A new reflection/amplification DDoS method is being used in attacks that provides a record-breaking amplification ratio of almost 4.3 billion to 1. Distributed Denial of Service (DDoS) attacks target servers or networks with many requests and high volumes of data, aiming to deplete their available resources and cause a service outage. The amplification ratio is critical when conducting attacks, as the higher the number, the easier it is for threat actors to overwhelm well-protected endpoints with less firepower.
A huge amplification level - As detailed in a report that Akamai recently provided detailing a new attack vector relies on the abuse of insecure devices that serve as DDoS reflectors/amplifiers.[1] Reflection attacks start with a small packet reflected inside a closed network while its size gets amplified with each bounce. When reaching the possible upper limit, the resulting volume of traffic is channeled to the target.[2]
For this new DDoS method, threat actors are abusing a vulnerability tracked as CVE-2022-26143 in a driver used by Mitel devices that incorporate the TP-240 VoIP interface, such as MiVoice Business Express and MiCollab.
“The abused service on affected Mitel systems is called tp240dvr (“TP-240 driver”) and runs as a software bridge to facilitate interactions with the TP-240 VoIP processing interface cards,” Akamai on the vulnerability. “The daemon listens for commands on UDP/10074 and isn’t meant to be exposed to the Internet, as confirmed by the manufacturer of these devices. It is this exposure to the internet that ultimately allows it to be abused.” Akamai has counted 2,600 exposed Mitel devices currently vulnerable to this amplification flaw, while the vendor is already handling remediation with the customers.
|
Diagram demonstrating a DDoS amplification attack |
The driver features a traffic generation command designed to stress-test the clients, used for debugging and performance testing. By abusing this command, attackers can generate massive network traffic from these devices. Unfortunately, this is possible because the risky command is activated by default. O n a positive note, the associated daemon runs on a single-thread mode preventing parallel leverage, and due to the limited hardware resources on Mitel devices, the potential for attack volume has a relatively low upper ceiling.
Last week, Akamai disclosed a very similar DDoS method called “TCP Middlebox Reflection,” which leverages vulnerable firewalls and content filtering policy enforcement systems in middleboxes to achieve an amplification factor of 65x.[3]
Attacks in the wild - The first signs of attacks abusing Mitel devices were noticed on January 8, 2022, while the first actual attacks leveraging the vulnerable driver began on February 18, 2022. The targets were governments, commercial enterprises, financial institutions, logistic firms, broadband access ISPs, and other important organizations. “Observed attacks were primarily predicated on packets-per-second, or throughput, and appeared to be UDP reflection/amplification attacks sourced from UDP/10074 that were mainly directed towards destination ports UDP/80 and UDP/443,” details Akamai in their report. “The single largest observed attack of this type to date was approximately 53 million packets-per-second (mpps) and 23 gigabits-persecond (gb/sec). The average packet size for that attack was approximately 60 bytes, with an attack duration of approximately ~5 minutes.”
One notable difference of this vector against most UDP reflection methodologies is that it can sustain lengthy DDoS attacks, lasting for up to 14 hours. When evaluated from this perspective, the packet amplification ratio reaches 4,294,967,296:1, and the attack traffic can go up to 400 mpps with a sustained flood of 393mb/sec.
Outlook and protection - Over the past month, DDoS attacks have become increasingly common, especially since Russia invaded Ukraine. Even before the invasion, Ukrainian government agencies and banks suffered numerous DDoS attacks that took down their websites with the aim of sowing chaos within the country.[4] Since then, DDoS attacks have been conducted by Ukraine’s IT Army attacking Russian interests and supporters of Russia attacking Ukrainian and western entities. With DDoS attacks becoming so widely used, it is essential to try and harden your infrastructure against these types of attacks, especially at the amplification levels seen in this new DDoS method.
Akamai says that monitoring UDP/10074 traffic and implementing active packet capture and analysts’ systems to block attacks using this port will help mitigate reflection/amplification attacks. However, legitimate traffic may be using this port that would also be blocked.
The best way to prevent this new DDoS method is for organizations that use the TP-240 interface to follow Mitel’s remediation instructions, enforcing firewall rules to block malicious initiator packets or disable the abused command.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.akamai.com/blog/security/phone-home-ddos-attack-vector
[2] https://www.bleepingcomputer.com/news/security/ddos-attacks-now-use-new-record-breaking-amplification-vector/
[3] https://www.bleepingcomputer.com/news/security/content-filtering-devices-abused-for-65x-ddos-amplification/
[4] https://www.bleepingcompute r.com/news/security/ukrainian-military-agencies-state-owned-banks-hit-by-ddos-attacks/
Comments