With COVID-19, Attacks Are on the Rise
With IT teams stretched particularly thin at the moment, bad actors can take advantage of the chaos to exploit vulnerabilities. This can take the form of launching volumetric attacks, network protocol attacks, or application-layer attacks—locking out employees and paralyzing business operations. In the case of DDoS attacks, we’re seeing an increase in:
- small-scale testing attacks
- small-scale throwaway attacks
- large-scale attacks
These large-scale attacks are no longer reliant on massive botnets and webs of zombie machines in order to get enough resources. Now they can be driven by a simple protocol nearly as old as the IP stack itself: User Datagram Protocol (UDP). An example of one such effort is an attack mitigated by the Neustar Security Operations Center (SOC) earlier this month.
It Was a Really Big One...
The attack was both a UDP amplification—including CLDAP and causing UDP fragmentation—and a large SYN flood with several smaller vectors, including ICMP flood. Accordingly, the SOC saw both high levels of very large (UDP amplification) packets and very small (SYN flood) packets, producing both huge attack volume (>1Tbps) and intensity (150Mpps). Because of the sheer bit rate, this attack would be highly effective at saturating the internet circuits of both ISPs in the path and the actual customer circuits/connectivity. It would also affect other internet infrastructure such as routers or servers, because the very high volume of very small packets is difficult for that hardware to process at that intensity. The attack waves targeted a single customer IP, and the majority of the attack traffic actually originated from the US (presumably compromised IoT devices).
UDP as the Attack Core
UDP is session-less and connectionless. By using UDP, an application can send information very quickly, because the sender does not need to establish a connection with the receiver and does not wait for an answer. This makes UDP an important transport between the network and application layers, and it fuels communication with the modern-day applications saturating the web that depend on timely interactions. This functionality alone makes it very valuable for many web services; however, it also makes it vulnerable.
UDP is an exposure point because although it is a fundamental protocol of the internet, it is not inherently secure. It allows services to engage or exchange information without a traditional “handshake.” Deliberately introducing steps to secure UDP limits the value of having such a lightweight, easy-to-use protocol. The lack of a handshake leaves it open, though, especially to spoofing. A number of UDP protocols have high amplification factors, meaning that the attack size can be much larger than the resources put into kicking the attack off. These two things together make it exceptionally vulnerable to reflection/amplification style attacks.
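The attack profile described above (large UDP amplification packets driving volume, tiny SYN packets driving packet rate) and the amplification-factor idea in this section can both be shown in a short defender-side analysis. The following is an added example and not Neustar SOC tooling; the Flow record format, the field names, the reflector-port table and the one-second traffic sample are all constructed for illustration:

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused as reflectors. Assumed mapping,
# built from the protocols the post names (CLDAP, DNS, SSDP, WS-Discovery, memcached).
REFLECTOR_PORTS = {
    389: "CLDAP",
    53: "DNS",
    1900: "SSDP",
    3702: "WS-Discovery",
    11211: "memcached",
}


@dataclass
class Flow:
    """One aggregated traffic record toward the protected IP (constructed format)."""
    proto: str            # "udp", "tcp" or "icmp"
    src_port: int         # 0 when unknown (non-first IP fragments carry no UDP header)
    bytes: int
    packets: int
    tcp_flags: str = ""   # "S" for SYN-only segments
    fragmented: bool = False


def classify(flow: Flow) -> str:
    """Map a record to the attack vector it most likely belongs to."""
    if flow.proto == "udp":
        if flow.fragmented:
            return "udp-fragment"            # oversized reflector replies split by IP
        svc = REFLECTOR_PORTS.get(flow.src_port)
        return f"{svc}-amplification" if svc else "udp-other"
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        return "syn-flood"
    if flow.proto == "icmp":
        return "icmp-flood"
    return "other"


def summarize(flows, window_s: float) -> dict:
    """Per-vector bits/s, packets/s and average packet size over the window."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows:
        v = classify(f)
        totals[v]["bytes"] += f.bytes
        totals[v]["packets"] += f.packets
    return {
        v: {
            "bps": t["bytes"] * 8 / window_s,
            "pps": t["packets"] / window_s,
            "avg_pkt_bytes": t["bytes"] / t["packets"],
        }
        for v, t in totals.items()
    }


def dominant_vectors(summary: dict) -> dict:
    """Which vector drives volume (bps) and which drives intensity (pps)."""
    return {
        "volume": max(summary, key=lambda v: summary[v]["bps"]),
        "intensity": max(summary, key=lambda v: summary[v]["pps"]),
    }


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: reflector response size relative to the spoofed request."""
    return response_bytes / request_bytes


# Constructed one-second sample toward a single customer IP, mirroring the mix in the post.
SAMPLE_WINDOW_S = 1.0
SAMPLE_FLOWS = [
    Flow("udp", 389, bytes=15_000_000, packets=10_000),                   # 1500-byte CLDAP replies
    Flow("udp", 0, bytes=7_000_000, packets=5_000, fragmented=True),      # fragments of larger replies
    Flow("tcp", 51234, bytes=6_000_000, packets=100_000, tcp_flags="S"),  # 60-byte SYNs
    Flow("icmp", 0, bytes=640_000, packets=10_000),
    Flow("tcp", 443, bytes=500_000, packets=400, tcp_flags="PA"),         # ordinary HTTPS traffic
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS, SAMPLE_WINDOW_S)
    for vector, stats in sorted(summary.items()):
        print(f"{vector:22} {stats['bps'] / 1e6:8.1f} Mbps {stats['pps']:9.0f} pps "
              f"avg {stats['avg_pkt_bytes']:6.0f} B")
    print("dominant:", dominant_vectors(summary))
    # Constructed request/response sizes, not a measured CLDAP figure.
    print("amplification factor for a 50-byte query answered with 3000 bytes:",
          amplification_factor(50, 3000))
```

Splitting the summary by vector is what makes the two dimensions visible: the amplification records have a high average packet size and dominate bits per second, while the SYN records dominate packets per second with a tiny average size, which is the pps load that routers and servers struggle with. The amplification factor is simply the ratio of response to request size; because the request carries a spoofed source, that entire response lands on the victim, and it is also why responses larger than the path MTU show up as UDP fragments.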
Beyond traditional applications, UDP is being leveraged by web services on internet-connected (IoT) devices. The growing number of web applications that use UDP, combined with the growing number of web-connected devices that rely on it for underlying application functionality, is leading to a whole host of new attack tools: devices that do not need to be compromised to be used in an attack.
UDP and Other Large-Scale Attacks
UDP has been an attack vector since the beginning of DDoS because the nature of its functionality makes it the perfect weapon for denial of service attacks. It was not as prevalent a protocol originally (it does date back to 1980). However, we can even see it in the history of attacks such as SIP floods and DNS attacks. In recent memory, it has been taken advantage of both for quick attacks and large-scale attacks: memcached, WS-Discovery, DNS, LDAP, and SSDP.
In the attack described above, CLDAP and UDP fragmentation were leveraged as a large amplification attack and layered with a SYN flood, delivering both high bandwidth and high packet count and saturating both the internet circuits in the path and the customer's circuits and connectivity. This can lead to ISPs black-holing the customer's traffic, adding a further layer of damage to the target.
Why You Should Care
Attacks are on the rise, and UDP attacks are on the rise. UDP attacks allow users to do more damage, faster, with fewer resources—and they draw on an inherent vulnerability in how the protocol is designed. We see this in the three largest attacks in recent memory (including the one that Neustar just mitigated). This lowers the barrier to entry for impactful attacks. No longer reliant on large-scale bot networks, a small number of bots spoofing a large number of UDP requests toward a high-amplification vector can do as much damage as, or more than, the Mirai botnet of yesteryear. And because of spoofing, you don’t even need to compromise the devices if they aren’t truly secured.
Look for More Record Attacks
As we continue to transition to WFH as the new paradigm, our networks are mission-critical. If we continue to rely on UDP to drive our application interactions, then we increase their vulnerability and provide more weapons for threat actors and script kiddies alike. And various additional components (e.g., VPNs) are more exposed than ever as points of failure.
A new report from the Neustar International Security Council (NISC) indicates that nearly two-thirds (64 percent) of companies experienced at least moderate disruptions to their network security business practices—and nearly a quarter (23 percent) experienced major disruptions—due to the sudden shift to a work-from-home model as a result of the COVID-19 pandemic. The report, based on a recent survey of cybersecurity professionals, also reveals that 29 percent of companies did not have a fully executable business plan in place to keep their network secure in the event of a major crisis such as the current pandemic.