The key to any secure network in stopping 100% of UDP-based DNS amplification DDoS attacks is simple: follow BCP38. You ask, “but it’s 2014, and BCP38 came out in 2000, why bring it up?” Well, simply not enough networks are following the Best Common Practice.
Why I Bring Up BCP38
This last week saw the largest NTP amplification attack in history: 40 Gbps to be exact, exploiting a known bug in the NTP protocol. Take a look at Cloudflare’s technical details of the attack. This really simple attack focused on exploiting the MONLIST command in NTP.
This Week’s NTP Amplification Attack Details
A rogue server/workstation out there figured out where a few vulnerable NTP servers on the Internet existed. So like a good script-kiddie, they launched a MONLIST command which simply just asks the NTP server for a “list of up to the last 600 IP addresses that last accessed the NTP server.” Once they discovered a handful of these vulnerable servers, they decided to do what’s called IP-spoofing. IP-spoofing means they forged the source address of the NTP packet. Since UDP (which DNS, SNMP and NTP uses) does not require a a session set-up handshake like TCP, the NTP server will just send that list of 600 servers back to the IP that sent it. Now multiply this with a few hundred NTP requests with hundreds of different source IPs and you have yourself a mess. Sadly, because too many networks don’t follow BCP38.
BCP38 or IETF RFC 2827
BCP38 is also known as Network Ingress Filtering. This is the most simplest and most effective way to defeat every form of UDP-based DDoS attacks utilizing spoofed source IPs. All you have to do is create an access-list on your perimeter allowing ONLY your subnets to exit your network with the IP space you are responsible. For example, in Cisco IOS it looks like this if your IP space is 18.104.22.168/16:
ip access-list extended egress permit ip 22.214.171.124 0.0.255.255 any deny ip any any log
and in IPv6 would look like this:
ipv6 access-list egress6 permit ipv6 2001:db8::/32 any deny ipv6 any any log
Then take those access-lists and apply them to your interface going to your ISP like this:
interface GigabitEthernet0/2 description External ISP ip access-group egress out ipv6 traffic-filter egress6 out end
I recommend doing more than just the bare minimum by adding more ports/protocols than that. However, that ACL blocks all UDP-based spoofed IPv4 and IPv6 DDoS amplification attacks. Yes, that’s it. It’s that easy but yet most of the Internet still doesn’t get it.
Some other UDP-Based DDoS Amplification Attacks
Here’s a few other UDP-based DDoS amplification attacks utilizing the same spoofed-source IP varying on the protocol being used:
- DNS: https://www.watchguard.com/infocenter/editorial/41649.asp
- SNMP: http://www.nothink.org/misc/snmp_reflected.php
- SIP: http://www.researchgate.net/publication/238710542_Addressing_an_Amplification_Vulnerability_in_Session_Initiation_Protocol_%28SIP%29_Forking_Proxies
Please contact us if you have any questions or need follow up on information security related network issues today!