R2DR2: ANALYSIS AND EXPLOITATION OF UDP AMPLIFICATION VULNERABILITIES

Since we began our studies in the Master's degree on ICT security at the European University, drew our attention the possibility of doing a project under the guidance of Alejandro Ramos (@aramosf), a professional of the scene that we admire. After several ideas and proposals by both parties, we decided to make a project about finding new attack vectors on distributed reflection denial of service attacks (DRDOS). Recently this blog talked about it in a article focused on SNMP vulnerability, publishing also a tool for exploitation.

We set ourselves the objective of finding some new amplification in various protocols. To do this, first we made a research about already known vulnerabilities which were published by CERTs and some communities related to computer security. Swiftly we realized the technical complexities with the conditions that had to have the vulnerabilities: based on UDP, not having authentication, with an amplification of at least 2 times the bytes sent, implemented on a large number of sites... and they have to been undiscovered.

We classified our search into three frames where to look: 

• Common UDP-based protocols (such as DNS or NTP) 
• Media streaming and game platforms. 
• Private Applications that use UDP

Most undocumented protocols are just strings of bytes in and out. Each of them mean something, but, if the protocol is private, only the developer knows the meaning. After months of analysis and, some frustrations, we have managed to take advantage of several implementations based on UDP that can be used to make large-scale attacks:

SIP protocol: Options method 

SIP is a signaling protocol for VoIP whose implementation is identical to HTTP-based messages. The main difference, apart from its utility, is that SIP can operate on UDP port 5060. After a Shodan search we saw that there are over 40 million devices connected. Doing some deep research through the RFC we conclude that it was possible to reduce the "OPTIONS" request to some bytes and obtain an amplified response. Those servers that implement a response to "OPTIONS" with SDP information can have a big amplification.

RESPONSE TO "OPTIONS" REQUEST WITH SDP PROTOCOL IMPLEMENTED.

The returned messages had an average multiplier factor of 5 times for every byte sent, slightly above some of the protocols published by the US-CERT. Nowadays, there are over 2 million computers with this multiplier factor, so a highly distributed attack could make a dent on a big company.

Amplification in mobile games  
The growth of multiplayer games is something that excited us, a very cool place to research. However, many of these games do not use UDP as transport layer, preferring to use APIs under TCP. Fortunately, most interactive games tend to use UDP, here we found serious vulnerabilities with quite high multiplication factors, some of them 500 to 700 times per byte sent The problem is that those services are not usually large enough to be considered hazardous. Additionally, some mobile gaming platforms like exitgames.com implements triple handshake implemented over UDP, which completely prevents such attacks..

BIG AMPLIFICATION ON “DEADZONE” GAME FOR IOS

Citrix ICA protocol amplification

In an almost obsessive quest to find large amplification factors, we detect that there was a property on a private protocol which had not been taken into account as a possible vector amplification UDP. The affected protocol is the Citrix ICA protocol, designed for shared application servers.

One of the features in certain versions of the protocol, is to communicate the client what shared applications exists, and also the available servers. This message is transmitted by UDP on port 1604 and it does not implement authentication. When the list of applications and servers is large enough, this information disclosure becomes an attack vector for DRDoS attacks.

AMPLIFICATION ON CITRIX ICA BROWSER.

With a simple payload of 84 bytes, a response with an amplification factor of 25 to 40 times for every byte sent is received. The interesting thing about this vulnerability is that in our discovery phase we detected over 12,000 Citrix servers and corroborated that at least 2,000 were vulnerable.

Operating Tool: r2dr2 DRDoS attack tool

To make our proof of concept, we have developed a full-featured UDP amplification attacks program, called "r2dr2". The main difference from other tools, is that it receives a JSON file with the configurations. There you can especify the payload of the running service in hexadecimal format, which makes it highly customizable. Our aim is that the tool will be able to exploit vulnerabilities found not only for us but also any other researcher; we have found that works very well with many protocols.

The following video demonstrates, on a real environment, a distributed amplification attack using UDP with only 10 Citrix ICA servers, that can deny service to a real server on the Internet.

Configuring payloads on r2dr2 This video only exploit Citrix ICA protocol information disclosure vulnerability, with almost 25 to 45 bandwidth amplification factor, but in the JSON file that r2dr2 receives you can configure much more payloads from different services and set the amount of times you want to use each IP. This example shown the payload required for amplification in the Citrix ICA UDP, SIP, CHARgen, and NTP protocols.

Dowload JSON configuration file for r2dr2
Download application: r2dr2 DRDoS UDP Amplification

Conclusions
This project has taught us much more than we expected; this is the final conclusion. Find vulnerable protocols it is not a trivial task, but as we demonstrated in the video, effectiveness is large. There will be ways to do DRDOS attacks for a long time, mitigation depends on the talent and budget of each organization.


Fonte: 
Daniel Ferreira (@daniel0x00)
Pablo Alobera (@IllegalPointer)