Trivial path for DDoS amplification attacks found by infosec bods
600,000 servers are vulnerable to this little-known protocol
Security researchers have discovered a new vector for DDoS amplification attacks – and it's quite literally trivial.
Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years.
Researchers at Edinburgh Napier University have discovered that the TFTP protocol (Trivial File Transfer Protocol) might be abused in a similar way.
Unlike DNS and NTP, TFTP has no business being exposed on internet-facing systems. Yet port scanning research indicated that there about 599,600 publicly open TFTP servers.
That’s bad in itself but the situation gets worse: the researchers discovered that TFTP offers a higher amplification factor than other internet protocols.
“The discovered vulnerability could allow hackers to use these publicly open servers to amplify their traffic, similarly to other DDoS amplification attacks like DNS amplification. If all specific conditions are met this traffic can be applied up to 60 times the original amount,” researcher Boris Sieklik told El Reg.
“I also studied effects of this attack on different TFTP software implementations and found that most implementations automatically retransmit the same message up to six times, which also contributes to the amplification.”
TFTP protocol (Trivial File Transfer Protocol) is a simplified version of FTP (File Transfer Protocol). It is generally used in internal networks and in environments where OS image transfers are required regularly. For instance, Cisco uses TFTP to send OS images to the VoIP phones and they can also be used by all Cisco equipment to update firmware or to transfer files as part of schemes to provide centralised storage of these images. The technology is also widely used during PXE booting of machines.
Essentially, any file can be transferred by TFTP.
Attackers could use this vulnerability to perform large amplification attacks to both external and internal targets, Sieklik warns. Sieklik worked together with Richard Macfarlane and Prof. William Buchanan, both of Edinburgh Napier University, in putting together the research, which also looked at ways to mitigate potential attacks and possible countermeasures.
DDoS reflection/amplification attacks in general allow an attacker to magnify the amount of traffic they can generate. Sending a dodgy request with a forged return address in the name of an intended target can generate a response, much bigger in size than the original request, hence the amplification terminology.
The trick ultimately relies on using misconfigured services at third-party sites in order to flood targeted websites with junk responses to forged web requests. Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the most high profile of which battered Spamhaus and buffeted internet exchanges back in March 2013.
Something along the same lines might be possible, at least in theory, when it comes to TFTP, the researchers warn. The computer scientists are unable to point to specific examples of DDoS attacks based on TFTP.
More details of the research were published in the March edition of publisher Elsevier’s Computers & Security journal (synopsis here).
"To my knowledge this vulnerability was not used for harm by hackers as of now," Sieklik told El Reg. "However, certain indications have been published on Russian and Chinese websites about this."
A brief search on Shodan, the machine data search engine, returned about 96 000 results when searching for TFTP. "This list might not be fully comprehensive," according to Sieklik.®