Almost three months after researchers from the Edinburgh Napier University published a study on how to carry out reflection DDoS attacks by abusing TFTP servers, Akamai is now warning of real-life attacks.
Akamai SIRT, the company’s security team, says its engineers detected at least ten DDoS attacks since April 20, 2016, during which crooks abused Internet-exposed TFTP servers to reflect traffic and send it tenfolds towards their targets, in a tactic that’s called a “reflection” (or “amplification”) DDoS attack.
The crooks sent a small number of packets to TFTP servers, which contained various flaws in the protocol implementation, and then sent it back multiplied to their targets. The multiplication factor for TFTP DDoS attacks is 60, well above the regular average for reflection DDoS attacks, which is between 2 and 10.
First instances of TFTP reflection DDoS attacks fail to impress
Akamai says the attacks they detected employing TFTP servers were part of multi-vector DDoS attacks, during which crooks mixed different DDoS-vulnerable protocols together, in order to confuse their target’s IT department and make it harder to mitigate.
Because the attack wasn’t pure, it never reached huge statistical measurements. Akamai reports the peak bandwidth was 1.2 Gbps and the peak packet volume was 176,400 packets per second. These are considered low values for DDoS attacks, but enough to consume the target’s bandwidth.
Akamai SIRT says they’ve seen a weaponized version of the TFTP attack script circulating online as soon as the Napier University study was released.
The crooks seem to have misconfigured the attack script
The attack script is simple and takes user input values such as the victim’s IP, the attacked port, a list of IP addresses from vulnerable, Internet-available TFTP servers, the packet per second rate limit, the number of threads, and the time the script should run.
In the attacks it detected, Akamai says the crooks ignored to set the attacked port value, and their script send out traffic to random ports on the target’s server.
Back in March, Napier University researchers said they’ve found over 599,600 publicly open servers that had port 69 (TFTP) open.
Akamai warns organizations to secure their TFTP servers by placing these servers behind a firewall. Since the 25-year-old TFTP protocol doesn’t support modern authentication methods, there is no good reason to have these types of servers exposed to the Internet.