Posted by: ブルーネット・ジャスティン (Justin Brunette)

Category: IT News






New DDoS Attack Using UPnP Bypasses Current Defenses
There has been a rise in DDoS attacks that use amplification vectors: the attacker abuses servers and databases exposed on the public internet (memcached, DNS, SSDP and the like) to multiply a small volume of requests into a far larger volume of responses aimed at a target.
In late February of this year (28 February 2018), GitHub was the target of what was then the largest DDoS attack on record. Attackers used a memcached amplification method to sustain roughly 1.3 terabits per second of traffic for over eight minutes. Though attacks of that kind have been largely mitigated, researchers at Imperva discovered that the UPnP protocol can be abused to bypass current defence methods.
Such attacks usually require an equally large botnet but the amplification vectors allow for a bit of a shortcut for hackers. These types of assaults have been mostly remedied because there are predictable patterns to these amplification payloads. Co-authors of the report Avishay Zawoznik, Johnathan Azaria and Igal Zeifman wrote, “For example, blocking all packets with source port 53 is considered a tried-and-true method for mitigating DNS amplification attacks.”
But in April researchers spotted an unusual SSDP amplification attack whose traffic did not come from the source port they expected, port 1900. SSDP (Simple Service Discovery Protocol) is the discovery protocol UPnP devices use; it runs over UDP (User Datagram Protocol) on port 1900, so SSDP reflection traffic normally carries source port 1900.
The Imperva report lays out a proof-of-concept that starts by using the Shodan search engine to find UPnP gateway devices that expose their device description file, "rootDesc.xml", to the internet. The report states, "Cataloged in rootDesc.xml are all of the available UPnP services and devices."
Once a device is located, the file lists the services and the actions each service accepts remotely. The "AddPortMapping" action of the WANIPConnection service, for example, changes the device's port-forwarding rules.
The report stated, “Using the scheme within the file, a SOAP request can be crafted to create a forwarding rule that reroutes all UDP packets sent to port 1337 to an external DNS server ( via port UDP/53.”
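The following is an added example and not Imperva's tooling or any code from the report. It shows the pieces a defender needs to audit a gateway for the abuse described above: parsing a rootDesc.xml to find the WAN connection service and its controlURL, building the SOAP request such a service accepts (the same envelope shape the report's AddPortMapping request uses, here applied to GetSpecificPortMappingEntry so the script only reads), and flagging any port mapping whose target is not a LAN host. The rootDesc.xml, the SOAP response, the controlURL "/ctl/IPConn" and the address 203.0.113.53 are all constructed sample data, not captured from a real device.

```python
"""Added example (not Imperva's code): audit a UPnP Internet Gateway Device
for port mappings that forward to an external host. All XML here is
constructed sample data."""
import ipaddress
import xml.etree.ElementTree as ET

DEVICE_NS = "{urn:schemas-upnp-org:device-1-0}"
WAN_SERVICE_TYPES = (
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)
# Address ranges a legitimate port mapping should point at (LAN, link-local, loopback).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed rootDesc.xml, trimmed to the part that matters: the WAN connection
# service and its controlURL, which is where SOAP actions are POSTed.
SAMPLE_ROOTDESC = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Constructed sample gateway</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/ctl/IPConn</controlURL>
          <SCPDURL>/WANIPCn.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>"""

# Constructed GetSpecificPortMappingEntry response for an abused mapping:
# external UDP/1337 forwarded to a public resolver on UDP/53.
SAMPLE_ABUSED_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetSpecificPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewInternalPort>53</NewInternalPort>
<NewInternalClient>203.0.113.53</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>dns</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetSpecificPortMappingEntryResponse></s:Body></s:Envelope>"""


def find_wan_services(rootdesc_xml):
    """Return [(serviceType, controlURL)] for every WAN*Connection service in rootDesc.xml."""
    root = ET.fromstring(rootdesc_xml)
    found = []
    for svc in root.iter(DEVICE_NS + "service"):
        stype = svc.findtext(DEVICE_NS + "serviceType", "")
        if stype in WAN_SERVICE_TYPES:
            found.append((stype, svc.findtext(DEVICE_NS + "controlURL", "")))
    return found


def soap_request(service_type, action, args):
    """Return (SOAPAction header value, envelope body) for a UPnP action.
    AddPortMapping and GetSpecificPortMappingEntry use this same shape."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{body}</u:{action}>'
        "</s:Body></s:Envelope>"
    )
    return f'"{service_type}#{action}"', envelope


def parse_mapping_response(response_xml):
    """Extract the New* output arguments from a GetSpecificPortMappingEntryResponse."""
    root = ET.fromstring(response_xml)
    return {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}


def mapping_is_suspicious(mapping):
    """A legitimate mapping forwards to a LAN host. One whose internal client is
    outside the LAN turns the gateway into an open relay, which is what the
    DNS-via-UPnP technique relies on. Returns (flag, reason)."""
    client = mapping.get("NewInternalClient", "")
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return True, f"unparseable NewInternalClient {client!r}"
    if any(addr in net for net in LAN_NETS):
        return False, f"internal client {client} is a LAN address"
    return True, f"mapping forwards to external host {client}:{mapping.get('NewInternalPort')}"


if __name__ == "__main__":
    for stype, ctl in find_wan_services(SAMPLE_ROOTDESC):
        hdr, env = soap_request(stype, "GetSpecificPortMappingEntry",
                                {"NewRemoteHost": "", "NewExternalPort": 1337, "NewProtocol": "UDP"})
        print(f"POST {ctl}\nSOAPAction: {hdr}\n{env}\n")
    print(mapping_is_suspicious(parse_mapping_response(SAMPLE_ABUSED_RESPONSE)))
```

In live use the envelope would be POSTed to the controlURL with the SOAPAction header; the script deliberately only builds and parses messages so it can run offline. The check in mapping_is_suspicious is the one a gateway vendor or operator can apply on the device itself: refuse or alert on any AddPortMapping whose NewInternalClient is not on the LAN.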
The packet flow in the report's diagram, step by step:
(1) Attacker -> UPnP device: source port 80, destination port 1337 (the source IP is the victim's, as in any reflection attack)
(2) UPnP device -> DNS server: source port 1337, destination port 53
(3) DNS server -> UPnP device: source port 53, destination port 1337
(4) UPnP device -> Victim: source port 1337, destination port 80
The attacker sends a DNS request to the UPnP device on UDP/1337. The forwarding rule relays it to the external DNS server on UDP/53, so the resolver sees an ordinary query. The DNS server answers from port 53 back to the device's port 1337, and the device's NAT translation forwards that answer to the victim with source port 1337 and destination port 80. The victim therefore receives amplified DNS responses that never carry source port 53.
This proof of concept shows that source IP and port information are no longer reliable filters for defending against amplification attacks. The research suggests that "the most likely answer is to perform deep packet inspection to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment."
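The following is an added example, not code from the report, covering both the packet flow above and the payload-inspection recommendation. It parses the DNS header of a UDP payload and flags an amplification-style answer by content, then compares that against the source-port-53 rule quoted earlier: the same response is caught by both filters when it arrives from port 53, but only by the payload check when it arrives from port 1337 after passing through the UPnP mapping. The datagrams are constructed in code (query name example.com, a handful of large TXT records), not captured traffic.

```python
"""Added example (not from the Imperva report): payload-based detection of
DNS amplification responses, independent of the UDP source port.
All datagrams below are constructed, not captured."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Encode a dotted hostname in DNS label format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_dns_message(qname, qtype, answers, response):
    """Build a minimal DNS query, or a response carrying the given answer RRs
    (each a (type, rdata_bytes) tuple, class IN, TTL 300)."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA vs. RD only
    ancount = len(answers) if response else 0
    msg = DNS_HEADER.pack(0x1337, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if response:
        for rtype, rdata in answers:
            # 0xC00C is a compression pointer to the question name at offset 12
            msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def parse_dns_header(payload):
    if len(payload) < DNS_HEADER.size:
        return None
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(payload, offset):
    """Return the offset just past a (possibly compressed) name, or None if malformed."""
    while True:
        if offset >= len(payload):
            return None
        length = payload[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, name ends here
            return offset + 2
        offset += 1 + length


def looks_like_dns_response(payload):
    """True if the payload parses as a DNS answer: QR=1, standard-query opcode,
    exactly one question, and at least one record in the answer sections."""
    h = parse_dns_header(payload)
    if h is None or h["qr"] != 1 or h["opcode"] != 0 or h["qdcount"] != 1:
        return False
    if h["ancount"] + h["nscount"] + h["arcount"] == 0:
        return False
    end = skip_name(payload, DNS_HEADER.size)
    return end is not None and end + 4 <= len(payload)   # qtype + qclass must fit


def port_filter_blocks(src_port):
    """The 'tried-and-true' rule quoted above: drop anything from source port 53."""
    return src_port == 53


def classify(src_port, payload):
    """Apply both filters to one inbound datagram and report what each decides."""
    return {"port_filter_blocks": port_filter_blocks(src_port),
            "payload_filter_blocks": looks_like_dns_response(payload),
            "bytes": len(payload)}


# Constructed traffic: an ANY (type 255) answer padded with six 200-byte TXT
# records, plus the 29-byte query that elicits it.
BIG_TXT = bytes([200]) + b"A" * 200
AMPLIFIED = build_dns_message("example.com", 255, [(16, BIG_TXT)] * 6, response=True)
QUERY = build_dns_message("example.com", 255, [], response=False)

if __name__ == "__main__":
    print("amplification factor:", round(len(AMPLIFIED) / len(QUERY), 1))
    print("from src port 53  :", classify(53, AMPLIFIED))
    print("from src port 1337:", classify(1337, AMPLIFIED))   # port rule misses it
    print("query, src 1337   :", classify(1337, QUERY))       # neither flags it
```

The payload check is cheap per packet, but, as the report notes, doing it inline at multi-hundred-gigabit rates is the hard part; in practice it belongs on dedicated mitigation gear or is applied only once a volumetric threshold trips.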
At the moment there is no clear-cut way to defend against these attacks, which leaves networks with IoT devices exposed. For gateway owners, the practical step is to make sure the device's UPnP description and control interface (the rootDesc.xml endpoint and SSDP on UDP/1900) are not reachable from the WAN side, since the proof of concept depends on that exposure. The hope is that publicising this technique will help operators watch for such attacks and reach those who may be able to find a solution.