This analysis sheds some light on the DDoS threat landscape and is aimed at technicians and anyone interested in the field. Basic knowledge of the subject is assumed, so if you are new to the topic you are welcome too, but please check the links in the reference section first.
This part deals with UDP amplification/reflection; further articles on botnets and HTTP amplification/reflection will follow.
We wanted to know how big a threat each vector poses. The two biggest factors for measuring this are:
- the amplification factor (bytes sent towards the victim per byte the attacker sends to the amplifier)
- the number of potentially abusable servers/devices reachable on the internet
Based on these two numbers we can evaluate which vector poses the biggest threat, both by maximum expected volume (an unskilled attack that pushes every amplifier as hard as possible) and for skilled attacks, where the attacker does not go full force but keeps a low profile per amplifier source (at most 1 Mbit/s of output each) to stay under the radar as far as possible. For a skilled attacker, 100,000 amplifiers delivering 1 Mbit/s each are more valuable than 1,000 amplifiers delivering 100 Mbit/s each: the same firepower, spread so thinly that no single amplifier or its network is likely to notice.
Amplifier-Source | Factor | Open Servers | AttackScore | Expected Volume | out/server mbps | in/sized attack | out total sized attack
---|---|---|---|---|---|---|---

Column definitions (A = unskilled all-out attack with 1 kbit/s input per server, SA = sized attack with output capped at 1 Mbit/s per server):
- Factor: amplification factor of the protocol (output bytes per input byte)
- Open Servers: number of abusable servers found
- AttackScore (A/Score): Open Servers * Factor / 1 Mio; numerically this equals the Expected Volume in Gbit/s
- Expected Volume (A/Volume): total output of all servers in Gbit/s when every server is fed 1 kbit/s
- out/server mbps (A/Out per Server): output per server in Mbit/s at 1 kbit/s input, i.e. Factor / 1000
- in/sized attack (SA/In): input per server in kbit/s needed to drive it at the 1 Mbit/s output cap, i.e. 1000 / Factor
- out total sized attack (SA/Total Volume): total output of all servers in Gbit/s during a sized attack, i.e. Open Servers / 1000
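The scoring below is an added example that is not part of the original analysis; it implements the column formulas from the legend above and then ranks vectors the two ways the text describes (all-out volume versus sized attack). The two amplifier entries in SAMPLE are constructed placeholders with made-up factors and server counts, not measurements; the extra helper sized_total_in_gbps is our addition and is not a column of the page's table.

```python
"""Score UDP amplification vectors with the formulas from the table legend.

Added example, not code from the original analysis. The numbers in SAMPLE are
constructed placeholders, not real scan results.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Amplifier:
    name: str
    factor: float        # amplification factor: bytes out per byte in
    open_servers: int    # abusable servers reachable from the internet

    # A/Score: Open Servers * Factor / 1 Mio
    def attack_score(self) -> float:
        return self.open_servers * self.factor / 1_000_000

    # A/Volume: total output in Gbit/s when every server is fed in_kbps (page: 1 kbit/s)
    def expected_volume_gbps(self, in_kbps: float = 1.0) -> float:
        return self.open_servers * in_kbps * self.factor / 1_000_000

    # A/Out per Server: output per server in Mbit/s at in_kbps input
    def out_per_server_mbps(self, in_kbps: float = 1.0) -> float:
        return in_kbps * self.factor / 1_000

    # SA/In: input per server in kbit/s so that output stays at out_cap_mbps (page: 1 Mbit/s)
    def sized_in_kbps(self, out_cap_mbps: float = 1.0) -> float:
        return out_cap_mbps * 1_000 / self.factor

    # SA/Total Volume: output of all servers in Gbit/s during a sized attack
    def sized_total_gbps(self, out_cap_mbps: float = 1.0) -> float:
        return self.open_servers * out_cap_mbps / 1_000

    # Added helper, not a column of the page's table: upstream bandwidth in
    # Gbit/s the attacker must supply to drive every server at the cap.
    # A low factor makes the sized attack expensive for the attacker too.
    def sized_total_in_gbps(self, out_cap_mbps: float = 1.0) -> float:
        return self.open_servers * self.sized_in_kbps(out_cap_mbps) / 1_000_000


def score_row(a: Amplifier) -> dict:
    """One table row, same column order as the page."""
    return {
        "Amplifier-Source": a.name,
        "Factor": a.factor,
        "Open Servers": a.open_servers,
        "AttackScore": a.attack_score(),
        "Expected Volume": a.expected_volume_gbps(),
        "out/server mbps": a.out_per_server_mbps(),
        "in/sized attack": a.sized_in_kbps(),
        "out total sized attack": a.sized_total_gbps(),
    }


def rank_unskilled(amps):
    """Biggest all-out volume first: sort by AttackScore (A/Score)."""
    return [a.name for a in sorted(amps, key=Amplifier.attack_score, reverse=True)]


def rank_sized(amps):
    """Biggest volume at 1 Mbit/s per source first: sort by SA/Total Volume."""
    return [a.name for a in sorted(amps, key=Amplifier.sized_total_gbps, reverse=True)]


# Constructed placeholder vectors (NOT real measurements): one high-factor
# protocol with few servers, one low-factor protocol with many servers.
SAMPLE = [
    Amplifier("high-factor/few-servers", factor=10_000, open_servers=10_000),
    Amplifier("low-factor/many-servers", factor=5, open_servers=2_000_000),
]

if __name__ == "__main__":
    for amp in SAMPLE:
        print(score_row(amp))
    print("unskilled ranking:", rank_unskilled(SAMPLE))
    print("sized ranking:    ", rank_sized(SAMPLE))
```

With these placeholder inputs the two rankings flip: the high-factor vector wins on AttackScore (100 versus 10), while the many-server vector wins the sized attack (2000 Gbit/s versus 10 Gbit/s), which is exactly the point made above. The added sized_total_in_gbps shows the cost side: driving two million factor-5 servers at 1 Mbit/s each needs 400 Gbit/s of the attacker's own upstream, so a low factor limits the sized attack from the attacker's end as well.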
References
General
WS-Discovery/SOAP over UDP
Memcrashed (2018-02)
- GitHub: February 28th DDoS Incident Report
- Akamai: Memcached UDP Reflection Attacks
- Cloudflare: Memcrashed - Major amplification attacks from UDP port 11211
- NETSCOUT Arbor: NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack
- Rapid7: The Flip Side of memcrashed
- Memcached: Open Memcached Key-Value Store Scanning Project
Questions? Contact: info@zero.bs