Saturday, March 30, 2013

Amplifying DDoS data volume by using spoofed UDP packets

[Image: audio amplifier]
Recently Spamhaus and Cloudflare were hit by a massive DDoS attack. While 300 Gbit/s is impressive, it is worth mentioning that the situation was not as dramatic as the media described.

Attackers used public DNS servers (with recursive resolving enabled) to amplify the volume of data. In short, it works because DNS uses UDP, which is stateless (there is no "handshaking"), so the source address can be spoofed easily. What is more, DNS servers respond to the spoofed IP with up to 100x more bytes than they received, which is why they are widely used as data volume "amplifiers". Keeping in mind that this method succeeds mainly because of the nature of UDP, internet architecture and routing, other UDP-based applications can be used to amplify the volume of data as well. The problem is not new: back in 2000 the document "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" was published. You can read more in CNET's "How the Spamhaus DDoS attack could have been prevented".

Let's check some other possible "amplifiers". Online game servers are a good start, because games commonly use UDP and many servers allow anyone to query them for their status, settings, players etc. Of course the number of game servers can't be compared to the number of "vulnerable" DNS servers, which is 25 million according to the Open DNS Resolver Project.

So today I've recreated the research I did a couple of years ago. I chose 5 popular (IMO) games and for each game I picked 5 random empty servers from gametracker.com. The games I chose are: Quake 3, Call of Duty 4, Counter Strike 1.6, Counter Strike Source and Team Fortress 2.

Here are the results (all sizes in bytes; "% gain" and "ratio" are the average response size relative to the sent packet size; the last two columns are the number of public servers listed at gametracker and game-monitor):

Game     Sent   Server 1   Server 2   Server 3   Server 4   Server 5   Average    % gain   Ratio   Servers @      Servers @
         size   response   response   response   response   response   response                    gametracker    game-monitor
Q3        56        923        757        933        988       1007      921.6     1646   16.46           400           1290
COD4      56        450        448        538        585        523      508.8      909    9.09          5535           5392
CS 1.6    57       2070       2104       1730       2111       2028     2008.6     3524   35.24         30669          50054
CS:S     108       1696       3525       1806       1717       2191       2187     2025   20.25          9696          16963
TF2      108       2319       2589       3723       2775       2837     2848.6     2638   26.38          6560          13875

So it is clear that the best candidate for an "amplifier" in my small test set is Counter Strike 1.6, because of its average 35-to-1 ratio and the largest estimated number of public servers. Nevertheless, it can't be compared to open recursive DNS resolvers.
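One server-side mitigation that follows directly from the measurements above: budget the response bytes a status-query service returns to each source address per time window, so a spoofed source cannot be flooded with replies it never asked for. This is an added example, not code from the post; the limiter design, the 4096-byte budget and the documentation-range address 198.51.100.7 are assumptions, while the 57-byte query and ~2008-byte reply come from the CS 1.6 row of the table.

```python
"""Response rate limiting for a UDP status-query service (added example).

Status replies are 9x-35x larger than the query, so a server should cap the
response *bytes* it sends to each source address per window. Budget, window
and sample traffic below are constructed for illustration.
"""
from collections import defaultdict


class ResponseRateLimiter:
    """Per-source response byte budget, reset at the start of each window."""

    def __init__(self, byte_budget, window_seconds):
        self.byte_budget = byte_budget
        self.window = window_seconds
        # source address -> (window_start_time, bytes_sent_in_window)
        self._state = defaultdict(lambda: (0.0, 0))

    def allow(self, src_ip, response_len, now):
        start, used = self._state[src_ip]
        if now - start >= self.window:  # window expired: start a fresh one
            start, used = now, 0
        if used + response_len > self.byte_budget:
            self._state[src_ip] = (start, used)  # over budget: drop query
            return False
        self._state[src_ip] = (start, used + response_len)
        return True


def reflected_traffic(query_count, request_len, response_len, limiter=None,
                      spoofed_src="198.51.100.7"):
    """Bytes reflected to the spoofed source and the resulting ratio.

    Simulates query_count identical queries, all carrying the same spoofed
    source address, spread evenly over one second.
    """
    sent_to_victim = 0
    for i in range(query_count):
        now = i / query_count
        if limiter is None or limiter.allow(spoofed_src, response_len, now):
            sent_to_victim += response_len
    return sent_to_victim, sent_to_victim / (query_count * request_len)


if __name__ == "__main__":
    # CS 1.6 figures from the table: 57-byte query, ~2008-byte status reply.
    print("no limit:", reflected_traffic(100, 57, 2008))
    print("limited:", reflected_traffic(100, 57, 2008,
                                        ResponseRateLimiter(4096, 1.0)))
```

With the budget in place the reflected volume drops below the bytes the attacker had to send, so the server stops being a net amplifier for that source.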

PS. Both Q3 and COD4 use the same application-layer network protocol (Quake 3). The same is true of TF2 and CS:S (Source).

PS 2. In the past there was a similar issue with spoofed ICMP packets; it is called the Smurf attack.