In today’s interconnected world, the Distributed Denial-of-Service (DDoS) attack has become a persistent threat in the network security domain. Among the various types of DDoS attacks, one popular variant is the UDP amplification attack, which abuses the User Datagram Protocol (UDP) to overwhelm target networks with a large volume of traffic.
Figure 1: UDP reflected amplification attacks statistics by Microsoft Security
How UDP Amplification Attack Works
UDP is a connectionless transport-layer (Layer 4) protocol that is widely used in time-sensitive applications such as streaming media, online gaming and DNS. Unlike TCP, UDP does not establish a connection before data transfer, which makes it faster but less secure than TCP. This absence of connection establishment, and with it of any verification of the sender’s address, is what makes UDP vulnerable to amplification attacks.
Figure 2: UDP Amplification Attack Overview
Here’s how the attack typically works:
- Spoofing Source IP:
First, the attacker creates a UDP packet and sets its source IP address to the victim’s IP (IP spoofing), so that all responses are directed towards the victim.
- Sending Requests to Server:
Then the attacker sends these small request packets to internet-facing servers running vulnerable services. These could be DNS servers, NTP servers, BitTorrent servers, LDAP servers etc., all of which produce response packets considerably larger than the request packets.
- Amplification Factor:
The amplification factor, or bandwidth amplification factor (BAF), is used to measure the potential impact of a UDP amplification attack. It is calculated as the ratio of the response packet size to the request packet size, as shown below –
Figure 3: Calculation of BAF
In UDP amplification attacks, a large BAF is achieved by exploiting vulnerabilities in, or misconfigurations of, the server’s protocols.
- Flooding the Target:
Finally, the victim’s network or server is flooded by the large volume of amplified responses produced by many different servers, causing a denial of service.
Example of a UDP Amplification Vector
As an example, we can consider the BACnet (Building Automation and Control networks) protocol, which is widely used for building automation and control systems, facilitating communication between devices such as HVAC systems, lighting controls, access controls etc. It runs over UDP and typically uses port 47808.
Figure 4: Distribution of BAF for generic ReadPropertyMultiple amplification payload
BACnet is vulnerable to UDP amplification DDoS attacks through the following process –
- The attacker starts the process by sending a small “ReadPropertyMultiple” request packet to the amplification server, spoofing the source IP so that the request appears to originate from the victim.
- Upon receiving the spoofed request packet, the BACnet device/server responds with a large “ReadPropertyMultiple Complex-ACK” message to the victim device; this response can be significantly larger than the original request.
- The flood of amplified traffic directed towards the victim’s network causes a denial-of-service situation, where legitimate users are unable to access the victim’s services due to the congestion caused by the malicious traffic.
The above PCAP shows a sample BACnet UDP amplification attack, simulated using the BreakingPoint DDoS Lab. In this scenario, the BACnet “ReadPropertyMultiple Complex-ACK” responses are flooded towards the target.
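The BAF definition above and the BACnet walk-through can be turned into a simple detection check: pair each UDP request with its replies, compute reply bytes / request bytes per service port, and look at where the replies land. The script below is an added example, not code from the post or from Keysight; the datagram records, addresses and sizes are constructed, and the first-datagram-is-the-request pairing heuristic is an assumption, not part of the BACnet protocol.

```python
from collections import defaultdict
# Constructed sample of UDP datagrams (src_ip, src_port, dst_ip, dst_port, payload_bytes)
# as a flow collector or PCAP parser might emit. Addresses are documentation ranges;
# 203.0.113.10 plays the victim: the spoofed source of every request, where replies converge.
RECORDS = [
    # BACnet/IP, UDP 47808: small ReadPropertyMultiple request, large Complex-ACK
    ("203.0.113.10", 40001, "198.51.100.5", 47808, 20),
    ("198.51.100.5", 47808, "203.0.113.10", 40001, 1400),
    ("203.0.113.10", 40002, "198.51.100.6", 47808, 20),
    ("198.51.100.6", 47808, "203.0.113.10", 40002, 1200),
    # DNS, UDP 53: one query answered with two large datagrams
    ("203.0.113.10", 40003, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, "203.0.113.10", 40003, 1472),
    ("198.51.100.53", 53, "203.0.113.10", 40003, 1528),
    # NTP, UDP 123: ordinary time request, reply the same size (BAF 1.0)
    ("203.0.113.10", 40004, "198.51.100.123", 123, 48),
    ("198.51.100.123", 123, "203.0.113.10", 40004, 48),
    # Request that never got a reply: BAF is undefined, so it is left out
    ("203.0.113.10", 40005, "198.51.100.7", 47808, 20),
]

def pair_flows(records):
    """Pair requests with reverse-direction replies. Heuristic: the first datagram
    on a 4-tuple is the request, datagrams on the reversed 4-tuple are replies.
    Returns {request 4-tuple: (req_bytes, reply_bytes)} for answered flows only."""
    req, reply = {}, defaultdict(int)
    for src, sport, dst, dport, size in records:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in req:
            reply[rev] += size
        else:
            req[fwd] = req.get(fwd, 0) + size
    return {k: (v, reply[k]) for k, v in req.items() if reply[k] > 0}

def baf_by_service(records):
    """BAF per service (destination) port: reply bytes / request bytes, the
    ratio defined in the post, aggregated over all paired flows to that port."""
    totals = defaultdict(lambda: [0, 0])
    for (_, _, _, dport), (rq, rs) in pair_flows(records).items():
        totals[dport][0] += rq
        totals[dport][1] += rs
    return {port: round(rs / rq, 2) for port, (rq, rs) in totals.items()}

def reply_bytes_per_target(records):
    """Reply bytes landing on each requesting address. Under reflection the
    victim stands out: replies from many reflectors all converge on one host."""
    load = defaultdict(int)
    for (src, _, _, _), (_, rs) in pair_flows(records).items():
        load[src] += rs
    return dict(load)
```

On this sample the BACnet port shows a BAF of 65 and DNS 50 while NTP stays at 1.0, and all 5648 reply bytes converge on the single spoofed source address, which is the traffic shape a defender would alert on.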
UDP Amplification DDoS Attacks in Keysight ATI
At Keysight Technologies, researchers in our Application and Threat Intelligence (ATI) team have examined the traffic patterns of various UDP-based amplification DDoS attacks, and have so far published the network traffic patterns of UDP amplification/reflection attacks based on DNS, Memcached, QoTD, BACnet/IP, ISAKMP (IPsec), NetBIOS Name Service, Chargen, SNMP, RPCBomb etc. as part of the BreakingPoint System’s DDoS Lab. Please stay tuned for upcoming ATI StrikePack releases covering further UDP amplification DDoS attacks.
Figure 6: Available UDP Amplification DDoS Attacks in BreakingPoint
Leverage Subscription Service to Stay Ahead of Attacks
Keysight’s Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test the ability of their currently deployed security controls to detect or block such attacks.