Identifying DDoS Attack Traffic on a Corporate Network
By Lizzette Pérez, Computer Weekly Executive Editor for Latin America
Originally published in Computer Weekly on 3 October 2023
Fortaleza, Brazil. – LACNIC 40 is being held this week in Northern Brazil. Within the framework of this event, the Latin American and Caribbean Network Operators Group (LACNOG) has scheduled various working sessions.
Highlights of LACNOG 2023 include the conference by Rich Compton, member of the Latin American and Caribbean Anti-Abuse Working Group (LAC-AAWG), who gave a remote presentation on how to identify spoofed Denial-of-Service (DDoS) amplification attacks in a network.
Rich Compton is an expert on DDoS attack detection and mitigation, botnet control, and BGP security who works at Charter Communications, where he is responsible for network infrastructure security.
In his presentation, Compton explained that the most common UDP DDoS amplifications include DDoS attacks on DNS, NTP, WS-Discovery, LDAP, Apple Remote Desktop, Multicast DNS (mDNS), and Plex. Amplifications have also been observed using only SYN/ACK, PSH, and RST.
According to the expert, TCP Middlebox Amplification is a new type of attack that began to be noticed recently. In his opinion this type of threat should actually be called “HTTP Middlebox Amplification,” as it attacks the middleboxes on the network by sending large amounts of HTTP traffic so that some packets will be lost, and then injecting traffic to block the connections. In this case, pornographic content is typically used, he explained.
Why is this such a problem? According to the speaker, when customers with open amplifier have slow internet speed, they usually contact customer service. However, if no unusual activity is detected, the suggestion will be to purchase more bandwidth, which does not solve the problem and can sometimes affect other customers.
“New vulnerable devices are added to the network every day. We can’t get everyone to fix their devices. And even if 99% of devices are fixed, the remaining 1% will still be a problem,” Compton said.
Compton explained that the easiest way to identify this malicious activity is to check if Source port is 80 or 443 and Destination port is an open amplifier below 1023. “No false positives,” he stressed.
Compton then mentioned some useful tools that can help with this task. For example, Shadowserver, a nonprofit security organization, provides a free daily report of open amplifiers on your network via API, and now also provides the amplification factor so that users can prioritize.
The presenter also shared information on Tattle Tale, a project he is leading on Github.
To conclude, he demonstrated how to use the tools above and included suggestions such as Source Address Validation and the CAIDA Spoofer Project, a service that generates spoofed packets and provides reports.
However, he added, not everything is bad news, as, according to Netscout, traffic from DDoS amplification attacks is declining.
So, what are the next steps? Compton recommends that more ISPs and Internet Exchange Providers (IXPs) look for spoofed amplification traffic, so that they can block DDoS traffic and thus minimize the impact on end users.