FBI Warns of Network Protocols Abused in Large Scale DDoS Attacks

The Federal Bureau of Investigation added three network protocols and one web application to its list of newly discovered DDoS attack vectors.

In a private industry notification, the Bureau reported that:

  • In February 2020, UK security researchers identified a vulnerability in the built-in network discovery protocols of Jenkins servers—free, open source, automation servers used to support the software development process that cyber actors could exploit to conduct DDoS amplification attacks — according to open source reporting. Researchers estimated cyber actors could use vulnerable Jenkins servers to amplify DDoS attack traffic 100 times against the online infrastructure of targeted victims across sectors.
  • In October 2019, cyber actors exploited the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to conduct DDoS amplification attacks, according to open source reporting. With ARD enabled, the ARMS service started listening on port 3283 for incoming commands to remote Apple devices, which attackers used to launch DDoS amplification attacks with a 35.5:1 amplification factor. ARD is used primarily to manage large fleets of Apple Macs by universities and enterprises.
  • In May and August 2019, cyber actors exploited the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits per second (Gbps), in two separate waves of attack, according to open source reporting. Later the same year, several security researchers reported an increase in cyber actors’ use of non-standard protocols and misconfigured IoT devices to amplify DDoS attacks, according to separate open source reporting. IoT devices are attractive targets because they use the WS-DD protocol to automatically detect new Internet-connected devices nearby. In addition, WS-DD operates using UDP, which allows actors to spoof a victim’s IP address and results in the victim’s being flooded with data from nearby IoT devices. As of August 2019, there were 630,000 Internetaccessible IoT devices with the WS-DD protocol enabled.
  • In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, according to open source reporting. As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks.