Yep, it’s time to use this title again. This time we’re talking about Distributed Denial of Service (DDoS) amplification attacks. One of the lists I monitor posted the following:

Christian Rossow has done some great work on DDoS.  The two interesting papers are:
“Exit from Hell? Reducing the Impact of Amplification DDoS Attacks,” read here.

The authors also look at DNS, NTP, SNMP, SSDP, CharGen, QOTD and NetBIOS. The last sentence of this paper, “We measured almost 46 million amplifiers for all scanned UDP-based protocols.”

“Hell of a Handshake: Abusing TCP for Reflective Amplification
DDoS Attacks,” 
read here.

The quote from the Kuhrer paper is a depressing read:

“The basic idea is to send relatively small requests with spoofed source address to public hosts (e.g., NTP servers), which reflect significantly larger responses to the victim of the attack.”

Why? In 2000, I was part of a Fed/SANS Institute Task Force that wrote a Consensus Roadmap to defeating DDOS attack doc. In there, we stressed the importance of setting your (the collective your) network ingress/egress filters correctly in order to prevent spoofed packets from leaving your network.

The above quote says to me that we’ve (the collective we) has forgotten this basic defense technique. So, my question to the list is “have you set your ingress/egress filters on ALL of your network devices to prevent spoofed packets from leaving your nets. If so, you’ve taken a giant step in reducing the impact of an amplification attack.

The weird sense of humor in me says that the admins who were around in 2000 and set their filters have moved on or retired and their replacements looked at those ACLs and said “WTF? Let’s take these out.”

It’s been 14 years now and spoofed packets are still an issue.

I’m just saying…:-)


Leave a Reply