Source: http://www.prolexic.com

Some DDoS and DrDoS attacks target IP-based devices such as printers and routers to take advantage of vulnerabilities inherent in these standard network protocols. By taking advantage of the functionality of the SNMP, NTP and CHARGEN protocols, attackers can turn mild-mannered network devices into malicious attacking bots. This short presentation from Prolexic highlights the problem as well as steps you can take to protect yourself.
2. The DrDoS attack: A popular cyber attack
• Distributed reflection and amplification denial of service attack, or DrDoS
• Malicious use of Internet protocols
• Difficult to trace back to the origin, because spoofing can mask the origin of the attack
• Sysadmins can take specific actions to reduce the vulnerability of their network devices and servers
3. Even printers may be hijacked by criminals using DrDoS attacks
• Support for common network protocols allows devices on your network to be employed in denial of service attacks
• Vulnerable devices include:
– Printers
– Cameras
– Routers
– Hubs
– Sensors
– Other network devices
4. Secure your IT devices and infrastructure
• Three vulnerable network protocols used in devices:
– Simple Network Management Protocol (SNMP)
– Network Time Protocol (NTP)
– Character Generation Protocol (CHARGEN)
• Like many other network protocols, these protocols were written with functionality, not security, in mind
• Can be used to misdirect and amplify responses to the attacker’s target
5. Simple Network Management Protocol (SNMP)
• For communicating with IP-based devices, such as routers, switches, servers, printers, modems, IP video cameras, IP phones, network bridges, hubs, alarms and thermometers
• Transmits data about device components, measurements, sensor readings and variables
• Allows users to monitor these devices
• Use of human-readable cleartext makes SNMPv1 and v2 vulnerable to interception and modification
• The origin of the transmission cannot be verified
• The white paper explains how to mitigate vulnerability to SNMP DrDoS attacks
6. Network Time Protocol (NTP)
• For synchronizing time and date information on computer clocks on the Internet
• Implemented on all major operating systems, network infrastructure devices and embedded devices
• Susceptible to spoofing, like the User Datagram Protocol (UDP) upon which it is built
• Attacker may cause multiple requests for time updates to be sent to multiple NTP hosts, directing their responses to the attacker’s target
• Team-Cymru authored a secure NTP server template that can be used as a baseline for DDoS protection against NTP reflection attacks
• The white paper provides a link to the Team-Cymru NTP server template
7. Character Generation Protocol (CHARGEN)
• Can be used for debugging network connections, network payload generation and bandwidth testing
• Two types of CHARGEN services:
– TCP and UDP
– UDP version is vulnerable to spoofing
• Misuse of the testing features may allow attackers to craft malicious network payloads and direct the responses to the attacker’s target
• The U.S. cyber security organization CERT recommends reconsidering whether these protocols are needed in your organization
• The white paper provides a link to details about the CERT recommendation
8. Why protocol-based DrDoS attacks happen
• DrDoS protocol reflection attacks are possible due to the inherent design of the original architecture and structure of these protocols
• Closing the security gaps permanently would require creating new protocols, which is unlikely to happen in the short term
• By disabling or restricting unneeded functionality, sysadmins can eliminate these vulnerabilities
• Prolexic customers are protected from these attacks as part of our DDoS protection and mitigation services
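A defender-side check for the abuse described in slides 5 through 8, added here as an example and not Prolexic's own code: it scans UDP flow records for devices on the local network whose replies from the SNMP, NTP or CHARGEN port toward one remote host far outweigh what that host sent them, which is the signature of a spoofed request being reflected and amplified at a victim. The flow records and the local prefix 192.0.2.0/24 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# UDP ports of the three reflector protocols the presentation covers.
REFLECTOR_PORTS = {161: "SNMP", 123: "NTP", 19: "CHARGEN"}

# Constructed flow records, not real traffic:
# (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.10", 50000, "192.0.2.5", 161, 40, 2600),     # small GetBulk-style queries, source spoofed as the victim
    ("udp", "192.0.2.5", 161, "203.0.113.10", 50000, 40, 104000),   # our SNMP device answering the "victim"
    ("udp", "203.0.113.10", 50000, "192.0.2.7", 123, 30, 1800),     # spoofed NTP queries
    ("udp", "192.0.2.7", 123, "203.0.113.10", 50000, 30, 13440),    # NTP replies toward the victim
    ("udp", "203.0.113.10", 50000, "192.0.2.8", 19, 20, 560),       # spoofed CHARGEN requests
    ("udp", "192.0.2.8", 19, "203.0.113.10", 50000, 20, 20000),     # CHARGEN replies toward the victim
    ("udp", "198.51.100.20", 40000, "192.0.2.5", 161, 10, 500),     # legitimate monitoring poll
    ("udp", "192.0.2.5", 161, "198.51.100.20", 40000, 10, 900),     # normal-sized reply
    ("tcp", "192.0.2.5", 22, "198.51.100.20", 41000, 10, 1500),     # unrelated TCP, ignored
]


def find_reflection(flows, local_net, min_amp=5.0):
    """Return (device, protocol, remote_host, amplification) for each local device
    whose replies from a reflector port to one remote host are at least min_amp
    times the bytes that host sent to the port. Replies with no matching request
    at all score as infinite amplification."""
    net = ipaddress.ip_network(local_net)
    req = defaultdict(int)   # (device, port, remote) -> bytes received on the port
    resp = defaultdict(int)  # (device, port, remote) -> bytes sent from the port
    for proto, src, sport, dst, dport, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport in REFLECTOR_PORTS and ipaddress.ip_address(dst) in net:
            req[(dst, dport, src)] += nbytes
        elif sport in REFLECTOR_PORTS and ipaddress.ip_address(src) in net:
            resp[(src, sport, dst)] += nbytes
    findings = []
    for (device, port, remote), out_bytes in resp.items():
        in_bytes = req.get((device, port, remote), 0)
        amp = out_bytes / in_bytes if in_bytes else float("inf")
        if amp >= min_amp:
            findings.append((device, REFLECTOR_PORTS[port], remote, round(amp, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for device, proto, victim, amp in find_reflection(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(f"{device} ({proto}) is reflecting toward {victim} at {amp}x amplification")
```

Flagged devices are the ones slide 8 says to fix by disabling or restricting the unneeded service; the legitimate monitoring poll stays below the threshold.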
9. Learn more in the white paper
• Download the DrDoS white paper: SNMP, NTP and CHARGEN attacks
• In this white paper, you’ll learn:
– Three common network protocols used in reflection attacks
– How SNMP, NTP and CHARGEN can be used by malicious actors
– How your printers and network devices may be employed by cyber attackers
– Specific actions to minimize your network’s exposure and mitigate protocol attacks
– What the internet community could do to reduce the risk
10. About Prolexic
• Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services.
• Prolexic has successfully stopped DDoS attacks for more than a decade.
• We can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers.