Dirt Cheap DDoS for Hire, via D/TLS Amplification

A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).

Typified by Cisco’s Netscaler ADC product, before a patch was released in January, some D/TLS servers don’t check for forged requests. That allows scrotes to misuse these high-bandwidth servers to deny internet service to people they want to extort money from.

This possibly includes Sony, whose LittleBigPlanet service has been AWOL for a week. In today’s SB Blogwatch, we ask the question.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: But is it art?

Dirty Deeds: DDoS D/TLS

What’s the craic? Dan Goodin reports in—“~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet”:

 DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections … the criminals respond with new ways to make the most of their limited bandwidth.

In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. … DDoS-for-hire services [are] adopting a new amplification vector … D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets.

The biggest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps.

Abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built in to the D/TLS specification, hardware including the Citrix Netscaler Application Delivery Controller didn’t always turn it on by default.

D/T-whatnow? Heed Dev Kundaliya’s pedagogy—“Citrix has updated its Netscaler ADCs and advises customers to upgrade”:

 The main function of D/TLS is to protect User Datagram Protocol (UDP) data packets from eavesdropping and forgery. … Citrix has now updated Netscaler ADCs and is advising its customers to upgrade their software to a version in which anti-spoofing is enabled by default.

Who discovered it? Netscout’s Roland Dobbins, Steinthor Bjarnason, Michele DiDedda, Jon Belanger and Chris Conrad compiled this “Threat Summary”:

 While an anti-spoofing mechanism was designed into D/TLS from the outset, it was described in the relevant IETF RFCs as ‘may’, rather than ‘must’ in terms of implementation requirements. As a result, some D/TLS implementations do not leverage this anti-spoofing mechanism by default.

The default D/TLS configuration for some Citrix Netscaler Application Delivery Controllers (ADCs) … versions did not initially enable the organic D/TLS anti-spoofing mechanism by default, resulting in a population of … ADCs that could abused. … There are other D/TLS implementations that, if misconfigured, could also be abused.

The amplified attack traffic consists of both initial UDP fragmented packets sourced from UDP/443 and non-initial fragmented UDP packets, directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. … D/TLS reflection/amplification has [now] been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services.

Systems administrators [should] either disable unnecessary D/TLS services or … patch or configure them to make use of the HelloVerifyRequest anti-spoofing mechanism. … Network operators should perform reconnaissance to identify and remediate abusable D/TLS servers on their networks and/or the networks of their downstream customers.

I wonder if it has anything to do with Sony’s woes? Tom Phillips updates us—“LittleBigPlanet servers offline”:

 PlayStation has thanked LittleBigPlanet fans for their patience as it works to bring the franchise’s servers back online. “We are aware of server issues with LittleBigPlanet and are working to get the issue fixed and the servers back online,” a PlayStation spokesperson [said].

A week on from [my] initial report, LittleBigPlanet servers remain unavailable. Fans have blamed the downtime on a persistent DDOS attack by a disgruntled fan … an individual unhappy with Sony’s treatment of the franchise.

Didn’t anyone see this coming? arglebargle_xiv is but one step away from crying “I told you so”:

 I was wondering how long it was doing to take before attackers started abusing D/TLS. Next will be how long it takes before they abuse all the stuff Google had shovelled into TLS 1.3 to make their content delivery more efficient. Have a look at 0RTT and similar, you almost couldn’t design a more abusable mechanism if you tried.

But Cisco admins have had three months. afidel can’t quite believe what they’re reading:

 The D/TLS workaround for Netscalers was released back in December, and the patch in early January. The admins who haven’t applied either yet are simply negligent.

And doesn’t anyone care about the cost? Not according to bustinbrains:

 Doesn’t this cost those companies money? … Once a network goes over its monthly bandwidth contract limit, the ISP starts charging companies per GB of transfer.

What are the finance departments at these companies doing? Shouldn’t they notice a major increase in that IT budget expenditure line item every month the company’s infrastructure was used in a global DDoS attack and ask the question, “Hey, what’s up with this?”

Every ISP should be tracking unusual traffic through their networks. When a sudden spike occurs in a given month outside of established norms … the owner of the system is notified of the increase.

I feel like we can collectively do a better job and eliminate exploitable vulnerabilities like this by building multiple layers of observation of our networks into existing processes.

But why are they DDoSing anyway? docbain follows the money:

 I once attended a talk by a national head of cyber crime policing. The DDoS attacks that they investigate mainly trace back to booster/stressor services run by teenagers. It’s profitable — one 13 year old they arrested had made $500k. The other common result was that the trail leads back to Russia, at which point the investigators give up.

Returning to LittleBigPlanet, Kadare agrees:

 Mean and nasty thing to do, although it has to be said that Sony treated this franchise really badly. LBP3 was a trainwreck of a game that was never fixed, even years after release. It ruined what had started out as a great franchise.

Of course, I wasn’t for one second trying to justify the DDoS attacks.

Meanwhile, here’s a radical suggestion from Mixyezpittleick:

 If they ever catch the individuals who are responsible for this kind of thing, they should cut their hands off.

And Finally:

DO NOT ADJUST YOUR SET

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Matt Becker (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 665 posts and counting.See all posts by richi