Akamai SIRT is investigating a new DDoS reflection and amplification method that abuses TFTP. This is yet another UDP-based protocol that has been added to the list of DDoS amplification scripts available for malicious use.
A new advisory authored by Jose Arteaga outlining the threat and suggested defenses can be downloaded here.
A weaponized version of the TFTP attack script began circulating at about the same time as research on the feasibility of this attack method, conducted by Edinburgh Napier University, was published.
As of April 20, 2016, Akamai has mitigated 10 attacks using this method against our customer base. Most of the attack campaigns consisted of multi-vector attacks which included TFTP reflection, an indication that this method has possibly been integrated into at least one site offering DDoS as a service.
Peak bandwidth: 1.2 Gigabits per second
Peak packets per second: 176.4 thousand packets per second
Attack vector: TFTP reflection
Source port: 69 (TFTP)
Destination port: Random
The attack tool borrows much of the same code as other UDP-based reflection tools, and the command line is similar as well. The input required is a target IP (used as the source address of the attack tool's requests), the port (usually seen as the destination port at the target), the file listing TFTP server addresses, the number of threads, a packets-per-second rate limit and the attack run time.
The attacks observed in most cases ignored the port parameter and resulted in random ports. Below is a sample of the requests going out as seen in tcpdump within a lab environment.
This method of attack will not generate a high packet rate, but the volume generated may be enough to consume bandwidth at the target site. So far the peak traffic for a single-vector TFTP attack has been measured at just over 1 Gbps.
TFTP is not recommended for use over the internet. As such, here are some precautions that may mitigate further use of this reflection method:
For those hosting TFTP servers, assess the need to have UDP port 69 exposed to the internet. This port should be firewalled and only allowed from trusted sources. Snort or a similar IDS can be used to detect abuse of TFTP servers in your network.
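As an added example, not taken from the advisory or from Akamai's tooling, the following Python sketch shows the kind of check a TFTP server operator could run over captured UDP datagrams arriving on port 69: it decodes RFC 1350 read/write requests and flags a source address that issues a burst of requests from many distinct source ports, the fingerprint of a spoofed reflection victim. All addresses, ports and packets in it are constructed.

```python
import struct
from collections import defaultdict

RRQ, WRQ = 1, 2          # TFTP request opcodes (RFC 1350); DATA (3) and ACK (4) are not requests
TFTP_PORT = 69

def encode_request(opcode, filename, mode="octet"):
    """Wire format of a TFTP request: opcode, NUL-terminated filename, NUL-terminated mode."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def parse_request(payload):
    """Decode an RRQ/WRQ into (opcode, filename, mode); return None for anything else."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:          # filename, mode, and the empty piece after the final NUL
        return None
    return opcode, fields[0].decode(errors="replace"), fields[1].decode(errors="replace").lower()

def find_reflection_sources(datagrams, min_requests=5, min_ports=4):
    """Flag source IPs that issue many requests from many distinct source ports.
    A genuine client uses one ephemeral port per transfer; a spoofed victim address
    shows up with a burst of requests whose source ports are random, which is what the
    victim then sees as random destination ports on the reflected replies."""
    per_src = defaultdict(lambda: {"requests": 0, "ports": set()})
    for src_ip, src_port, dst_port, payload in datagrams:
        if dst_port != TFTP_PORT or parse_request(payload) is None:
            continue
        per_src[src_ip]["requests"] += 1
        per_src[src_ip]["ports"].add(src_port)
    return {ip: s for ip, s in per_src.items()
            if s["requests"] >= min_requests and len(s["ports"]) >= min_ports}

# Constructed sample of datagrams reaching a TFTP server, as a capture would show them:
# (src_ip, src_port, dst_port, payload). 203.0.113.10 plays the spoofed victim;
# 198.51.100.7 is a legitimate client fetching two files from one ephemeral port.
SAMPLE = [("203.0.113.10", p, TFTP_PORT, encode_request(RRQ, "a.cfg"))
          for p in (41233, 5021, 60007, 1888, 33104, 49550)]
SAMPLE += [("198.51.100.7", 40001, TFTP_PORT, encode_request(RRQ, "boot.img")),
           ("198.51.100.7", 40001, TFTP_PORT, encode_request(RRQ, "boot.cfg", "netascii")),
           ("198.51.100.7", 40001, TFTP_PORT, b"\x00\x04\x00\x01")]   # an ACK, not a request

if __name__ == "__main__":
    for ip, stats in find_reflection_sources(SAMPLE).items():
        print(f"{ip}: {stats['requests']} requests from {len(stats['ports'])} source ports")
```

The thresholds are illustrative; tune them to the request rate your own clients actually produce before alerting on them.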
Customers who believe they are at risk and need additional direction can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or their account team.
Non-customers can submit inquiries through Akamai's hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/ or on twitter @akamai.
To access other white papers, threat advisories and research publications, please visit our Security Research and Intelligence section on Akamai Community.