Technical blog
"We must view with profound respect the infinite capacity of the human mind to resist the introduction of useful knowledge." - Thomas R. Lounsbury
| github | goodreads | linkedin | twitter |
ansible 2 / elasticsearch 2 / kernel 2 / leadership 1 / linux 2 / mnemonics 1 / nginx 1 / paper 40 / personal 5 / rust 1 / tools 2 /WC 239 / RT 2min
TweetAdversaries send requests to public servers (e.g., open recursive DNS resolvers) and spoof the IP address of a victim. These servers, in turn, flood the victim with valid responses and – unknowingly – exhaust its bandwidth.
Attackers can abuse these protocols to multiply their attack bandwidth by factors from 3.8 (BitTorrent, NetBios) up to 4670 (NTP).
Exclude all TCP-based protocols from our analysis, as IP address spoofing is restricted to the start of the TCP handshake. Although the TCP handshake fulfils the reflection criterion, it does not allow for easy amplification (since a TCP ACK is not larger than a TCP SYN packet). However, we show that 14 popular UDP-based network protocols are suitable candidates for DRDoS attacks.
SNMP v2, NTP, DNS, NetBios, SSDP, CharGen, QOTD, BitTorrent, Kad, Quake 3, Steam, ZAv2, Sality, Gameover
An attacker A aims to consume all available bandwidth of a victim V . Reflective means that A does not directly send traffic to V , but instead uses systems that reflect the attack traffic to V (so called amplifiers). Distributed accounts for the fact that A abuses thousands of amplifiers and V thus faces thousands of attack sources.
BAF = len(UDP payload) amplifier to victim / len(UDP payload) attacker to amplifier
PAF = number or packets amplifier to victim / number of packets attacker to amplifier
DRDoS - distributed reflective denial-of-service
BAF - bandwidth amplification factor
PAF - packet amplification factor