2025-03-26 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article shows how ONVIF-based IoT devices participate in DDoS reflection attacks. The content is concise and easy to follow, and the detailed analysis below should be useful to defenders.
I. Overview
Most previous attacks launched from IoT devices have been flooding attacks. The notorious Mirai malware exploits vulnerabilities in IoT devices, compromises a large number of them, and builds botnets to carry out DDoS attacks. This attack is different from those flooding attacks: it takes advantage of a characteristic of the Internet of Things, the extensive use of the UDP protocol, to launch a reflection and amplification DDoS attack.
II. Attack research
When the Zhiyun Shield system detects an attack, it automatically samples the attack traffic, and security experts promptly analyse the sampled packets in depth. This attack involved a total of 1665 reflection sources.
2.1 Attack packet analysis
From the attack sample captured by Zhiyun Shield, the source port of the reflected traffic is 3702. The red arrow in the figure below points to the reflection source port:
Figure 1 Source port diagram of attack in sampling packet
The payload in the packet is in SOAP XML format, as shown in Figure 2 below:
Figure 2 SOAP XML data content
Here we extract the payload content of the packet separately, as shown in Figure 3 below:
Figure 3 SOAP XML data content extracted separately
For this attack, we extracted the corresponding request traffic from the Zhiyun Shield Threat Center for analysis. It is a reflection attack using the ONVIF protocol. Zhiyun Shield security experts concluded that this reflection attack is similar to earlier reflection attacks, except that it uses Internet of Things devices as reflection sources.
The principle of the reflection attack is explained in detail below.
2.2 Attack principle
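The traffic signature described in 2.1 (UDP, source port 3702, SOAP XML payload) turned into simple detection logic over packet summaries, as an added example that is not part of the original article. The sample records are constructed, and the per-victim aggregation assumes packet summaries of the form (proto, src, sport, dst, dport, length, payload_prefix):

```python
from collections import defaultdict

WSD_PORT = 3702
# Strings carried by a WS-Discovery SOAP response; matching on the payload keeps
# unrelated UDP/3702 traffic from being counted as reflection.
WSD_MARKERS = ("soap-envelope", "ProbeMatches")

# Constructed sample packet summaries: (proto, src, sport, dst, dport, length, payload_prefix).
SAMPLE_PACKETS = [
    ("UDP", "198.51.100.10", 3702, "203.0.113.5", 41000, 1515,
     '<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"'),
    ("UDP", "198.51.100.11", 3702, "203.0.113.5", 41000, 3558,
     '<?xml version="1.0"?><e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope"'),
    ("UDP", "198.51.100.10", 3702, "203.0.113.5", 41000, 1515,
     '<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"'),
    ("UDP", "192.0.2.7", 3702, "203.0.113.9", 53211, 320, "binary-junk-not-soap"),  # same port, not SOAP
    ("TCP", "198.51.100.12", 3702, "203.0.113.5", 41000, 900, "<SOAP-ENV:Envelope"),  # TCP, not a reflection
]


def is_wsd_reflection(pkt):
    """True for a UDP packet from port 3702 whose payload looks like a WS-Discovery SOAP reply."""
    proto, _src, sport, _dst, _dport, _length, payload = pkt
    return proto == "UDP" and sport == WSD_PORT and any(m in payload for m in WSD_MARKERS)


def summarize(packets, min_reflectors=2):
    """Per destination: bytes, packet count and distinct reflectors of WS-Discovery replies.

    Only destinations hit from at least `min_reflectors` sources are returned, since many
    reflectors answering one victim is the shape of a reflection attack.
    """
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for pkt in filter(is_wsd_reflection, packets):
        _, src, _, dst, _, length, _ = pkt
        stats[dst]["bytes"] += length
        stats[dst]["packets"] += 1
        stats[dst]["reflectors"].add(src)
    return {dst: {"bytes": s["bytes"], "packets": s["packets"], "reflectors": len(s["reflectors"])}
            for dst, s in stats.items() if len(s["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    for dst, s in summarize(SAMPLE_PACKETS).items():
        print(f"{dst}: {s['packets']} WS-Discovery replies, {s['bytes']} bytes from {s['reflectors']} reflectors")
```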
Reflection DDoS attacks do not send traffic to the victim's IP directly. Instead, the attacker constructs UDP packets whose source address is the victim's IP and sends these forged packets to reflection sources. The traffic the reflection sources return to the victim's IP far exceeds the forged UDP traffic the attacker sent, and this is how the DDoS attack on the victim is carried out. The reflection pattern is shown in Figure 4 below:
Figure 4 Schematic diagram of a reflection attack
In Figure 4, the attacker sends a forged UDP packet to the amplifier. The Zhiyun Shield team reproduced the DDoS attack by modifying a standard WS-DISCOVERY request packet; the modified payload string is as follows:
urn:uuid:
Sending this string over UDP to port 3702 of the target causes the device to return a WS-DISCOVERY response packet. If the request does not conform to the SOAP XML format defined by WS-DISCOVERY, the interface drops the request packet and does not respond.
2.3 Amplification factor
According to our previous research on reflection amplification, a rigorous statistical calculation of the amplification factor must take into account the packet headers of the request and the response, and even the inter-frame gap on the wire.
We reproduced the request packet that the attacker used for the reflection attack, as captured by the Zhiyun Shield Threat Center, and optimized the request content, reducing the request payload to 211 bytes. The response packet for a single video device address is 1515 bytes (fragmented; the overhead of an additional fragment is 34+4+20=58 bytes). Figure 5 below is the reproduction screenshot:
Figure 5 Screenshot of WS-DISCOVERY reproduction
The amplification factor is therefore (1515+66+58)/(211+66) = 5.92.
In the actual attack sample captured by Zhiyun Shield, the response content reaches 3558 bytes, fragmented into 3 response packets, so the total on-the-wire length reaches 3558+66+58*2=3740 bytes, and the maximum amplification factor in that case is 3740/277=13.5.
From current observations, we therefore estimate the amplification factor at 5 to 14 times.
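The amplification arithmetic of 2.3 carried through in code, as an added example that is not the article's own. It assumes a 1500-byte MTU and derives the 66-byte and 58-byte framing overheads used above from the Ethernet, IP and UDP header sizes plus preamble, FCS and inter-frame gap; the fragment count follows from the datagram size:

```python
import math

ETH_HDR, IP_HDR, UDP_HDR = 14, 20, 8   # link, network and transport headers
PREAMBLE, FCS, IFG = 8, 4, 12          # per-frame Ethernet overhead on the wire
MTU = 1500                             # assumed link MTU

# First (or only) fragment: all headers plus framing = 66 bytes.
FIRST_FRAME_OVERHEAD = ETH_HDR + IP_HDR + UDP_HDR + PREAMBLE + FCS + IFG
# Each additional IP fragment carries no UDP header: 34 + 4 + 20 = 58 bytes.
FRAGMENT_OVERHEAD = ETH_HDR + IP_HDR + FCS + PREAMBLE + IFG


def fragment_count(udp_payload: int) -> int:
    """Number of IP fragments needed to carry one UDP datagram at the assumed MTU."""
    ip_payload = UDP_HDR + udp_payload
    return max(1, math.ceil(ip_payload / (MTU - IP_HDR)))


def wire_bytes(udp_payload: int) -> int:
    """Bytes a UDP datagram occupies on the wire, fragments and inter-frame gaps included."""
    extra_fragments = fragment_count(udp_payload) - 1
    return udp_payload + FIRST_FRAME_OVERHEAD + FRAGMENT_OVERHEAD * extra_fragments


def amplification(request_payload: int, response_payload: int) -> float:
    """Bandwidth amplification factor: response bytes on the wire / request bytes on the wire."""
    return wire_bytes(response_payload) / wire_bytes(request_payload)


if __name__ == "__main__":
    request = 211  # optimized request payload from the article
    for response in (1515, 3558):  # single-device response and largest sampled response
        print(f"{response}-byte response: {fragment_count(response)} fragment(s), "
              f"{wire_bytes(response)} bytes on the wire, x{amplification(request, response):.2f}")
```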
III. Analysis of reflection sources
Through investigation of the reflection source IPs, Zhiyun Shield security experts found that the reflection sources are mainly video camera devices, and that their IPs span 60 countries and regions worldwide. The reflection sources are concentrated in Taiwan (China), Hungary and the USA.
All these devices use the ONVIF protocol as their communication management protocol.
3.1 Introduction to ONVIF Protocol
ONVIF is committed to advancing the use of network video in the security market through global open interface standards that ensure interoperability between network video products from different vendors. The interfaces defined in the Device Management and Control section of the ONVIF specification are provided as Web Services, and data exchanged between server and client uses the SOAP XML format.
The WS-DISCOVERY interface used by the attacker is the device discovery interface defined by the ONVIF protocol, and its data is transmitted over UDP.
3.2 WS-DISCOVERY Interface Defect
The ONVIF protocol requires that devices implementing ONVIF services support device discovery and detection; device discovery is the WS-DISCOVERY interface discussed below.
WS-DISCOVERY: The client sends a broadcast message to port 3702 of the reflection source IP and waits for ONVIF devices on the network to respond with their IP, UUID, endpoint address and other information.
Strictly speaking, a UDP service exposed to the public network should keep the request-to-response size ratio at 1:1, but port 3702, used by ONVIF for device discovery, does not follow this principle, so a port 3702 exposed to the public network can be used as a reflection source.
3.3 ONVIF protocol port 3702 public network exposure status
Searching SHODAN for port 3702 shows that about 210,000 hosts worldwide expose it. If they support the ONVIF protocol, they may be used as reflection sources for attacks, as shown in Figure 6 below:
Figure 6. Port 3702 distribution diagram (data from shodan.io)
Analysis of the reflection sources involved in the attack events captured by Zhiyun Shield shows a large number of Internet of Things devices exposed to the public network. Most are video devices, with a small number of printers and other IoT devices, from many manufacturers, including some well-known video equipment vendors.
IV. Trends in DDoS reflection attacks
In this attack, the service discovery interface defined by the network video specification is used as the reflection source, the amplification factor is large, and Internet of Things devices are used as reflectors, which makes it harmful. Compared to traditional DRDoS attacks, this attack exploits protocol weaknesses in IoT devices, and similar attacks will increase as IoT becomes more widespread.
Mirai, mentioned in the overview, also uses Internet of Things devices to launch DDoS attacks, but it infects the devices to form a huge botnet. This attack event is different: using Internet of Things devices as reflectors does not require compromising the devices or building a botnet. The spread of the Internet of Things therefore makes large-traffic attacks easier for attackers to carry out.
V. Prevention recommendations
1) Internet services
a) Disable UDP; where it cannot be disabled, ensure that the response is not a multiple of the request in size.
b) Enable authorization and verification.
2) For enterprise users
a) If there is no UDP-related traffic, UDP packets can be filtered upstream or at the local firewall.
b) Operators can be asked to provide UDP black-hole routing for the IP segments of externally facing website services.
c) Optionally subscribe to a DDoS cloud protection service.
3) For Internet of Things users
a) If there is no requirement for public network access, do not give IoT devices a public IP.
b) If public network access is required, add firewall rules that restrict which IPs may access the device, to reduce Internet exposure.
c) Prefer TCP in the device communication settings during initial device configuration.
The above describes how ONVIF-based IoT devices participate in DDoS reflection attacks.