TFTP Servers Face R-DDoS Attacks

Friday, March 11, 2016 @ 04:03 PM gHale

Improperly configured Trivial File Transfer Protocol (TFTP) servers can end up leveraged to carry out reflection DDoS attacks, a new study found.

These attacks can have an amplification factor of 60, one of the highest such values, according to researchers at Edinburgh Napier University.

Attacking an ICS from ‘Inside Out’
ICS-CERT BlackEnergy Report
Breach at IN Utility
Tracking ICS Threats Difficult

TFTP is a simple file transfer protocol developed as an alternative to the main FTP protocol, as a simpler way to support file transfers in limited conditions.

Ever since being created in 1981, the protocol mainly sees use to transfer files over a network, usually needed for the boot process. Even if considered highly insecure, the protocol continued to see use regardless.

On the other hand, reflection DDoS attacks, also known as R-DDoS, DRDoS, or Distributed Reflective Denial of Service attacks, are a more dangerous version of regular DDoS attacks.

Reflection DDoS attacks rely on an attacker sending traffic to an intermediary point with a bad return address (the victim’s IP). By crafting malformed network traffic packets, and abusing flaws in a protocol or server setup, this traffic is then sent to the return address (the victim’s IP) multiple times over. The number of times a packet goes back is the reflection DDoS attack’s amplification factor.

Most of these attacks range from a 2 to 10 amplification factor. Last summer, hackers managed to discover flaws in some of the BitTorrent protocols that provided an amplification factor of 120.

Other reflection DDoS attack methods surfaced last fall, when Akamai found attackers could leverage the NetBIOS name servers, Sentinel licensing servers, and RPC portmaps.

This past February, Akamai found the DNSSEC protocol could end up leveraged in the same way, with an amplification factor of 8. But most of the times, for launching reflection DDoS attacks, bad guys tend to use the DNS protocol, due to the large number of available servers, and its hard-to-mitigate design flaws.

As a team of researchers from the Edinburgh Napier University discovered, a combination of flaws in the TFTP protocol and publicly-exposed TFTP servers provides the perfect opportunity for attackers to abuse these setups for reflection DDoS attacks.

Researchers said by running a simple scan of Internet-exposed ports (TFTP uses port 69), they were able to find 599,600 publicly open TFTP servers.

These servers could end up used as intermediary points in reflection DDoS attacks that have an amplification factor of 60, way above many other protocols.

The vulnerable TFTP servers can be used to launch attacks on other Internet-available services, or used as a gateway for targets inside a closed network, because natural LAN setups dictate that the TFTP server must be available to all connected clients, and so providing the attacker with a path to previously unreachable targets.

Click here to view the researchers’ paper entitled, “Evaluation of TFTP DDoS amplification attack.”