Difference between revisions of "Amplification attack"

From Hackepedia
(amplification attacks)
 
Line 14: Line 14:
 
== Solutions to prevent Amplification attacks ==
 
== Solutions to prevent Amplification attacks ==
  
* UDP and ICMP are stateless protocols so they don't require a handshake to create a state between two hosts.  A handshake uses large sequence numbers that are randomized to prevent an attacker from guessing the replies to a spoofed target.
+
* [[UDP]] and [[ICMP]] are stateless protocols so they don't require a [[handshake]] to create a state between two hosts.  A handshake uses large sequence numbers that are randomized to prevent an attacker from guessing the replies to a spoofed target.
  
 
* spoofing should be filtered at routers on egress.
 
* spoofing should be filtered at routers on egress.

Revision as of 09:49, 28 March 2013

An amplification attack usually works by spoofing the target's address as the source of requests sent to an amplifier. The amplifier's reply, which goes to the spoofed target, is larger than the request by a certain factor.


DNS Amplifiers

DNS servers are often used for amplification attacks. Especially when they recurse for everyone, a lot of data can be amplified out of their cache.


IPv4 Broadcast Amplifiers

Smurf used IPv4 ICMP (for UDP see fraggle) directed at broadcast addresses to amplify an attack. Due to the nature of IPv4 broadcasting, a lot of hosts would respond to a single ICMP echo request.


Solutions to prevent Amplification attacks

  • UDP and ICMP are stateless protocols so they don't require a handshake to create a state between two hosts. A handshake uses large sequence numbers that are randomized to prevent an attacker from guessing the replies to a spoofed target.
  • Spoofing should be filtered at routers on egress.
  • Perhaps turn UDP off on DNS? Other good ideas exist, like using tokens/cryptography.
  • Design protocols so that they don't reply with a large amount of data to a single query over stateless protocols such as UDP.
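
The last two points combined, as an added example that is not part of the original page: a UDP-style responder that sends a large answer only to a source that has echoed back a token, and otherwise never replies with more bytes than it received. The wire format, function names and sample values are assumptions made up for this sketch.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)  # server-only key (assumed; rotate it in a real deployment)
TOKEN_LEN = 16

def make_token(src_ip: str) -> bytes:
    """Stateless token bound to the claimed source address."""
    return hmac.new(SECRET, src_ip.encode(), hashlib.sha256).digest()[:TOKEN_LEN]

def respond(src_ip: str, request: bytes, answer: bytes) -> bytes:
    """Return the datagram to send to src_ip, or b"" to stay silent.

    Constructed wire format: request = 16-byte token field + query;
    reply = b"C" + token (challenge) or b"A" + answer.
    """
    token = request[:TOKEN_LEN]
    if len(token) == TOKEN_LEN and hmac.compare_digest(token, make_token(src_ip)):
        return b"A" + answer  # sender proved it receives traffic at src_ip
    challenge = b"C" + make_token(src_ip)
    if len(request) < len(challenge):
        return b""  # too short to challenge without amplifying: drop
    return challenge  # unverified reply is never larger than the request

def amplification(request: bytes, reply: bytes) -> float:
    """Bytes sent toward the claimed source per byte received."""
    return len(reply) / len(request)

if __name__ == "__main__":
    big_answer = b"x" * 3000            # constructed large response
    query = b"ANY example.test?"        # constructed query
    spoofed = bytes(TOKEN_LEN) + query  # no valid token, source may be forged
    first = respond("192.0.2.10", spoofed, big_answer)
    print("unverified source factor:", round(amplification(spoofed, first), 2))
    # A real client at 192.0.2.10 receives the challenge and retries with it.
    second = respond("192.0.2.10", first[1:] + query, big_answer)
    print("verified source reply bytes:", len(second))
```

A sender that forges the source address never sees the challenge, so it cannot produce the token; the forged address receives at most as many bytes as the sender spent.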