Special thanks to Hardik Modi, Steve Siadak and Roland Dobbins for their contributions on this post.

Reflection amplification is a technique that allows cyber attackers to both magnify the amount of malicious traffic they can generate, and obfuscate the sources of that attack traffic. For the past five years, this combination has been irresistible to attackers, and for good reason.

This simple capability, of turning small requests into larger, ‘amplified’ responses, changed the Distributed Denial of Service (DDoS) attack landscape dramatically. In fact, NETSCOUT Arbor has called this the Hockey Stick Era of DDoS, where we saw massive spikes in DDoS attack size due to the increasing use of reflection/amplification techniques. I was asking “How likely is a DDoS Armageddon attack?” I wondered whether a terabit attack was possible, and what the potential for collateral damage was.

Now, thanks to a disclosure from Akamai, we know the answer. Yes, we can, and did, have a terabit attack. Looking at the chart below, this was inevitable given the firepower in the hands of today’s sophisticated attackers. Between reflection amplification and the emergence of IoT botnets, this milestone was destined to happen.

Arbor has worked closely with our customer base, the service provider community, and the industry at large to develop and implement best current practices to prepare for situations such as this where the DDoS threat pivots. We expect the exploitation of this vector to continue so there will likely be attacks of similar or even greater magnitude coming. Please reach out to your local Arbor representatives for any assistance or consultation you need to ensure you are prepared.

Here’s a look back at how we got here, on the backs of attacker ingenuity and powerful reflection amplification attack capabilities.

2013-2014: The Time is Now

Network Time Protocol (NTP) is designed to synchronize the clock on your laptop, smartphone, tablet, and network infrastructure devices. NTP has been implemented in all major operating systems, network infrastructure and embedded devices. There are over a hundred thousand NTP servers with administrative functions ill-advisably open to the general internet and vulnerable. In other words, compromising NTP represented a gold mine for attackers looking to amplify the size of their DDoS attack capabilities. The skilled attackers who pioneer new attack vectors often look to automate and monetize their new capabilities. Sure enough, in 2013, malware exploiting NTP was weaponized. Attack tools and booter/stresser attack services using the NTP protocol became widely available, putting high-volume NTP reflection/amplification DDoS attacks within reach of anyone with a grievance and an internet connection. At this time, NTP replaced DNS as the prominent reflection/amplification vector because its amplification potential made even larger attacks a possibility.

Data from our ATLAS global threat intelligence system showed an unprecedented spike in volumetric attacks, driven by the proliferation of NTP reflection/amplification attacks.

Average NTP traffic globally in November 2013 was 1.29 GB/sec; by February 2014 it was 351.64 GB/sec.

NTP was used in 14% of DDoS events overall, but 56% of events over 10 GB/sec and 84.7% of events over 100 GB/sec.

A series of NTP reflection/amplification attacks was launched against multiple online gaming services, causing widespread outages. As NETSCOUT Arbor CTO Darren Anstee commented at the time,

“Arbor has been monitoring and mitigating DDoS attacks since 2000. The spike in the size and frequency of large attacks so far in 2014 has been unprecedented.”

2015: Rise of IOB, the Internet of Botnets

Botnets have evolved significantly over the years. In the past few years alone, with the proliferation of IoT devices, and their inherent lack of security, there has been dramatic growth in both the number and size of botnets. Combined with reflection amplification capabilities, attackers now have unprecedented power in their hands.

The User Datagram Protocol (UDP) is at the core of the Internet. By 2015, UDP-based reflection/amplification attacks were responsible for generating some of the largest volumetric DDoS flood attacks ever observed. In July, in a report titled Amplifying Black Energy, NETSCOUT Arbor’s Security Engineering & Response Team (ASERT) flagged a new development related to reflection/amplification attacks. ASERT had been reporting on the Black Energy malware family since 2007, noting at that time that it was a “relatively unsophisticated” DDoS attack platform. But the newly emerging Black Energy 2 plugin (ntp.dll) allowed “BE2” botnets to launch and control truly distributed NTP reflection/amplification attacks.

A botnet is a network of internet-connected devices, e.g. PCs, servers, mobile devices and internet of things (IoT) devices, that are infected with malware and controlled as a group. The exploitation of the Black Energy 2 plugin was significant because it represented one of the first command-and-control (C&C) – not standalone – Windows bots to correctly and effectively implement an NTP-based reflection/amplification attack. By combining these powerful reflection/amplification DDoS capabilities with the use of ‘traditional’ Windows botnets as the original emitting source of spoofed request floods, it was now possible for Black Energy to increase the intensity of these attacks even further.

2016: No Stone Unturned

Attackers are generally resourceful, or lazy, depending on your point of view. Sometimes they don’t need to find a new exploit; they simply return to old vulnerabilities that are left open for the taking. With over 28 million open DNS resolvers, DNS is a prime example. 28 million open resolvers are tailor-made for use in reflection/amplification techniques. Using large botnets such as Mirai or Satori makes generating very large attacks all too easy.

In 2016, ATLAS documented a strong resurgence of DNS as the dominant protocol being leveraged for reflection/amplification attacks. Throughout this year, the number of DNS reflection/amplification attacks being tracked per week nearly doubled, from approximately 10,500 to 18,500. Other protocols were being used as well, to a lesser extent; DNS, NTP and Chargen represented the top three reflection/amplification attack vectors.

2017: Success Breeds Imitation

In 2017, attackers continued to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Perhaps due to some highly publicized successful exploits, DNS continued to be the most common reflection/amplification attack vector. In fact, the number of DNS reflection/amplification attacks was greater than all the other attack vectors combined. The number of DNS attacks was nearly double that of the second most common exploit, NTP reflection/amplification attacks. And attackers found a new exploit this year, as we observed massive growth in the use of CLDAP for reflection/amplification attacks during the second half of 2017.

In the 13th annual Worldwide Infrastructure Security Report, we specifically asked respondents about the protocols used to generate volumetric reflection/amplification attacks. Nearly all protocols showed similar activity to 2016, with DNS and NTP remaining the most commonly used vectors.

New and novel attack vectors will always be developed by skilled attackers. What’s unfortunate is that attackers can continue, year after year, to leverage the same poorly configured or protected infrastructures to magnify their destructive capabilities.

2018: Here We Go Again

Already in 2018, another widely used application, memcached, has joined the ranks of high-bandwidth reflection/amplification exploits. Open source and free, memcached is a high-performance, distributed memory caching system designed to optimize dynamic web applications. February saw a significant increase in the abuse of misconfigured memcached servers residing on Internet Data Center (IDC) networks. “According to US-CERT, memcached has a bandwidth amplification factor of 10,000 to 51,000, which is by far the highest when compared with that of other UDP protocols.” Multiple independent researchers have observed these higher amplification factors in action. Because of this, the potential impact on the victim now depends more on the capacity of the transit links from the systems being exploited in these reflection/amplification attacks.

Memcached servers are now being used as reflectors/amplifiers to launch extremely high-volume UDP reflection/amplification attacks. They are proving especially effective because memcached servers have high-bandwidth access links and reside on networks with high-speed transit uplinks. This makes memcached servers ideal for use in high-bandwidth reflection/amplification DDoS attacks.

The chart above reveals that memcached attacks have been observed at a fairly constant rate over the past few months. It's the intensity of these attacks that changed considerably earlier this year, as evidenced when you look at the aggregate bandwidth volume.

ASERT observed a considerable uptick in memcached reflection/amplification attacks ranging in size from a few hundred Mbps up to 500 Gbps and larger.
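A defender-side illustration of the vectors named in this post, added here as an example and not taken from Arbor or ATLAS: it groups inbound flow records by UDP source port to show which reflection vector is hitting which destination, and how many distinct reflectors are involved. The flow record layout, thresholds and sample records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# UDP source ports of the reflection vectors named in this post (IANA-assigned ports).
VECTORS = {19: "chargen", 53: "dns", 123: "ntp", 389: "cldap",
           1900: "ssdp", 11211: "memcached"}

# Constructed 60-second flow export (documentation address ranges):
# src_ip,src_port,dst_ip,dst_port,ip_proto,packets,bytes
SAMPLE_FLOWS = """\
198.51.100.10,11211,203.0.113.5,40112,17,90000,126000000
198.51.100.11,11211,203.0.113.5,40112,17,85000,119000000
198.51.100.12,11211,203.0.113.5,51877,17,88000,123200000
192.0.2.7,123,203.0.113.5,40112,17,4,360
192.0.2.53,53,203.0.113.9,33012,17,12,1800
192.0.2.80,443,203.0.113.5,50222,6,900,1200000
"""

def summarize_reflection(flow_csv, window_s=60, min_bps=1_000_000, min_reflectors=3):
    """Group inbound UDP flows by (destination, vector) and flag likely floods."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for src, sport, dst, _dport, proto, pkts, nbytes in csv.reader(io.StringIO(flow_csv)):
        vector = VECTORS.get(int(sport))
        # Reflected traffic arrives as UDP *responses*: source port = service port.
        if int(proto) != 17 or vector is None:
            continue
        entry = agg[(dst, vector)]
        entry["bytes"] += int(nbytes)
        entry["packets"] += int(pkts)
        entry["reflectors"].add(src)
    report = []
    for (dst, vector), e in sorted(agg.items()):
        bps = e["bytes"] * 8 / window_s
        report.append({
            "dst": dst, "vector": vector, "bps": bps,
            "reflectors": len(e["reflectors"]),
            "avg_pkt_bytes": e["bytes"] / e["packets"],
            # Ordinary DNS/NTP replies also match the port test, so require both
            # a high rate and several distinct sources before flagging.
            "suspect": bps >= min_bps and len(e["reflectors"]) >= min_reflectors,
        })
    return report

if __name__ == "__main__":
    for row in summarize_reflection(SAMPLE_FLOWS):
        print(row)
```

The thresholds are placeholders; in practice they would be set against the normal traffic baseline for each protected destination.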

“Arbor’s current assessment is that, as with most other DDoS attack methodologies, memcached DDoS attacks were initially – and for a very brief interval – employed manually by skilled attackers; they have subsequently been weaponized and made available to attackers of all skill levels via so-called ‘booter/stresser’ DDoS-for-hire botnets. The rapid increase in the prevalence of these attacks indicates that this relatively new attack vector was weaponized and broadly leveraged by attackers within a relatively short interval.”

In other words, here we go again.