Amplified reflection attacks are a type of DDoS attack that exploits the connectionless nature of UDP by sending spoofed requests to misconfigured open servers on the internet. Amplified reflection attacks take the prize when it comes to the size of the attack.
The attack sends a volume of small requests with the spoofed victim’s IP address to accessible servers.
The servers reply with large amplified responses to the unwitting victim. The servers can do this because they are configured with services that the attackers sought out for their ability to aid in this attack.
The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP and other UDP-based services.
These attacks have resulted in record-breaking volumetric attacks, such as the 1.3Tbps Memcached-based GitHub attack, and account for the majority of DDoS attacks.
Weapons used in amplified reflection DDoS attacks
Earlier, the tools being exploited were referred to as “misconfigured open servers.” A better description is “poor management hygiene.”
Servers may fulfil a specific purpose for the owner who deployed them but have no access controls in place, or may have been forgotten and left unmanaged, or may have been unintentionally exposed to the internet for no apparent reason.
For example, there are about 3 million SSDP servers repeatedly used for DDoS attacks with an amplification factor greater than 30x.
Defenses for amplified reflection DDoS attacks
Detecting a reflected amplification attack is easy, given the boisterous nature of volumetric attacks.
However, mitigating an attack is not as easy, because the responses come from legitimate servers, follow the RFC-defined message structure, and belong to services that users depend on, like DNS and NTP.
The challenge is to surgically distinguish legitimate user workloads from reflected traffic. In many cases, a service under attack will see additional legitimate user traffic due to repeated retries in response to the sluggish response of that service. These retries can be mistakenly seen as DoS behavior.
Four strategies for mitigating amplified reflection DDoS attacks
1. Rate limiting: Rate limiting is a general category of DDoS mitigation strategies.
2. Regular Expression (Regex) filter: Applying traffic signature filters can be an effective defense against reflected amplification attacks.
3. Port Blocking: Blocking unneeded ports is always good security practice. The challenge is defending ports that are shared by both legitimate and attacker traffic.
4. Threat intelligence: Attackers continuously scan the internet looking for servers to employ in their DDoS campaigns. The identities of these vulnerable servers are available as real-time feeds from threat intelligence companies.
How A10 Networks can help
Reflected amplification attacks are a menace that continues to grow. As the industry innovates with new applications and services, attackers find new tools to exploit.
As defenders, understanding attack strategies and knowing where an attack will come from can give us the upper hand to achieve DDoS resilience.
Applying aggressive port blocking and blacklisting IPs based on reputation carries a certain level of risk. Legitimate users can become collateral damage.
For example, a single IPv4 address could be shared by a vulnerable server and a legitimate user behind a NAT service.
However, during a DDoS attack, suspected traffic must be removed to prevent the targeted system from falling over.
To minimize collateral damage against legitimate users, A10’s Thunder TPS product has an innovative five-level automatic mitigation escalation strategy. This strategy lets DDoS defense operators apply predefined mitigation strategies at the appropriate level.
For example, at peacetime, or what we call Level 0, no mitigation is enforced.
When an attack is detected, our system automatically escalates through Level 1 to Level 4. Port blocking or threat intelligence can be assigned to any of the levels as an automated dynamic policy, applied after other less invasive techniques have been exhausted.
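As an added example (not code from this article or from A10's Thunder TPS), the following Python sketch shows the distinction drawn in the defenses section between solicited replies, client retries and unsolicited reflector responses, and an escalation ladder in the spirit of the Level 0 to Level 4 scheme described above; the flow records, protected address, thresholds and the per-level ordering of actions are constructed assumptions.

```python
# Added example, not A10's code: flag unsolicited inbound UDP responses from
# known reflector service ports and derive an illustrative escalation level.
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their real service port
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP", 11211: "memcached"}
PROTECTED = "203.0.113.10"  # constructed: address of the host we defend

# Constructed flow records in time order:
# (direction, src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("out", PROTECTED, 40001, "198.51.100.5", 53, "udp", 60),   # our own DNS query
    ("in", "198.51.100.5", 53, PROTECTED, 40001, "udp", 120),   # solicited DNS reply
    ("in", "192.0.2.7", 123, PROTECTED, 80, "udp", 468),        # NTP reply nobody asked for
    ("in", "192.0.2.8", 123, PROTECTED, 80, "udp", 468),
    ("in", "192.0.2.9", 1900, PROTECTED, 80, "udp", 1400),      # SSDP reply, unsolicited
    ("in", "192.0.2.20", 11211, PROTECTED, 80, "udp", 1400),    # memcached, unsolicited
    ("in", "192.0.2.20", 11211, PROTECTED, 80, "udp", 1400),
    ("in", "198.51.100.40", 52000, PROTECTED, 443, "tcp", 60),  # legitimate client retry
    ("in", "198.51.100.40", 52001, PROTECTED, 443, "tcp", 60),
]

def reflected_traffic(flows):
    """Per reflector service, count inbound UDP responses the protected host
    never requested: returns {service: (packets, bytes)}."""
    solicited = set()  # (peer_ip, peer_port, our_port) for requests PROTECTED sent
    stats = defaultdict(lambda: [0, 0])
    for direction, sip, sport, dip, dport, proto, size in flows:
        if proto != "udp":
            continue  # reflection abuses UDP; TCP retries are a different signal
        if direction == "out" and sip == PROTECTED:
            solicited.add((dip, dport, sport))
        elif direction == "in" and dip == PROTECTED and sport in REFLECTOR_PORTS:
            if (sip, sport, dport) in solicited:
                continue  # a reply to a request we actually sent; leave it alone
            svc = stats[REFLECTOR_PORTS[sport]]
            svc[0] += 1
            svc[1] += size
    return {name: tuple(v) for name, v in stats.items()}

# Illustrative ladder (an assumption, not A10's policy): least invasive first.
LEVELS = ["none", "rate-limit", "signature-filter",
          "block-reflector-ports", "drop-threat-intel-ips"]

def escalation_level(stats, bytes_per_level=2000):
    """Map total unsolicited reflector bytes to an escalation level 0..4."""
    total = sum(size for _, size in stats.values())
    return min(4, total // bytes_per_level)
```

Running `reflected_traffic(FLOWS)` leaves the solicited DNS reply and the TCP retries out of the totals, and `LEVELS[escalation_level(...)]` names the action the ladder would reach for that volume.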
Our actionable DDoS Threat Intelligence provides you with large lists of IP addresses that map the huge number of weapons available to attackers.
Many of the vulnerable services have millions of individual IPs, as you can see in A10’s DDoS Threat Intelligence Map.
This DDoS Threat Intelligence is included with our Thunder TPS product, supporting the largest available class-lists of up to 96 million entries.
For additional information on how A10 Networks can increase your DDoS resilience, please contact Gidon Shwartz by phone at +972508881972 or email him at: [email protected]
This article was published in partnership with A10 Networks.