
Echo Echo Echo - New Strain of DDoS Amplification hits CDN

Source:
Wired

Akamai (DDoSee)
 

Summary:
A Massachusetts-based CDN detailed a 35Gbps DDoS attack using a new Amplification technique exploiting WS-Discovery (WSD).

 

Quotes/Excerpts:

Quote

On Wednesday, researchers from Akamai's DDoS mitigation service Prolexic detailed a 35 gigabit per second attack against one of its clients. The attackers used a relatively new technique—one that can potentially yield a more than 15,000 percent rate of return on the junk data it spews at a victim. The new type of attack feeds on vulnerabilities in the implementation of the Web Services Dynamic Discovery protocol. WS-Discovery lets devices on the same network communicate, and can direct them all to ping one location or address with details about themselves. It's meant to be used internally on local access networks. Akamai estimates that as many as 800,000 devices exposed on the internet can receive WS-Discovery commands. Which means that by sending "probes," a kind of roll-call request, you can generate and direct a firehose of data at targets. Attackers can manipulate WS-Discovery by sending these specially crafted malicious protocol requests to vulnerable devices like CCTV cameras and DVRs. And because WS-Discovery is built on a network communication protocol known as User Datagram Protocol, the probes can spoof their IP address to make it look like the request came from a target's network. By implementing WS-Discovery without protections on devices that will be exposed to the public internet, manufacturers have inadvertently built a population of devices that can be abused to generate DDoS attacks. The spoofing enabled by UDP makes it difficult for defenders to see exactly what commands attackers send in any specific reflection DDoS. So the Akamai researchers don't know specifically what was in the tailored packets hackers sent to trigger the attack on the gaming client. If botnet operators start automating the process of generating WS-Discovery DDoS attacks, the barrages will crop up even more. Mursch says he sees evidence that's already happening. Akamai Prolexic fended off the 35 Gbps attack, and its client didn't have any downtime during the assault. 
But the researchers say that the industry needs to be prepared for bigger versions in the future. As with the infamous Mirai botnet that conscripted vulnerable Internet of Things devices to join a zombie gadget army, it will be difficult to fix the population of exposed WS-Discovery devices that's already out there.


My Thoughts:

While not as big as NTP amplification and other existing techniques, using newer forms of Amplification can leave victims scrambling to come up with a solution. Thankfully, this was a smaller attack and the CDN was able to successfully handle the traffic, but there will continuously be new ways to DDoS people.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
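
Added example, not part of the original post or the quoted article: a defender-side check for the reflection pattern the excerpt describes, where many internet-exposed devices send WS-Discovery replies to one spoofed target. It relies on WS-Discovery's standard UDP port 3702, which the post does not state; the flow-record format, the reflector threshold and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # UDP port assigned to WS-Discovery
# Sources inside these ranges are treated as normal LAN discovery traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
198.51.100.7,3702,192.0.2.10,41822,udp,5120
198.51.100.9,3702,192.0.2.10,41822,udp,4890
203.0.113.44,3702,192.0.2.10,41822,udp,5333
203.0.113.45,3702,192.0.2.10,41822,udp,4760
192.168.1.20,3702,192.168.1.5,50211,udp,1400
198.51.100.7,443,192.0.2.10,52100,tcp,90000
203.0.113.80,3702,192.0.2.77,33000,udp,1500
"""

def is_local(addr):
    """True when addr belongs to a LAN range where WS-Discovery is expected."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def parse_flows(text):
    """Yield (src, sport, dst, dport, proto, bytes) tuples from CSV lines."""
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        yield src, int(sport), dst, int(dport), proto.lower(), int(nbytes)

def detect_wsd_reflection(flows, min_reflectors=3):
    """Return {victim_ip: (reflector_count, total_bytes)} for flagged victims."""
    seen = defaultdict(lambda: [set(), 0])
    for src, sport, dst, _dport, proto, nbytes in flows:
        # Reflected replies arrive FROM the WSD port of off-LAN devices.
        if proto != "udp" or sport != WSD_PORT or is_local(src):
            continue
        seen[dst][0].add(src)
        seen[dst][1] += nbytes
    # Flag only destinations hit by several distinct reflectors.
    return {dst: (len(srcs), total) for dst, (srcs, total) in seen.items()
            if len(srcs) >= min_reflectors}

if __name__ == "__main__":
    hits = detect_wsd_reflection(parse_flows(SAMPLE_FLOWS))
    for victim, (count, total) in hits.items():
        print(f"{victim}: {count} WS-Discovery reflectors, {total} bytes")
```

The same port number is what an edge filter would match on: inbound UDP from source port 3702 has no legitimate reason to cross the internet boundary, since the protocol is meant for local networks.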


 


All I can say is people like us have screwed over everyone else like us by developing these hardwares without the security to prevent takeovers that started DDoS as a thing in the first place.


10 minutes ago, Windows7ge said:

All I can say is people like us have screwed over everyone else like us by developing these hardwares without the security to prevent takeovers that started DDoS as a thing in the first place.

wut?

 

Can't understand a single thing in this sentence.

I only see your reply if you @ me.

 


3 minutes ago, Origami Cactus said:

wut?

 

Can't understand a single thing in this sentence.

Using what is hopefully simpler terms I'm saying we basically only have ourselves to blame for designing hardware and IoT devices that lack the security to stop fraudulent traffic or takeovers which turn them into pinging machines.


16 minutes ago, Windows7ge said:

Using what is hopefully simpler terms I'm saying we basically only have ourselves to blame for designing hardware and IoT devices that lack the security to stop fraudulent traffic or takeovers which turn them into pinging machines.

i dont design the hardware so dont blame me :P


18 minutes ago, Windows7ge said:

Using what is hopefully simpler terms I'm saying we basically only have ourselves to blame for designing hardware and IoT devices that lack the security to stop fraudulent traffic or takeovers which turn them into pinging machines.

the problem is ppl make IoT devices sit directly on or automagically open ports to the public internet with UPnP so you end up with all this crap that isnt protected by anything that anyone is free to scan for and exploit

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


8 minutes ago, spartaman64 said:

i dont design the hardware so dont blame me :P

Lies! You do, you just don't know it.

 

7 minutes ago, bcredeur97 said:

the problem is ppl make IoT devices sit directly on or automagically open ports to the public internet with UPnP so you end up with all this crap that isnt protected by anything that anyone is free to scan for and exploit

I'm aware, that's why IoT devices are the biggest offenders. Even if not all attacks are stoppable we should be implementing securities to mitigate it. It's as if the people making these products are thinking "If we can't stop all of them why stop any of them?". The excuse of they're built down to a price I think is BS. Security should still be accounted for even if we the consumer have to pay for it.


1 hour ago, Windows7ge said:

Lies! You do, you just don't know it.

 

I'm aware, that's why IoT devices are the biggest offenders. Even if not all attacks are stoppable we should be implementing securities to mitigate it. It's as if the people making these products are thinking "If we can't stop all of them why stop any of them?". The excuse of they're built down to a price I think is BS. Security should still be accounted for even if we the consumer have to pay for it.

I don’t think cost is the issue. It’s convenience. UPnP is super convenient but is also kinda bad :/ 



2 minutes ago, bcredeur97 said:

I don’t think cost is the issue. It’s convenience. UPnP is super convenient but is also kinda bad :/ 

Old habits die hard.


bruh DDoS'ing be like:

that dragon get owned.

anyways, the IoT DDoS part of this story isn't new, in 2017 the entire internet was slowed down (yes even google!) due to a HUGE DDoS attack from IoT devices.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


I wonder if older DDoS software like the Low Orbit Ion Cannon still works.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


Happy I never jumped on the IoT bandwagon.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>
