Building a bigger DDoS

New method that amplifies DDoSes by 4 billion-fold. What could go wrong?

New method also stretches out DDoS durations to 14 hours.

Dan Goodin

Cybercriminals who use giant floods of data to knock sites offline are leveraging a never-before-seen method that has the potential to increase the damaging effects of those floods by an unprecedented 4 billion times, researchers warned on Tuesday.

Like many other types of distributed denial-of-service attacks, the attacks send a modest amount of junk data to a misconfigured third-party service in a way that causes the service to redirect a much larger response at the intended target. So-called DDoS amplification attacks are popular because they lower the requirements needed to overwhelm their targets. Rather than having to marshal huge amounts of bandwidth and computing power, the DDoSer locates servers on the Internet that will do it for them.

It’s all about amplification

One of the oldest amplification vectors is misconfigured DNS servers, which increase DDoS volumes by about 54 times. New amplification routes have included the Network Time Protocol servers (about 556x), Plex media servers (about 5x), Microsoft RDP (86x), and the Connectionless Lightweight Directory Access Protocol (at least 50x). Just last week, researchers described a new amplification vector that achieves a factor of at least 65.

Previously, the biggest known amplifier was memcached, which has the potential to increase traffic by an astounding 51,000x.

The newest entrant is the Mitel MiCollab and MiVoice Business Express collaboration systems. Attackers have been using them for the past month to DDoS financial institutions, logistics companies, gaming companies, and organizations in other markets. A fleet of 2,600 servers is exposing an abusable system test facility in the software to the Internet through UDP port 10074, in a break with manufacturer recommendations that the tests be reachable only internally.


The current DDoS records stand at about 3.47 terabits per second for volumetric attacks and roughly 809 million packets per second for exhaustion attacks. Volumetric DDoSes work by consuming all available bandwidth, either inside the targeted network or service or on the links between the target and the rest of the Internet. Exhaustion DDoSes, by contrast, overwhelm a server's processing capacity rather than its bandwidth.

The new amplification vector provided by the misconfigured Mitel servers has the potential to shatter those records. The vector can do this not only because of the unprecedented 4 billion-fold amplification potential, but also because the Mitel systems can stretch out the attacks for lengths of time not previously possible.

“This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” researchers from eight organizations wrote in a joint advisory. “A controlled test of this DDoS attack vector yielded more than 400mpps of sustained DDoS attack traffic.”

A single abusable node generating this much amplification at a rate of 80 thousand packets per second can theoretically deliver the 14-hour data flood. Over that time, “counter” packets—which track the number of responses the servers send—would generate roughly 95.5GB of amplified attack traffic destined for the targeted network. Separate “diagnostic output” packets could account for an additional 2.5TB of attack traffic directed toward the target.

A single packet is all it takes

The Mitel MiCollab and MiVoice Business Express services act as a gateway for transferring PBX phone communications to the Internet and vice versa. The products include a driver for TP-240 VoIP processing interface cards. Customers can use a driver feature to stress-test the capacity of their Internet networks. Mitel instructs customers to make the tests available only inside private networks rather than to the Internet as a whole, but about 2,600 servers have flouted that directive.

Mitel on Tuesday released software updates that will automatically ensure the test feature is reachable only from inside an internal network.

The DDoSers using this new method appear to still be experimenting with it, and so far the results are modest. The largest attack seen so far reached about 53Mpps and 23Gbps; its packets averaged about 60 bytes, and it lasted roughly five minutes. The researchers said that, with refinements, these in-the-wild DDoSes could achieve the unprecedented amplification factors reached in their lab experiments.

In the advisory, the researchers wrote:

As previously mentioned, amplification via this abusable test facility differs substantially from how it is accomplished with most other UDP reflection/amplification DDoS vectors. Typically, reflection/amplification attacks require the attacker to continuously transmit malicious payloads to abusable nodes for as long as they wish to attack the victim. In the case of TP-240 reflection/amplification, this continuous transmission is not necessary to launch high-impact DDoS attacks.

Instead, an attacker leveraging TP-240 reflection/amplification can launch a high-impact DDoS attack using a single packet. Examination of the tp240dvr binary reveals that, due to its design, an attacker can theoretically cause the service to emit 2,147,483,647 responses to a single malicious command. Each response generates two packets on the wire, leading to some 4,294,967,294 amplified attack packets being directed toward the attack victim.

For each response to a command, the first packet contains a counter which increments with each response that is sent. As the counter value increments, the size of this first packet will grow from 36 bytes to 45 bytes. The second packet contains diagnostic output from the function, which can be influenced by the attacker. By optimizing each initiator packet to maximize the size of the second packet, every command will result in amplified packets that are up to 1,184 bytes in length.

In theory, a single abusable node generating the upper limit of 4,294,967,294 packets at a rate of 80kpps would result in an attack duration of roughly 14 hours. Over the course of the attack, the “counter” packets alone would generate roughly 95.5GB of amplified attack traffic destined for the targeted network. The maximally padded “diagnostic output” packets would account for an additional 2.5TB of attack traffic directed towards the target.

This would yield a sustained flood of just under 393mb/sec of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length. This results in a nearly unimaginable amplification ratio of 2,200,288,816:1 — a multiplier of 220 billion percent, triggered by a single packet.
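To check the advisory's arithmetic, and to size what a single exposed node could send at a target, here is an added example (not code from the article, the advisory, or Mitel) that recomputes the figures above from the quoted inputs. It assumes that the counter packet's growth from 36 to 45 bytes reflects a counter written out in decimal digits (35 fixed bytes plus one byte per digit) running from 1 to 2,147,483,647; both are modelling assumptions, not statements from the advisory.

```python
# Added example: reproduce the TP-240 amplification figures from the
# numbers quoted in the advisory. Constants below are the quoted inputs;
# COUNTER_BASE_BYTES encodes the ASSUMED decimal-counter size model.

RESPONSES = 2_147_483_647        # max responses to one command (advisory)
PACKETS_PER_RESPONSE = 2         # counter packet + diagnostic packet
COUNTER_BASE_BYTES = 35          # assumed: 36 bytes at 1 digit, 45 at 10 digits
DIAG_MAX_BYTES = 1_184           # maximally padded diagnostic packet
NODE_RATE_PPS = 80_000           # emission rate used by the advisory
INITIATOR_BYTES = 1_119          # size of the single spoofed trigger packet


def total_packets(responses=RESPONSES):
    return responses * PACKETS_PER_RESPONSE


def counter_bytes(responses=RESPONSES, base=COUNTER_BASE_BYTES):
    """Sum of counter-packet sizes for counter values 1..responses, grouped
    by digit count so the sum is exact without iterating two billion times."""
    total, lo, digits = 0, 1, 1
    while lo <= responses:
        hi = min(responses, 10 ** digits - 1)
        total += (hi - lo + 1) * (base + digits)
        lo, digits = 10 ** digits, digits + 1
    return total


def diagnostic_bytes(responses=RESPONSES, size=DIAG_MAX_BYTES):
    return responses * size


def attack_profile(responses=RESPONSES, pps=NODE_RATE_PPS, initiator=INITIATOR_BYTES):
    """Duration, volume, sustained rate and byte-level ratio for one reflector."""
    packets = total_packets(responses)
    total_bytes = counter_bytes(responses) + diagnostic_bytes(responses)
    seconds = packets / pps
    return {
        "packets": packets,
        "hours": seconds / 3600,
        "counter_gb": counter_bytes(responses) / 1e9,
        "diagnostic_tb": diagnostic_bytes(responses) / 1e12,
        "mbit_per_s": total_bytes * 8 / seconds / 1e6,
        "byte_ratio": total_bytes // initiator,
    }


if __name__ == "__main__":
    for key, val in attack_profile().items():
        print(f"{key:>14}: {val:,.2f}" if isinstance(val, float) else f"{key:>14}: {val:,}")
    # The advisory's 2,200,288,816:1 is what this model yields for a 1,199-byte
    # initiator; the 1,119 bytes it quotes give roughly 2.36 billion:1.
    print("byte ratio at 1,199 bytes:", attack_profile(initiator=1_199)["byte_ratio"])
```

Under these assumptions the model lands on the advisory's 95.5GB, 2.5TB, 14-hour and 393Mb/s figures, which is a useful sanity check when translating the advisory into capacity or filtering plans.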

There’s not much end users can do to protect themselves from this new form of DDoS. Rather, it’s up to organizations deploying Mitel servers to configure them properly. The advisory—written by researchers from Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout Arbor ASERT, Telus, Team Cymru, and the Shadowserver Foundation—provides other measures organizations can follow.

Listing image: Getty Images

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.