Global Detection and Analysis of DDoS Reflection Amplification Attacks

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail the global detection and analysis of DDoS reflection amplification attacks. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have some understanding of the relevant knowledge after reading this article.

Version history:

First edition (2017-08-07): completed the first round of data statistics, output report, improved document format.
Second edition (2017-08-14): completed the second round of data statistics, output report, improved document format.
Third edition (2017-11-15): completed the third round of data statistics on the basis of the second round.
Fourth edition (2018-03-05): completed the fourth round of data statistics, adding the detection of Memcached on the basis of the third round.

II.

A DDoS attack is a resource-exhaustion network attack. Attackers use high-volume traffic, targeted vulnerabilities and other techniques to exhaust the resources of the target host and so achieve denial of service.

Reflection amplification is a kind of DDoS attack with great attack power. Attackers need only pay a small price to generate huge traffic towards the target, putting great pressure on network bandwidth (network layer), connection resources (transport layer) and computing resources (application layer). In October 2016, Dyn's DNS servers suffered a DDoS attack that caused a large-scale network outage in the United States. Post-attack traffic analysis showed that DNS reflection amplification and SYN flooding were the main components of the denial of service attack behind that outage. Because reflection amplification is harmful, cheap and difficult to trace, it is favoured by practitioners in the underground ("black") industry.

III. Data analysis of the fourth round of amplification attack detection

[note: the following statistics are based on the fourth round of 2018-03-05]

In the fourth round of detection, the ZoomEye cyberspace detection engine adds detection of Memcached to the six kinds of DDoS reflection services covered in the previous two rounds.

3.1 CHARGEN

Through the ZoomEye cyberspace exploration engine, 90,000 (95,010) hosts with port 19 open were obtained. The amplification factor of these 90,000 hosts was then probed; in fact only 10,000 (10,122) hosts had port 19 open, accounting for 10.65% of the total. Among the hosts with port 19 open, 6,000 (6,485) hosts had an amplification factor of more than 10, accounting for 64.07%, while the amplification of the remaining hosts was mainly concentrated around 2. The relevant data is shown in figure 3.1-1:

For the hosts with an amplification factor above 10, we sent a total of 870 KB (891,693 bytes) of request traffic and received 71 MB (74,497,401 bytes) of response traffic, an amplification of 83 times. Assuming that a host can successfully answer 100 request packets within 1 minute, the resulting attack traffic is calculated at 947 Mbit/s. The largest amplification observed in this round for a single Chargen request/response pair is 319 times.
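The figures above (request bytes, response bytes, amplification factor, estimated attack bandwidth, and the per-factor histogram of figure 3.1-1) come from the same small calculation. The script below is an added example written for this page, not code from the report or from ZoomEye; the two aggregate byte totals are quoted from the paragraph above, while the per-host probe records in SAMPLE are constructed. Note that the report's 947 Mbit/s figure is only reproduced if "Mbit" is taken as 2^20 bits, which the MIB constant makes explicit.

```python
"""Amplification statistics for a reflection-probe data set (added example)."""
from collections import Counter
from typing import Iterable, Tuple

# The report quotes KB, MB and Mbit in powers of two (870 KB = 891,693 / 1024).
MIB = 1024 * 1024

def amplification(request_bytes: int, response_bytes: int) -> float:
    """Bytes received per byte sent; 0.0 when nothing was sent."""
    if request_bytes <= 0:
        return 0.0
    return response_bytes / request_bytes

def histogram(records: Iterable[Tuple[int, int]]) -> Counter:
    """Bucket responding hosts the way figure 3.1-1 does: by integer
    amplification factor, with everything >= 10x in a single bucket."""
    buckets = Counter()
    for req, resp in records:
        if resp == 0:
            continue  # silent host: port closed or filtered, not a reflector
        factor = amplification(req, resp)
        buckets[">=10x" if factor >= 10 else f"{int(factor)}x"] += 1
    return buckets

def max_amplification(records: Iterable[Tuple[int, int]]) -> float:
    """Largest single request/response factor seen in the data set."""
    return max((amplification(req, resp) for req, resp in records), default=0.0)

def estimated_attack_mbit_s(total_response_bytes: int, packets_per_minute: int) -> float:
    """Aggregate reflected traffic if every probed host answered
    packets_per_minute requests per minute, in Mbit/s (1 Mbit = 2^20 bits)."""
    bits_per_second = total_response_bytes * packets_per_minute * 8 / 60
    return bits_per_second / MIB

# Aggregates quoted from the report for Chargen hosts with >10x amplification.
CHARGEN_REQUEST_BYTES = 891_693
CHARGEN_RESPONSE_BYTES = 74_497_401

# Constructed per-host probe results: (request bytes, response bytes).
SAMPLE = [(1, 0), (1, 2), (1, 2), (1, 74), (1, 319), (2, 0), (1, 1)]

if __name__ == "__main__":
    print("overall factor: %.1fx" % amplification(CHARGEN_REQUEST_BYTES, CHARGEN_RESPONSE_BYTES))
    print("estimated traffic: %.0f Mbit/s" % estimated_attack_mbit_s(CHARGEN_RESPONSE_BYTES, 100))
    print("histogram:", dict(histogram(SAMPLE)), "max: %.0fx" % max_amplification(SAMPLE))
```

The same three functions apply unchanged to the NTP, DNS, SNMP, SSDP, CLDAP and Memcached sections; only the probe records differ.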

Comparing the above data with the previous two rounds, the harm of Chargen reflection DDoS attacks has not decreased but tends to increase.

Based on the detection results of the ZoomEye cyberspace exploration engine, the global distribution of exploitable Chargen hosts is shown in figure 3.1-2:

Figure 3.1-2: Global distribution of exploitable hosts on port 19 (Chargen protocol)

As the figure shows, South Korea still has the largest number of hosts that can be used to carry out DDoS reflection amplification attacks, with China second. The distribution across Chinese provinces is shown in figure 3.1-3:

Figure 3.1-3: Distribution within China of exploitable hosts on port 19 (Chargen protocol)

3.2 NTP

Through the ZoomEye cyberspace exploration engine, 140,000 (147,526) hosts with the NTP UDP port open were obtained. Probing these hosts for amplification, only 1,000 (1,723) actually had the port open, accounting for 1.17% of the total, and only 4 hosts had an amplification factor greater than 10, accounting for 0.23% of the responding hosts. The specific numbers are shown in figure 3.2-1:

Compared with the results of the last detection, the hidden danger of using NTP for reflection DDoS attacks has basically been eliminated: both the total number of NTP servers and the number of exploitable servers have dropped greatly. In this probe only four exploitable NTP servers were found, all located in Japan; no exploitable NTP server was detected in China.

3.3 DNS

20 million (21,261,177) hosts related to UDP port 53 were obtained through the ZoomEye cyberspace detection engine and probed for amplification. In fact only 3.84 million (3,847,687) hosts had port 53 open, accounting for 18.1% of the total scanned. Among the hosts with port 53 open, 30,000 (31,999) hosts had an amplification factor of more than 10, only 0.83% of the total, while 2.77 million (2,776,027) hosts had an amplification factor of 1. The details are shown in figure 3.3-1:

Compared with the previous round of data, both the number of DNS servers on the Internet and the number of exploitable DNS servers are declining.

Next, let's look at the global distribution of these 30,000 hosts with an amplification factor greater than 10, shown in figure 3.3-2. Compared with the previous round the ranking has not changed much, and the United States still ranks first. We also compiled statistics on the distribution of exploitable hosts in China, shown in figure 3.3-3; compared with the previous round, the number of DNS servers in Hubei Province has increased significantly.

Figure 3.3-2: Global distribution of exploitable hosts on port 53 (DNS protocol)

Figure 3.3-3: Distribution within China of exploitable hosts on port 53 (DNS protocol)

3.4 SNMP

10 million (11,681,422) hosts related to UDP port 161 were obtained through the ZoomEye cyberspace detection engine and probed for amplification. In fact 1.67 million (1,677,616) hosts had port 161 open, accounting for 14.36% of the total scanned. Among the hosts with port 161 open, 610,000 (617,980) hosts had an amplification factor of more than 10, accounting for 36.84% of the total. The specific data is shown in figure 3.4-1:

Compared with the previous round of data, the number of SNMP hosts detected increased, while the number of available hosts decreased.

Next, let's look at the global distribution of these 610,000 hosts with an amplification factor greater than 10. As shown in figure 3.4-2, the number of hosts in China has risen to second place. We also compiled statistics on the distribution of exploitable hosts in China; as shown in figure 3.4-3, Taiwan, Beijing and Heilongjiang are still among the most affected provinces.

Figure 3.4-2: Global distribution of exploitable hosts on port 161 (SNMP protocol)

Figure 3.4-3: Distribution within China of exploitable hosts on port 161 (SNMP protocol)

3.5 SSDP

Through the ZoomEye cyberspace exploration engine, we obtained 30 million (32,522,480) hosts related to UDP port 1900 and probed them for amplification. In fact 600,000 (609,014) hosts had port 1900 open, accounting for 1.87% of the total scanned. Among the hosts with port 1900 open, 570,000 (572,936) hosts had an amplification factor of more than 10, accounting for 94.08% of the total. The specific data is shown in figure 3.5-1:

Next, let's look at the global distribution of these 570,000 hosts with an amplification factor greater than 10. As shown in figure 3.5-2, there is no significant change compared with the previous round. Statistics for China are shown in figure 3.5-3: Taiwan is still the province with the largest number of exploitable hosts in China, far ahead of all other provinces.

Figure 3.5-2: Global distribution of exploitable hosts on port 1900 (SSDP protocol)

Figure 3.5-3: Distribution within China of exploitable hosts on port 1900 (SSDP protocol)

3.6 CLDAP

400,000 (403,855) hosts related to UDP port 389 were obtained through the ZoomEye cyberspace detection engine and probed for amplification. In fact only 17,725 hosts had port 389 open, accounting for 4.39% of the total scanned. Among the hosts with port 389 open, 17,645 hosts had an amplification factor of more than 10, accounting for 99.55% of the total. The specific data is shown in figure 3.6-1:

Next, let's look at the global distribution of these 20,000 hosts with an amplification factor greater than 10. As shown in figure 3.6-2, the United States is still the country with the largest number of exploitable CLDAP servers, and China still ranks third.

We also compiled statistics on the distribution of exploitable hosts in China. As shown in figure 3.6-3, Taiwan is still the province with the largest number of exploitable hosts in China and, together with Hong Kong, far exceeds the other provinces and regions.

Figure 3.6-2: Global distribution of exploitable hosts on port 389 (LDAP/CLDAP protocol)

Figure 3.6-3: Distribution within China of exploitable hosts on port 389 (LDAP/CLDAP protocol)

3.7 Memcached

Memcached is a free, open source, high-performance, distributed in-memory object caching system. It was developed by Brad Fitzpatrick of Danga Interactive, a subsidiary of LiveJournal, and has since become an important component for improving the scalability of Web applications in many services, such as mixi, hatena, Facebook, Vox and LiveJournal.

Memcached is a memory-based key-value store for small chunks of arbitrary data (strings, objects). The data may be the result of database calls, API calls or page rendering.

Memcached is simple and powerful. Its concise design enables rapid development, reduces development difficulty and solves many problems of caching large amounts of data. Its API has bindings for most popular development languages.

In essence it is a simple key-value storage system. It is generally used to reduce the number of database accesses by caching database query results, and so improve the speed and scalability of dynamic Web applications.

By default the Memcached server also listens on TCP and UDP port 11211, and its storage service can be used without authentication. On March 2, 2018, ZoomEye scanned UDP port 11211 across the whole Internet for Memcached instances without authentication. A total of 14,142 targets were obtained; their global distribution is shown in figure 3.7-1:

Figure 3.7-1: Global distribution of exploitable Memcached hosts

From the figure we can clearly see that there is still a big gap between China and other countries in attention to security issues: among the 14,142 valid targets, 11,368 have IP addresses located in China. The distribution of these targets within China is shown in figure 3.7-2:

Figure 3.7-2: Distribution within China of exploitable Memcached hosts

When Memcached authentication is not enabled, anyone can access the Memcached server, store key-value pairs, and then retrieve a value by its key. So an item whose key is 1 byte and whose value is 1 KB can be stored in Memcached and then fetched through the key, which produces an amplification of nearly 1000 times. Memcached also opens its UDP port by default, which is what allows it to be used for DDoS reflection amplification attacks. How large the Memcached amplification can be depends on:

1. The bandwidth of the Memcached server

2. The maximum length of value that Memcached can store

In a test with our own server, we first had the exploitable Memcached instances store a value 1 KB in length, then fetched the value from all targets at the same time, receiving 886 Mbit/s of traffic, as shown in figure 3.7-3:

Figure 3.7-3: Traffic statistics
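From the receiving side, every service surveyed in section 3 leaves the same footprint: a burst of large UDP datagrams arriving from the service's well-known source port on many distinct hosts, all aimed at one destination. The script below is an added example, not code from the report or from ZoomEye; it runs that heuristic over flow records in a constructed, simplified NetFlow-like text format (timestamp, src, dst, proto, sport, dport, packets, bytes, one flow per line). The sample flows and the thresholds are constructed for illustration and would be tuned to real traffic.

```python
"""Flag reflected amplification traffic in flow records (added example)."""
from collections import defaultdict

# UDP source ports of the seven services the report measures.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp",
                   389: "cldap", 1900: "ssdp", 11211: "memcached"}

def parse_flow(line: str) -> dict:
    """Parse one constructed flow line into a record."""
    ts, src, dst, proto, sport, dport, pkts, nbytes = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes)}

def detect_reflection(lines, min_reflectors: int = 3, min_avg_packet: int = 400) -> dict:
    """Return {victim: summary} for destinations that receive large UDP
    packets from at least min_reflectors distinct hosts on reflector ports.

    Reflected answers arrive *from* the service port (the reflector's sport)
    towards whatever destination port the spoofed request carried, so the
    destination port is deliberately not filtered on."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0,
                                   "packets": 0, "services": set()})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        s = per_dst[f["dst"]]
        s["reflectors"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["packets"] += f["packets"]
        s["services"].add(REFLECTOR_PORTS[f["sport"]])

    alerts = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["packets"]          # packets > 0 by construction
        # A single large reply (e.g. a normal DNS answer) is not an attack;
        # many reflectors with consistently large packets is.
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_packet:
            alerts[dst] = {"reflectors": len(s["reflectors"]),
                           "avg_packet_bytes": round(avg),
                           "services": sorted(s["services"])}
    return alerts

# Constructed sample: four reflectors hitting 203.0.113.5, plus benign traffic.
SAMPLE_FLOWS = [
    "1520000000 198.51.100.10 203.0.113.5 udp 11211 3200 40 56000",
    "1520000001 198.51.100.11 203.0.113.5 udp 11211 3200 35 49000",
    "1520000001 198.51.100.12 203.0.113.5 udp 19 3200 60 30000",
    "1520000002 198.51.100.13 203.0.113.5 udp 1900 3200 50 20000",
    "1520000002 192.0.2.8 203.0.113.9 udp 53 40123 2 180",        # ordinary DNS reply
    "1520000003 192.0.2.9 203.0.113.9 tcp 443 51000 10 8000",     # HTTPS, ignored
]

if __name__ == "__main__":
    for victim, summary in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, summary)
```

Because the victim's address is spoofed into the requests, the victim never sees the requests themselves, only the answers; that is why the detection keys on source port and reflector count rather than on request/response pairing.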

IV. Summary

Compared with the data detected in the previous three rounds, the biggest change in the fourth round is the NTP service: NTP servers on the Internet can no longer produce DDoS reflection amplification attacks with large traffic. By comparison, the other protocols have reduced their number of exploitable hosts to a greater or lesser degree. DDoS reflection amplification attacks are still very harmful, and DDoS defence remains urgent.

Comparing the data detected by ZoomEye with the Memcached service on the public network:

Figure 4-4: Number of hosts on port 11211 probed by ZoomEye

In ZoomEye's database there are 540,000 targets with port 11211 open, including 230,000 in the United States and 130,000 in China, but only 14,142 of them have UDP port 11211 open, of which the United States accounts for 1,070 targets and China for 11,368.

From the comparison of these data, we can see that the United States has a very fast response to such security incidents, and there is still a big gap between China and the United States.

In terms of amplification, although the number of exploitable targets has been reduced to the order of 10,000, they can still produce DDoS attacks with large traffic.

For Memcached users, we recommend closing the UDP port and enabling SASL authentication. For network operators, we recommend enabling uRPF (Unicast Reverse Path Forwarding) on routers, a unicast reverse-route lookup technique that prevents attacks based on source address spoofing; with this mechanism in place, UDP reflection attacks can be rendered ineffective.
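Reflection attacks depend on the attacker forging the victim's address as the source of the requests, which is the step uRPF removes: a router accepting a packet looks up the route back to the packet's source address and, in strict mode, drops the packet unless that route exits through the interface it arrived on. The following is an added illustration of that decision written for this page, not vendor or report code; the forwarding table, interface names and packets are constructed, and the default-route handling reflects the usual practice of applying strict uRPF on customer-facing interfaces rather than on an upstream link that only has a default route.

```python
"""Strict- and loose-mode uRPF decisions over a constructed FIB (added example)."""
import ipaddress

# Constructed forwarding table: prefix -> interface that routes towards it.
FIB = {
    "10.1.0.0/16": "eth1",   # customer A
    "10.2.0.0/16": "eth2",   # customer B
    "0.0.0.0/0": "eth0",     # upstream / default route
}

def lookup(fib: dict, address: str, allow_default: bool = False):
    """Longest-prefix match; returns the egress interface or None.
    The default route is ignored unless allow_default is set, because a
    default route would 'justify' every source address on the Internet."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]

def urpf_accepts(fib: dict, src: str, in_iface: str,
                 mode: str = "strict", allow_default: bool = False) -> bool:
    """True if a packet with source address src arriving on in_iface passes
    the reverse-path check. Loose mode only requires that some route back
    to the source exists; strict mode requires it to point at in_iface."""
    route_iface = lookup(fib, src, allow_default)
    if route_iface is None:
        return False            # unroutable source: dropped in both modes
    if mode == "loose":
        return True
    return route_iface == in_iface

def filter_packets(fib: dict, packets, mode: str = "strict"):
    """Apply the check to (src, in_iface) pairs; returns the accepted subset."""
    return [(src, iface) for src, iface in packets
            if urpf_accepts(fib, src, iface, mode)]

# Constructed packets seen on the customer-facing interfaces.
PACKETS = [
    ("10.1.5.5", "eth1"),      # customer A using its own address: legitimate
    ("10.2.7.7", "eth1"),      # customer A forging customer B's address
    ("203.0.113.5", "eth1"),   # customer A forging an Internet address (a
                               # reflection attack's would-be victim)
    ("10.2.7.7", "eth2"),      # customer B using its own address: legitimate
]

if __name__ == "__main__":
    print("strict:", filter_packets(FIB, PACKETS))
    print("loose: ", filter_packets(FIB, PACKETS, mode="loose"))
```

Strict mode drops both forged packets at the first hop, so the spoofed requests never reach the reflectors. Loose mode still lets the forged customer-B address through, which is why it is mainly useful against addresses that are not routed at all (bogons) rather than against reflection attacks using real victim addresses.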

This concludes the global detection and analysis of DDoS reflection amplification attacks. I hope the above content is helpful to you and that you have learned more. If you think the article is good, you can share it for more people to see.
