First it started out as a research paper on reflection distributed denial of service (DDoS) attacks, now it is going real life.
It all started three months after researchers from the Edinburgh Napier University published a study on how to carry out reflection DDoS attacks by abusing TFTP servers, security provider, Akamai, is now warning of real-life attacks.
Akamai SIRT, the company’s security team, found at least ten DDoS attacks since April 20, 2016, during which attackers leveraged TFTP servers to reflect traffic and send it tenfold toward their targets, in a tactic that’s called a “reflection” (or “amplification”) DDoS attack.
Attackers issued a small number of packets to TFTP servers, which contained various flaws in the protocol implementation, and then sent it back multiplied to their targets. The multiplication factor for TFTP DDoS attacks is 60, over the regular average for reflection DDoS attacks, which is between 2 and 10.
The attacks Akamai detected using TFTP servers were part of multi-vector DDoS attacks, during which bad guys mixed different DDoS-vulnerable protocols together, in order to confuse their target’s IT department and make it harder to mitigate, researchers said in a blog post.
Because the attack wasn’t pure, it never reached huge statistical measurements. Akamai reports the peak bandwidth was 1.2 Gbps, and the peak packet volume was 176,400 packets per second. These are low values for DDoS attacks, but enough to consume the target’s bandwidth.
Akamai SIRT said they started seeing a weaponized version of the TFTP attack script circulating online as soon as the Napier University study released.
The attack script is simple and takes user input values such as the victim’s IP, the attacked port, a list of IP addresses from vulnerable, Internet-available TFTP servers, the packet per second rate limit, the number of threads, and the time the script should run.
In the attacks it detected, Akamai said the crooks ignored to set the attacked port value, and their script sent out traffic to random ports on the target’s server.
Back in March, Napier University researchers said they found over 599,600 publicly open servers that had port 69 (TFTP) open.