The faster we, as security and network operators, can detect new attack vectors, the sooner we can find ways to slow or stop their growth. To that end, Level 3 monitors threat indicators on its network and works to mitigate attack trends for our customers. As a global backbone operator we are also in a unique position: we often see multiple stages of an attack, not just the final stage that targets the victim. This allows us to block attackers and to work with unsuspecting third parties to mitigate future risk.
In recent weeks, with the emergence of a new DDoS reflection vector, Portmapper, we have seen surprising trends in both traffic behavior and DDoS methods.
DDoS reflection attacks are an active problem that seriously hurts both businesses and consumers. The most notorious was the NTP attack in early 2014, which peaked at hundreds of gigabits per second. Portmapper is the latest vector for this type of attack. It has already been used in many attacks, and its largest impact on organizations came on August 10-12. So far these attacks have hit only a subset of industries, primarily gaming, hosting, and Internet infrastructure. The goal of Level 3 Threat Research Labs is for the industry to use this early warning to stop or delay future impact.
Distributed denial of service (DDoS) attacks can disrupt all kinds of resources on the Internet. Rarely does a week go by without news of a website or company affected by such an attack. Although there are many attack methods, volumetric attacks remain popular because of the significant impact they have and the little sophistication they require.
In recent years, various UDP-based services have been abused for this purpose, especially DNS, NTP, and SSDP. Attackers use them to mask their source and to amplify the bandwidth of volumetric attacks. As each of these vectors became popular, security researchers and network operators worked together to eliminate open amplification hosts, track the attackers, and block the attack requests entirely.
Among other security bulletins on this subject, US-CERT provided details at https://www.us-cert.gov/ncas/alerts/TA14-017A and maintains that alert as a list of known vectors.
Portmapper (also known as rpcbind, portmap, or RPC portmapper) is a mechanism with which Remote Procedure Call (RPC) services register so that they can be called over the network. Think of it as a directory service for RPC. When a client wants to find a particular service, it asks Portmapper for help. This means that when you run a query, the size of the response can vary greatly, depending on which RPC services are running on the host.
As an example:

$ rpcinfo -T udp -p AAA.BBB.CCC.DDD
   program vers proto   port  service
    100000    2   tcp    111  portmapper
Portmapper can run on TCP or UDP port 111; it is the UDP listener that makes amplified responses to spoofed requests possible.
This particular response was one of the smallest we received: a 68-byte query returned a 486-byte response, a 7.1x amplification. At the high end of the spectrum, responses of up to 1930 bytes were observed, a 28.4x amplification.
To quantify the average amplification, we measured the average response size for over 300 of the top talkers seen across our network. The result was approximately 1241 bytes (an 18.3x factor). We then compared this number with the values seen in a sample DDoS attack and found an average of 1348 bytes (19.8x amplification).
Obviously, amplification factors of this size make for a serious DDoS vector.
Level 3 Threat Research Labs has referred to the Portmapper query as a 68-byte IP packet destined for UDP port 111. However, that reflects the behavior of the single test machine used in the analysis. Anyone looking to filter these requests needs to understand what other query sizes actually appear. To find out, we looked at network data for the distribution of packet sizes destined for UDP port 111.
The breakdown of packet sizes directed to the Portmapper UDP service during the sample period (late June to mid-August) is as follows:
78 bytes - 25%
69 bytes - 19%
... everything else is below 1% and not significant
These are the packet sizes to use when filtering queries to the Portmapper service.
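The packet-size breakdown above is what a network operator would build from flow data, and the same records also reveal the two ends of a reflection attack: one "source" whose small UDP/111 queries fan out to many hosts (the spoofed victim) and large UDP source-port-111 replies converging on that address. The following is an added example, not code from the original post or from Level 3; the flow records are constructed sample data using RFC 5737 documentation addresses, and the size set and thresholds are assumptions chosen to match the article's observations.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int   # IP packet length in bytes


# Query sizes the article observed for UDP/111: 68 from the test host,
# 78 and 69 as the dominant sizes seen on the network (assumption: treat all three).
PORTMAPPER_QUERY_SIZES = {68, 69, 78}

# Constructed sample records: 203.0.113.5 is the victim whose address is spoofed,
# 198.51.100.x are hosts running Portmapper, 192.0.2.7 is an administrator
# legitimately querying one host, and the last record is unrelated noise.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40001, "198.51.100.10", 111, "udp", 78),
    Flow("203.0.113.5", 40001, "198.51.100.11", 111, "udp", 69),
    Flow("203.0.113.5", 40001, "198.51.100.12", 111, "udp", 78),
    Flow("203.0.113.5", 40001, "198.51.100.13", 111, "udp", 69),
    Flow("192.0.2.7", 51234, "198.51.100.10", 111, "udp", 78),
    Flow("198.51.100.10", 111, "203.0.113.5", 40001, "udp", 1348),
    Flow("198.51.100.11", 111, "203.0.113.5", 40001, "udp", 1241),
    Flow("198.51.100.12", 111, "203.0.113.5", 40001, "udp", 486),
    Flow("192.0.2.9", 52000, "198.51.100.20", 443, "tcp", 1500),
]


def portmapper_queries(flows):
    """Packets addressed to the Portmapper UDP service."""
    return [f for f in flows if f.proto == "udp" and f.dport == 111]


def size_distribution(flows):
    """Percentage of Portmapper queries by IP packet length, largest share first."""
    queries = portmapper_queries(flows)
    counts = Counter(f.length for f in queries)
    total = len(queries)
    return {size: round(100.0 * n / total, 1) for size, n in counts.most_common()}


def spoofed_source_candidates(flows, min_reflectors=3):
    """Sources whose query-sized UDP/111 packets fan out to many distinct hosts.
    Seen from a backbone, one 'source' hitting many reflectors is the spoofed victim."""
    targets = defaultdict(set)
    for f in portmapper_queries(flows):
        if f.length in PORTMAPPER_QUERY_SIZES:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_reflectors}


def reflection_responses(flows, min_length=400):
    """Large replies leaving UDP port 111: bytes per reflecting host and per target."""
    by_reflector = Counter()
    by_target = Counter()
    for f in flows:
        if f.proto == "udp" and f.sport == 111 and f.length >= min_length:
            by_reflector[f.src] += f.length
            by_target[f.dst] += f.length
    return dict(by_reflector), dict(by_target)


if __name__ == "__main__":
    print("query sizes:", size_distribution(SAMPLE_FLOWS))
    print("likely spoofed victims:", spoofed_source_candidates(SAMPLE_FLOWS))
    reflectors, targets = reflection_responses(SAMPLE_FLOWS)
    print("reflecting hosts:", reflectors)
    print("bytes delivered to targets:", targets)
```

The two views complement each other: the spoofed-source check works even before any reply is seen, while the reply view identifies which of your own hosts are acting as reflectors and therefore need the filtering or reconfiguration the article recommends.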
Other reflection attack methods have been fairly stable over the past few weeks, while this particular vector has grown substantially.
Comparing the last seven days of June with the seven days ending August 12, global Portmapper traffic increased 22-fold. However, when Portmapper's global traffic is compared with that of other popular UDP services, it is clear that its overall volume is still small.
Portmapper traffic is so small that it barely registers as the red line at the bottom of the graph. Despite the recent increase, this represents a great opportunity to start filtering requests and removing reflecting hosts from the Internet before the attack grows in popularity and causes more damage.
Portmapper is a new vector for reflection and amplification DDoS attacks across the Internet. Every administrator and organization should review whether it needs to remain available as an Internet-facing service in their environment. But it is not the only vector revealed here. Many of the RPC services on vulnerable hosts are also reachable on UDP ports. They are not listed here directly, but they should all be considered at risk of being used for DDoS reflection or amplification. Of course, it is good practice to question why any of them is exposed to the Internet and to disable those that need not be.
As the primary option, we recommend disabling Portmapper along with NFS, NIS, and all other RPC services on the open Internet. Where the service must remain live, configure firewall rules so that only approved IP addresses can reach it, and switch it to TCP only so that it cannot become an unwitting participant in future DDoS attacks.
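Two points above deserve a worked illustration: why the response size, and so the amplification factor, depends on which RPC services a host has registered, and how an administrator can audit a host's own rpcinfo output for the UDP-reachable RPC services the recommendation says to disable. The following is an added example, not code from the original post or from Level 3. It models the ONC RPC DUMP exchange from the XDR field sizes in RFC 5531 and RFC 1833 (assuming AUTH_NULL credentials and an IPv4 header without options), so its sizes are estimates rather than measurements, and the rpcinfo -p listing it parses is constructed sample output.

```python
import re

# XDR field sizes from the ONC RPC and Portmapper protocols (RFC 5531, RFC 1833).
# Assumption: the query carries AUTH_NULL credentials, as rpcinfo sends by default.
IP_HEADER = 20        # IPv4 header without options
UDP_HEADER = 8
RPC_CALL_BODY = 40    # xid, msg_type, rpcvers, prog, vers, proc, cred(8), verf(8)
RPC_REPLY_HEAD = 24   # xid, msg_type, reply_stat, verf(8), accept_stat
MAPPING_ENTRY = 20    # value_follows + {prog, vers, prot, port}
LIST_TERMINATOR = 4   # final value_follows = FALSE

# A PMAPPROC_DUMP query is therefore a fixed-size packet: the article's 68 bytes.
QUERY_BYTES = IP_HEADER + UDP_HEADER + RPC_CALL_BODY

# Constructed sample: what `rpcinfo -p` prints on a host that also exports NFS.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into a list of mapping dicts; the header is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prog, vers, proto, port, service = m.groups()
            entries.append({"prog": int(prog), "vers": int(vers),
                            "proto": proto, "port": int(port),
                            "service": service})
    return entries


def dump_reply_bytes(n_mappings):
    """Estimated on-the-wire size of a DUMP reply listing n registered mappings."""
    return (IP_HEADER + UDP_HEADER + RPC_REPLY_HEAD
            + MAPPING_ENTRY * n_mappings + LIST_TERMINATOR)


def amplification_factor(n_mappings):
    """Reply bytes per query byte, the ratio the article reports as e.g. 7.1x."""
    return dump_reply_bytes(n_mappings) / QUERY_BYTES


def mappings_for_reply_size(reply_bytes):
    """Invert the model: roughly how many mappings produce a reply of this size."""
    return (reply_bytes - dump_reply_bytes(0)) / MAPPING_ENTRY


def udp_exposed_services(entries):
    """RPC programs other than Portmapper itself that are registered on UDP,
    i.e. the additional reflection candidates the article warns about."""
    return sorted({e["service"] or str(e["prog"])
                   for e in entries
                   if e["proto"] == "udp" and e["prog"] != 100000})


if __name__ == "__main__":
    entries = parse_rpcinfo(SAMPLE_RPCINFO)
    n = len(entries)
    print(f"{n} mappings -> ~{dump_reply_bytes(n)} byte reply, "
          f"{amplification_factor(n):.1f}x amplification")
    print(f"a 486-byte reply corresponds to ~{mappings_for_reply_size(486):.0f} mappings")
    print("UDP-reachable RPC services to review:", udp_exposed_services(entries))
```

Under this model every extra registration adds 20 bytes to the reply while the query stays at 68 bytes, which is why hosts with many RPC programs (NFS alone typically registers several versions of nfs, mountd and status) reach the higher factors; the article's smallest observed reply of 486 bytes works out to roughly 21 mappings. The udp_exposed_services list is the audit the closing recommendation calls for: each entry is a service to disable, firewall to approved addresses, or move to TCP only.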