A Wide Network Scanning for Discovery of UDP-Based Reflectors in the Nordic Countries

  • Conference paper
  • First Online:
Secure IT Systems (NordSec 2022)

Abstract

Distributed Reflective Denial of Service (DRDoS) attacks exploit Internet-facing devices in order to involve them in DoS incidents. These devices unwittingly amplify the attack traffic and redirect it towards the victim, and the resulting traffic exhausts the target’s network bandwidth and computational resources. The current work evaluates the amplification and reflection potential of four UDP-based protocols that are constantly reported as facilitators of DoS attacks: Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP), Constrained Application Protocol (CoAP) and Web Services Dynamic Discovery (WSD). Specifically, we conduct a countrywide network scan across the four main Nordic countries, i.e., Denmark, Finland, Norway and Sweden, and enumerate the devices that respond to any of our probes and hence can be exploited in DoS attacks. For each discovered device, we assess its amplification capability in terms of the Bandwidth Amplification Factor (BAF) and Packet Amplification Factor (PAF) that it can contribute to a DoS incident. The outcomes show that, of the four examined protocols, SSDP and SNMP are the most beneficial from an attacker’s perspective, as a large group of reflectors is identified in each of the considered countries. Even worse, a significant portion of these devices produced a BAF over 30, which can significantly multiply the attack traffic stemming from the attacker’s side and hence cause a devastating impact on the victim’s infrastructure.
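As an added illustration (not code or data from the paper), the following sketch shows how per-device BAF and PAF can be derived from the measurements of an audit of one's own address space and summarized per protocol against the BAF-over-30 mark mentioned above. It assumes the common definitions, BAF as response payload bytes over request payload bytes and PAF as response packets over request packets; the record layout, function names and sample values are constructed for this example.

```python
from collections import defaultdict

# Constructed sample records (not data from the paper):
# (ip, protocol, request_bytes, request_packets, response_bytes, response_packets)
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE = [
    ("192.0.2.10",   "SSDP", 100, 1, 3400, 11),
    ("192.0.2.11",   "SSDP", 100, 1, 2500,  9),
    ("198.51.100.5", "SNMP",  50, 1, 2000,  2),
    ("198.51.100.6", "CoAP",  20, 1,  400,  1),
    ("203.0.113.7",  "WSD",  200, 1,    0,  0),  # silent host: not a reflector
]

def factors(req_bytes, req_pkts, resp_bytes, resp_pkts):
    """Return (BAF, PAF) for one device under the assumed definitions."""
    if req_bytes <= 0 or req_pkts <= 0:
        raise ValueError("request size and packet count must be positive")
    return resp_bytes / req_bytes, resp_pkts / req_pkts

def summarize(records, baf_threshold=30.0):
    """Group responding devices by protocol and summarize their amplification."""
    per_proto = defaultdict(list)
    for _ip, proto, rq_b, rq_p, rs_b, rs_p in records:
        if rs_p == 0:          # no reply to the probe, so nothing is reflected
            continue
        per_proto[proto].append(factors(rq_b, rq_p, rs_b, rs_p))
    summary = {}
    for proto, vals in per_proto.items():
        bafs = [baf for baf, _ in vals]
        pafs = [paf for _, paf in vals]
        summary[proto] = {
            "reflectors": len(vals),
            "max_baf": max(bafs),
            "mean_paf": sum(pafs) / len(pafs),
            # devices whose BAF exceeds the threshold (strictly "over 30")
            "over_threshold": sum(1 for baf in bafs if baf > baf_threshold),
        }
    return summary

if __name__ == "__main__":
    for proto, stats in sorted(summarize(SAMPLE).items()):
        print(proto, stats)
```

Devices counted under `over_threshold` are the ones to prioritize for filtering or disabling the exposed service.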

Notes

  1. IP2Location: https://lite.ip2location.com/database/ip-country.

Author information

Corresponding author

Correspondence to Marios Anagnostopoulos.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Bjerre, A. et al. (2022). A Wide Network Scanning for Discovery of UDP-Based Reflectors in the Nordic Countries. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_10

  • DOI: https://doi.org/10.1007/978-3-031-22295-5_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22294-8

  • Online ISBN: 978-3-031-22295-5

  • eBook Packages: Computer Science (R0)
