Since the end of last year, amplification attacks have been used increasingly by attackers and have received heavy media coverage. Everyday protocols not given much thought before, like Network Time Protocol (NTP), can be asked with one very short remote command (the monlist query, which returns the last 600 clients that talked to the NTP server) to send a very large response to a spoofed source IP address. The requester is the attacker; the spoofed address belongs to the target, who receives the reply.
This is just one example. Many other common protocols have been leveraged and could grow into significant attack vectors: SNMP, NetBIOS, SSDP, gaming-related custom protocols and others could spring into popularity as attackers exploit the small-request-to-large-response ratio and the ease of spoofing the source IP address of UDP traffic. Vulnerability to spoofing is common to all UDP-based protocols, because UDP has no handshake: any service that answers an unauthenticated request will answer a spoofed one just as readily.
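What the amplified traffic looks like at the target is worth seeing, since the target is the one who has to notice it. The following is an added example, not code from the original article: it scores constructed flow records (the tuple layout and the port-to-service table are my assumptions, not any vendor's export format) and flags destinations that receive large UDP replies from well-known amplifier ports from several distinct sources at once.

```python
"""Flag likely UDP amplification traffic in flow records.

Added example, not from the article. The SAMPLE_FLOWS below are
constructed to resemble the inbound side of an NTP monlist flood mixed
with ordinary traffic: amplifiers answer from UDP/123 with near-MTU
packets, several amplifiers hit one destination, and the byte count
per amplifier is large. A normal NTP sync reply is tiny by comparison.
"""
from collections import defaultdict

# UDP services commonly abused as amplifiers, keyed by the port the
# reply comes FROM (that is the source port seen at the victim).
AMPLIFIER_PORTS = {123: "ntp", 161: "snmp", 137: "netbios", 1900: "ssdp", 53: "dns"}

# Constructed sample flows (assumed layout):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40000, "udp", 100, 44000),  # monlist reply, 440 B/pkt
    ("198.51.100.11", 123, "203.0.113.5", 40000, "udp", 100, 44000),
    ("198.51.100.12", 123, "203.0.113.5", 40000, "udp", 100, 44000),
    ("198.51.100.13", 1900, "203.0.113.5", 40000, "udp", 30, 15000),  # SSDP reply, 500 B/pkt
    ("192.0.2.7", 123, "203.0.113.9", 123, "udp", 1, 90),             # legitimate NTP sync reply
    ("192.0.2.8", 443, "203.0.113.9", 51000, "tcp", 200, 300000),     # web traffic, not UDP
]


def score_flows(flows, min_avg_bytes=400, min_sources=3):
    """Return {dst_ip: summary} for destinations that look amplified.

    A flow counts as suspicious when it is UDP, its source port belongs
    to a known amplifier service, and its average packet size is large
    (a real client/server exchange on these ports is a few dozen bytes).
    A destination is reported only when enough distinct amplifiers are
    involved, which is what separates a reflected flood from one chatty
    server.
    """
    by_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in AMPLIFIER_PORTS:
            continue
        if pkts == 0 or nbytes / pkts < min_avg_bytes:
            continue  # small replies: normal request/response traffic
        entry = by_dst[dst]
        entry["sources"].add(src)
        entry["bytes"] += nbytes
        entry["services"].add(AMPLIFIER_PORTS[sport])
    return {
        dst: {
            "sources": len(e["sources"]),
            "bytes": e["bytes"],
            "services": sorted(e["services"]),
        }
        for dst, e in by_dst.items()
        if len(e["sources"]) >= min_sources
    }


if __name__ == "__main__":
    for dst, summary in score_flows(SAMPLE_FLOWS).items():
        print(dst, summary)
```

The thresholds are deliberately loose; on a real collector you would tune `min_avg_bytes` per service (monlist replies are 440-byte packets, SSDP and SNMP replies vary) and add a time window, but the shape of the signal is the same: big replies, well-known source port, many reflectors, one victim.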
Don’t count on the middleman.
We cannot rely on the middleman, the operator of the abused NTP server or similar service, to fix the vulnerabilities in the leveraged protocols, because that operator has very little incentive. It is not the one being attacked. It is simply the unwitting facilitator, with no direct motivation to undertake labor- or capital-intensive patching of the abused platforms. Be a good netizen? Would you bet your business on that motivating power?
BCP38 (ingress filtering) is one great recommendation: each network drops packets arriving from a customer whose source address is not in the prefixes assigned to that customer, which stops spoofing at its origin before the amplifier ever sees the request. It is facing carrier indifference and inertia, however. Enacting BCP38 on a carrier network would drop packets, and carriers typically bill by utilization. The problem does not originate with carriers, but they could be part of the solution given the proper motivation. Direct government regulation of the internet is not a popular concept.
There is a great study out of the University of Amsterdam that highlights the potential threat as well as some potential solutions. Note that most, if not all, of these solutions fail to solve the motivational issue.
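To make the BCP38 check concrete, here is an added example (mine, not from the article or the Amsterdam study) that models strict source-address validation at customer-facing interfaces. The interface names, the prefix assignments and the packets are constructed; the logic is the one BCP38 describes: a packet entering from a customer port with a source address outside that customer's prefixes is dropped.

```python
"""Model of BCP38 ingress filtering at customer-facing interfaces.

Added example, not from the article. Each customer interface carries
the prefixes that customer is entitled to source traffic from; any
packet entering that interface with another source address is
spoofed (or at least unverifiable) and is dropped before it reaches
the core and, from there, an amplifier.
"""
import ipaddress

# Constructed topology (assumed): interface -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/26", "2001:db8:100::/48"],
}

# Constructed packets (assumed layout): (ingress_if, src, dst, note)
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.50", "customer's own NTP query"),
    ("ge-0/0/1", "203.0.113.5", "198.51.100.123", "spoofed monlist: source is the victim"),
    ("ge-0/0/2", "198.51.100.7", "192.0.2.53", "legitimate"),
    ("ge-0/0/2", "198.51.100.200", "192.0.2.53", "outside the customer's /26: spoofed"),
    ("ge-0/0/2", "2001:db8:100::1", "2001:db8:200::1", "legitimate IPv6"),
]


def build_filter(config):
    """Parse the prefix strings once into network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in config.items()}


def ingress_allowed(filt, ifname, src):
    """BCP38 pass: the source address lies within a prefix assigned to ifname."""
    addr = ipaddress.ip_address(src)
    allowed = filt.get(ifname)
    if allowed is None:
        return False  # unknown interface: fail closed rather than forward
    # An IPv4 address is never "in" an IPv6 network and vice versa, so mixing
    # address families in one interface's list is safe.
    return any(addr in net for net in allowed)


def apply_filter(filt, packets):
    """Split packets into (passed, dropped) according to ingress_allowed."""
    passed, dropped = [], []
    for pkt in packets:
        ingress_if, src = pkt[0], pkt[1]
        (passed if ingress_allowed(filt, ingress_if, src) else dropped).append(pkt)
    return passed, dropped


if __name__ == "__main__":
    ok, bad = apply_filter(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    for pkt in bad:
        print("DROP", pkt)
```

The strict form modelled here is what a single-homed customer port needs. A multihomed customer may legitimately source addresses that are routed towards a different provider, which is why real deployments also offer looser variants (checking only that a route for the source exists at all); those let more spoofed traffic through, so the explicit per-customer prefix list above is the version that actually stops the spoofed monlist request.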
WordPress gets exploited (again).
One of the latest examples of amplification attacks again leveraged WordPress, which was infamously exploited by the Izz ad-Din al-Qassam Cyber Fighters in 2012 to help build a botnet of compromised corporate servers hosted in datacenters. Those bots wielded far more bandwidth each (~30 Mbps) than had been seen in home-user-based botnets.
The new WordPress-based abuse uses the pingback feature of WordPress blog entries, which is intended to notify a blog that another site has linked to one of its posts. The notification arrives as an XML-RPC call (pingback.ping, handled by xmlrpc.php), and before recording it the receiving blog fetches the linking page to verify that the link exists. An attacker can therefore send pingback.ping calls to thousands of WordPress sites, each naming the target as the linking page, and every one of those sites will dutifully fetch the target. The feature is on by default and must be disabled by WordPress administrators to avoid abuse. WordPress is not a network utility protocol, but it is becoming yet another innately benign tool for attackers to abuse. Other content management platforms implement a similar pingback feature.
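From the target's side, a pingback flood is visible in the web server's access log, because a WordPress site that verifies a pingback identifies itself in its User-Agent string and names the address that asked it to verify. The following is an added example, not code from the article: it parses constructed combined-format log lines (the hostnames and addresses are invented) and summarises the verifying-pingback requests, including the cache-busting query strings attackers append so that every fetch misses the cache.

```python
"""Summarise WordPress pingback-verification traffic in an access log.

Added example, not from the article. The log lines below are
constructed: three different WordPress sites fetch the target with
the "verifying pingback from <ip>" User-Agent that WordPress sends
when it checks a received pingback.ping call. The <ip> is the address
that issued the pingback.ping call, so in a flood it points back at
the attacker (or the attacker's proxy), not at the reflecting blog.
"""
import re
from collections import Counter

# Combined log format: client, ident, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress uses while verifying a pingback.
PINGBACK_UA = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)

SAMPLE_LOG = """
198.51.100.21 - - [11/Mar/2014:13:00:01 +0000] "GET /?4979758 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example.net; verifying pingback from 192.0.2.99"
198.51.100.22 - - [11/Mar/2014:13:00:01 +0000] "GET /?1083322 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example.org; verifying pingback from 192.0.2.99"
203.0.113.77 - - [11/Mar/2014:13:00:02 +0000] "GET /about/ HTTP/1.1" 200 8800 "http://search.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
198.51.100.23 - - [11/Mar/2014:13:00:02 +0000] "GET /?7730019 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example.com; verifying pingback from 192.0.2.99"
198.51.100.21 - - [11/Mar/2014:13:00:02 +0000] "GET /blog/post-1/ HTTP/1.0" 200 6000 "-" "WordPress/3.8.1; http://blog-a.example.net; verifying pingback from 198.51.100.21"
""".strip().splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_report(lines):
    """Count pingback verifications, distinct reflecting blogs, originating
    addresses and cache-busting requests (a query string on a page that
    takes none is the attacker's way of defeating the target's cache)."""
    total = pingbacks = cache_busting = 0
    reflectors, origins = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        m = PINGBACK_UA.match(rec["ua"])
        if not m:
            continue
        pingbacks += 1
        reflectors[m["site"]] += 1
        origins[m["origin"]] += 1
        if "?" in rec["path"]:
            cache_busting += 1
    return {
        "total": total,
        "pingback": pingbacks,
        "reflectors": len(reflectors),
        "origins": dict(origins),
        "cache_busting": cache_busting,
    }


if __name__ == "__main__":
    print(pingback_report(SAMPLE_LOG))
```

The last sample line shows why the User-Agent alone is not enough to block on: a genuine pingback verification looks identical except that the originating address is the blog itself and the path is a real post. Many reflectors, one shared origin and random query strings together are the signature; the shared origin is also the address worth reporting, since it is the one sending the pingback.ping calls.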
The bottom line is that, absent regulatory intervention, middlemen lack the incentive to lock down all of the vulnerable network protocols and common software tools exploited in DDoS attacks, and attempts to regulate may bring unintended consequences of their own. At least for now, the onus is on the targets of the attacks to protect themselves, while the internet at large proposes longer-term solutions like BCP38 and tries to create incentives to deploy these precautions.