically what was in the tailored packets hackers sent to trigger the attack on the gaming client. But in its own research, the Akamai team was able to craft smaller and smaller exploits that would generate larger and larger attacks. Criminal hackers are likely not far behind. The Akamai researchers also point out that if botnet operators start automating the process of generating WS-Discovery DDoS attacks, the barrages will crop up even more. Mursch says he sees evidence that's already happening.


Original Submission
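
The reflection described in the story can be spotted in flow records from two sides: as the target, and as the owner of devices that answer WS-Discovery from outside. The sketch below is an added example, not code from the article or from Akamai's research. It relies on WS-Discovery's standard UDP port 3702 (not mentioned in the story); the internal ranges, the thresholds, the tuple layout and every sample flow are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery's standard UDP port
# Assumption: the address space you operate; everything else is "external".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample flows: (src, dst, proto, src_port, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", "10.0.0.5", "udp", 3702, 4200),
    ("198.51.100.11", "10.0.0.5", "udp", 3702, 3900),
    ("203.0.113.7", "10.0.0.5", "udp", 3702, 4100),
    ("203.0.113.8", "10.0.0.5", "udp", 3702, 4000),
    ("198.51.100.10", "10.0.0.6", "udp", 3702, 900),     # lone stray reply
    ("192.168.1.20", "203.0.113.9", "udp", 3702, 3500),  # our camera answering outside
    ("10.0.0.7", "10.0.0.8", "udp", 3702, 800),          # normal LAN discovery
    ("198.51.100.12", "10.0.0.5", "tcp", 443, 50000),    # unrelated traffic
]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def classify(flows, min_reflectors=3, min_bytes=10_000):
    """Return (victims, exposed).
    victims: internal hosts receiving WS-Discovery replies from many
             external sources (the receiving end of a reflection attack).
    exposed: internal devices answering WS-Discovery to external addresses
             (devices that can be abused as reflectors), with bytes sent.
    """
    inbound = defaultdict(lambda: {"sources": set(), "bytes": 0})
    exposed = defaultdict(int)
    for src, dst, proto, sport, nbytes in flows:
        if proto != "udp" or sport != WSD_PORT:
            continue  # replies from a WS-Discovery responder carry source port 3702
        src_in, dst_in = is_internal(src), is_internal(dst)
        if dst_in and not src_in:
            inbound[dst]["sources"].add(src)
            inbound[dst]["bytes"] += nbytes
        elif src_in and not dst_in:
            exposed[src] += nbytes
    victims = {
        dst: {"reflectors": len(s["sources"]), "bytes": s["bytes"]}
        for dst, s in inbound.items()
        if len(s["sources"]) >= min_reflectors and s["bytes"] >= min_bytes
    }
    return victims, dict(exposed)

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```

Any host listed under `exposed` is a candidate for blocking UDP 3702 at the network edge, since the story notes the protocol is meant for local networks only.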

Links

  1. "upstart" - https://soylentnews.org/~upstart/
  2. "Clever New DDoS Attack Gets a Lot of Bang for a Hacker's Buck" - https://www.wired.com/story/ddos-attack-ws-discovery/
  3. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=36331
