Since we began the Master's degree in ICT security at the European University, we were drawn to the possibility of doing a project under the guidance of Alejandro Ramos (@aramosf), a professional in the field whom we admire. After several ideas and proposals from both sides, we decided to make the project about finding new attack vectors for distributed reflection denial of service (DRDoS) attacks. This blog recently covered the subject in an article focused on the SNMP vulnerability, which also published a tool for exploiting it.
We set ourselves the objective of finding new amplification vectors in various protocols.
To do this, we first researched the already known vulnerabilities published by CERTs and by some computer security communities. We quickly realised how demanding the conditions a usable vulnerability has to meet are: UDP-based, no authentication, an amplification of at least 2 times the bytes sent, deployed on a large number of hosts... and not yet discovered.
We classified our search into three areas to look at:
- Common UDP-based protocols (such as DNS or NTP)
- Media streaming and game platforms
- Proprietary applications that use UDP
SIP protocol: OPTIONS method
SIP is a signalling protocol for VoIP whose message format is modelled on HTTP. The main difference, apart from its purpose, is that SIP can operate over UDP on port 5060. A Shodan search showed over 40 million devices exposed. After going through the RFC in depth, we concluded that it was possible to reduce an "OPTIONS" request to a few bytes and obtain an amplified response. Servers that answer "OPTIONS" with SDP information in the body can give a large amplification.
Figure: response to an "OPTIONS" request from a server with SDP implemented.
The returned messages had an average amplification factor of 5 times for every byte sent, slightly above some of the protocols published by US-CERT.
Today there are over 2 million hosts with this amplification factor, so a highly distributed attack could make a dent in a big company.
Amplification in mobile games
The growth of multiplayer games is something that excited us; it is a very appealing area to research. However, many of these games do not use UDP as the transport layer, preferring APIs over TCP. Fortunately, most real-time games do use UDP, and here we found serious vulnerabilities with quite high amplification factors, some of them 500 to 700 times per byte sent. The problem is that these services are not usually deployed widely enough to be considered dangerous. Additionally, some mobile gaming platforms such as exitgames.com implement a three-way handshake over UDP, which completely prevents such attacks.
Figure: large amplification on the "Deadzone" game for iOS.
Citrix ICA protocol amplification
In an almost obsessive quest for large amplification factors, we found a property of a proprietary protocol that had not been considered as a possible UDP amplification vector. The affected protocol is the Citrix ICA protocol, designed for shared application servers.
One of the features of certain versions of the protocol is to tell the client which shared applications exist and which servers are available. This message is transmitted over UDP on port 1604 and does not implement authentication. When the list of applications and servers is large enough, this information disclosure becomes an attack vector for DRDoS attacks.
Figure: amplification on the Citrix ICA browser.
With a simple 84-byte payload, a response with an amplification factor of 25 to 40 times for every byte sent is received. The interesting thing about this vulnerability is that during our discovery phase we detected over 12,000 Citrix servers and confirmed that at least 2,000 were vulnerable.
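For an operator on the other side of this, the practical question is whether an ICA browser (or any other UDP service) on their own network is already being used as a reflector. The following added example (not part of the article or of the r2dr2 tool) works from UDP flow records and flags local endpoints that send back many times the bytes they receive, across many distinct remote hosts. The flow records, the 10.0.0.0/24 "local" prefix and the thresholds are constructed assumptions; the 84-byte request and the 25 to 40 times response size mirror the figures given above.

```python
"""Find local UDP services behaving as DRDoS reflectors in flow records."""
from collections import defaultdict

# Constructed sample, one tuple per flow: (src_ip, src_port, dst_ip, dst_port, bytes).
# 10.0.0.5:1604 is a Citrix ICA browser answering 84-byte requests from five
# spoofed sources with ~3 KB replies. 10.0.0.53:53 is a resolver with ordinary
# traffic. 10.0.0.9:5060 amplifies too, but only for two genuine SIP peers.
FLOWS = [
    ("203.0.113.10", 40001, "10.0.0.5", 1604, 84),
    ("10.0.0.5", 1604, "203.0.113.10", 40001, 3024),
    ("203.0.113.11", 40002, "10.0.0.5", 1604, 84),
    ("10.0.0.5", 1604, "203.0.113.11", 40002, 3024),
    ("203.0.113.12", 40003, "10.0.0.5", 1604, 84),
    ("10.0.0.5", 1604, "203.0.113.12", 40003, 3024),
    ("203.0.113.13", 40004, "10.0.0.5", 1604, 84),
    ("10.0.0.5", 1604, "203.0.113.13", 40004, 3024),
    ("203.0.113.14", 40005, "10.0.0.5", 1604, 84),
    ("10.0.0.5", 1604, "203.0.113.14", 40005, 3024),
    ("198.51.100.2", 53001, "10.0.0.53", 53, 60),
    ("10.0.0.53", 53, "198.51.100.2", 53001, 76),
    ("198.51.100.3", 53002, "10.0.0.53", 53, 58),
    ("10.0.0.53", 53, "198.51.100.3", 53002, 90),
    ("198.51.100.4", 53003, "10.0.0.53", 53, 61),
    ("10.0.0.53", 53, "198.51.100.4", 53003, 80),
    ("192.0.2.20", 5060, "10.0.0.9", 5060, 170),
    ("10.0.0.9", 5060, "192.0.2.20", 5060, 850),
    ("192.0.2.21", 5060, "10.0.0.9", 5060, 170),
    ("10.0.0.9", 5060, "192.0.2.21", 5060, 850),
]


def endpoint_stats(flows):
    """Per (ip, port): bytes received, bytes sent and the set of remote IPs."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "peers": set()})
    for src, sport, dst, dport, nbytes in flows:
        stats[(dst, dport)]["bytes_in"] += nbytes
        stats[(dst, dport)]["peers"].add(src)
        stats[(src, sport)]["bytes_out"] += nbytes
        stats[(src, sport)]["peers"].add(dst)
    return stats


def find_reflectors(flows, min_ratio=2.0, min_peers=3, local_prefix="10.0.0."):
    """Return {(ip, port): ratio} for local endpoints whose outbound bytes are at
    least min_ratio times their inbound bytes across at least min_peers distinct
    remote hosts. Both thresholds are illustrative; min_ratio=2 matches the
    article's bar for a usable amplifier, min_peers separates reflection from a
    chatty protocol talking to a few real clients."""
    found = {}
    for (ip, port), s in endpoint_stats(flows).items():
        if not ip.startswith(local_prefix) or s["bytes_in"] == 0:
            continue
        ratio = s["bytes_out"] / s["bytes_in"]
        if ratio >= min_ratio and len(s["peers"]) >= min_peers:
            found[(ip, port)] = round(ratio, 1)
    return found


if __name__ == "__main__":
    for (ip, port), ratio in find_reflectors(FLOWS).items():
        print(f"{ip}:{port}/udp returns {ratio}x the bytes it receives")
```

The peer count matters as much as the ratio: a reflector under abuse sees requests from many addresses it has never spoken to (the spoofed victim or victims), while a legitimately amplifying service such as the SIP server in the sample talks to a handful of known peers. Lowering `min_peers` to 2 pulls that server into the report, which is the kind of false positive a baseline of normal traffic is needed to avoid.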
Tool: r2dr2 DRDoS attack tool
For our proof of concept, we developed a full-featured UDP amplification attack program called "r2dr2". The main difference from other tools is that it takes a JSON file with the configuration. There you can specify the payload for the target service in hexadecimal format, which makes it highly customisable. Our aim is for the tool to be able to exploit vulnerabilities found not only by us but by any other researcher; we have found that it works very well with many protocols.
The following video demonstrates, in a real environment, a distributed UDP amplification attack using only 10 Citrix ICA servers, which is enough to deny service to a real server on the Internet.
Download JSON configuration file for r2dr2
Download application: r2dr2 DRDoS UDP Amplification
Conclusions
This project has taught us much more than we expected; that is the final conclusion. Finding vulnerable protocols is not a trivial task, but as we demonstrated in the video, the effectiveness is high. There will be ways to carry out DRDoS attacks for a long time; mitigation depends on the talent and budget of each organisation.
Source:
Daniel Ferreira (@daniel0x00)
Pablo Alobera (@IllegalPointer)