Reflection Amplification

Information

• Name: Reflection Amplification

• ID: T1498.002

• Tactics:

• Technique:

Introduction

Reflection Amplification (T1498.002) is a sub-technique within the MITRE ATT&CK framework categorized under Network Denial of Service (DoS) attacks. In reflection amplification attacks, adversaries exploit legitimate third-party servers by sending spoofed requests that trigger amplified responses directed toward the target victim. This technique significantly increases the volume of traffic directed at the victim, overwhelming network resources and causing denial of service conditions. Reflection amplification is particularly dangerous due to its scalability, efficiency, and difficulty in tracing the original attacker.

Deep Dive Into Technique

Reflection amplification attacks leverage two key techniques—reflection and amplification—combined to overwhelm targeted networks or systems:

• Reflection:

  • Attackers use IP address spoofing, inserting the victim's IP address as the source address in packets sent to vulnerable third-party servers (reflectors).

  • Reflectors, unaware of the spoofing, respond directly to the victim’s IP address, effectively reflecting traffic back toward the victim.

• Amplification:

  • Attackers select protocols that generate responses significantly larger than the initial request, thus amplifying the traffic volume.

  • Commonly exploited protocols include:

    • DNS (Domain Name System)

    • NTP (Network Time Protocol)

    • SSDP (Simple Service Discovery Protocol)

    • SNMP (Simple Network Management Protocol)

    • Memcached

    • CLDAP (Connectionless Lightweight Directory Access Protocol)

  • Amplification factors vary widely:

    • DNS can amplify requests by approximately 28 to 54 times.

    • NTP can amplify requests by up to 556 times.

    • Memcached attacks have shown amplification factors exceeding 10,000 times.

• Execution Steps:

  1. Attacker identifies publicly accessible services susceptible to reflection amplification.

  2. Attacker crafts spoofed packets with the victim's IP as the source.

  3. Reflectors respond to spoofed packets with amplified traffic directed at the victim.

  4. Victim is overwhelmed, leading to degraded or disrupted services.

When this Technique is Usually Used

Reflection amplification attacks are commonly employed in the following scenarios and attack stages:

• Extortion and Ransom Attacks:

  • Attackers threaten organizations with sustained denial of service unless payment is received.

• Competitive Sabotage:

  • Businesses or malicious entities attempting to disrupt competitors’ online services or operations.

• Hacktivism:

  • Politically or ideologically motivated groups aiming to disrupt targeted websites or services.

• Diversionary Tactics:

  • Attackers use reflection amplification to divert security teams' attention from other concurrent cyberattacks, such as data breaches or malware installation.

• State-sponsored Cyber Operations:

  • Nation-state actors employing reflection amplification to disrupt critical infrastructure or governmental services.

How this Technique is Usually Detected

Detection of reflection amplification attacks typically involves monitoring, logging, and analysis of network traffic patterns and anomalies:

• Network Traffic Analysis:

  • Sudden spikes in inbound traffic volume, especially UDP-based protocols.

  • High numbers of responses from specific protocols (DNS, NTP, SSDP, Memcached) without corresponding outbound requests.

• Protocol-Specific Detection:

  • DNS amplification: Unusually large DNS responses with no matching requests.

  • NTP amplification: High volume of NTP monlist command responses.

  • SSDP amplification: Excessive SSDP response packets (UDP port 1900).

  • Memcached amplification: Unsolicited UDP traffic from port 11211.

• Security Tools and Techniques:

  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) configured to detect known amplification attack signatures.

  • NetFlow and sFlow monitoring tools for detecting unusual traffic patterns.

  • SIEM solutions correlating network traffic anomalies with known IoCs.

• Indicators of Compromise (IoCs):

  • Large-scale inbound UDP traffic from multiple external IP addresses.

  • Traffic originating from known reflector servers or compromised infrastructure.

  • Sudden increase in traffic targeting specific UDP service ports (e.g., 53, 123, 1900, 11211).

Why it is Important to Detect This Technique

Early detection of reflection amplification attacks is critical due to their potential severe impacts:

• Service Disruption:

  • Massive traffic volumes can overwhelm network bandwidth, preventing legitimate user access and causing significant downtime.

• Operational Impact:

  • Extended downtime can disrupt critical business operations, resulting in financial loss, reputational damage, and loss of customer trust.

• Infrastructure Damage:

  • Prolonged attacks can strain network infrastructure, leading to hardware failures or degraded performance.

• Security Posture Weakening:

  • Attackers may exploit the chaos of denial-of-service conditions to carry out additional cyberattacks, including data breaches or malware deployment.

• Regulatory and Compliance Risks:

  • Organizations experiencing prolonged outages may face regulatory scrutiny, fines, or penalties for failing to maintain service availability and security standards.

Detecting reflection amplification attacks early allows organizations to mitigate the impact, maintain service availability, and reduce operational and financial risks.

Examples

Real-world examples of reflection amplification attacks include:

• GitHub Memcached Attack (2018):

  • Attackers leveraged Memcached servers to launch a 1.35 Tbps DDoS attack against GitHub.

  • Attackers spoofed GitHub's IP address, sending small requests to vulnerable Memcached servers, which responded with massive amplified traffic.

  • GitHub mitigated the attack using DDoS protection services, minimizing downtime.

• Dyn DNS Attack (2016):

  • Attackers exploited DNS reflection amplification along with Mirai botnet to launch large-scale DDoS attacks against DNS provider Dyn.

  • The attack disrupted access to major websites, including Twitter, Netflix, and Amazon, highlighting the widespread impact of reflection amplification attacks.

• Spamhaus NTP Reflection Attack (2013):

  • Spamhaus, a non-profit anti-spam organization, was targeted by attackers using NTP reflection amplification, reaching peak traffic of approximately 300 Gbps.

  • Attackers used a large number of vulnerable NTP servers to amplify traffic, significantly impacting Spamhaus' services.

• Cloudflare CLDAP Attack (2020):

  • Attackers targeted Cloudflare infrastructure using CLDAP reflection amplification, reaching peak traffic of approximately 754 million packets per second.

  • Cloudflare successfully mitigated the attack, demonstrating the importance of robust mitigation strategies.

These examples demonstrate the potency and scale of reflection amplification attacks, emphasizing the necessity for proactive detection, mitigation planning, and robust cybersecurity practices.