Executive Summary

Information

Name: TA14-017A
Vendor: US-CERT
First vendor Publication: 2014-01-17
Last vendor Modification: 2014-02-09
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: N/A
Base Score: N/A
Environmental Score: N/A
Impact Sub Score: N/A
Temporal Score: N/A
Exploitability Sub Score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Base Score: 5
CVSS Impact Score: 2.9
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Overview

A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

Description

UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge an IP datagram carrying an arbitrary source IP address [7]. When many UDP packets have their source IP address forged to a single address, the server sends its responses to that victim, creating a reflected Denial of Service (DoS) attack.

Recently, certain UDP protocols have been found to return responses to particular commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets they could send directly to the target; now a single packet can generate tens or hundreds of times its own bandwidth in the response. This is called an amplification attack, and when combined with a reflected DoS attack on a large scale it makes DDoS attacks relatively easy to conduct.

To measure the potential effect of an amplification attack, we use a metric called the bandwidth amplification factor (BAF). BAF is the number of UDP payload bytes that an amplifier sends in answer to a request, divided by the number of UDP payload bytes in the request.

Known protocols and their associated bandwidth amplification factors are listed below. US-CERT would like to thank Christian Rossow for providing this information.

Protocol | Bandwidth Amplification Factor | Vulnerable Command
DNS | 28 to 54 | see: TA13-088A [1]
NTP | 556.9 | see: TA14-013A [2]
SNMPv2 | 6.3 | GetBulk request
NetBIOS | 3.8 | Name resolution
SSDP | 30.8 | SEARCH request
CharGEN | 358.8 | Character generation request
QOTD | 140.3 | Quote request
BitTorrent | 3.8 | File search
Kad | 16.3 | Peer list exchange
Quake Network Protocol | 63.9 | Server info exchange
Steam Protocol | 5.5 | Server info exchange


Impact

Attackers can use the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, producing a DDoS attack.

Solution

DETECTION

Detection of DRDoS attacks is not easy, because the traffic comes from large, trusted servers that provide UDP services. For a victim, traditional DoS mitigation techniques may still apply.

If you operate one of these exploitable services, look for abnormally large volumes of responses being sent to a particular IP address. This may indicate that an attacker is using your service to conduct a DRDoS attack.
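The detection hint above, combined with the BAF definition from the Description section, can be turned into a simple check over flow records: aggregate request bytes received from and response bytes sent to each peer of the service, then flag peers whose response volume is abnormally large relative to what they requested. This is an added example, not code from the advisory; the flow records, the service address 192.0.2.10:123 and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records for a UDP service (NTP on 123/udp here):
# (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes).  Inbound requests
# arrive at the service port; outbound responses leave from it.  Sample data
# made up for this example, not taken from the advisory.
SERVICE_IP, SERVICE_PORT = "192.0.2.10", 123
SAMPLE_FLOWS = [
    ("198.51.100.5", 40001, SERVICE_IP, SERVICE_PORT, 48),    # ordinary client
    (SERVICE_IP, SERVICE_PORT, "198.51.100.5", 40001, 48),    # same-sized reply
    ("203.0.113.9", 123, SERVICE_IP, SERVICE_PORT, 8),        # tiny request...
    (SERVICE_IP, SERVICE_PORT, "203.0.113.9", 123, 2200),     # ...huge reply
    ("203.0.113.9", 123, SERVICE_IP, SERVICE_PORT, 8),
    (SERVICE_IP, SERVICE_PORT, "203.0.113.9", 123, 2200),
    (SERVICE_IP, SERVICE_PORT, "198.51.100.77", 5353, 600),   # reply, no request seen
]


def amplification_by_destination(flows, service_ip, service_port):
    """Return {peer_ip: (request_bytes, response_bytes, baf)} for every peer.

    baf follows the advisory's definition: UDP payload bytes the service sent
    in responses divided by the payload bytes it received in requests.  Byte
    counts are summed per peer, so this is an aggregate rather than a
    per-packet figure.  A peer with responses but no observed requests (e.g.
    asymmetric routing) gets baf = inf so it still sorts as suspicious."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst == service_ip and dport == service_port:
            req[src] += nbytes
        elif src == service_ip and sport == service_port:
            resp[dst] += nbytes
    stats = {}
    for peer in set(req) | set(resp):
        r, s = req[peer], resp[peer]
        stats[peer] = (r, s, s / r if r else float("inf"))
    return stats


def flag_reflection_targets(stats, min_bytes=2000, min_baf=10.0):
    """Peers that received a large response volume relative to their requests:
    candidate DRDoS victims being reflected through this service.  min_bytes
    keeps one-off small replies from tripping the ratio test."""
    return sorted(p for p, (r, s, baf) in stats.items()
                  if s >= min_bytes and baf >= min_baf)
```

Run over real flow exports, the thresholds need tuning per service, since protocols such as DNS legitimately answer small queries with larger responses.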

MITIGATION

Source IP Verification

Because the UDP requests sent by the attacker-controlled clients must carry a source IP address spoofed to appear as the victim's IP, the first step in reducing the effectiveness of UDP amplification is for Internet Service Providers to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 in May 2000 and Best Current Practice 84 in March 2004; these documents describe how an Internet Service Provider can filter traffic on its network to reject packets whose source addresses are not reachable via the packet's actual path [3][4]. With the recommended changes, a routing device evaluates whether the source IP address of a packet is reachable via the interface on which the packet arrived. If it is not, the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for the most popular types of DDoS attacks, so we highly recommend that all network operators perform network ingress filtering where possible. Note that ingress filtering on one network does not by itself protect a UDP service provider from being exploited in a DRDoS; all network providers must use ingress filtering to eliminate the threat completely.

To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [5].
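The reverse-path check that BCP 38/84 describes, modelled on a small routing table so the strict and loose variants can be compared. This is an added example, not code from the advisory or from any router vendor; the prefixes, interface names and packets are hypothetical. Strict mode is what the paragraph above describes (the source must be reachable back out the ingress interface); loose mode, which BCP 84 discusses for multi-homed or asymmetric paths, only requires that some non-default route to the source exists.

```python
import ipaddress

# Constructed routing table for an ISP edge router: (prefix, outgoing interface).
# Customer prefixes sit behind customer-facing ports; everything else is reached
# via the upstream.  Hypothetical values, not taken from the advisory.
ROUTES = [
    ("0.0.0.0/0", "upstream0"),
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/24", "cust2"),
    ("203.0.113.128/25", "cust3"),
]


def lookup(routes, ip):
    """Longest-prefix match: returns (network, interface) or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accepts(routes, src_ip, ingress_iface, mode="strict"):
    """Reverse-path check on a packet's *source* address (BCP 38 / BCP 84).

    strict: the best route back to src_ip must point out the ingress interface,
            otherwise the source is considered spoofed and the packet dropped.
    loose:  any route to src_ip other than the default route is accepted;
            weaker, but safe on asymmetric paths where strict mode would drop
            legitimate traffic.
    Returns True to accept, False to drop."""
    hit = lookup(routes, src_ip)
    if hit is None:
        return False
    net, iface = hit
    if mode == "strict":
        return iface == ingress_iface
    return net.prefixlen > 0  # loose: a default-route-only match is not enough


def dropped_sources(routes, packets, mode="strict"):
    """Apply the check to (src_ip, ingress_iface) pairs; return the dropped sources."""
    return [src for src, iface in packets
            if not urpf_accepts(routes, src, iface, mode)]
```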

Traffic Shaping

Limiting the rate of responses to UDP requests is another potential mitigation. This may require testing to find the optimal limit that does not interfere with legitimate traffic. The IETF released Request for Comments 2475 and Request for Comments 3260, which describe methods to shape and control traffic [6] [8]. Most network devices today provide these functions in their software.

Original Source

URL: http://www.us-cert.gov/cas/techalerts/TA14-017A.html

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-20 | Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24449
Title: Network Time Protocol (NTP) vulnerability in AIX
Description: The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Family: unix
Class: vulnerability
Reference(s): CVE-2013-5211
Version: 6
Platform(s): IBM AIX 6.1, IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26210
Title: SUSE-SU-2014:0937-1 -- Security update for ntp
Description: The NTP time service could have been used for remote denial of service amplification attacks.
Family: unix
Class: patch
Reference(s): SUSE-SU-2014:0937-1, CVE-2013-5211
Version: 3
Platform(s): SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Desktop 11
Product(s): ntp
Definition Synopsis:

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 316
Os | | 1
Os | | 2

ExploitDB Exploits

Date | Description
2014-04-28 | NTP ntpd monlist Query Reflection - Denial of Service

Snort® IPS/IDS

Date Description
2018-01-11 RPC Portmapper getstat request attempt
RuleID : 45166 - Revision : 4 - Type : POLICY-OTHER
2018-01-11 RPC Portmapper version 2 dump request attempt
RuleID : 45165 - Revision : 4 - Type : POLICY-OTHER
2018-01-11 RPC Portmapper version 3 dump request attempt
RuleID : 45164 - Revision : 4 - Type : POLICY-OTHER
2018-05-23 SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt
RuleID : 45157-community - Revision : 4 - Type : SERVER-OTHER
2018-01-11 SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt
RuleID : 45157 - Revision : 4 - Type : SERVER-OTHER
2015-05-19 NTP mode 6 UNSETTRAP denial of service attempt
RuleID : 34114 - Revision : 4 - Type : SERVER-OTHER
2015-05-19 NTP mode 6 REQ_NONCE denial of service attempt
RuleID : 34112 - Revision : 4 - Type : SERVER-OTHER
2014-02-15 ntp monlist denial of service attempt
RuleID : 29393 - Revision : 6 - Type : SERVER-OTHER

Metasploit Database

Date | Description
2020-05-23 | Ubiquiti Discovery Scanner

Nessus® Vulnerability Scanner

Date Description
2017-10-27 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2017-0165.nasl - Type : ACT_GATHER_INFO
2017-02-08 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2017-0038.nasl - Type : ACT_GATHER_INFO
2016-09-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-3613.nasl - Type : ACT_GATHER_INFO
2016-09-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-3612.nasl - Type : ACT_GATHER_INFO
2015-12-30 Name : The remote VMware ESX / ESXi host is missing a security-related patch.
File : vmware_VMSA-2014-0002_remote.nasl - Type : ACT_GATHER_INFO
2015-05-22 Name : The remote VMware ESXi 5.5 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_5_build_1623387_remote.nasl - Type : ACT_GATHER_INFO
2015-01-29 Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_1_build_1743201_remote.nasl - Type : ACT_GATHER_INFO
2015-01-29 Name : The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_0_build_1749766_remote.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_ntp_20140417.nasl - Type : ACT_GATHER_INFO
2014-09-19 Name : The remote device is missing a vendor-supplied security patch.
File : juniper_jsa10613.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-474.nasl - Type : ACT_GATHER_INFO
2014-07-31 Name : The remote openSUSE host is missing a security update.
File : suse_12_3_openSUSE-2014--140722.nasl - Type : ACT_GATHER_INFO
2014-07-31 Name : The remote openSUSE host is missing a security update.
File : suse_13_1_openSUSE-2014--140722.nasl - Type : ACT_GATHER_INFO
2014-07-30 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_ntp-140721.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV59636.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV58413.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV58068.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV56575.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV56324.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV56213.nasl - Type : ACT_GATHER_INFO
2014-06-17 Name : The remote AIX host is missing a security patch.
File : aix_IV55365.nasl - Type : ACT_GATHER_INFO
2014-03-12 Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2014-0002.nasl - Type : ACT_GATHER_INFO
2014-02-14 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-044-02.nasl - Type : ACT_GATHER_INFO
2014-01-20 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201401-08.nasl - Type : ACT_GATHER_INFO
2014-01-15 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_3d95c9a77d5c11e3a8c1206a8a720317.nasl - Type : ACT_GATHER_INFO
2014-01-02 Name : The remote NTP server is affected by a denial of service vulnerability.
File : ntp_monlist_enabled.nasl - Type : ACT_GATHER_INFO

Alert History

Date | Information
2020-05-23 13:17:15 | Multiple Updates
2016-11-29 00:28:33 | Multiple Updates
2014-02-09 21:19:11 | First insertion