Unbeknownst to you, your printer could be moonlighting as a malicious bot for a DDoS attacker in another country. And a temperature sensor could be up to misdeeds as well. Networked devices often support network protocols that allow them to be monitored and controlled remotely – and not just by the white hats in your IT department.
A type of distributed denial of service attack called a Distributed Reflection and Amplification Denial of Service attack, or DrDoS attack, has grown increasingly popular with cyber attackers. Some reflection attacks target Internet protocol (IP) based devices, such as printers and routers, to take advantage of vulnerabilities inherent in three common network protocols – Simple Network Management Protocol (SNMP), Network Time Protocol (NTP) and Character Generation Protocol (CHARGEN).
Attackers can turn network devices into malicious bots using these protocols by misdirecting and amplifying device responses to send unwanted data to the attacker’s target. By harnessing enough devices to send a flood of traffic all at once, the attacker may succeed in causing the target to crash, and thus cause an outage.
When these Internet protocols were developed, the Internet was in its infancy. Since then, malicious actors have found ways to use protocol responses to cause other people’s devices to launch denial of service attacks against websites and networks. Some of the types of networked devices that often support SNMP, NTP and CHARGEN are printers, security cameras, routers, hubs and temperature sensors. Support for these protocols puts these devices at risk.
SNMP: A simple protocol lies behind complex attacks
SNMP is used to communicate with IP-based devices, such as routers, switches, servers, printers, modems, IP video cameras, IP phones, network bridges, hubs, alarms and thermometers. The protocol transmits data about device components, measurements, sensor readings and variables to allow users to monitor and interact with these devices. The use of human-readable cleartext, however, makes SNMPv1 and v2 vulnerable to interception and modification. What’s more, the origin of the transmission cannot be verified, making it difficult to trace back to its source.
NTP: Asking the time over and over again
The clocks in computers and other networked devices stay synchronized with date and time information from the Internet using the NTP protocol. NTP is implemented on all major operating systems, network infrastructure devices and embedded devices. It is as susceptible to spoofing as the User Datagram Protocol (UDP) upon which it is built.
In a DrDoS attack, the malicious actor(s) may cause multiple requests for time updates to be sent to multiple NTP hosts, directing their responses to the target. By involving a large number of NTP-supporting devices, a malicious actor can cause an unusually high amount of data to reach the target to cause an outage.
CHARGEN: The alphabet attack is not child’s play
CHARGEN, which outputs a string of letters – the alphabet – and numbers and other characters, can be used as a source of non-specific data for testing and debugging network connections, network payload generating and bandwidth testing. It is supported by two Internet protocols – TCP and UDP. The UDP version is vulnerable to spoofing. Misuse of the testing feature of the CHARGEN protocol may allow attackers to craft malicious network payloads and direct the responses to a target.
Fortunately, there are steps you can take to ensure your networked devices do not become part of a malicious actor’s botnet. Information about protecting network devices from participation in these kinds of denial of service attacks is available in the DrDoS white paper: SNMP, NTP and CHARGEN attacks.
Michael E. Donner, Senior Vice President, Chief Marketing Officer, Prolexic Technologies