ECI Networks

is a leading, award-winning developer of e-business systems and software that enable companies and organizations to collaborate and communicate effectively with their trading partners, market their products and services online, generate new business opportunities, and transact business efficiently around the globe.

ECI Global

An American export trading and management company for manufacturers, producers, service providers, wholesalers, foreign and domestic buyers, distributors, and agents seeking entry to international markets. We are equipped to help you enter the global marketplace at whatever pace suits your business.

ECI Financial

We have developed an innovative suite of business solutions for financial management based on innovative infrastructure, networks, management resources, and eCommerce payment solutions that allow businesses to better extract profits from cash flows.

E3 Technologies

To focus interdisciplinary effort on research in nanotechnology, autonomous systems, software, networks, water management, sustainable energy, information technology, biotechnology, and materials engineering.

BL-2-OC

BL2OC – (B)usiness (L)everage -2- (O)rganize (C)ommunities. Our purpose is simple and our results are sustainable.

ECI Communiversity

Massive Open Online Courses (MOOCs): Internet-based teaching programs designed to serve thousands of students simultaneously.

What We Do

Business-Security-Technology

08/31/2015 06:19 AM EDT – Original release date: August 31, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

Business-Security-Technology
08/17/2015 06:16 AM EDT – Original release date: August 17, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

Business-Security-Technology
08/10/2015 06:14 AM EDT – Original release date: August 10, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

Business-Security-Technology
08/03/2015 06:25 AM EDT – Original release date: August 03, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

ECI Networks is a solution provider specializing in state-of-the-art, high-performance solutions for web applications, network and systems infrastructure, and outsourcing. In strategic partnerships with top industry leaders, ECI develops solutions for use on mid-market and enterprise platforms. ECI’s professional services include system design and implementation, software development, and network administration.

As a management consulting firm focused on information security, ECI Networks offers a wide array of protection services to assure that your organization is secure. Through our distinct practices of Audit and Compliance, Risk Management, Network Operations, and Incident Response, we can work with you to mitigate your risks while advancing from your current state to a secure and sustainable one.

ECI offers a managed network care solution that reduces the cost of IT-related ownership and performance by 35-50%, as outlined in the Gartner report dated March 10th 2008, “Effective Management Can Cut Total Cost of Ownership for Desktop PCs by 42%.” Our grid-based, redundant systems provide high availability, performance, and backup security. When disaster strikes, downtime for disaster recovery has been less than one hour for servers, workstations, and access to necessary business data.

Security Outline

Security Profile & Penetration.

Security assessments are the cornerstone of any strong information security program.

Industries.

Each industry faces unique challenges in securing its organization.

Privacy.

An effective security program does not equate to a solid privacy program.

Systems Affected

Certain UDP protocols have been identified as potential attack vectors:

  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol
  • RIPv1
  • Multicast DNS (mDNS)
  • Portmap

Overview

A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

Description

UDP, by design, is a connectionless protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge an IP datagram so that it carries an arbitrary source IP address [1]. When many UDP packets have their source IP address forged to a single address, the server sends its responses to that victim, creating a reflected Denial of Service (DoS) attack.

Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale, DDoS attacks can be conducted with relative ease.

To measure the potential effect of an amplification attack, a metric called the bandwidth amplification factor (BAF) is used. BAF is calculated as the number of UDP payload bytes that an amplifier sends in answer to a request, divided by the number of UDP payload bytes in the request [2] [3].

The list of known protocols and their associated bandwidth amplification factors is given below. US-CERT offers thanks to Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian’s blog and associated research paper.

Protocol | Bandwidth Amplification Factor | Vulnerable Command
--- | --- | ---
DNS | 28 to 54 | see: TA13-088A [4]
NTP | 556.9 | see: TA14-013A [5]
SNMPv2 | 6.3 | GetBulk request
NetBIOS | 3.8 | Name resolution
SSDP | 30.8 | SEARCH request
CharGEN | 358.8 | Character generation request
QOTD | 140.3 | Quote request
BitTorrent | 3.8 | File search
Kad | 16.3 | Peer list exchange
Quake Network Protocol | 63.9 | Server info exchange
Steam Protocol | 5.5 | Server info exchange
Multicast DNS (mDNS) | 2 to 10 | Unicast query
RIPv1 | 131.24 | Malformed request
Portmap (RPCbind) | 7 to 28 | Malformed request

In March 2015, the Software Engineering Institute CERT issued Vulnerability Note VU#550620 describing the use of mDNS in DRDoS attacks. Attackers can leverage mDNS by sending more information than can be handled by the device, thereby causing a DoS [6].

In July 2015, Akamai Technologies’ Prolexic Security Engineering and Research Team (PLXsert) issued a threat advisory describing a surge in DRDoS attacks using the Routing Information Protocol version one (RIPv1). Malicious actors are leveraging the behavior of RIPv1 for DDoS reflection through specially crafted request queries [7].

In August 2015, Level 3 Threat Research Labs reported a new form of DRDoS attack that uses portmap. Attackers leverage the behavior of the portmap service through spoofed requests and flood a victim’s network with UDP traffic [8].

Impact

Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.

Solution

DETECTION

Detection of DRDoS attacks is not easy because of their use of large, trusted servers that provide UDP services. Network operators of these exploitable services may apply traditional DoS mitigation techniques. In addition, watch out for abnormally large responses to a particular IP address, which may indicate that an attacker is using the service to conduct a DRDoS attack.
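The check described above, applied to the BAF definition from the Description section, as an added example (not part of the original alert): per peer address, compare the UDP payload bytes a monitored service received in requests with the bytes it sent back, and flag peers whose ratio and volume look like reflection rather than ordinary use. The flow records, the server address 192.0.2.53, and the thresholds are constructed for illustration.

```python
"""Per-peer amplification check for one UDP service, from flow records.

Added example. Record layout (src_ip, src_port, dst_ip, dst_port,
payload_bytes) is an assumption, not a real collector's export format.
"""
from collections import defaultdict

# Constructed records for a DNS server at 192.0.2.53 (the reflector).
FLOWS = [
    # Ordinary client: one small query, one modest answer.
    ("198.51.100.7", 40001, "192.0.2.53", 53, 64),
    ("192.0.2.53", 53, "198.51.100.7", 40001, 180),
    # Victim 203.0.113.9: repeated spoofed queries, large aggregate answers.
    ("203.0.113.9", 5353, "192.0.2.53", 53, 64),
    ("192.0.2.53", 53, "203.0.113.9", 5353, 3400),
    ("203.0.113.9", 5353, "192.0.2.53", 53, 64),
    ("192.0.2.53", 53, "203.0.113.9", 5353, 3400),
    ("203.0.113.9", 5353, "192.0.2.53", 53, 64),
    ("192.0.2.53", 53, "203.0.113.9", 5353, 3400),
]


def amplification_by_peer(flows, server_ip, service_port):
    """Return {peer_ip: (request_bytes, response_bytes, baf)}.

    BAF follows the alert's definition: response payload bytes divided
    by request payload bytes, aggregated per peer address.
    """
    requests, responses = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst == server_ip and dport == service_port:
            requests[src] += nbytes
        elif src == server_ip and sport == service_port:
            responses[dst] += nbytes
    stats = {}
    for peer in set(requests) | set(responses):
        req, resp = requests[peer], responses[peer]
        baf = resp / req if req else float("inf")  # answers with no request seen
        stats[peer] = (req, resp, round(baf, 1))
    return stats


def flag_reflection_targets(flows, server_ip, service_port,
                            baf_threshold=20.0, min_response_bytes=4096):
    """Peers receiving abnormally large responses relative to what they asked for.

    Thresholds are constructed; the alert says tuning is needed so that
    legitimate traffic is not flagged.
    """
    stats = amplification_by_peer(flows, server_ip, service_port)
    return sorted(peer for peer, (req, resp, baf) in stats.items()
                  if baf >= baf_threshold and resp >= min_response_bytes)
```

Run against the constructed records, the ordinary client shows a BAF of about 2.8 while the victim address shows about 53, inside the 28 to 54 range the alert lists for DNS, and is the only peer flagged.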

MITIGATION

Source IP Verification

Because the UDP requests being sent by the attacker-controlled clients must have a source IP address spoofed to appear as the victim’s IP, the first step to reducing the effectiveness of UDP amplification is for Internet service providers (ISPs) to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 in May 2000 and Best Current Practice 84 in March 2004. These documents describe how an ISP can filter network traffic on their network to reject packets with source addresses not reachable via the actual packet’s path [9] [10]. Recommended changes would cause a routing device to evaluate whether it is possible to reach the source IP address of the packet via the interface that transmitted the packet. If it is not possible, then the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for many popular types of DDoS attacks. As such, we highly recommend that all network operators perform network ingress filtering if possible. Note that such filtering will not explicitly protect a UDP service provider from being exploited in a DRDoS because all network providers must use ingress filtering to eliminate the threat completely.

To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [11].
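The routing check the BCP 38 paragraph describes, as an added example that is not from the alert or the Spoofer Project: for each packet arriving on a customer-facing interface, look up the route back to its source address and drop the packet if that route does not leave via the interface it arrived on (the strict-mode check). The forwarding table, interface names, and packets are constructed; the default route is shown only to make the upstream case visible.

```python
"""Strict-mode ingress filtering check (BCP 38 / BCP 84) over a toy FIB.

Added example. The forwarding table and packets are constructed.
"""
import ipaddress

# Constructed forwarding table: prefix -> egress interface.
FIB = {
    "203.0.113.0/24": "eth1",   # customer A
    "198.51.100.0/24": "eth2",  # customer B
    "0.0.0.0/0": "eth0",        # upstream / default route
}

# Constructed packets: (source address, interface it arrived on).
PACKETS = [
    ("203.0.113.9", "eth1"),    # customer A using its own address
    ("192.0.2.44", "eth1"),     # address not routed to A arriving from A
    ("198.51.100.7", "eth2"),   # customer B using its own address
    ("203.0.113.9", "eth2"),    # customer A's address arriving from B
]


def lookup_egress(fib, ip):
    """Longest-prefix match: the interface we would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf_accept(fib, src_ip, ingress_iface):
    """Accept only if the route back to src_ip leaves via the ingress interface.

    Strict mode assumes symmetric routing on the checked interface, which
    holds for single-homed customer ports but not in general for peering links.
    """
    return lookup_egress(fib, src_ip) == ingress_iface


def filter_packets(fib, packets):
    """Split packets into (accepted, dropped) using the strict check."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if strict_urpf_accept(fib, src, iface) else dropped).append((src, iface))
    return accepted, dropped
```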

Traffic Shaping

Limiting responses to UDP requests is another potential mitigation to this issue. This may require testing to discover the optimal limit that does not interfere with legitimate traffic. The IETF released Request for Comment 2475 and Request for Comment 3260 that describe some methods to shape and control traffic [12] [13]. Most network devices today provide these functions in their software.

References

Revisions

  • February 09, 2014 – Initial Release
  • March 07, 2014 – Updated page to include research links
  • July 13, 2015 – Added RIPv1 as an attack vector
  • August 19, 2015 – Added Multicast DNS (mDNS) and Portmap (RPCbind) as attack vectors
