The FT has reported recently that attacks on websites are becoming more common as new attacker toolkits are being sold that make it easier for cyber criminals to launch devastating (Distributed) Denial of Service (DDoS or DoS) attacks on websites. These kits mean that attackers need less skill to conduct the attacks and these are often being used as part of blackmail attacks on companies operating e-commerce websites. Gambling and betting sites have long been the favourite target of such attacks but increasingly all e-commerce operations are being targeted.
Criminals often conduct a short attack to get the businesses attention and then demand payment to stop further attacks. Businesses that are relying on their e-commerce store fronts to generate revenue, can suffer significant financial losses and reputation damage if they go offline even for a short period of time as a result of an attack.
New DDoS attacks to watch for
The latest kid on the block in terms of DDoS attacks is the NTP amplification DDoS attack. This has become headline news recently due to the number of attacks using this method. The attack is characterised by the ability to generate huge volumes of bandwidth consuming traffic to overwhelm a target.
The attack uses a feature of the NTP (Network Time Protocol, a networking protocol for clock synchronization ) call where a NTP server will return details of up to the last 600 machines that the NTP server has interacted with. This is known as the MONLIST. A small request of just 234 bytes can generate of 48k of data in return if the maximum number of addresses are returned (600 machines).
The IP traffic works by returning requested information to the source address in the requesting packet. If the source address in the requesting packet has been modified or spoofed, the data is not sent to the originating machine but to the machine whose address has been spoofed.
- If an attacker sends out a single packet with a request to a single NTP server with a spoofed address, the target will see a stream of about 100 packets containing 48kB of data.
- If the attacker can arrange for a large of number of requests to be sent using a botnet to a number of NTP servers then the target address can be overwhelmed with data creating a DDoS attack.
This relies on the attacker finding NTP servers, from which they can request the MONLIST. Unfortunately this is too easy to do with a large number of vulnerable NTP servers available for attackers to use.
Preventing the attacks takes two approaches:
1 – Reducing the number of publicly available NTP servers that can be used in these attacks
This is a long term approach. The MONLIST issue was classed as a NTP vulnerability covered by CVE-2013-5211 and can be remediated by ensuring the NTP server is running version 4.2.7p26 or greater, version 4.2.7p26 was released in March 2010 so the fix has been available for a while. If there is a need for a list of machines that have contacted the NTP server, a more secure version of the MONLIST is available, the MRULIST requires proof the requesting command came from a non-spoofed IP address and so should be used as an alternative to MONLIST.
For those who are running a network or a service provider, the countermeasures to prevent spoofing in general such as implementing BCP-38 and the related BCP-48 would eliminate not only spoofing attacks on NTP but all variants of spoofing attacks.
A Vulnerability Assessment (ITG PenTest level 1) of public facing infrastructure can identify Time Servers that are vulnerable to being exploited in a NTP amplification DDoS attack, along with identify if the infrastructure is vulnerable to a comprehensive number of weaknesses, exploits and threats
There is a lot of information from vendors about hardening their products and for those running NTP servers. The vendor may have a patch or solution that better meets the needs of securing a particular piece of equipment.
2 – Reducing the effect of a DDoS attack on your network
There are a number of generic approaches to this. Provided that the DDoS attack is against a protocol or an application and your pipe to your ISP is not being overloaded then filtering and dropping the malicious packets can ease the burden of the attack. For when the bandwidth of the attacking traffic is greater than the bandwidth of the pipe to your ISP; than the defence needs to be moved to your ISP or use a cloud mitigation provider.
IT Governance Technical Services can provide consultancy on your infrastructure and how to protect and remediate against threats and we can provide a cyber-health check service.