Cybercriminals who use giant floods of data to knock sites offline are leveraging a never-before-seen method that has the potential to increase the damaging effects of those floods by an unprecedented 4 billion times, researchers warned on Tuesday.
Like many other types of distributed denial-of-service attacks, the attacks send a modest amount of junk data to a misconfigured third-party service in a way that causes the service to redirect a much larger response at the intended target. So-called DDoS amplification attacks are popular because they lower the requirements needed to overwhelm their targets. Rather than having to marshal huge amounts of bandwidth and computing power, the DDoSer locates servers on the Internet that will do it for them.
It’s all about amplification
One of the oldest amplification vectors is misconfigured DNS servers, which increase DDoS volumes by about 54 times. New amplification routes have included the Network Time Protocol servers (about 556x), Plex media servers (about 5x), Microsoft RDP (86x), and the Connectionless Lightweight Directory Access Protocol (at least 50x). Just last week, researchers described a new amplification vector that achieves a factor of at least 65.
Previously, the biggest known amplifier was memcached, which has the potential to increase traffic by an astounding 51,000x.
The newest entrant is the Mitel MiCollab and MiVoice Business Express collaboration systems. Attackers have been using them for the past month to DDoS financial institutions, logistics companies, gaming companies, and organizations in other markets. A fleet of 2,600 servers is exposing an abusable system test facility in the software to the Internet through UDP port 10074, in a break with manufacturer recommendations that the tests be reachable only internally.
The current DDoS records stand at about 3.47 terabits per second for volumetric attacks and roughly 809 million packets per second for exhaustion forms. Volumetric DDoSes work by consuming all available bandwidth either inside the targeted network or service or get between the target and the rest of the Internet. Exhaustion DDoSes, by contrast, over-exert a server.