Amplification attack

From Hackepedia

An amplification attack sends requests to an intermediary (the amplifier) with the source address spoofed to that of the target. The amplifier therefore answers the target rather than the attacker, and its reply is larger than the request by some factor: the amplification factor, reply bytes divided by request bytes. The attacker's bandwidth is multiplied by that factor against the victim. Because the source address is forged, the attack only works over protocols that answer without first establishing state with the sender, which in practice means UDP and ICMP.


DNS Amplifiers

DNS servers are a popular amplifier, especially open recursive resolvers that answer queries from anyone. A query of a few dozen bytes can return a response of over a thousand bytes straight out of the resolver's cache, for example an ANY query, or a query for a name carrying many large TXT or DNSSEC records, with EDNS0 used to lift the classic 512-byte limit on UDP responses.


IPv4 Broadcast Amplifiers

Smurf sent ICMP echo requests (pings) with the source address spoofed to the target's address to the directed broadcast address of a network (Fraggle did the same with UDP, typically against the echo and chargen ports). Because an IPv4 directed broadcast is delivered to every host on the subnet, a single echo request produced one echo reply per host, all of them sent to the target. Routers that drop directed broadcasts, the default recommended by RFC 2644, close this amplifier.


Solutions to prevent Amplification attacks

  • UDP and ICMP are stateless: a request is answered without any handshake, so nothing ties the reply to a party that actually sent the request. TCP's three-way handshake uses large, randomized initial sequence numbers, so an attacker who spoofs the target's address never sees the SYN-ACK and cannot guess the value needed to complete the connection. This is why TCP-based services make poor amplifiers.
  • Spoofed packets should be filtered where they leave the network that originated them: source address validation (BCP 38 ingress filtering) at the network edge drops packets whose source address does not belong to that network, before they can reach any amplifier.
  • Limiting UDP for DNS removes the amplifier: either by serving only over TCP, or by answering suspicious traffic with an empty truncated (TC=1) response so that a legitimate client retries over TCP while a spoofed victim receives only a reply the size of the query. Response rate limiting and DNS Cookies (a token the server hands out and which a spoofed client never receives) achieve a similar effect at lower cost.
  • Protocols should be designed so that a single query over a stateless transport such as UDP cannot elicit a large reply; the reply should be no larger than the request until the client has proved it can receive traffic at its claimed address.
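As a worked illustration of the DNS amplifier described above and of the truncated-response mitigation from the list, the following Python script (added here, not part of the original page or of any DNS implementation) hand-builds a TXT query with an EDNS0 OPT record, a full response, and an empty TC=1 response, and computes the amplification factor of each. The zone data (example.com with four long SPF-style TXT records) and the transaction ID are constructed for the example.

```python
"""Added example (not from the Hackepedia page): measure the amplification
factor of a DNS TXT response against the query that produced it, and show how
a truncated (TC=1) reply, as sent when UDP is disabled or rate-limited,
removes the amplification.  Packets are hand-built per RFC 1035 / RFC 6891;
the zone data is constructed for the example."""
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a DNS name as <len><label>... <0> (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def edns0_opt(udp_payload_size: int = 4096) -> bytes:
    """OPT pseudo-RR (RFC 6891): root name, type 41, CLASS carries the buffer size.
    Advertising a large buffer is what lets a UDP reply exceed 512 bytes."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def question_end(msg: bytes) -> int:
    """Offset just past the first (and only) question: header, name, QTYPE, QCLASS."""
    i = 12
    while msg[i] != 0:          # walk the labels; question names are never compressed
        i += msg[i] + 1
    return i + 1 + 4


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal recursive query with an EDNS0 OPT record (qdcount=1, arcount=1)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + edns0_opt()


def txt_rdata(text: bytes) -> bytes:
    """TXT RDATA is one or more <len><chars> strings of at most 255 bytes each."""
    return b"".join(bytes([len(text[i:i + 255])]) + text[i:i + 255]
                    for i in range(0, len(text), 255))


def build_response(query: bytes, rdatas: list, rtype: int, ttl: int = 300) -> bytes:
    """Answer the query with one RR per rdata, echoing the question and the OPT record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:question_end(query)]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA,
                         1, len(rdatas), 0, 1)
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers + edns0_opt()


def truncated_response(query: bytes) -> bytes:
    """Empty reply with TC=1 (the 'slip' reply of DNS response rate limiting):
    a real client retries over TCP, a spoofed victim receives only a query-sized packet."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 1)
    return header + query[12:question_end(query)] + edns0_opt()


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bandwidth amplification factor: bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)


# Constructed sample zone: four long SPF-style TXT records under one name.
QUERY = build_query("example.com", TYPE_TXT)
BIG_TXT = txt_rdata(b"v=spf1 " + b"ip4:192.0.2.0/24 " * 20)
AMPLIFIED = build_response(QUERY, [BIG_TXT] * 4, TYPE_TXT)
TRUNCATED = truncated_response(QUERY)

if __name__ == "__main__":
    print(f"query {len(QUERY)} B, full reply {len(AMPLIFIED)} B, "
          f"factor {amplification_factor(QUERY, AMPLIFIED):.1f}x")
    print(f"TC reply {len(TRUNCATED)} B, "
          f"factor {amplification_factor(QUERY, TRUNCATED):.1f}x")
```

The 40-byte query pulls a 1484-byte answer out of the resolver, a factor of roughly 37; the same query answered with an empty truncated reply yields exactly the 40 bytes that were sent, a factor of 1, which is why forcing TCP or slipping TC=1 replies under rate limiting takes the server out of the amplifier business without refusing legitimate clients.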