Amplification DDoS Attacks Come Again

February 26, 2021 | Jie Ji

In February alone, another two amplification DDoS attacks caught our attention. One abuses Plex Media Servers and the other abuses Powerhouse VPN servers to amplify junk traffic toward victims.

Abuse Plex Media Server for Amplification Attacks

On 3 February, according to ZDNet, DDoS-for-hire services found a way to abuse Plex Media Servers to bounce junk traffic and amplify DDoS attacks.

Not surprisingly, the attack protocol is SSDP, which has commonly been used to launch amplification DDoS attacks. SSDP is a protocol for advertising and discovering network services and presence information. Reportedly, when a Plex Media Server discovers a local router that has the SSDP service enabled, it adds a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.

The amplification factor is up to 4.68. That means a 52-byte request packet sent by an attacker leads to a 281-byte response packet. Attackers can easily forge the source IP, directing all the response traffic to a victim.

Abuse Powerhouse VPN for Amplification Attacks

According to ZDNet, a researcher who goes online as Phenomite found that attackers can abuse Powerhouse VPN via UDP port 20811 to launch amplification DDoS attacks.

Attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet. However, the root cause of this new DDoS vector is an as-yet-unknown service.

For threat actors, the effect of an amplification attack is obvious while the cost is low. More and more amplification attack vectors have been weaponized for DDoS-for-hire services today.
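From the receiving side, both vectors show up as UDP replies whose source port is the reflector's service port (32414 or 20811) arriving from many hosts at once. The following detection sketch is an added example, not NSFOCUS product configuration or code from the article; the flow-record layout, the thresholds and the sample records (documentation IP ranges) are assumptions.

```python
from collections import defaultdict

# UDP source ports of the two reflector services named in the article.
REFLECTOR_PORTS = {32414: "Plex PMSSDP", 20811: "Powerhouse VPN"}

# Constructed flow records: (src_ip, src_port, dst_ip, proto, bytes).
SAMPLE_FLOWS = [
    ("198.51.100.10", 32414, "203.0.113.5", "udp", 5620),
    ("198.51.100.11", 32414, "203.0.113.5", "udp", 5339),
    ("198.51.100.12", 32414, "203.0.113.5", "udp", 6182),
    ("198.51.100.20", 20811, "203.0.113.9", "udp", 4000),
    ("198.51.100.21", 20811, "203.0.113.9", "udp", 4400),
    ("198.51.100.22", 20811, "203.0.113.9", "udp", 3600),
    ("198.51.100.30", 32414, "203.0.113.7", "udp", 281),    # lone reply
    ("198.51.100.31", 53, "203.0.113.5", "udp", 90000),     # other port
    ("198.51.100.10", 32414, "203.0.113.8", "tcp", 50000),  # not UDP
]


def detect_reflection(flows, min_bytes=10_000, min_reflectors=3):
    """Flag destinations that receive UDP replies from several distinct
    hosts on a known reflector port.

    A port match alone is weak evidence, so an alert also requires a byte
    volume and a count of distinct reflectors. Both thresholds are
    illustrative assumptions to be tuned per monitored link.
    """
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src_ip, src_port, dst_ip, proto, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        entry = stats[(dst_ip, src_port)]
        entry["bytes"] += nbytes
        entry["sources"].add(src_ip)

    alerts = []
    for (dst_ip, port), entry in sorted(stats.items()):
        reflectors = len(entry["sources"])
        if entry["bytes"] >= min_bytes and reflectors >= min_reflectors:
            alerts.append({"victim": dst_ip, "port": port,
                           "vector": REFLECTOR_PORTS[port],
                           "bytes": entry["bytes"],
                           "reflectors": reflectors})
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```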

Rely on NSFOCUS for Service Continuity

Customers who subscribe to the NSFOCUS Cloud DDoS Protection Service can rest assured that the NSFOCUS SOC team has already responded by adding corresponding policies to protect customers against these two amplification attacks.

For customers who use the NSFOCUS on-premises solution, we recommend adding custom attack alert rules on the Network Traffic Analyzer (NTA) for attack detection and reflection protection rules on the Anti-DDoS System (ADS) for mitigation. If you need any assistance with configuration, please feel free to contact the NSFOCUS support team.