Speech by Wenmao Liu of NSFOCUS: Research on New Vectors of UDP-based DDoS Amplification Attacks of IoT

June 2, 2021 | Jie Ji

As the world’s largest cybersecurity industry conference, the RSA Conference held its 30th annual event in 2021. It has been a driving force behind sharing, innovation, and progress in the global cybersecurity community. NSFOCUS stood out at the RSA Conference 2021 by making a debut on the conference speech podium as a Chinese security vendor. Dr. Wenmao Liu, Director of Innovation Center, NSFOCUS, delivered a speech themed “Research on New Vectors of UDP-based DDoS Amplification Attacks of IoT” in the SAT-M19 session on behalf of the company’s IoT security research team.

To learn what NSFOCUS shared at the conference, please read on.

1. Global exposure of IoT assets

As more and more devices are connected to the Internet, the number of IoT devices is increasing day by day. By scanning the devices on the Internet, we found more than 70,000 IoT services worldwide using WS-Discovery, OpenVPN, and CoAP protocols.

Security vendors can see these exposed IoT assets; so can attackers. After discovering these IoT assets with scanners, botnets, and whatever they can use, attackers can exploit such vulnerable assets to launch attacks.

2. The USA suffers most from amplified reflection DDoS

By using IoT honeypots to capture and collect the victim IP addresses, we analyzed the locations of these IP addresses and found that the USA suffers most from amplified reflection DDoS.

Both ransomware and DDoS attacks are used for criminal gain, and DDoS-for-hire services have been available on the dark web for some time. Exposed, vulnerable IoT devices have become a potential attack weapon for hackers. Given the scale of its business and IT industries, the USA has become the biggest target of cyber criminals.

3. WS-Discovery protocol

WS-Discovery is a UDP-based, unicast protocol for web service discovery. It works as follows: the client sends a UDP probe message to search for services and then waits for a reply. How is the protocol abused? An attacker sends a 3-byte request with the payload “\x3c\xaa\x3e” and a spoofed source address, and the service returns a 1590-byte response to that address.

Here, we use the concept of BAF, short for bandwidth amplification factor, which was proposed in the paper “Amplification Hell: Revisiting Network Protocols for DDoS Abuse” at NDSS 2014. To measure the BAF, probes are sent from real (unspoofed) source addresses to the exposed services so that the responses come back to the tester and can be measured. In our test, the length of each request we sent was 3 bytes and the average length of the responses we received was 1330 bytes, so the BAF is 443. Exploitation of the WS-Discovery protocol can therefore generate malicious traffic over 400 times larger than the request.

4. ADDP helps attackers find devices affected by Ripple20

ADDP, short for Advanced Device Discovery Protocol, is a UDP-based multicast protocol developed by Digi International. It allows devices on a local network to be found regardless of the network configuration. In our thorough scanning test, the length of the request we sent is 14 bytes, and the average length of the response we received is 141.7, so the BAF is 10.1.
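As an added example (not from the talk or from NSFOCUS's tooling), the following Python applies the BAF method above to constructed honeypot log lines for WS-Discovery and ADDP, and also shows the honeypot-side view of section 2: a claimed source address that keeps repeating probes is most likely a spoofed victim rather than a genuine discovery client. The log format, the port-to-protocol mapping, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed honeypot log (not a real capture). One probe per line:
# epoch_seconds claimed_src_ip dst_udp_port request_bytes response_bytes
HONEYPOT_LOG = """\
1622592000 203.0.113.10 3702 3 1590
1622592000 203.0.113.10 3702 3 1330
1622592001 203.0.113.10 3702 3 1300
1622592001 203.0.113.10 3702 3 1100
1622592002 203.0.113.10 3702 3 1330
1622592002 198.51.100.7 2362 14 141
1622592003 198.51.100.7 2362 14 142
1622592010 192.0.2.55 3702 3 1330
"""

# Registered UDP ports of the two discovery protocols discussed in the talk.
PORT_NAMES = {3702: "WS-Discovery", 2362: "ADDP"}

def parse_log(text):
    """Return (ts, src_ip, port, req_len, resp_len) tuples from the log text."""
    records = []
    for line in text.splitlines():
        ts, ip, port, req, resp = line.split()
        records.append((int(ts), ip, int(port), int(req), int(resp)))
    return records

def baf_per_protocol(records):
    """BAF = mean response payload length / mean request payload length."""
    totals = defaultdict(lambda: [0, 0, 0])  # request bytes, response bytes, probes
    for _, _, port, req, resp in records:
        t = totals[PORT_NAMES.get(port, str(port))]
        t[0] += req
        t[1] += resp
        t[2] += 1
    return {name: round((t[1] / t[2]) / (t[0] / t[2]), 1) for name, t in totals.items()}

def likely_victims(records, window=5, min_probes=3):
    """Claimed sources sending min_probes or more probes within `window` seconds.
    A real client probes once; a recurring address is being spoofed. Returns {ip: count}."""
    stamps = defaultdict(list)
    for ts, ip, *_ in records:
        stamps[ip].append(ts)
    victims = {}
    for ip, times in stamps.items():
        times.sort()
        for i in range(len(times) - min_probes + 1):
            if times[i + min_probes - 1] - times[i] <= window:
                victims[ip] = len(times)
                break
    return victims
```

With the sample log the BAF comes out at 443.3 for WS-Discovery and 10.1 for ADDP, matching the figures quoted in the talk, and 203.0.113.10 is flagged as the spoofed victim.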

ADDP is used by many network devices that may be affected by the Ripple20 vulnerabilities. Attackers can therefore find exposed ADDP services, verify whether the Ripple20 vulnerabilities are present, and then launch attacks.

Apart from WS-Discovery and ADDP, the talk analyzes the vulnerability of the OpenVPN protocol. NSFOCUS also analyzed the SSDP, DHDiscover, and Ubiquiti protocols in its 2018, 2019, and 2020 annual IoT cybersecurity reports. These IoT protocols are vulnerable in the same way: they are UDP-based, support unicast, and return responses much larger than the requests, which makes them easy to exploit for DDoS attacks. Since 2007, carrying out DDoS attacks via IoT protocols has become an important choice for attackers.

5. Some recommendations and opinions

Recommendations for IoT vendors:

Firstly, appoint a chief security officer (CSO) and set up a security team. Secondly, during the design phase, disable the service/device discovery functionality by default and have devices respond only to multicast requests from the intranet. Lastly, during the operations phase, establish an emergency response procedure and promptly release security patches.

Recommendations for end users and organizations:

Identify their own IoT devices and check their configurations and access control policies; continuously use cyberspace survey and mapping technology to monitor exposed assets; build a closed-loop identify-evaluate-eliminate IoT security operations workflow; and integrate IoT security into their unified security operations system.

Solution for IoT customers:

NSFOCUS’s IoT Umbrella solution keeps tabs on hidden hazards to and in the IoT in cities and enterprises, providing the big picture of the risk situation in various IoT verticals and threats to various regions and departments. It provides insight into the IoT security situation with multi-system data, such as terminal SDK, firmware detection, access gateways, IoT SIM analysis, and IoT security evaluation.

For some time to come, vulnerabilities in more IoT protocols and devices will keep emerging. NSFOCUS combines research, industry, and application by allying its Innovation Center, Gewu Lab, and IoT Security Product Department, and protects customers in IoT scenarios via the IoT Umbrella solution.

NSFOCUS has been committed to IoT security research for a long time, achieving remarkable research results in the security of IoT SDK and the Internet of vehicles (IoV).

NSFOCUS’s cybersecurity solution for the Cooperative Vehicle Infrastructure System (CVIS) focuses on large-scale CVIS application. It adopts an end-to-end collaborative security architecture that combines an on-board trusted security SDK, an infrastructure-side intelligent security gateway, and a security operations platform to build security capabilities of monitoring, detection, alert, defense, response, and emergency handling. Furthermore, it comprehensively covers protection scenarios on the awareness side, transmission side, and platform/application side, contributing to cybersecurity in the field of intelligent transportation.

Thanks to the probes deployed on IoV terminals and platforms, the solution collects security data from within CVIS networks. Based on big data correlation analysis, it provides active probing, passive trapping, traffic analysis, and detection of botnets, trojans, worms, DDoS attacks, and APTs, forming comprehensive capabilities of monitoring, detection, alert, defense, response, and emergency handling. It also combines security consulting, penetration testing, lifecycle security and risk control, and other security services to establish a CVIS security operations system. The solution can meet the urgent needs of CVIS safety compliance and new infrastructure network security construction, and further guarantee the safe, controlled, and healthy development of the entire CVIS application.