Investigates a UDP-based protocol that has been added to the list of DDoS amplification scripts available for malicious use
Akamai SIRT is investigating a new DDoS reflection and amplification method that abuses TFTP. This is yet another UDP-based protocol that has been added to the list of DDoS amplification scripts available for malicious use. A weaponized version of the TFTP attack script began circulating at around the same time that research on the feasibility of this attack method was published. The research was conducted by Edinburgh Napier University.
As of April 20, 2016, Akamai has mitigated 10 attacks using this method against our customer base. Most of the attack campaigns consisted of multi-vector attacks that included TFTP reflection. This is an indication that the method has possibly been integrated into at least one site offering DDoS as a service. Details of these attacks follow, along with observations on the notably narrow distribution of source IPs seen during the early attacks.
Trivial File Transfer Protocol has been around for years. It is used to transfer firmware and configuration files, typically for networking devices, but it is not limited to those devices. Its simple design leaves out many features such as authentication and directory listing. Malicious actors have now added this protocol to the growing arsenal of reflection-based amplification DDoS attack vectors, using TFTP servers that expose the TFTP port to the internet.
Based on lab testing, most TFTP servers won't respond to this request; the usual result is a file-not-found or other error message. As with other popular reflection methods such as NTP, SSDP, and DNS, the requests are sent at alarming rates and simultaneously to multiple TFTP servers. Each request is forged so that the victim TFTP server (the reflector) sends its response to the malicious actor's intended target IP. Although the TFTP reflectors used thus far hold large files, sometimes over 20K bytes, only a limited portion is returned: because the target of the attack never acknowledges the data, only the first block is sent, which limits the amplification achievable from a single request.
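As an added illustration, not code from the advisory or Akamai's own tooling, the following Python decodes the RFC 1350 messages involved, computes the payload amplification of one read request answered by a first data block, and flags hosts that receive TFTP replies (including the "Out of memory" errors noted later in this advisory) from servers they never queried. The sample traffic, addresses and file name are constructed.

```python
import struct
from collections import defaultdict

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def parse_tftp(payload: bytes) -> dict:
    """Decode the opcode-specific header of a TFTP UDP payload."""
    if len(payload) < 2:
        raise ValueError("payload too short for a TFTP opcode")
    kind = OPCODES.get(struct.unpack("!H", payload[:2])[0], "UNKNOWN")
    if kind in ("RRQ", "WRQ"):  # filename NUL mode NUL [options]
        return {"op": kind, "filename": payload[2:].split(b"\x00")[0].decode("latin-1")}
    if kind == "DATA":
        return {"op": kind, "block": struct.unpack("!H", payload[2:4])[0], "data_len": len(payload) - 4}
    if kind == "ERROR":
        return {"op": kind, "code": struct.unpack("!H", payload[2:4])[0],
                "msg": payload[4:].split(b"\x00")[0].decode("latin-1")}
    return {"op": kind}

def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the reflector sends the victim per byte the attacker sends (UDP payload only)."""
    return len(response) / len(request)

def find_reflection_victims(flows):
    """flows: (src_ip, src_port, dst_ip, dst_port, payload) UDP records already known to be
    TFTP. Flags hosts that receive DATA or ERROR from a server they never sent a request to.
    Replies come from the server's fresh transfer-ID port, not 69, so we match on IP pair."""
    requested = set()              # (client, server) pairs with a preceding RRQ/WRQ
    unsolicited = defaultdict(int)
    for src, _sport, dst, dport, payload in flows:
        pkt = parse_tftp(payload)
        if dport == 69 and pkt["op"] in ("RRQ", "WRQ"):
            requested.add((src, dst))
        elif pkt["op"] in ("DATA", "ERROR") and (dst, src) not in requested:
            unsolicited[dst] += 1
    return dict(unsolicited)

# Constructed sample traffic: one legitimate transfer plus two reflected replies.
RRQ = build_rrq("config.bin")
DATA1 = struct.pack("!HH", 3, 1) + b"\x00" * 512         # first (and only) 512-byte block
OOM = struct.pack("!HH", 5, 0) + b"Out of memory\x00"    # error string seen in attack signatures
SAMPLE_FLOWS = [
    ("10.0.0.5", 40000, "192.0.2.10", 69, RRQ),           # real client asks for a file
    ("192.0.2.10", 51234, "10.0.0.5", 40000, DATA1),      # server answers that client
    ("192.0.2.10", 51235, "203.0.113.7", 3120, DATA1),    # spoofed request: victim never asked
    ("198.51.100.3", 51236, "203.0.113.7", 3121, OOM),    # overloaded reflector's error reply
]
```

With a 19-byte request and a 516-byte first block, the payload amplification is about 27x; the detector reports 203.0.113.7 as receiving two unsolicited TFTP replies.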
It seems malicious actors wasted little time in creating a scripted attack tool for TFTP DDoS. A total of 4 attacks have been observed so far, starting on March 14. The largest attack using only TFTP reflection peaked at 1.2 Gbps. The release of the attack script also appears to coincide with media coverage of the research into the feasibility of this attack method. The attack tool borrows much of the same code as other UDP-based reflection tools, and its command line is similar as well. In most of the observed attacks the port parameter was ignored, resulting in random ports.
Most of the attack sources originate in Asia, with later attacks adding sources from Europe. This attack is also limited by the nature of TFTP, which is designed to deliver files, typically configuration files, to a limited number of hosts at a time. In fact, messages like “Out of memory” in attack signatures suggest that the TFTP servers are unable to handle the rapid-fire queries sent by the TFTP flood attack tool.
To access other white papers, threat bulletins and attack reports, please visit our Security Research and Intelligence section on Akamai Community.