How to exploit TFTP protocol to launch powerful DDoS amplification attacks

Share this…

A group of security researchers from the Edinburgh Napier University elaborated a new DDoS amplification technique relying on the TFTP protocol.

A group of security experts from the Edinburgh Napier University (Boris Sieklik, Richard Macfarlane and Prof. William Buchanan) have discovered a new vector for DDoS amplification attacks. Recently the security community has discovered several ways to launch powerful amplification attacks by exploiting misconfigured services such as DNS or Network Time Protocol (NTP), now experts have found a way to exploit also the TFTP protocol (Trivial File Transfer Protocol).

The experts discovered that attackers could exploit TFTP to obtain a significant amplification factor for their attack, and unfortunately the port scanning research  conducted for the “Internet Census 2012 ” indicates the presence on the Internet of roughly 599,600 publicly open TFTP servers.

TFTP protocol to launch DDoS amplification attacks

The researchers contacted by El Reg confirmed that the techniques could allow obtaining an amplification factor equal to 60.

“The discovered vulnerability could allow hackers to use these publicly open servers to amplify their traffic, similarly to other DDoS amplification attacks like DNS amplification. If all specific conditions are met this traffic can be applied up to 60 times the original amount,” theresearcher Boris Sieklik told El Reg.

“I also studied effects of this attack on different TFTP software implementations and found that most implementations automatically retransmit the same message up to six times, which also contributes to the amplification.”

The TFTP protocol (Trivial File Transfer Protocol) is a simplified version of FTP (File Transfer Protocol) mainly used in local area networks. TFTP is very simple to implement for this reason it is quite common to find TFTP server within organizations.

It is possible to transfer any file by using the TFTP protocol, to obtain the DDoS amplification effect an attacker can a specifically crafted request to the server with a forged return address that represents the address of the target. The response sent by the server is much bigger in size than the original request, obtaining in this way the amplification factor.

The numerous misconfigured services present on the Internet could allow to target a specific website with junk traffic composed of responses to forged web requests.

The researchers announced that they will publish the results of their discovery in the March edition of publisher Elsevier’s Computers & Security journal, it will also include indications to mitigate potential TFTP DDoS amplification attacks.