A Study on Exploitable DRDoS Amplifiers in Europe

Abstract

One of the best-known cyber attacks, distributed denial of service (DDoS), is evolving. It has become much more malefic and effective with the use of amplification power of reflected messages. This attack is known as the distributed reflected denial of service (DRDoS) or the amplification attack. Attackers abuse UDP-based protocols’ connectionless property for this attack and achieve an attack volume of hundreds of Gbps. The attack occurs by botnets’ spoofing a victim’s IP address and demanding some service from unhardened servers. Attackers generally prefer protocols that have high a “amplification factor” such as NTP and Memcached, or protocols where it is hard to differentiate legal requests from malicious ones, such as DNS. At this point, an important defensive strategy against these attacks is to harden servers not to play a role as amplifiers. In this paper, we carried out a detailed research of servers in 41 European countries and focused on three UDP-based protocols most commonly abused by attackers: DNS, NTP, and Memcached. We searched these servers by automatic regional scans and analyzed whether they have been hardened against DRDoS attacks.