
US-CERT TA-14-017A (https://www.us-cert.gov/ncas/alerts/TA14-017A) discusses UDP amplification attacks. What is a “reflected” attack and why are protocols using UDP preferred for this attack? What does it mean for such an attack to be “amplified” and how does a high amplification factor facilitate a DDoS attack?

Solution

UDP: User Datagram Protocol.

A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic. UDP, by design, is a connection-less protocol that does not validate source IP addresses.

Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an "AMPLIFICATION ATTACK".

PROTOCOLS: DNS, NTP, SNMPv2, SSDP, NetBIOS, etc.

REFLECTION ATTACK: In system security, a reflection attack is a method of attacking a challenge authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side. Reflection denial-of-service attacks make use of a potentially legitimate third-party component to send the attack traffic to a victim, ultimately hiding the attacker's own identity.

To measure the potential effect of an amplification attack, a metric called the bandwidth amplification factor (BAF) is used. This can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request.

Detection of DRDoS attacks is not easy because of their use of large, trusted servers that provide UDP services. Network operators of these exploitable services may apply traditional DoS mitigation techniques. To detect a DRDoS attack, watch out for abnormally large responses to a particular IP address, which may indicate that an attacker is using the service.

If you are a victim of a DRDoS attack, there are a few things you can do to attack such activity and respond:

-> Detect and alert on large UDP packets to higher-order ports.

-> Detect and alert on any non-stateful UDP packets.
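
The two detection rules above and the BAF metric, as an added Python example that is not part of the original solution. The packet records, the thresholds (`HIGH_PORT`, `LARGE_PAYLOAD`, `STATE_TTL`) and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src_ip, src_port, dst_ip, dst_port, udp_payload_bytes).
# Addresses come from documentation ranges; 192.0.2.10 is the monitored host.
PACKETS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 40),    # our own DNS query
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40001, 120),   # its matching answer
    (1.00, "203.0.113.7", 123, "192.0.2.10", 51234, 440),    # NTP data nobody asked for
    (1.01, "203.0.113.7", 123, "192.0.2.10", 51234, 440),
    (1.02, "203.0.113.8", 53, "192.0.2.10", 49999, 3000),    # DNS answer nobody asked for
    (9.00, "198.51.100.53", 53, "192.0.2.10", 40001, 120),   # answer after the state expired
]

HIGH_PORT = 1024      # assumption: "higher-order ports" means above the well-known range
LARGE_PAYLOAD = 400   # assumption: alert threshold in UDP payload bytes
STATE_TTL = 5.0       # assumption: seconds an outbound request keeps its flow state

def baf(request_bytes, response_bytes):
    """Bandwidth amplification factor: response payload bytes per request payload byte."""
    return response_bytes / request_bytes

def detect(packets, local_ip):
    """Return (alerts, unsolicited_bytes_per_source) for inbound UDP to local_ip."""
    pending = {}                      # flow 4-tuple -> time of our last outbound request
    alerts, unsolicited = [], defaultdict(int)
    for ts, src, sport, dst, dport, size in sorted(packets):
        if src == local_ip:           # an outbound request creates flow state
            pending[(src, sport, dst, dport)] = ts
            continue
        if dst != local_ip:
            continue
        sent = pending.get((dst, dport, src, sport))
        if sent is not None and ts - sent <= STATE_TTL:
            continue                  # solicited reply, nothing to report
        unsolicited[src] += size      # rule 2: non-stateful UDP packet
        alerts.append((ts, src, "non-stateful UDP"))
        if size >= LARGE_PAYLOAD and dport >= HIGH_PORT:
            alerts.append((ts, src, "large UDP to high port"))   # rule 1
    return alerts, dict(unsolicited)

if __name__ == "__main__":
    found, per_source = detect(PACKETS, "192.0.2.10")
    for alert in found:
        print(alert)
    print(per_source, "BAF of the legitimate DNS exchange:", baf(40, 120))
```

The per-source byte totals show which reflectors carry most of the unsolicited volume, which is the figure to hand to an upstream provider when asking for filtering.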

Tutor: Dr Jack