'Criminals are upping the potency of distributed denial-of-service
attacks with a technique that abuses a widely used Internet protocol
that drastically increases the amount of junk traffic directed at

DDoSes are attacks that flood a website or server with more data than
it can handle. The result is a denial of service to people trying to
connect to the service. As DDoS-mitigation services develop
protections that allow targets to withstand ever-larger torrents of
traffic, the criminals respond with new ways to make the most of their

In so-called amplification attacks, DDoSers send requests of
relatively small data sizes to certain types of intermediary servers.
The intermediaries then send the targets responses that are tens,
hundreds, or thousands of times bigger. The redirection works because
the requests replace the IP address of the attacker with the address
of the server being targeted.

Other well-known amplification vectors include the memcached database
caching system with an amplification factor of an astounding 51,000,
the Network Time Protocol with a factor of 58, and misconfigured DNS
servers with a factor of 50.

DDoS mitigation provider Netscout said on Wednesday that it has
observed DDoS-for-hire services adopting a new amplification vector.
The vector is the Datagram Transport Layer Security, or D/TLS, which
(as its name suggests) is essentially the Transport Layer Security for
UDP data packets. Just as TLS prevents eavesdropping, tampering, or
forgery of TLS packets, D/TLS does the same for UDP data.

DDoSes that abuse D/TLS allow attackers to amplify their attacks by a
factor of 37. Previously, Netscout saw only advanced attackers using
dedicated DDoS infrastructure abusing the vector. Now, so-called
booter and stressor services—which use commodity equipment to provide
for-hire attacks—have adopted the technique. The company has
identified almost 4,300 publicly reachable D/TLS servers that are
susceptible to the abuse.'
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 577-5304