History of reported Attacks around CoAP and DTLS - eclipse-californium/californium GitHub Wiki

Attacks in the Wild

UDP protocols are frequently reported as a security risk. In many cases the information also raises some questions, so I'm not sure what the final result will look like. For me, much of it mainly points to "rust" and requires some "action", in order to prevent the "rust" from turning into a "hole" over time.

This history here doesn't claim to be complete.

December 2018

FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins

CoAP

In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, according to open source reporting. As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks.

"Abuse the multicast" simply makes me wonder. According to "Is multicast on the public internet possible? And if yes: How?", it seems to be hardly possible.

January 2019

CoAP Attacks In The Wild

Beginning in the middle of January 2019, we began to see DDoS attacks leveraging CoAP. The targets were geographically and logically well distributed, with little commonality between them. An average attack lasts just over 90 seconds with about 100 packets-per-second generated by the attacker.

Not sure: 90 s with 100 packets/s? Maybe a typo? A Raspberry Pi can process up to 1000 msg/s without any trouble. Hard to see the attack.

January 2019

CoAP Attacks In The Wild

Comparing scans performed two weeks apart, only 20% of the addresses appear in both scans. Compared to SSDP which boasts a similar amplification factor, the transient nature of CoAP devices means attackers have to constantly scan for abusable addresses in order to be effective.

Using the current numbers of Shodan/coap (about 350.000) or Shadowserver/coap (about 340.000), and assuming that there are about 3702258944 public IP addresses, the hit ratio is about 1:10000. So either an assumption to narrow the search range is required, or you need about 10000 requests ahead to find a target for amplification.

December 2019

DDoS Attack Vectors Live or Die

To perform this research, we use a high-powered scanner as part of a research initiative to ferret out vulnerable devices, protocols, and applications. Scans conducted on December 31st, 2019 revealed the following:

~616k - Devices vulnerable to abuse for COAP Version 1
~689k - Devices vulnerable to abuse for COAP Version 2
~166k - Devices vulnerable to abuse for Ubiquiti Discovery Protocol

These numbers might seem negligible compared to the sheer number of IoT and other devices available on the internet. However, further analysis revealed that attackers utilize an even smaller percentage of the available devices for attacks:

The largest attack we observed for COAP Version 1 used ~2,800 (0.46%) of the available 616k+ devices
The largest attack we observed for COAP Version 2 used ~2,900 (0.42%) of the available 689k+ devices
    The largest attack we observed in ATLAS was 148.93 Gbps for both COAP versions in the second half of 2019.*
The largest attack we observed for Ubiquiti used 24.57% of available devices
    The largest attack we observed in ATLAS was 348.91 Gbps in the second half of 2019.* 

Really interesting numbers. 148 Gbps / 5,700 = 25Mbps per peer.

www.brighttalk.com/webcast

There: "NETSCOUT Threat Intelligence Report 2H 2019".

The webcast states an amplification of 34:1 for COAP Version 1 and of 6.5:1 for Version 2. That makes me believe that "Version 1" and "Version 2" are not versions of the protocol (a version 2 is unknown), but versions (or rather variants) of the attack request.

March 2021

Datagram Transport Layer Security (D/TLS) Reflection/Amplification DDoS Attack Mitigation Recommendations

Misconfigured D/TLS servers that do not implement the HelloClientVerify anti-spoofing mechanism can be abused to launch UDP reflection/amplification attacks with an amplification ratio of 37.34:1. The amplified attack traffic consists of both initial UDP fragmented packets sourced from UDP/443 and non-initial fragmented UDP packets, directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.

Approximately 4,283 abusable D/TLS servers have been identified to date.

A common ClientHello is about 150-200 bytes. That would result in a flight of about 7K as the server's answer. I think most IoT use cases will not use such "monster certificate chains". And for sure, use a HelloVerifyRequest. But interesting anyway.
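As an added illustration (not Californium code, and not from the report), a minimal Python model of the DTLS 1.2 HelloVerifyRequest cookie exchange the report refers to, using constructed sizes of 180 bytes for the ClientHello and 7 KiB for the full server flight: a server that answers an unverified ClientHello with a stateless cookie sends less than it receives, while one that skips the cookie amplifies roughly 40:1 towards a possibly spoofed source.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sizes from the discussion above: ~180-byte ClientHello, ~7 KiB
# full server flight. HVR_HEADER_LEN is an assumed overhead for the
# HelloVerifyRequest headers and cookie-length byte.
CLIENT_HELLO_LEN = 180
FULL_FLIGHT_LEN = 7 * 1024
HVR_HEADER_LEN = 25


class DtlsServer:
    """Stateless-cookie part of DTLS 1.2 (RFC 6347, 4.2.1), nothing else."""

    def __init__(self, verify_clients: bool):
        self.verify_clients = verify_clients
        self.secret = secrets.token_bytes(32)  # a real server rotates this

    def _cookie(self, addr, client_hello: bytes) -> bytes:
        # Bind the cookie to the claimed source address and the ClientHello,
        # so only a peer that really receives the reply can echo it back.
        mac = hmac.new(self.secret, digestmod=hashlib.sha256)
        mac.update(addr[0].encode() + addr[1].to_bytes(2, "big") + client_hello)
        return mac.digest()

    def handle_client_hello(self, addr, client_hello: bytes, cookie: bytes = b""):
        """Return (reply_type, reply_bytes) for one ClientHello datagram."""
        if self.verify_clients:
            expected = self._cookie(addr, client_hello)
            if not hmac.compare_digest(cookie, expected):
                # Tiny stateless reply: a spoofed source gets no amplification.
                return "HelloVerifyRequest", bytes(HVR_HEADER_LEN) + expected
        return "ServerHello+Certificate", bytes(FULL_FLIGHT_LEN)


def amplification(verify_clients: bool, src=("198.51.100.7", 5684)) -> float:
    """Bytes sent to the (possibly spoofed) source per byte of a cookie-less ClientHello."""
    server = DtlsServer(verify_clients)
    _, reply = server.handle_client_hello(src, os.urandom(CLIENT_HELLO_LEN))
    return len(reply) / CLIENT_HELLO_LEN


def honest_client(src=("198.51.100.7", 5684)) -> str:
    """A client that owns its address echoes the cookie and gets the full flight."""
    server = DtlsServer(verify_clients=True)
    hello = os.urandom(CLIENT_HELLO_LEN)
    kind, reply = server.handle_client_hello(src, hello)
    if kind == "HelloVerifyRequest":
        kind, reply = server.handle_client_hello(src, hello, reply[HVR_HEADER_LEN:])
    return kind
```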

March 2022

TP240PhoneHome Reflection/Amplification DDoS Attack Vector

The average packet size for that attack was approximately 60 bytes

exposed system test facility can be abused

RFC7641 may benefit from using SAV (Source Address Validation) in order to provide protection against such kinds of DoS attacks.

NetScout - DDoS Threat Landscape - Russia

The "Attack Duration Analysis" indicates that about 70% of the attacks take no longer than 10 minutes.

The "DDoS Attack Vector Analysis" doesn't list CoAP at all.

Bad Actors Innovate, Extort, and Launch 9.7 Million DDoS Attacks

Direct-path attacks are gaining in popularity. Adversaries inundated organizations with TCP- and UDP-based floods, otherwise known as direct-path or nonspoofed attacks.

FMPOV, just preventing outgoing amplification is not enough. It's also important to get effective protection for incoming malicious traffic, as a DTLS 1.2 based firewall

April 2022

Using ML/AI for Better Network and DDoS Security Insights (April 6, 2022)

Traditional DDoS is getting less important; misused botnets are increasing.