There has been a recent rise in TCP flood attacks against services under the Streamline Servers DDoS umbrella. In particular, these attacks have been focused on using deprecated TCP Flag “URG”. Similar to most attacks the URG packet is designed to disrupt network activity by saturating bandwidth and resources of its target.
The URG flag is used to inform the receiving system that the data contained in a certain segment of the payload is urgent and should be prioritised over other packets (hence the name URG).
Jeremy Stretch has a great overview of the TCP URG flag here.
He goes on to mention that “the URG flag isn't employed much by modern protocols”, moreover that it has been deprecated in the last decade. Some legacy systems still use the flag, however, it is not common to see it in network analysis. Due to this, it raised some red flags the moment it entered our global network.
Technical Analysis
The attack itself is fairly basic in the grand scheme of attacks we see, and nothing compared to some SRCDS vectors. As it doesn’t contain anything “interesting” in the payload, except of course the TCP flag URG. Looking over the attack it is a typical TCP flood coming from >500,000 IPs and random source ports. The attack was fairly sizeable, at its peak reaching ~10m PPS at 21gbit/s. In a typical mitigation environment, this can be difficult to scrub against, as the packets at first glance appear legitimate.
Source Ports:
Corero Green Graphs:
Smart Rule Graph:
Using our Corero mitigation infrastructure we were able to inspect every packet in real time determine key features of a TCP flood and begin mitigation within 5 seconds of the attack starting. The main factors we were able to pick up on were the high time to live (TTL) >224 and a consistent packet length. TTL is the number of hops that a packet is permitted to travel before being discarded by a router. The attacker will often set this to a high number to ensure the DDoS reaches its target without being dropped by a router along the way.
High TTL:
Packet Length:
Flags Decoded
If you have any questions about our DDoS protection or other services, don’t hesitate to get in contact with us.
Thursday, January 10, 2019