Classification: TLP-GREEN    Risk Level: MEDIUM    Release Date: 6.1.16

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

1.0 / OVERVIEW /

Akamai SIRT is investigating a new DDoS reflection and amplification method that abuses TFTP. This is yet another UDP-based protocol that has been added to the list of DDoS amplification scripts available for malicious use.

A weaponized version of the TFTP attack script began circulating around the same time as publications regarding research on the possibility of this attack method were posted. The research was conducted by Edinburgh Napier University.

As of April 20, 2016, Akamai has mitigated 10 attacks using this method against our customer base. Most of the attack campaigns consisted of multi-vector attacks which included TFTP reflection, an indication that this method has possibly been integrated into at least one site offering DDoS as a service. Details of these attacks follow, along with a revealing lack of distribution in the IP sources observed during early attacks.

2.0 / HIGHLIGHTED CAMPAIGN ATTRIBUTES /

Here are the basic details of what is involved in these attacks:

● Peak bandwidth: 1.2 Gigabits per second
● Peak packets per second: 176.4 Thousand Packets per second
● Attack Vector: TFTP Reflection
● Source port: 69 (TFTP)
● Destination port: Random

Attack payload response with default size 512 + 4 byte data block:

    16:00:11.497689 IP x.x.x.x.69 > x.x.x.x.10009: 516 DATA block 1
    16:00:11.497833 IP x.x.x.x.69 > x.x.x.x.10009: 516 DATA block 1

Attack payload response with server default response 1456 + 4 byte data block:

    13:12:34.511256 IP x.x.x.x.69 > x.x.x.x.19636: 1460 DATA block 1
    <snip> ...PXE->EB:...PXENV+ at .!PXE at .No PXE stack found! .entry point at .
    UNDI code segment.,data segment.(.kB) . UNDI device is PCI.
    Unable to determine UNDI physical device.,type.(workaround enabled)......kB free base
    memory after PXE unload . UNDI API call . failed: status code . <snip>

Attack payload 3:

    08:53:03.540217 IP x.x.x.x.69 > x.x.x.x.51716: 1460 DATA block 1
    08:53:03.541582 IP x.x.x.x.214.69 > x.x.x.x.46625: 1460 DATA block 1

Attack payload 4:

    18:38:18.086417 IP x.x.x.x.69 > x.x.x.x.41886: 516 DATA block 1
    <snip> .L.!This program cannot be run in DOS mode.
    <snip>
    18:38:18.090832 IP 209.242.10.150.69 > 185.34.104.45.62798: 516 ERROR ENOTFOUND "Can't open file for read/write"

Figure 1: Payload samples from all 4 attacks. Only the first block of DATA (block 1) is sent to the target.

Figure 2: Represents source ASN information of reflectors used in DDoS attacks against our customers.

3.0 / ATTACK CHARACTERISTICS /

Trivial File Transfer Protocol has been around for years. It can be used for file transfers of firmware and configuration files, typically for networking devices, but it's not limited to just those devices.

Its simple design leaves out many features like authentication and directory listing capabilities. This simplicity also makes it ideal for use in PXE (Preboot eXecution Environment) deployments, which are normally only LAN accessible and listen on UDP port 69 by default. Malicious actors have now added this protocol to the growing arsenal of reflection-based amplification DDoS attack vectors, using TFTP servers that are exposing this port to the internet.

Still, there are some limitations to the effectiveness of this attack using the currently observed methods.

Based on observed attack payloads, the behavior seems consistent with what is expected and described in RFC 1350. The targets of the TFTP reflection DDoS are flooded with DATA responses to RRQ (read request) packets. The attack tool, described later, makes a default request for a file, "/x" in this case, from the TFTP server. The victim TFTP server returns data to the requesting target host as a result of this request regardless of the filename mismatch.

A similar request can be made using a tftp client from the command line on Linux. Running a command such as "tftp localhost -c get /x" will result in the request payload below, which would subsequently time out unless tested against a real tftp server.

    Command: tftp localhost -c get /x
    15:21:43.291149 IP (tos 0x0, ttl 64, id 58345, offset 0, flags [none], proto UDP (17), length 42)
        x.x.x.x.49915 > x.x.x.x.69: [udp sum ok] 14 RRQ "/x" netascii
    E..*[email protected]../x.netascii.

Figure 3: Payload sample of basic tftp read request for file "/x" using regular TFTP client.
Based on lab testing, most TFTP servers won't respond to this request. The result would normally be a file not found or other error message. As with other popular methods of reflection like NTP, SSDP, and DNS, the requests are sent at alarming rates and simultaneously to multiple TFTP servers. The request is forged in a way that forces the victim TFTP server to respond back to the malicious actor's intended target IP.

Although the TFTP reflectors used thus far contain large files, sometimes over 20 Kbytes, only a limited portion is returned. TFTP sends back data in specific block sizes; by default this is 512 bytes of data plus an additional 4 bytes of TFTP header (opcode and block number), 516 bytes total. The largest replies observed in attacks have contained 1,460 bytes all together as part of the payload.

This puts amplification at 36.86 and 104.29 for those two payloads respectively, without taking IP and UDP headers into consideration. Luckily TFTP only sends out data in specific block sizes and requires acknowledgement of each block being received. Since the target of the attack will never acknowledge the data, only the first block is sent. This mitigates the potential of higher amplification based on single requests.

The next section will delve into a weaponized version of this attack tool already in the wild.

4.0 / AMPLIFICATION DDOS TOOL /

Not much time was wasted, it seems, by malicious actors in creating a scripted attack tool for TFTP DDoS. A total of 4 attacks have been observed so far, starting on March 14th. The largest attack using only TFTP reflection peaked at 1.2 Gbps. The release of the attack script also seems to coincide with media publications regarding the research into the possibility of this attack method.

The attack tool borrows much of the same code as other UDP-based reflection tools. The command line is similar as well. The input required is a target IP (used as the source of the attack tool requests), the port (usually seen as the destination port at the target), a file listing TFTP server addresses, number of threads, packet-per-second rate limit, and attack runtime.

The attacks observed in most cases ignored the port parameter and resulted in random ports. Below is a sample of the requests going out as seen in tcpdump within a lab environment.
    13:37:28.646587 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.647979 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.648357 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.648617 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.651597 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.652093 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.653410 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.655413 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.656291 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii
    13:37:28.657912 IP x.x.x.x.44235 > x.x.x.x.69: 14 RRQ "/x" netascii

Figure 4: Ten packet sample of the attack tool flood of requests.

The payload in the attack request is the same as the command line version performed previously. The code contains a section defining the parameters used in the attack request payload, as shown below.

    memcpy((void *)udph + sizeof(struct udphdr),
           "\x00\x01\x2f\x78\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00", 14);

Figure 5: Attack script tool payload portion.

The values translate to the following TFTP options:

    00 01                    - opcode 1 = read request (RRQ)
    2f 78                    - /x = filename specified
    00                       - filename terminating byte
    6e 65 74 61 73 63 69 69  - mode netascii = using mode netascii
    00                       - mode terminating byte

Figure 6: Represents the byte translation of TFTP options.

The same values can be seen in Wireshark when examining either a regular TFTP request done from the command line with mode "netascii" or one made using the attack tool.

Figure 7: Wireshark view of tftp request payload.

The specific reasoning behind using "/x" as a filename is unknown at this point. This is likely the first thing that worked to initiate a file transfer on some TFTP servers. Inspection of attack payloads so far seems to indicate that the affected victims being leveraged for this reflection are part of PXE deployments. Testing with regular standalone TFTP servers reveals that these are not suitable reflectors. A common error from these servers is a simple file not found message.
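The byte translation in Figure 6 and the amplification figures in section 3.0 can both be checked against a small RFC 1350 decoder. The following is an added example written for this advisory; it is not Akamai's code nor the attack tool. ABUSE_RRQ is the 14-byte request shown in Figure 5; the DATA and ERROR packets built here are constructed to match the reply sizes the advisory reports (516 and 1460 bytes), and is_abuse_request performs the same exact 14-byte content match the advisory's Snort rule does.

```python
"""Decode TFTP packets and work out the amplification of a reflected reply.

Added example for this advisory; not Akamai's code or the attack tool.
ABUSE_RRQ is the 14-byte request the advisory shows; the DATA and ERROR
packets built below are constructed to match the observed reply sizes.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# opcode 1 (RRQ), filename "/x", NUL, mode "netascii", NUL  (Figures 5 and 6)
ABUSE_RRQ = b"\x00\x01\x2f\x78\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00"


def decode_tftp(payload: bytes) -> dict:
    """Decode one TFTP packet (RFC 1350) into its fields."""
    if len(payload) < 4:
        raise ValueError("TFTP packet is shorter than the 4-byte header")
    opcode = struct.unpack("!H", payload[:2])[0]
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        # <opcode><filename>\0<mode>\0 ; splitting on NUL yields [filename, mode, ""]
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3 or parts[-1] != b"":
            raise ValueError("malformed request: missing NUL terminator")
        return {"op": kind,
                "filename": parts[0].decode("ascii", "replace"),
                "mode": parts[1].decode("ascii", "replace").lower()}
    if kind in ("DATA", "ACK"):
        # <opcode><block#>[data]; a DATA packet carries up to blksize bytes of data
        block = struct.unpack("!H", payload[2:4])[0]
        return {"op": kind, "block": block, "data_len": len(payload) - 4}
    if kind == "ERROR":
        # <opcode><errcode><message>\0
        code = struct.unpack("!H", payload[2:4])[0]
        msg = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"op": kind, "code": code, "message": msg}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def is_abuse_request(payload: bytes) -> bool:
    """True for the exact request the attack tool sends: the same 14-byte
    content match (dsize 14) that the advisory's Snort rule performs."""
    return len(payload) == 14 and payload == ABUSE_RRQ


def make_data(block: int, data: bytes) -> bytes:
    """Build a DATA packet: opcode 3, block number, then the data bytes."""
    return struct.pack("!HH", 3, block) + data


def make_error(code: int, message: str) -> bytes:
    """Build an ERROR packet: opcode 5, error code, NUL-terminated message."""
    return struct.pack("!HH", 5, code) + message.encode("ascii") + b"\x00"


def first_reply_size(file_size: int, blksize: int = 512) -> int:
    """Bytes a reflector returns for one unacknowledged RRQ: only block 1 is
    sent, i.e. min(file_size, blksize) bytes of data plus the 4-byte header."""
    return min(file_size, blksize) + 4


def amplification(request_len: int, reply_len: int) -> float:
    """Bandwidth amplification factor at the UDP payload level (IP/UDP headers excluded)."""
    return round(reply_len / request_len, 2)


if __name__ == "__main__":
    print(decode_tftp(ABUSE_RRQ))
    # default 512-byte block and the 1456-byte block seen in the attacks
    for size in (512, 1456):
        reply = make_data(1, b"\x90" * size)  # constructed filler data
        print(len(reply), "byte reply ->", amplification(len(ABUSE_RRQ), len(reply)), "x")
```

Running it reproduces the advisory's ratios of 36.86x and 104.29x for the 516- and 1460-byte replies, and first_reply_size shows why a 20 Kbyte file on the reflector still yields only one block when the target never ACKs.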
5.0 / RECOMMENDED MITIGATION /

This method of attack will not generate a high packet rate, but the volume generated may be enough to consume bandwidth at the target site. So far the peak traffic for a single-vector, TFTP-only attack has been measured at just over 1 Gbps.

TFTP is not recommended to be used over the internet. As such, here are some precautions that may mitigate further use of this reflection method.

For those hosting TFTP servers:

- Assess the need to have UDP port 69 exposed to the internet. This should be firewalled and only allowed to trusted sources.
- Snort or a similar IDS can be used to detect the abuse of TFTP servers in your network (rule provided below).

Customized Snort Detection:

    alert udp $EXTERNAL_NET any -> $HOME_NET 69 \
    (msg:"TFTP DDoS Abuse request"; \
    flow:to_server; \
    content:"|00012f78006e6574617363696900|"; dsize:14<>14; \
    classtype:Reflection-Abuse; \
    sid:201600003; rev:1;)

For targets of TFTP amplification DDoS:

- Upstream filtering of UDP source port 69 can be applied if possible.
- A DDoS mitigation provider can also be leveraged to absorb the attack traffic generated.

6.0 / CONCLUSION /

This attack will likely see more use as part of multi-vector attack campaigns. The appearance of this vector in multi-vector campaigns is early evidence of possible inclusion into one or more sites offering DDoS as a service.

Alone, TFTP has produced a 1.2 Gbps attack, but multi-vector campaigns, where TFTP is just one of many vectors, have peaked at just over 44 Gbps. So far, sources of TFTP reflection attacks collected during the early stages of attacks are poorly distributed. Mostly these are originating out of Asia, with later attacks adding in sources from Europe.

This attack is also limited by the nature of TFTP, as it's designed to deliver files, typically configuration files, but to a limited number of hosts at a time. In fact, messages like "Out of memory" in attack signatures allude to TFTP servers not being able to handle the rapid-fire queries sent by the TFTP flood attack tool.
As stated above, we recommend the following steps to mitigate the threat: for those hosting TFTP servers, assess the need to have UDP port 69 exposed to the Internet. This should be firewalled and only allowed to trusted sources. Snort or a similar IDS can be used to detect the abuse of TFTP servers in your network.

Customers who believe they are at risk and need additional direction can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or account team.

Non-customers can submit inquiries through Akamai's hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/ or on twitter @akamai.

To access other whitepapers, threat bulletins and attack reports, please visit our Security Research and Intelligence section on Akamai Community.