Researchers Discover New Vector for DDoS Amplification Attacks

Researchers Discover New Vector for DDoS Amplification Attacks

It’s no secret that critical network protocols such as DNS and NTP are being leveraged to launch large scale DDoS attacks across the internet. In 2015 Corero saw such attacks increase by a third, compared to previous years. Recently researchers in Scotland found a new vector for DDoS amplification attacks according to The Register, which reported; “Researchers at Edinburgh Napier University have discovered that the TFTP protocol (Trivial File Transfer Protocol) might be abused in a similar way.”

The news was also reported by Softpedia: “The vulnerable TFTP servers can be used to launch attacks on other Internet-available services, or used as a gateway for targets inside a closed network, because natural LAN setups dictate that the TFTP server must be available to all connected clients, and so providing the attacker with a path to previously unreachable targets.”

How Does the DDoS Attack Work in the TFTP Protocol?

With no provision for user authentication, there is no good reason for TFTP on any device to be accessible directly from the Internet, but default configuration settings and a lack of awareness means there are plenty out there for attackers to leverage. It is similar to the DNS vector, in that a small packet from the attacker with a spoofed source address of the target results in a much larger packet (up to 60x for TFTP) being sent to the target. Thus far it appears that hackers have not relied heavily on the TFTP protocol; however, you can be sure it will become popular with DDoS attackers because it has a maximum amplification factor of 60, which is greater than that of attacks using the DNS protocol.

How to Protect Against DDoS Attacks

That is the bad news, now for the good news. This newly discovered vector does not pose a problem for networks protected by Corero’s SmartWall® Threat Defense System, which automatically detects and mitigates DDoS protocol attacks with its Flex-Rule and Smart-Rule capability. The Smart-Rule detects the incoming spoofed TFTP packets and triggers automatic mitigation. In addition to deploying this DDoS protection system, security and network personnel should also carry out an internal security audit of network/servers and remove old and unwanted software and network protocols.

See how Corero can help protect your organization from DDoS attacks. Contact us today!