Exploration and Evaluation of a Novel DDoS Amplification Attack

Sieklik, B. (2013). Exploration and Evaluation of a Novel DDoS Amplification Attack (MSc ASDF Dissertation). Edinburgh Napier University (Macfarlane, R.).



Web threats are becoming a major issue for both governments and companies. Generally, web threats increased by as much as 600% during the last year (WebSense, 2013). This appears to be a significant issue, since many major businesses seem to provide these services. Denial of Service (DoS) attacks are one of the most significant web threats, and generally their aim is to waste the resources of the target machine (Mirkovic & Reiher, 2004). Distributed Denial of Service (DDoS) attacks are typically executed from many sources and can result in large traffic flows. During the last year, 11% of DDoS attacks were over 60 Gbps (Prolexic, 2013a). DDoS attacks are usually performed from large botnets, which are networks of remotely controlled computers. There is an increasing effort by governments and companies to shut down botnets (Dittrich, 2012), which has led attackers to look for alternative DDoS attack methods. One of the techniques to which attackers are returning is the DDoS amplification attack.
Amplification attacks use intermediate devices called amplifiers in order to amplify the attacker’s traffic. Amplifiers generally run a vulnerable service, which could be accessed and used by attackers. The principle of amplification attacks is to create and send IP packets with the spoofed source IP address of a target, so that the many response packets generated by the amplifiers are directed towards this target. There are several amplification attacks discussed in the literature; however, it appears that there has been a major focus on DNS amplification and other traditional amplification attacks, as seen in Deshpande, Katsaros, Basagiannis, & Smolka (2002), whereas there is little research considering other protocols.
Therefore, this work has investigated, described and evaluated a novel amplification attack based on the Trivial File Transfer Protocol (TFTP). Key requirements which an amplification attack should meet were identified, and a hypothesis was presented that TFTP could be used for amplification attacks. In order to test this theory, a testing environment was designed and implemented. Several metrics were identified in order to compare the TFTP amplification attack to other previously researched amplification attacks and to evaluate its effects on the target system. This testing environment was then practically implemented together with the required measurement tools.
Evaluation of the proposed attack showed that TFTP could indeed be used for amplification attacks. This attack could have an amplification factor of approximately 60, which rates highly alongside other researched amplification attacks. This could be a substantial issue globally, due to the fact that this protocol is used in approximately 599,600 publicly open TFTP servers. Mitigation methods to this threat have also been considered and a variety of countermeasures are proposed. Effects of this novel attack on both amplifier and target were analysed based on the proposed metrics.
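
The spoofed-source principle described above leaves a measurable signature at the amplifier: a peer that is sent far more UDP bytes than it ever sent. The following is an added example, not code from the dissertation, showing how an operator of a UDP service could compute a per-peer amplification factor from flow records; the record format, the addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the dissertation): "src dst proto bytes".
# 192.0.2.10 is the monitored UDP server; all addresses are documentation ranges.
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.10 udp 60
192.0.2.10 198.51.100.7 udp 3600
203.0.113.5 192.0.2.10 udp 62
192.0.2.10 203.0.113.5 udp 558
203.0.113.5 192.0.2.10 udp 460
203.0.113.9 192.0.2.10 tcp 400
"""

def amplification_by_client(flow_text, server_ip):
    """Return {client_ip: (bytes_in, bytes_out, factor)} for UDP traffic at server_ip."""
    bytes_in = defaultdict(int)   # client -> server (requests)
    bytes_out = defaultdict(int)  # server -> client (responses)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "udp" or not fields[3].isdigit():
            continue  # skip malformed and non-UDP records
        src, dst, _, size = fields
        # Pair by IP address, not port: TFTP replies leave from a server-chosen port.
        if dst == server_ip:
            bytes_in[src] += int(size)
        elif src == server_ip:
            bytes_out[dst] += int(size)
    result = {}
    for client, sent in bytes_out.items():
        received = bytes_in.get(client, 0)
        # Responses with no recorded request count as unbounded amplification.
        factor = sent / received if received else float("inf")
        result[client] = (received, sent, factor)
    return result

def suspected_reflection_targets(flow_text, server_ip, min_factor=10.0, min_bytes_out=1000):
    """Peers receiving far more than they sent: likely spoofed-source victims.

    min_factor and min_bytes_out are illustrative thresholds, not values from the page.
    """
    stats = amplification_by_client(flow_text, server_ip)
    return sorted(c for c, (_, out, f) in stats.items()
                  if f >= min_factor and out >= min_bytes_out)
```

In the constructed sample, the first peer shows a factor of 60 (matching the order of magnitude reported in the abstract), while the second peer, which keeps sending traffic back to the server, stays close to 1.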