Denial-of-service attack
===Amplification===
Amplification attacks are used to magnify the bandwidth that is sent to a victim. Many services can be exploited to act as reflectors, some harder to block than others.<ref>{{cite web |last=Paxson|first=Vern |year=2001|url=http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html |title=An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks |publisher=ICIR.org}}</ref> US-CERT has observed that different services may result in different amplification factors, as tabulated below:<ref>{{cite web |date=July 8, 2014 |title=Alert (TA14-017A) UDP-based Amplification Attacks |publisher=US-CERT |url=http://www.us-cert.gov/ncas/alerts/TA14-017A |access-date=2014-07-08}}</ref>

{| class="wikitable"
|+ UDP-based amplification attacks
|-
! Protocol
! Amplification factor
! Notes
|-
| [[Mitel]] MiCollab
| 2,200,000,000<ref>{{cite web| url=https://blog.cloudflare.com/cve-2022-26143-amplification-attack/ |title=CVE-2022-26143: A Zero-Day vulnerability for launching UDP amplification DDoS attacks|website=[[Cloudflare]] Blog|date=2022-03-08|access-date=16 March 2022}}</ref>
|
|-
| [[Memcached]]
| 50,000
| Fixed in version 1.5.6<ref>{{cite web| url=https://github.com/memcached/memcached/wiki/ReleaseNotes156 |title=Memcached 1.5.6 Release Notes|website=[[GitHub]]|date=2018-02-27|access-date=3 March 2018}}</ref>
|-
| [[Network Time Protocol|NTP]]
| 556.9
| Fixed in version 4.2.7p26<ref>{{cite web|url=http://support.ntp.org/bin/view/Main/SecurityNotice#April_2010_DRDoS_Amplification_A|title=DRDoS / Amplification Attack using ntpdc monlist command|publisher=support.ntp.org|date=2010-04-24|access-date=2014-04-13}}</ref>
|-
| [[CHARGEN]]
| 358.8
|
|-
| [[DNS]]
| up to 179<ref>{{Cite book |last=van Rijswijk-Deij|first=Roland |title=Proceedings of the 2014 Conference on Internet Measurement Conference |chapter=DNSSEC and its potential for DDoS attacks: A comprehensive measurement study |year=2014|pages=449–460 |publisher=ACM Press|doi=10.1145/2663716.2663731 |isbn=9781450332132 |s2cid=2094604 |url=https://research.utwente.nl/en/publications/dnssec-and-its-potential-for-ddos-attacks--a-comprehensive-measurement-study(cb44e199-21c2-4486-ba0e-8a27c80b8a4f).html }}</ref>
|
|-
| [[QOTD]]
| 140.3
|
|-
| [[Quake engine#Network play|Quake Network Protocol]]
| 63.9
| Fixed in version 71
|-
| [[BitTorrent]]
| 4.0 - 54.3<ref>{{cite web |last=Adamsky|first=Florian |year=2015|url=https://www.usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent|title=P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks}}</ref>
| Fixed in libuTP since 2015
|-
| [[CoAP]]
| 10 - 50
|
|-
| ARMS
| 33.5
|
|-
| [[Simple Service Discovery Protocol|SSDP]]
| 30.8
|
|-
| [[Kad network|Kad]]
| 16.3
|
|-
| [[SNMPv2]]
| 6.3
|
|-
| [[Steam (service)|Steam Protocol]]
| 5.5
|
|-
| [[NetBIOS]]
| 3.8
|
|}

[[Domain Name System|DNS]] amplification attacks involve an attacker sending a DNS name lookup request to one or more public DNS servers, spoofing the source IP address of the targeted victim. The attacker tries to request as much information as possible, thus amplifying the DNS response that is sent to the targeted victim. Since the size of the request is significantly smaller than the response, the attacker is easily able to increase the amount of traffic directed at the target.<ref>{{cite web |year=2006|url=http://www.isotf.org/news/DNS-Amplification-Attacks.pdf |title=DNS Amplification Attacks |publisher=ISOTF |archive-url=https://web.archive.org/web/20101214074629/http://www.isotf.org/news/DNS-Amplification-Attacks.pdf |archive-date=2010-12-14|author1=Vaughn, Randal |author2=Evron, Gadi }}</ref><ref>{{cite web |date=July 8, 2013 |title=Alert (TA13-088A) DNS Amplification Attacks |publisher=US-CERT |url=http://www.us-cert.gov/ncas/alerts/TA13-088A |access-date=2013-07-17}}</ref>

[[Simple Network Management Protocol]] (SNMP) and [[Network Time Protocol]] (NTP) can also be exploited as reflectors in an amplification attack. One example of an amplified DDoS attack through NTP uses a command called monlist, which sends the details of the last 600 hosts that have requested the time from the NTP server back to the requester. A small request to this time server can be sent using a spoofed source IP address of some victim, which results in a response 556.9 times the size of the request being sent to the victim. The effect is multiplied when botnets all send requests with the same spoofed source IP address, which results in a massive amount of data being sent back to the victim.

It is very difficult to defend against these types of attacks because the response data is coming from legitimate servers. These attack requests are also sent through UDP, which does not require a connection to the server. This means that the source IP address is not verified when a request is received by the server. To bring awareness of these vulnerabilities, campaigns dedicated to finding amplification vectors have been started, which have led to people fixing their resolvers or having the resolvers shut down completely.{{citation needed|date=May 2022}}
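
The following Python example is an addition for illustration and is not part of the original article. It shows how the spoofing described above appears at the victim's network edge: responses arrive from reflector ports although no matching request ever left the network. The flow-tuple layout, the function name, the thresholds and the sample records are assumptions made for this example.

```python
from collections import defaultdict

# Standard UDP ports of some services the table lists as reflectors.
REFLECTOR_PORTS = {17: "QOTD", 19: "CHARGEN", 53: "DNS", 123: "NTP",
                   161: "SNMP", 1900: "SSDP", 11211: "Memcached"}

def find_reflection_targets(flows, min_sources=3, min_bytes=10_000):
    """Flag hosts receiving reflector-port UDP traffic they never asked for.

    flows: (src_ip, src_port, dst_ip, dst_port, byte_count) tuples seen at
    the protected network's edge. Thresholds are illustrative assumptions.
    """
    flows = list(flows)
    # Pass 1: requests that really left the network, keyed so that a reply
    # (server -> client) can be matched against them.
    asked = {(src, dst, dport) for src, _, dst, dport, _ in flows
             if dport in REFLECTOR_PORTS}
    # Pass 2: replies from reflector ports with no matching request. A spoofed
    # request travels from the attacker to the reflector, so the edge never
    # saw it; only the amplified reply shows up here.
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, _, size in flows:
        if sport in REFLECTOR_PORTS and (dst, src, sport) not in asked:
            entry = hits[(dst, REFLECTOR_PORTS[sport])]
            entry["sources"].add(src)
            entry["bytes"] += size
    return {key: {"sources": len(v["sources"]), "bytes": v["bytes"]}
            for key, v in hits.items()
            if len(v["sources"]) >= min_sources and v["bytes"] >= min_bytes}

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    ("203.0.113.20", 40001, "192.0.2.53", 53, 60),     # real DNS query
    ("192.0.2.53", 53, "203.0.113.20", 40001, 500),    # its answer: solicited
    ("203.0.113.10", 40123, "192.0.2.123", 123, 48),   # real NTP poll
    ("192.0.2.123", 123, "203.0.113.10", 40123, 48),   # its answer: solicited
] + [
    # Four NTP servers answering requests that 203.0.113.10 never sent.
    (f"198.51.100.{n}", 123, "203.0.113.10", 50000, 48_000)
    for n in range(1, 5)
]

if __name__ == "__main__":
    for (host, service), stats in find_reflection_targets(SAMPLE_FLOWS).items():
        print(host, service, stats)
```

Because the reflectors are legitimate servers, the per-source traffic looks ordinary; the signal is the combination of many distinct reflector sources and the absence of any outbound request from the flagged host.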