In a new blog post, Imperva researchers reveal findings on a newly discovered evasive DDoS amplification attack method that could put any company with an online presence at risk.
The attack represents a paradigm shift in what’s known about amplification assaults and how they need to be mitigated.
In the post, Imperva researchers explain how the attack could take place using a well-known, yet unplugged, security issue in UPnP devices. The implications of their findings are extensive and point to the need for DDoS security providers to adjust their mitigation strategies before these attacks become more common.
According to Avishay Zawoznik, security research team leader at Imperva, “We have discovered a new DDoS attack technique, which uses known vulnerabilities, and has the potential to put any company with an online presence at risk of attack. The technique highlights the need for DDoS mitigation vendors to adapt their defensive techniques and introduce additional defences against amplification attacks that go beyond only blocking assaults from certain source ports.”
Amplification attack vectors are some of the most commonly used tools in the DDoS attacker’s arsenal. In the last quarter of 2017, Imperva researchers saw NTP amplification employed in roughly 33 percent of all DDoS assaults against their customers, while DNS and SSDP amplification vectors played a part in 17 percent and 13.7 percent of attacks, respectively.
For bad actors, amplification vectors offer a shortcut to launching bandwidth-heavy assaults without the need for equally large botnet resources. From a mitigation point of view, however, they represent a diminished threat as, by now, most mitigation services have scaled to a point where attack bandwidth is no longer a chief concern—or any concern at all.
More importantly, the source port headers of amplification payloads follow a predictable pattern, making them easy to filter at a network border. For example, blocking all packets with source port 53 is considered a tried-and-true method for mitigating DNS amplification attacks.
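To make the limitation of a pure source-port filter concrete, the following added example (not code from Imperva's post) contrasts the "block source port 53" rule with a port-agnostic check that inspects the DNS header and size of each datagram. The sample datagrams, the 512-byte threshold and the header heuristic are assumptions for illustration; the point is that a response-shaped, amplification-sized payload is still recognisable when it arrives from a source port other than 53, which is the kind of additional defence the quoted recommendation calls for.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class UdpDatagram:
    """One UDP datagram as a border filter would see it (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


DNS_HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR_BIT = 0x8000                        # set in FLAGS when the message is a response


def source_port_rule(pkt: UdpDatagram) -> bool:
    """The port-based rule from the text: treat anything sourced from UDP/53 as suspect."""
    return pkt.src_port == 53


def looks_like_dns_response(payload: bytes) -> bool:
    """Parse only the fixed 12-byte DNS header and check it is a response carrying records."""
    if len(payload) < DNS_HEADER.size:
        return False
    _ident, flags, qdcount, ancount, nscount, arcount = DNS_HEADER.unpack_from(payload)
    is_response = bool(flags & QR_BIT)
    return is_response and qdcount == 1 and (ancount + nscount + arcount) > 0


def payload_rule(pkt: UdpDatagram, min_len: int = 512) -> bool:
    """Port-agnostic rule (assumed heuristic): a DNS response large enough to amplify."""
    return looks_like_dns_response(pkt.payload) and len(pkt.payload) >= min_len


def classify(pkt: UdpDatagram) -> Dict[str, bool]:
    """Verdict of each rule for one datagram."""
    return {"source_port": source_port_rule(pkt), "payload": payload_rule(pkt)}


def build_dns_response(size: int, answer_count: int = 20, ident: int = 0x1234) -> bytes:
    """Constructed DNS response: a valid header, with the record section replaced by filler."""
    if size < DNS_HEADER.size:
        raise ValueError("size must cover the 12-byte header")
    flags = QR_BIT | 0x0100 | 0x0080  # response, recursion desired, recursion available
    header = DNS_HEADER.pack(ident, flags, 1, answer_count, 0, 0)
    return header + b"\x00" * (size - DNS_HEADER.size)


# Constructed traffic sample: addresses are documentation ranges, not real hosts.
SAMPLE_TRAFFIC: List[UdpDatagram] = [
    # amplification-sized DNS response from the expected source port
    UdpDatagram("198.51.100.10", 53, 33000, build_dns_response(600)),
    # same payload, but arriving from a source port a port filter would not block
    UdpDatagram("198.51.100.11", 40001, 33000, build_dns_response(600)),
    # small, ordinary DNS reply from port 53
    UdpDatagram("198.51.100.12", 53, 33000, build_dns_response(80, answer_count=1)),
    # non-DNS UDP filler from a high port
    UdpDatagram("198.51.100.13", 40002, 33000, b"\x00" * 600),
]


def summarize(traffic: List[UdpDatagram]) -> Dict[str, int]:
    """Count how many datagrams each rule flags, and how many either rule flags."""
    caught = {"source_port": 0, "payload": 0, "either": 0}
    for pkt in traffic:
        verdict = classify(pkt)
        caught["source_port"] += verdict["source_port"]
        caught["payload"] += verdict["payload"]
        caught["either"] += verdict["source_port"] or verdict["payload"]
    return caught


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(pkt.src_ip, pkt.src_port, classify(pkt))
    print(summarize(SAMPLE_TRAFFIC))
```

Run as a script, the second datagram is the instructive one: the source-port rule lets it through while the payload rule flags it, so combining the two (the `either` count) covers both cases. In a real filter the payload check would be backed by per-destination rate counters rather than a single size threshold, but the header parse shown here is all that is needed to stop relying on the source port alone.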
The full blog post can be found here.