Security News > 2021 > March > DDoS booters now abuse DTLS servers to amplify attacks
DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security servers to amplify Distributed Denial of Service attacks.
According to reports that surfaced in December, a DDOS attack used DTLS to amplify traffic from vulnerable Citrix ADC devices that used DTLS configurations without a 'HelloClientVerify' anti-spoofing mechanism designed to block such abuse.
DDoS attacks using DTLS can reach an amplification factor of 35 according to German DDoS protection vendor Link11 or an amplification ratio of 37.34:1 based on info from DDoS mitigation firm Netscout.
Two months later, Netscout said that more than 4,200 DTLS servers are still reachable over the Internet and ripe for abuse in reflection/amplification DDoS attacks.
Netscout has observed single-vector DTLS amplification DDoS attacks up to roughly 44.6 Gbps and multi-vector attacks of up to ~206.9 Gbps. Adopted by DDoS booter services.
To mitigate such attacks, admins can either disable unnecessary DTLS services on Internet-exposed servers or to patch/configure them to use the HelloVerifyRequest anti-spoofing mechanism to remove the DTLS amplification vector.
News URL
Related news
- CUPS vulnerabilities could be abused for DDoS attacks (source)
- Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps (source)
- Recently patched CUPS flaw can be used to amplify DDoS attacks (source)
- Cloudflare Thwarts Largest-Ever 3.8 Tbps DDoS Attack Targeting Global Sectors (source)
- Largest Recorded DDoS Attack is 3.8 Tbps (source)
- New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries (source)
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks (source)
- U.S. Charges Two Sudanese Brothers for Record 35,000 DDoS Attacks (source)
- Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks (source)
- Exploit released for new Windows Server "WinReg" NTLM Relay attack (source)