Home / Blogs

Blocking Amplification Attacks: Sometimes the Incentives Work Against You

Since the end of last year, amplification attacks have been increasingly used by attackers and received heavy media coverage. Everyday protocols not given much thought before, like Network Time Protocol (NTP), can be asked in a very short remote command to send a very large response (list of 600 clients last connected to the NTP server) to a spoofed IP address (the target) by the requestor/attacker.

This is just one example—there are many other common protocols that have been leveraged and could grow into significant attack vectors. There are SNMP, NetBIOS, SSDP, gaming-related custom protocols and many others that could spring into popularity as attackers leverage the “small request to large response ratio” and easy capability of spoofing the source IP address of UDP traffic. Vulnerability to spoofing is a commonality for all UDP-based protocols.

Don’t count on the middleman.

We cannot rely on the middleman to fix all the vulnerabilities in the leveraged protocols, as he has very little incentive. He is not the one being attacked. He is simply the unwitting facilitator with no direct motivation to undergo any labor or capital-intensive patching on the leveraged platforms. Be a good netizen? Would you bet your business on that motivating power?

BCP38 (ingress filtering) is one great recommendation, but is facing carrier indifference and inertia. After all, enacting BCP38 on a carrier network would drop packets, and carriers typically bill by utilization. The problem doesn’t originate with carriers, but they could be part of the solution given the proper motivation. Direct government regulation of the internet is not a popular concept.

There is a great study out of the University of Amsterdam that highlights the potential threat as well as some potential solutions. Please note that most if not all of these solutions fail to solve the motivational issue.

WordPress gets exploited (again).

One of the latest examples of amplification attacks again leveraged WordPress, which was infamously exploited by Al Qassam in 2012 to help spawn a botnet of datacenter-bred corporate server bots. These wielded far more bandwidth per bot (~30Mbps) than seen before in home user-based botnets.

The new WordPress-based exploit uses the pingback feature of WordPress blog entries, which is intended to deliver feedback that another site has linked to your blog. This feature delivers automatic feedback on linked sites and is on by default—it must be disabled by WordPress administrators to avoid abuse. WordPress is not a network utility protocol, but it is becoming yet another innately benign tool for attackers to abuse. Other content management platforms use a similar pingback feature.

The bottom line is that absent regulatory intervention, middlemen lack the incentive to lock down all of the vulnerable network protocols and common software tools exploited in DDoS attacks. There may even be some unintended consequences of attempts to regulate. At least for now, the onus is on the targets of the attacks to protect themselves while the internet at large proposes longer-term solutions like BCP38 and tries to create incentives to deploy these precautions.

By Bryant Rump, IP Applications and Security Professional

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign