DrDoS: using ordinary servers as agents
Targeting operational vulnerabilities in the TCP protocol and routing tables, DrDoS uses ordinary servers as its agents, which makes detection very difficult.
- Increases PPS and BPS (packets and bits per second) at the victim.
- Victimizes DNS, NTP, SNMP and CHARGEN servers,
using vulnerabilities in TCP (the three-way handshake), BGP and reflection servers (the sheer number of routers and services available).
- DNS: a DNS query (ANY, TXT) requests a huge set of resource records.
- NTP: requests the NTP server's peer list (monlist).
- SNMP: requests a large amount of MIB information from the SNMP agent.
- CHARGEN: requests a large number of characters.
The attacker spoofs the source IP, changing it to the victim's IP, so the servers' responses are reflected onto the victim.
Response Plan
- Use staged egress filtering.
- Apply port-based ACLs.
- Detect unexpected increases in PPS and BPS.
- Think like the attacker, and plan accordingly.
- Protect servers, clients and reflection servers.
- Control with an IPS.
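The "detect unexpected increases in PPS and BPS" item above can be turned into a small detector. The following is an added example (not from the original page): it takes constructed flow records, flags any destination whose one-second PPS or BPS exceeds a learned baseline by a factor, and reports which reflection service the excess comes from by source port (assumption: the reflectors answer from their IANA default ports).

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection services named in the text
# (assumption: the reflectors use the IANA default ports).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 19: "CHARGEN"}

@dataclass(frozen=True)
class Flow:
    second: int      # one-second time bucket
    src_ip: str
    src_port: int
    dst_ip: str
    packets: int
    octets: int

def per_second_rates(flows):
    """Sum packets/s and bits/s per (second, destination IP)."""
    pps, bps = defaultdict(int), defaultdict(int)
    for f in flows:
        pps[(f.second, f.dst_ip)] += f.packets
        bps[(f.second, f.dst_ip)] += f.octets * 8
    return pps, bps

def detect_reflection(flows, baseline_pps, baseline_bps, factor=10):
    """Flag destinations whose PPS or BPS in any second exceeds `factor`
    times the baseline, and attribute the traffic to reflector services
    by source port. Returns {dst_ip: {service: packets}}."""
    pps, bps = per_second_rates(flows)
    hot = {dst for (sec, dst), p in pps.items()
           if p > factor * baseline_pps.get(dst, 0)
           or bps[(sec, dst)] > factor * baseline_bps.get(dst, 0)}
    report = {}
    for f in flows:
        if f.dst_ip in hot and f.src_port in REFLECTOR_PORTS:
            svc = REFLECTOR_PORTS[f.src_port]
            report.setdefault(f.dst_ip, defaultdict(int))[svc] += f.packets
    return {dst: dict(s) for dst, s in report.items()}

# Constructed sample flows (not real traffic): normal HTTPS traffic to
# 203.0.113.10 and a burst of DNS/NTP/CHARGEN responses to 203.0.113.20.
SAMPLE_FLOWS = [
    Flow(0, "198.51.100.1", 443, "203.0.113.10", 40, 20_000),
    Flow(0, "198.51.100.2", 53, "203.0.113.10", 2, 300),
    Flow(0, "198.51.100.50", 53, "203.0.113.20", 900, 2_700_000),
    Flow(0, "198.51.100.51", 123, "203.0.113.20", 600, 2_800_000),
    Flow(0, "198.51.100.52", 19, "203.0.113.20", 300, 400_000),
    Flow(1, "198.51.100.1", 443, "203.0.113.10", 45, 22_000),
]
# Baselines normally learned from history (constructed here).
BASELINE_PPS = {"203.0.113.10": 50, "203.0.113.20": 30}
BASELINE_BPS = {"203.0.113.10": 200_000, "203.0.113.20": 100_000}

if __name__ == "__main__":
    print(detect_reflection(SAMPLE_FLOWS, BASELINE_PPS, BASELINE_BPS))
```

The service breakdown tells the responder which reflector type to filter with port-based ACLs first, and the baseline comparison is what keeps ordinary DNS replies from being flagged.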
DrDoS causes huge damage to a company's reputation, so planning ahead, before the impact becomes too big, is important!
Dan K