Massive Distributed Reflection Denial of Service (DrDoS)




DDoS attacks in which a few thousand infected Windows PCs SYN flood a network have been taking a back seat to the next generation of Denial of Service attacks, known as Distributed Reflection Denial of Service (DrDoS) attacks. A packet kiddie doesn't even need to compromise servers and PCs anymore to launch an attack. Many of the administrators of the servers being utilized in the attacks have little awareness that they are partaking in an attack. Reflection attacks are actually not something new to the world of network security; you may have heard of the original amplification attack, "smurf". In a smurf attack, large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network would, by default, respond to this by sending a reply to the source IP address. This attack was so devastating that several non-profit organizations began raising awareness of the issue; one in particular was netscan.org, which when it began published over 122,945 misconfigured networks that would respond to spoofed ICMP echo requests. By 2005 the number was down to a few thousand, with minimal responses from each network.

Here is a snapshot of what the internet looked like in early 2000. The chart below shows the broadcast address and the number of times it will respond to a single ping request:

Last rescan: Thu Feb 24 10:15:39 PST 2000

RESP      ADDR               EMAIL ADDRESSES
------------------------------------------------
124273    208.158.191.0
27545     210.45.224.255
12501     193.76.71.0
10679     202.178.229.0
10483     200.255.9.0
9818      210.72.81.0
9617      207.34.70.0
8176      207.112.112.0
7222      207.112.112.255
6681      206.130.55.0
6316      206.130.55.255
6003      210.243.91.255
5358      208.192.16.255
4658      209.132.220.255
4413      206.144.34.255
4207      206.144.35.255
3146      207.34.70.255
2418      170.118.254.0
2416      170.118.254.255

And a snapshot as of today from Powertech.no, who has kept Netscan's operation going:

Current top ten smurf amplifiers (updated every 5 minutes)
(last update: 2015-08-09 20:01:02 CET)

Network             #Dups  #Incidents  Registered at     Home AS
212.1.130.0/24         38           0  1999-02-20 09:41  AS9105
204.158.83.0/24        27           0  1999-02-20 10:09  AS3354
209.241.162.0/24       27           0  1999-02-20 08:51  AS701
159.14.24.0/24         20           0  1999-02-20 09:39  AS2914
192.220.134.0/24       19           0  1999-02-20 09:38  AS685
204.193.121.0/24       19           0  1999-02-20 08:54  AS701
198.253.187.0/24       16           0  1999-02-20 09:34  AS22
164.106.163.0/24       14           0  1999-02-20 10:11  AS7066
12.17.161.0/24         13           0  2000-11-29 19:05  not-analyzed
199.98.24.0/24         13           0  1999-02-18 11:09  AS6199

Netscan offered a script that checked the number of times that x.y.z.0 and x.y.z.255 reply to a single ping packet. If either number is greater than 1, the network is misconfigured and its administrator should be notified. Networks responding more than 10 times per ping were likely to be used in smurf broadcast amplifier lists. Netscan shut its doors after helping to reduce the number of networks available to be abused in smurf attacks. Some organizations criticized Netscan for publishing the lists of networks being used in attacks (an attacker could simply copy the vulnerable networks into a list and use them in an attack), but they will always be remembered as the ones who saved the internet. In today's world there is a whole new set of protocols that can be abused in reflection attacks.
A snapshot of 2015, with the protocol and amplification factor charted below:

UDP-based Amplification Attacks

Protocol                 Bandwidth Amplification Factor
NTP                      556.9
CharGen                  358.8
DNS                      up to 179
QOTD                     140.3
Quake Network Protocol   63.9
SSDP                     30.8
Kad                      16.3
SNMPv2                   6.3
Steam Protocol           5.5
NetBIOS                  3.8
BitTorrent               3.8

There are no organizations publishing lists of known misconfigured protocols these days, as that might result in lawsuits and jail time; denial of service attacks are not taken lightly anymore.

DNS amplification attacks

This type of attack takes advantage of open or misconfigured DNS servers that respond to outside recursive DNS queries. In this type of attack it does not matter whether the nameserver is authoritative or not; the DNS servers will respond to any queries regardless. In a reflection attack the attackers have the ability to create a TXT record attack, which associates arbitrary, non-formatted text with a domain or host to amplify the size of the response.

Reflection/amplification based on authoritative or non-authoritative name servers: if the nameserver is authoritative for the domain being queried, the attacker issues a DNS ANY query, which retrieves all cached records available for the domain name, and spoofs the query so that the reply is sent to the victim. Furthermore, RFC 2671 makes it possible to increase the buffer size of the request. If the requestor-side specification of the maximum buffer size is changed, responders can be made to send messages which are too large for intermediate gateways to forward, leading to potential ICMP storms between gateways and responders.

An "A record attack" occurs when an attacker issues multiple queries for A records to victim DNS servers; the requests have malformed domain names, so the DNS server responds with a registry code, or RCODE. Large numbers of these queries from a large number of sources can create devastating results.

Simple Network Management Protocol (SNMP) DrDoS attacks

SNMP operates at layer seven (the application layer) to manage devices such as routers, switches, VoIP and video systems, and other devices. SNMP transmits data about the devices it has records for and can even be used to manage some devices. SNMP is broken into three parts: the device; the agent, a software module within the device that collects various information; and the management software, which, as you'd expect, maintains and manages records for all the devices it manages. SNMP uses UDP port 161 to transmit messages and port 162 to catch, or "trap", messages. There are three versions of SNMP: v1, v2 and v3. SNMPv2 and v3 use additional protocol data units, "GetBulkRequest" and "InformRequest". Since SNMP is transmitted using UDP, a stateless protocol, IP address spoofing is possible. The DrDoS is performed after an attacker scans the internet for SNMP hosts and their community strings. Using this information the attacker can send a GetBulkRequest, which is around 100 bytes, and the response from the SNMP server is around 400 bytes, an amplification ratio of around 1:4. Attackers can also use the GetBulkRequest to enumerate all the Management Information Bases (MIBs), which can increase the amplification ratio to around 1:7, making it far more efficient for DrDoS attacks.

Network Time Protocol (NTP) DrDoS attacks

NTP uses UDP port 123 to synchronize computer clocks, specifically network clocks, using a set of clients and servers. Attackers scan and build a database of NTP servers that respond to outside requests (they should be ACL'd to prevent abuse). The attacker issues an NTP mode 7 command requesting a "monlist", a function built into the protocol for monitoring. There is a packet size minimum set forth in the RFC, which returns a more even response for the request.
Attackers can circumvent this restriction by removing the padding from the request, allowing them to issue the monlist request with a much smaller packet. The request without padding was calculated at 60 bytes, while the response returned 2604 bytes, giving this attack a whopping reflection multiplier of 43:1.

Character Generator Protocol (CHARGEN) DrDoS attacks

CHARGEN uses both TCP and UDP. The TCP generator service is not vulnerable to amplification attacks, as it is connection-oriented. The UDP-based CHARGEN service listens on port 19 for incoming datagrams; when one is received, the server answers with a random number of characters between zero and 512. This means the attacker will not always be able to amplify the response successfully, but more often than not it will be. Open source information estimates an average reflection multiplier of about 17. Here is an actual example of what a CHARGEN attack looks like in a packet capture:

2015-04-16 06:17:16.392098 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...26..q......"....-$c..w!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefgh"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghi#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghij$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijk%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijkl

2015-04-16 06:17:16.393881 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...27..q......"....-$c..w!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefgh"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghi#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghij$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijk%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijkl

2015-04-16 06:17:16.398694 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...2<..q......"....-$c..w!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefgh"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghi#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghij$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijk%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijkl

In the wild there have been reports of NTP DoSNETs attacking with over 100GB/S, SNMP DoSNETs capable of 40 GB/S, DNS attacks at 10 GB/S and CHARGEN DoSNETs at about 20MB/S. If one attacker or group of attackers could leverage all of these types of attacks at the same time, it would be devastating to virtually any server on the net. Currently, you can buy or rent these DoSNETs on hacker underground forums and IRC channels for as little as $5 for a 30 minute attack.
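As an added example, not code from the article, here is a small Python script of the kind a network defender would run over a capture like the one above. It parses tcpdump summary lines, flags datagrams that look reflected either by a well-known reflector source port or, as in the capture above where the reply arrives from an ephemeral port, by the rotating printable-ASCII pattern that CHARGEN emits, totals bytes per reflector with a rough bit-rate estimate, and computes the bandwidth amplification factor from the request and response sizes the article quotes for NTP monlist (60 and 2604 bytes). The port list, the CHARGEN signature string and the rate estimate are my own assumptions; the sample capture is the article's three packets with their payloads truncated.

```python
"""Spot reflected/amplified UDP traffic in tcpdump output and estimate the attacker's gain.

Added example for this article, not a tool from the original text. The reflector port
list, the CHARGEN signature and the bit-rate estimate are assumptions of the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# UDP services abused as reflectors, keyed by their well-known port (assumed list).
REFLECTOR_PORTS = {17: "QOTD", 19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# CHARGEN replies are a sliding window over printable ASCII, so this run of characters
# is a usable payload signature even when the reply arrives from an unexpected port.
CHARGEN_SIGNATURE = "!\"#$%&'()*+,-./0123456789"

# Summary line as printed by tcpdump for a UDP datagram, e.g.
# 2015-04-16 06:17:16.392098 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)\.?(?P<rest>.*)$"
)

# Constructed sample input: the three CHARGEN datagrams from the article's capture,
# each payload truncated after the first pass over the character pattern.
SAMPLE_CAPTURE = """
2015-04-16 06:17:16.392098 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...26..q......"....-$c..w!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg
2015-04-16 06:17:16.393881 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...27..q......"....-$c..w!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg
2015-04-16 06:17:16.398694 IP 180.189.3.34.61997 > 192.168.1.103.9315: UDP, length 443
.>..E...2<..q......"....-$c..w!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg
"""


@dataclass
class Datagram:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    payload: str = ""  # ASCII rendering of the payload (tcpdump -A), possibly truncated


def parse_capture(text):
    """Turn tcpdump -A style output into Datagram records; payload lines attach to the last summary."""
    datagrams = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            datagrams.append(Datagram(
                ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
                length=int(m["length"]), payload=m["rest"].strip()))
        elif datagrams:
            datagrams[-1].payload += line
    return datagrams


def classify(dg):
    """Name the reflector protocol if the datagram looks reflected, else return None."""
    if dg.sport in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[dg.sport]
    if CHARGEN_SIGNATURE in dg.payload:
        return "CHARGEN"
    return None


def summarize(datagrams):
    """Group suspected reflected datagrams per (src, sport): count, bytes and an estimated bit rate."""
    groups = defaultdict(lambda: {"protocol": None, "count": 0, "bytes": 0, "first": None, "last": None})
    for dg in datagrams:
        proto = classify(dg)
        if proto is None:
            continue
        g = groups[(dg.src, dg.sport)]
        g["protocol"] = proto
        g["count"] += 1
        g["bytes"] += dg.length
        g["first"] = dg.ts if g["first"] is None else min(g["first"], dg.ts)
        g["last"] = dg.ts if g["last"] is None else max(g["last"], dg.ts)
    for g in groups.values():
        span = (g["last"] - g["first"]).total_seconds()
        # A single datagram has no measurable duration; report 0 rather than divide by zero.
        g["bits_per_second"] = g["bytes"] * 8 / span if span > 0 else 0.0
    return dict(groups)


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the victim receives per byte the attacker sends."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    for (src, sport), g in summarize(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{src}:{sport} {g['protocol']} count={g['count']} bytes={g['bytes']} "
              f"rate={g['bits_per_second'] / 1e6:.2f} Mbit/s")
    print("NTP monlist factor:", amplification_factor(60, 2604))
```

Run against the sample, the three datagrams land in one group keyed by the reflector's address and port and are identified as CHARGEN by payload alone, which is the reason to keep a content signature next to the port list: a port-only rule would have missed this capture. The rate figure is only meaningful over a longer window than three packets, but the same aggregation over a full capture is what tells you which reflectors are contributing most of the bytes and therefore which upstream filters to request first.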

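For the DNS section above, here is an added example that is not from the article: a Python decoder for a query as it arrives on UDP port 53 that pulls out the question type and the EDNS0 UDP payload size carried in the OPT record's class field (RFC 2671), and lists the reasons a server operator would rate the query an amplification risk (ANY, a large advertised buffer, or recursion requested for a zone the server does not serve). build_query only constructs the test vectors; the assess function and its 512-byte threshold are my own assumptions about what a sensible rate-limiting rule looks like, not a description of any particular resolver.

```python
"""Decode a DNS query and rate its amplification potential.

Added example for this article, not code from it. QTYPE_NAMES, the 512-byte EDNS
threshold and the wording of the reasons are assumptions of the example.
"""
import struct

QTYPE_NAMES = {1: "A", 16: "TXT", 41: "OPT", 255: "ANY"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, root terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, offset):
    """Decode labels at offset; a query's names are never compressed, so pointers are rejected."""
    labels = []
    while True:
        n = buf[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(buf[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def build_query(name, qtype, edns_udp_size=None, txid=0x1234):
    """Construct a query packet as a test vector (what a resolver would see on UDP 53)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    additional = b""
    if edns_udp_size:
        # OPT pseudo-RR (RFC 2671): root name, type 41, CLASS field carries the UDP payload size.
        additional = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + additional


def parse_query(packet):
    """Return id, question and EDNS0 size from a DNS query; rejects anything that is not a query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if qd != 1 or an or ns:
        raise ValueError("expected a query with exactly one question and no answer/authority records")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    edns_size = None
    for _ in range(ar):
        _name, off = decode_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            edns_size = rclass
    return {"id": txid, "qname": qname, "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "edns_udp_size": edns_size, "rd": bool(flags & 0x0100)}


def assess(query, serves_zone):
    """List why this query could be used for amplification against a spoofed source.

    serves_zone: whether the receiving server is authoritative for query["qname"]; a
    recursive request for a zone it does not serve is the open-resolver case.
    """
    reasons = []
    if query["rd"] and not serves_zone:
        reasons.append("recursive query for a zone this server does not serve (open-resolver abuse)")
    if query["qtype"] == 255:
        reasons.append("ANY query returns every record set for the name")
    if query["edns_udp_size"] and query["edns_udp_size"] > 512:
        reasons.append(f"EDNS0 advertises responses up to {query['edns_udp_size']} bytes")
    return reasons


if __name__ == "__main__":
    risky = parse_query(build_query("example.com", 255, edns_udp_size=4096))
    print(risky, assess(risky, serves_zone=False))
    benign = parse_query(build_query("example.com", 1))
    print(benign, assess(benign, serves_zone=True))
```

The three reasons map onto the three knobs the article describes: open recursion, ANY queries and the EDNS0 buffer size. Any one of them on its own is a legitimate feature; it is the combination, arriving at high rate from sources that never sent a request, that marks a reflection attempt, so the output of assess is meant to feed a rate limiter or a minimal-response policy rather than to drop single packets.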