Author: Knownsec 404 Laboratory
ZoomEye topic (Global Detection and Analysis of DDoS Reflection Amplification Attacks): https://www.zoomeye.org/topic?Id=
PDF version: download
English version: https://paper.seebug.org/899/
1. Update
2. Overview
A DDoS attack is a network attack that exhausts resources: the attacker consumes the target host's resources, through high-volume traffic, attacks on specific vulnerabilities and similar means, until it can no longer provide service.
Reflection amplification attacks are a particularly powerful class of DDoS attack. The attacker needs only a small investment to generate enormous traffic toward the target, putting huge pressure on its network bandwidth (network layer), connection resources (transport layer) and computing resources (application layer). In October 2016, the DNS servers of the US company Dyn suffered a DDoS attack that caused widespread network outages across the United States. Analysis of the attack traffic afterwards showed that DNS reflection amplification and SYN flood were the main components of the denial of service that disconnected US networks. Because reflection amplification attacks are damaging, cheap and hard to trace, they are favored by criminal operators.
From August 3 to August 6, 2017, the ZoomEye cyberspace detection engine carried out a first round of Internet-wide detection, counted the hosts that could be used for DDoS reflection amplification attacks, and published Global Detection and Analysis of DDoS Reflection Amplification Attacks, first edition. The engine scanned the whole Internet again from August 11 to August 13, 2017 and published the second edition. From November 13 to November 15, 2017, ZoomEye detected another actively exploited vector, CLDAP DDoS reflection amplification, carried out a third round of detection and published the third edition.
On March 1, 2018, ZoomEye observed frequent memcached DRDoS activity in cyberspace and carried out a fourth round of detection of DDoS reflection amplification attacks.
On May 6, 2019, ZoomEye carried out DDoS reflection amplification detection for CoAP, which was frequently active in cyberspace, and completed the fifth edition.
3. Analysis of the fifth-edition amplification attack data
[Note: the following statistics are based on the fourth-round data of 2018/03/05 and the CoAP data of 2019/05/06]
On March 5, 2018, the fourth round of detection was carried out: on top of the six DDoS vectors detected in the first two rounds, the ZoomEye cyberspace detection engine added detection of memcached. On May 6, 2019, detection of CoAP was added on top of the fourth round, producing the fifth edition.
3.1. CHARGEN
Through the ZoomEye cyberspace detection engine, about 90 thousand (95010) hosts with port 19 open were obtained. These 90 thousand hosts were then tested for amplification. In fact only about 10 thousand (10122) hosts actually had port 19 open, 10.65% of the total. Among the hosts with port 19 open, about 6 thousand (6485) reach an amplification factor of more than 10, 64.07% of the total, and most of the rest cluster around 2 times. The relevant data is shown in figure 3.1-1:
Counting traffic for the hosts with an amplification factor above 10, we sent 870 KB (891693 bytes) of request traffic in total and received 71 MB (74497401 bytes) of response traffic, an amplification of 83 times. Assuming a host can successfully answer 100 request packets per minute, the attack traffic would be 947 Mbit/s. This round also recorded the maximum amplification factor: the largest single request/response traffic amplification for the chargen protocol is 319 times.
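As an added example (not from the report), the per-host measurement described above can be applied to flow records a defender already collects: group request and response bytes per (host, port) for the surveyed UDP services, apply the report's more-than-10x threshold, and estimate attack bandwidth the way the report does for chargen. The flow records and prober address are constructed, and the 1 Mbit = 2**20 bit convention is an assumption that reproduces the 947 Mbit/s figure.

```python
from collections import defaultdict, namedtuple

# UDP service ports surveyed in the report, keyed to the protocol they carry.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP",
                   389: "CLDAP", 1900: "SSDP", 5683: "CoAP", 11211: "Memcached"}

# One unidirectional flow record (constructed format, NetFlow-like fields).
Flow = namedtuple("Flow", "src sport dst dport nbytes")


def amplification_by_host(flows, prober):
    """Return {(host, port): (request_bytes, response_bytes, factor)}.
    Requests are flows from the prober to a surveyed UDP port; responses are
    flows back from the same host and port. Hosts that never answered are left out.
    """
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.src == prober and f.dport in REFLECTOR_PORTS:
            req[(f.dst, f.dport)] += f.nbytes
        elif f.dst == prober and f.sport in REFLECTOR_PORTS:
            resp[(f.src, f.sport)] += f.nbytes
    return {k: (sent, resp[k], resp[k] / sent)
            for k, sent in req.items() if sent and resp.get(k)}


def flag_reflectors(flows, prober, threshold=10.0):
    """Hosts whose response/request byte ratio exceeds the report's 10x bar."""
    return {k: s for k, s in amplification_by_host(flows, prober).items()
            if s[2] > threshold}


def estimate_attack_mbit(response_bytes, responses_per_minute=100):
    """Bandwidth if each probed host repeats one round of responses N times a
    minute. Uses 1 Mbit = 2**20 bit (assumption); with the report's 74497401
    bytes of chargen responses this reproduces its 947 Mbit/s figure."""
    return response_bytes * responses_per_minute / 60 * 8 / 2 ** 20


PROBER = "198.51.100.7"  # constructed scanner address
SAMPLE_FLOWS = [         # constructed records
    Flow(PROBER, 40000, "203.0.113.10", 19, 60),        # chargen probe
    Flow("203.0.113.10", 19, PROBER, 40000, 4920),      # 82x reply
    Flow(PROBER, 40001, "203.0.113.11", 123, 60),       # NTP probe
    Flow("203.0.113.11", 123, PROBER, 40001, 90),       # 1.5x, below the bar
    Flow(PROBER, 40002, "203.0.113.12", 11211, 60),     # memcached get
    Flow("203.0.113.12", 11211, PROBER, 40002, 60000),  # 1000x reply
    Flow(PROBER, 40003, "203.0.113.13", 389, 60),       # CLDAP probe, no answer
]
```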
Comparing the above with the previous two data sets, the harm of chargen DDoS attacks has not decreased but shows an increasing trend.
According to the ZoomEye cyberspace detection engine results, the usable chargen hosts are distributed globally as shown in figure 3.1-2:
The figure shows that South Korea still has the largest number of hosts usable for DDoS reflection amplification attacks, with China in second place. Statistics by Chinese province are shown in figure 3.1-3:
3.2. NTP
About 140 thousand (147526) hosts with UDP port 123 open were obtained through the ZoomEye cyberspace detection engine. In fact only about one thousand (1723) hosts actually had UDP port 123 open, 1.17% of the total. Only four hosts have an amplification factor greater than 10, 0.23% of the responding hosts. See figure 3.2-1 for the exact numbers.
Compared with the previous detection, the risk of reflection DDoS attacks using NTP has essentially been eliminated. Both the total number of NTP servers and the number of usable servers have dropped sharply. In particular, only four usable NTP servers were found in this detection, all located in Japan; no usable NTP server was found in China.
3.3. DNS
About 20 million (21261177) hosts related to UDP port 53 were obtained by the ZoomEye cyberspace detection engine. In fact only about 3.84 million (3847687) hosts had port 53 open, 18.1% of the total scanned. Among the hosts with port 53 open, about 30 thousand (31999) have an amplification factor of more than 10, only 0.83% of the total, while about 2.77 million (2776027) hosts have an amplification factor of 1. See figure 3.3-1 for the exact data.
Compared with the previous edition, both the number of DNS servers on the Internet and the number of usable DNS servers are declining.
Next, the global distribution of these 30 thousand hosts with an amplification factor above 10 is shown in figure 3.3-2. Compared with the previous round the ranking has not changed much, and the United States still ranks first. We also counted the distribution of usable hosts within China, shown in figure 3.3-3; compared with the previous round, the number of DNS servers in Hubei Province has increased significantly.
3.4. SNMP
About 10 million (11681422) hosts related to UDP port 161 were obtained by the ZoomEye cyberspace detection engine. In fact about 1.67 million (1677616) hosts had port 161 open, 14.36% of the total scanned. Among the hosts with port 161 open, about 610 thousand (617980) have an amplification factor of more than 10, 36.84% of the total. See figure 3.4-1 for the exact data.
Compared with the previous round, the number of SNMP hosts detected has increased while the number of usable hosts has decreased.
Next, the global distribution of the 610 thousand hosts with an amplification factor above 10 is shown in figure 3.4-2; the number of hosts in China has risen to second place. We also counted the distribution of usable hosts within China, shown in figure 3.4-3: Taiwan, Beijing and Heilongjiang remain among the most affected provinces.
3.5. SSDP
Through the ZoomEye cyberspace detection engine, about 30 million (32522480) hosts related to UDP port 1900 were obtained. In fact about 600 thousand (609014) hosts had port 1900 open, 1.87% of the total scanned. Among the hosts with port 1900 open, about 570 thousand (572936) have an amplification factor of more than 10, 94.08% of the total. See figure 3.5-1 for the exact data:
Next, the global distribution of the 570 thousand hosts with an amplification factor above 10 is shown in figure 3.5-2; there is no significant change from the previous round. Within China, as shown in figure 3.5-3, Taiwan is still the province with by far the largest number of usable hosts.
3.6. CLDAP
About 400 thousand (403855) hosts related to UDP port 389 were obtained by the ZoomEye cyberspace detection engine. In fact about 10 thousand (17725) hosts had port 389 open, 4.39% of the total scanned. Among the hosts with port 389 open, about 10 thousand (17645) have an amplification factor of more than 10, 99.55% of the total. See figure 3.6-1 for the exact data:
Next, the global distribution of these 20 thousand hosts with an amplification factor above 10 is shown in figure 3.5-2: the United States is still the country with the most usable CLDAP servers, and China still ranks third. We also counted the distribution of usable hosts within China, shown in figure 3.5-3: Taiwan, along with Hong Kong, still has by far the largest number of usable hosts in China.
3.7. Memcached
Memcached is a free, open-source, high-performance distributed memory object caching system, originally developed by Brad Fitzpatrick of Danga Interactive for LiveJournal. It has since become an important factor in the scalability of web applications at many services such as mixi, hatena, Facebook, Vox and LiveJournal. Memcached is a memory-based key-value store for small pieces of arbitrary data (strings, objects), which may be the results of database calls, API calls or page rendering. It is simple and powerful: its simple design eases rapid development, lowers development effort and solves many problems of caching large amounts of data, and its API is compatible with most popular development languages. In essence it is a simple key-value storage system whose usual purpose is to reduce the number of database accesses by caching query results, improving the speed and scalability of dynamic web applications.
By default the memcached server also listens on TCP/UDP port 11211, and the storage service can be used without authentication. On March 2, 2018, ZoomEye scanned the whole Internet for UDP port 11211 and detected memcached instances without authentication, obtaining 14142 targets in total. Their global distribution is shown in figure 3.7-1:
The figure shows that there is still a large gap between China's attention to security issues and that of other countries: of the 14142 valid targets, 11368 have IP addresses in China. The distribution of the Chinese targets by province is shown in figure 3.7-2:
When memcached has no authentication enabled, anyone can access the server, store key-value pairs and then retrieve a value by its key. To gauge the global usability of memcached, we stored an entry with a 1-byte key and a 1 KB value in memcached and then fetched it by key, which gives an amplification effect of nearly 1000 times. Since memcached also listens on UDP by default, it can be used for DDoS reflection amplification attacks. How much memcached can amplify depends on:
- Memcached server bandwidth
- Maximum length of values that memcached can store
We ran a test with our own server: first we had the usable memcached instances store a 1 KB value, then fetched that value from all targets at the same time, and received 886 Mbit/s of traffic, as shown in figure 3.7-3:
3.8. CoAP
CoAP (Constrained Application Protocol) is an application-layer protocol for Internet of Things networks, specified in detail in RFC 7252. Most IoT devices are resource-constrained, with limited CPU, RAM, bandwidth and so on, and for such devices using TCP and HTTP directly for device-to-device communication is too expensive. CoAP was created so that these resource-constrained devices can still access the network smoothly. CoAP, the Constrained Application Protocol, is an HTTP-like protocol implemented over UDP. Compared with HTTP, CoAP inherits HTTP's reliable transmission, data retransmission, block retransmission and IP multicast, and it transmits data in a binary format, which makes CoAP requests more lightweight and less bandwidth-hungry.
The CoAP specification requires a device providing services to expose the URI path /.well-known/core and to bind to port 5683 by default. On May 6, 2019, 857031 hosts related to UDP port 5683 were obtained through the ZoomEye cyberspace detection engine. In fact 344462 hosts had port 5683 open, 40.19% of the total scanned. Among the hosts with port 5683 open, 137207 have an amplification factor of more than 10, 39.83% of the total. See figure 3.8-1 for the exact data.
The global distribution of responding hosts is shown in figure 3.8-2; they are concentrated in Russia and China:
The domestic distribution of responding hosts is shown in figure 3.8-3; they are concentrated in Jiangxi, Sichuan and Xinjiang.
In addition, we analyzed the response messages of domestic devices and found that a large number of device responses contain the keyword QLink.
4. Summary
Compared with the data from the previous three rounds, the biggest change in the fourth round is the NTP service: NTP servers on the Internet can no longer be used to produce high-volume DDoS reflection amplification attacks. The other protocols have also seen their numbers of usable hosts decrease to varying degrees. DDoS reflection amplification attacks remain harmful, and DDoS defense remains urgent.
Comparing the data detected by ZoomEye with the memcached services on the public Internet:
In ZoomEye's database, 540 thousand targets have port 11211 open, including 230 thousand in the United States and 130 thousand in China. However, the total number with UDP port 11211 open is only 14142, including 1070 in the United States and 11368 in China.
This comparison shows that the United States responds very quickly to such security incidents, and that the gap between China and the United States remains large.
In terms of amplification effect, although the usable targets have been reduced to about 10 thousand, they can still produce high-volume DDoS attacks.
For memcached users, we recommend closing the UDP port and enabling SASL authentication. For network operators, we recommend enabling unicast reverse path forwarding (uRPF) on routers. This mechanism performs a reverse route lookup on the packet's source address to block attacks based on source address spoofing; with it in place, UDP reflection attacks become ineffective.
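An added example (not the report's code) of checking the memcached recommendation above, and the UDP/no-authentication exposure described in section 3.7, against a Debian-style memcached.conf with one option per line; it also flags binding to every interface, an assumed extra good-practice check. The sample configurations are constructed.

```python
import shlex

# memcached's real startup flags used here: -U sets the UDP port (0 disables
# UDP), -S enables SASL authentication, -l sets the listen address.


def _parse_options(conf_text):
    """Turn a Debian-style memcached.conf (one option per line, '#' comments)
    into an argv-like token list."""
    tokens = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    return tokens


def audit_memcached_conf(conf_text):
    """Return findings against the report's advice (UDP off, SASL on) plus an
    assumed extra check that the daemon is not bound to every interface."""
    tokens = _parse_options(conf_text)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        # A flag followed by a non-flag token takes that token as its value.
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    findings = []
    # Older memcached builds enable UDP on 11211 unless '-U 0' is given, so a
    # missing -U is treated as enabled (conservative assumption).
    udp_port = opts.get("-U", "11211")
    if udp_port != "0":
        findings.append(f"UDP enabled on port {udp_port}: add '-U 0'")
    if "-S" not in opts:
        findings.append("SASL authentication not enabled: add '-S'")
    if opts.get("-l", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("bound to all interfaces: set '-l' to an internal address")
    return findings


WEAK_CONF = "-m 64\n-p 11211\n-U 11211\n-l 0.0.0.0\n"                    # constructed
HARDENED_CONF = "-m 64\n-p 11211\n-U 0\n-S\n-l 10.0.0.5  # cache vlan\n"  # constructed
```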
The fifth edition adds detection of CoAP. The statistics above show that the hosts usable for DDoS reflection amplification are concentrated in Russia and China, and that many of them amplify by more than 10 times. For Internet services using CoAP, UDP can be disabled; if it cannot be disabled, ensure that the response is not a multiple of the request in size, or enable authorization. For enterprise users, if there is no UDP-related business, UDP packets can be filtered at the upstream or local firewall, operators can be asked to provide UDP-blackholed IP ranges for external website services, or DDoS cloud security services can be adopted; the protocol's default path can also be removed. For IoT users, if there is no need for public network access, IoT devices should not be given public IPs; if public access is needed, firewall rules should restrict which source IPs may access them, reducing Internet exposure.
5. Reference links
1. Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS. https://blog.cloudflare.com/ssdp-100gbps/
2. Theory and implementation of SNMP-based reflection attacks. http://drops.xmd5.com/static/drops/tips-2106.html
3. Research on DRDoS denial of service attack technology based on the memcached distributed system. https://paper.seebug.org/535/
4. ZoomEye chargen dork. https://www.zoomeye.org/searchResult?q=port%3A19
5. ZoomEye NTP dork. https://www.zoomeye.org/searchResult?q=port%3A123
6. ZoomEye DNS dork. https://www.zoomeye.org/searchResult?q=port%3A53
7. ZoomEye SNMP dork. https://www.zoomeye.org/searchResult?q=port%3A161
8. ZoomEye LDAP dork. https://www.zoomeye.org/searchResult?q=port%3A389
9. ZoomEye SSDP dork. https://www.zoomeye.org/searchResult?q=port%3A1900
10. ZoomEye Memcached dork. https://www.zoomeye.org/searchResult?q=port%3A11211
11. ZoomEye CoAP dork. https://www.zoomeye.org/searchResult?q=port%3A5683
This article was published by Seebug Paper. Please indicate the source when reprinting. Address: https://paper.seebug.org/898/