The Federal Bureau of Investigation sent an alert last week warning about large-scale distributed denial of service (DDoS) attacks that abused new network protocols.
“Cyber actors’ abuse of built-in network protocols may enable DDoS amplification attacks to be carried out with limited resources and result in significant disruptions and impact on the targets” states the alert.
“In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” reads the alert issued by the FBI.
The alert warns of DDoS attacks leveraging three network protocols (CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service)) and the Jenkins web application as attack vectors.
In December 2018, security experts from Trend Micro discovered that some machine-to-machine (M2M) protocols can be abused to attack IoT and industrial Internet of Things (IIoT) systems.
The researchers did not find security flaws in the CoAP protocol, but warned that it is susceptible to IP spoofing, attackers could exploit it for DDoS amplification attacks.
“However, the Request for Comments (RFC) defining the protocol, RFC 7252,5 explicitly pinpoints the security issues (mainly due to the “connectionless” nature of UDP), which we confirmed with a practical experiment.” continues the report.
“On a test network with CoAP clients and servers, we launched an amplification attack with increasing payload size and estimated the maximum bandwidth amplification factor (BAF). According to our estimate, CoAP can reach up to 32 times (32x) amplification factor, which is roughly between the amplification power of DNS and SSDP.”
Another protocol exploited by threat actors in the wild is the Web Services Dynamic Discovery (WS-DD), experts observed large scale DDoS attacks in May and August 2019. Some of the attacks observed by the experts peaked more than 350 Gigabits per second (Gbps, according to open-source reporting. Researchers noticed that IoT devices use the WS-DD protocol to automatically detect new Internet-connected devices nearby, a circumstance that expose them to this specific family of attacks. WS-DD uses UDP making it possible to spoof a victim’s IP address.
Another protocol exploited in attacks in the wild is the Apple Remote Management Service (ARMS).
Once enabled the Apple Remote Desktop (ARD) feature, the ARMS service will listen on port 3283 for incoming commands to remote Apple devices. The attackers could abuse the protocol to launch DDoS amplification attacks.
Another software abused in DDoS attacks is the built-in network discovery protocols implemented in Jenkins server. In February, Radware researchers reported that attackers were abusing the CVE-2020-2100 flaw in 12,000+ internet-facing Jenkins servers to mount reflective DDoS attacks.
The experts estimated that cyber actors could exploit vulnerable Jenkins servers to obtain an amplification factor of the malicious traffic of 100 in massive DDoS attacks.
According to the FBI, threat actors will continue to abuse the above protocols in attacks in the wild, for this reason, it recommends US companies to adopt the necessary DDoS mitigations.
Below the recommended mitigations:
(SecurityAffairs – hacking, FBI)