The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex, and, according to security experts, the next DDoS vector to be concerned about is SNMP (Simple Network Management Protocol) amplification attacks.
Yesterday afternoon, the SANS Internet Storm Center reported SNMP scans spoofed from Google’s public recursive DNS server searching for vulnerable routers and other devices that support the protocol with DDoS traffic and are opened to the public Internet.
"We are receiving some reports about SNMP scans that claim to originate from 220.127.116.11 (Google's public recursive DNS server)," wrote Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center. "This is likely part of an attempt to launch a DDoS against Google by using SNMP as an amplifier/reflector."
Simple Network Management Protocol (SNMP) is a UDP-based protocol designed to allow the monitoring of network-attached devices by querying information about their configuration. SNMP-enabled devices with such configurations can be found both in home and business environments and is typically used in devices such as printers, switches, firewalls and routers.
The ISC is investigating the magnitude of SNMP attacks, and discovered few packets that were targeting default passwords used by SNMP.
According to Ullrich, the attack uses the default "read-write" community string of "private." SNMP command is actually a "set" command that uses this default string as a password, and "private" is a common by-default password.
If the attack is successful, it tries to modify the configuration variables in the affected device, the TTL (Time To Live) variable is set to 1 which, according to Ullrich, "would make it impossible for the gateway to connect to other systems that are not on the same link-layer network." It also sets the Forwarding variable to 2, which turns off IP forwarding.
Ullrich said ThreatPost that he’s continuing his research on the attack, and admins should be on the lookout for packets from the source IP 18.104.22.168, which is Google’s public recursive DNS server, with a target UDP port of 161.
Many Large-scale DDoS attacks in the past year have used misconfigured DNS (Domain Name System) and NTP (Network Time Protocol) servers for amplification or reflection, in order to amp up the amount of traffic directed at a target.
In DNS reflection attacks, hackers take advantage of the millions of misconfigured DNS, known as open recursive resolvers or open recursors, on the Internet to amplify a much smaller attack into a larger data flood in an effort to get high attack bandwidth. Also earlier this year, more than 24 million home routers were targeted in DNS-based amplification attacks, from which more than five million were used during February alone as the starting point for DDoS attacks.
In Network Time Protocol (NTP) amplification attack, hackers have reached new heights of about 400 Gbps at its peak of traffic, which was greater than ever in history of the Internet. Hackers abuses the NTP servers by sending small spoofed 8-byte UDP packets to the vulnerable server that requests a large amount of data (megabytes worth of traffic) to be sent to the DDoS'd target IP Address.
The distributed reflection and amplification (DrDoS) attack allows an attacker to use a little skill and relatively small amount of resources in an attempt to create a larger data flood, therefore has become one of favorite weapon for the cyber criminals to temporarily suspend or crash the services of a host connected to the Internet, and with time, it will rise.