WSD protocol used for amplifying DDoS | ThreatTraq

October 14, 2019  |  AT&T CHIEF SECURITY OFFICE (CSO)

Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jim Clausing, Principal Member of Technical Staff, AT&T; Stan Nurilov, Lead Member of Technical Staff, AT&T; and Andy Benavides, Professional - Technology Security, AT&T.

Stan: Hey, Jim. What's the story you have for us today?

Jim: This is an interesting one that I came across this week. Over the years on the show, we've talked about a lot of reflective DDoS attacks using various UDP methods. You know, the first ones were probably DNS and NTP, but we've also had SSDP. Well, I happened across an article this week on a DDoS using Web Services Dynamic Discovery (WSD), which is UDP port 3702, and it's basically SOAP-over-UDP. It has these structured queries they're doing in UDP packets, and you send a relatively small query, and get a large response. Since it's UDP, it can be spoofed, and so this has been turned into another reflective DDoS vector. But what I thought was interesting about this is that it's another case where this particular protocol isn't as widespread as some of the other ones we've talked about, such as NTP and DNS and SSDP. But it is found in printers, webcams, online DVR-type appliances, obviously, all things that shouldn't be exposed to the internet.

The article I was looking at, the ZDNet one, said that they became aware that it was being used for DDoS in the May timeframe. So I went and took a look at our data just to see what I could see, and what I discovered is it looks like it may have been discovered back in December of last year. If you take a look below at the graph of the flows, I'm showing 365 days, and you'll see there's a baseline there. And then there's a spike sometime around Christmas of last year, and then another spike in January. Then it started ramping up slowly, and then all of a sudden, in the last month or so, traffic really ramping up since, say, the middle of August, so maybe the last six weeks or so.

[Graphic: traffic on AT&T networks]

But I took another look, and I really believe that somebody discovered that it could be used for amplification - likely last December. Because when I looked at the bytes per flow, there were very few until that same spike in late December of last year. Since then, there has been a fair amount of these spikes. Surprisingly, while the number of flows has increased greatly in the last six weeks or so, the number of bytes per flow has actually dropped down considerably. I think some of those flows are scanning to see if they can find vulnerable systems. While the number of flows goes way up in the last six weeks and the number of DDoS has increased in six weeks, I think a fair amount of this may be scanning to find the vulnerable devices and not just the DDoS's themselves.

Whenever I see UDP used for distributed denial-of-service, I think, A), what are those devices doing directly connected to the internet? None of these devices - none of your printers, your webcams, your DVRs, need to be directly connected to the internet. And B), what are the ISPs doing as far as egress filtering so that the spoofed traffic isn't allowed to exit the local networks on to the internet in the first place?

Stan: I know one of the challenges for some of that egress filtering might be that the ISP has a lot of IP space, so the adversary can still spoof quite a bit of IP address space. But they'll be localized, so it's still important to do things like that.

Jim: Yes. It really is incumbent on the edge nodes to be filtering their egress. Because once it's gotten past the edge network, there’s not much we can do as a big network service provider, because we're connecting lots and lots of networks, we have to rely on them to do the filtering when exiting their network onto our backbone. But the edge networks, the leaf nodes if you will, are the ones that really need to be watching their egress and trying to filter it. Because you're right, once it's on the ISP's network, they've got so much space and so many different networks that you could still have a lot of significant DDoS traffic just within that one space.

Stan: Another thing that you said that resonated with me is that first spike being around Christmastime of last year, which I think we've seen before, definitely heard before. A lot of this type of DDoS may be related to gaming activity, and a lot of people who like to do gaming may also go to school, and they have a break for Christmastime. And this is where they get to experiment with some of these tactics or some of these new techniques, especially something like this. Like, it's a new port that maybe somebody has discovered, and then they try it out. They scan in, and, "Oh, wow, this works."

Jim: And I think that's what that spike was. I think that spike was the initial discovery and then playing around and seeing how much amplification they could get. And then the actual DDoS's didn't start for some months yet after that.

Jim: Yes. And then building it up, and then others adopting it and hearing about it, and then using it within their toolkits. And then you see those other bigger spikes where, all of a sudden, others are scanning for it now and maybe trying to utilize the technique.

Andy: Any devices that you own, printers, security cameras - things that are not computers but ultimately have computers, make sure they're not accessible on the internet. A lot of the time, when you buy a new security camera and you're setting it up on your network, you want to do your due diligence and make sure that if you're sitting outside of your network, you can't talk to it. Because if you can talk to it and it's running the service, somebody can actually go in and turn it into a bot.
