For the last 3 years we have been working on a research project on UDP services who could be and are being abused in relation to DDoS Attacks.

The original idea was to attempt to identify why a large part of DDoS attacks were originating from Russia and China, could this be due to the amount of services in the different countries or ?

The answer to this was not conclusive as the services abused had a high amount in the two countries there were no direct evidence onto why.

A guess could be that take-downs of vulnerable services in these countries, were not seen as much but again nothing conclusive.

The research covered 20 different UDP services, with 21 different attacks scenarios.

During this research as often happens when you go down the rabbit hole you end up in another place and the research turned from defensive to offensive.

By using the large dataset collected in this case only on UDP the attack scenario of “MaxPain” came to life. The thought behind this is that the closer to the target and attacker can come.

Looking at a “standard” anti-DDoS solution it could look like the below illustration

When applying the attack analysis of MaxPain you start searching as close to the victim for and work you way out. This can have the effect that instead of having to reach the DDoS size of 1-2 Tbit/s you just need to reach line speed on the internet connection.

It was also during this research that I found another UDP protocol that can be abused in DDoS attacks, in this case an IoT protocal named CoAP

“The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things.

The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.”

The service was not really being used when the research project started, however around between november 2017 and december 2018 it jumped from 6500 instances to 26.000 and last month it was close to 600.000 just in China and still raising.
This can be due to implementation in a service in China providing “The worlds first decentralized mobile network” (http://qlink.mobi)

Presenting the research

I has been an honor to present this research at RVASec 2018 (US), Hack.lu(LU), IDA Driving IT(DK) and Erhvervsakademi Aarhus(DK)

RVASec 2018, Richmond VA
https://github.com/eCrimeLabs/RVASec2018

Hack.lu in Luxembourg
https://github.com/eCrimeLabs/Hack.lu-2018

Raw data set from 2016-2018

Now this research project has come to an end and we are happy to announce that Censys has allowed eCrimeLabs to share the raw scanning dataset on the scans.io project page - https://scans.io/study/ecrimelabs-amplifiers.

The dataset consist of 3 large *.tar files, that again contains a lot of bz2 compressed json files.

If you like to work with PCAP’s instead a JSON file, the json2pcap conversion tool is located on Github. This can be used as “simulated” attacks, in your security products.

The structure of the JSON

Remeber

DIGITAL HYGIENE – Put demands to your ISP/Hosting provider, If you are an ISP/Hosting provider put demands to your customers.

http://bgpranking.circl.lu/

https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

https://www.cybergreen.net/

https://stats.cybergreen.net/country/denmark/

https://www.caida.org/projects/spoofer/