The U.S. FBI has warned of new CoAP, WS-DD, ARMS, and Jenkins DDoS attack methods; what are they?
The United States law enforcement agency, the Federal Bureau of Investigation(FBI) has issued an alert of new DDoS attack methods being used by cybercriminals and hackers to launch large-scale distributed denial of service (DDoS) attacks.
The FBI alert(PDF) lists fairly recent CoAP, WS-DD, ARMS, and Jenkins DDoS attack vectors. Out of these, three use vulnerabilities in network protocols, while the fourth one uses vulnerabilities in the web application protocol. All the four DDoS attack vectors are fairly new but cybercriminals have already exploited the CoAP, WS-DD, and ARMS vulnerabilities to launch massive DDoS attacks.
CoAP (Constrained Application Protocol) DDoS attack:
Constrained Application Protocol or CoAP is an Internet of Things of Things (IoT) related protocol. CoAP is a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce. From a DDoS perspective, CoAP is a protocol that is implemented for both TCP and UDP and does not require authentication to reply with a large response to a small request.
Cybercriminals have begun launching CoAP reflection/amplification DDoS attacks by scanning for abusable addresses, then launch a flood of packets spoofed with the source address of their target. The average amplification factor for CoAP is 34, in the midrange for UDP protocols commonly abused for reflection/amplification. Since the CoAP devices are transient by nature, most vulnerable devices change their addresses within two weeks. As such, the CoAP DDoS attackers have to continually rescan to establish IP addresses to use in attacks.
WS-DD (Web Services Dynamic Discovery) DDoS Attack:
Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network. It is mostly used on local networks to “discover” other nearby devices that communicate via a particular protocol or interface. It operates over TCP and UDP port 3702 and uses IP multicast address 126.96.36.199. The devices communicate between nodes using web services standards, notably SOAP-over-UDP.
Since UDP is a stateless protocol, requests to the WSD service can be spoofed. This ultimately causes the impacted server, or service, to send responses to the intended victim, consuming large amounts of the target’s bandwidth. As per BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and can be exploited to launch DDoS attacks. Hackers had earlier used the WS-DD DDoS attack method in May and August 2019 for more than 130 DDoS attacks with some reaching sizes of more than 350 Gbps.
Apple Remote Management Service (ARMS) DDoS Attack:
As the name suggests, this DDoS vector targets Apple’s macOS computers and laptops to launch attacks. More specifically, the attackers’ leverage macOS run PC/laptops which have enabled the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature. ARD earlier allowed Apple macOS perform screen-sharing but over the years it has evolved into a more fully-featured system management application, allowing the remote installation of software updates, remote logging, etc.
When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac. Cyber-criminals scan open 3283 ports and abuse the ARMS service for conducting a “DDoS amplification attack.” The problem is that Mac computers to listen on UDP/3283, even if Apple’s Firewall service under System Preferences/Security & Privacy was enabled. NetScount estimates that there are approximate ~54,000 abusable ARMS-enabled Macs exposed to the public Internet giving hackers ample bandwidth to conduct DDoS attacks which are as high as 70 Gbps.
JENKINS DDoS Attack:
Cybercriminals exploit Jenkins servers by abusing the CVE-2020-2100. On January 29, 2020, the Jenkins project published a security advisory containing a vulnerability with UDP amplification reflection attack potential. Security alert 1641, also known as CVE-2020-2100, reports the vulnerability discovered by Adam Thorn from the University of Cambridge and how it impacts Jenkins versions 2.218 and earlier as well as LTS 2.204.1 and earlier. There are at present 12,000 exposed Jenkins’ servers can easily be abused hackers to launch distributed reflective denial-of-service (DDoS) attacks with an average amplification factor of 3.00.
Jenkins/Hudson servers respond to any traffic on UDP port 33848. An attacker can either send a UDP broadcast packet locally to 255.255.255.255:33848 or they could send a UDP multicast packet to JENKINS_REFLECTOR:33848. When a packet is received, regardless of the payload, Jenkins/Hudson will send an XML response of Jenkins metadata in a datagram to the requesting client, giving attackers the ability to abuse its UDP multicast/broadcast service to carry out DDoS attacks.
Carefully crafted UDP packets can also make two Jenkins servers go into an infinite loop of replies, causing a denial of service against both servers. Researchers estimated cyber actors could use vulnerable Jenkins servers to amplify DDoS attack traffic 100 times against the online infrastructure of targeted victims across sectors.
These are the four new DDoS attack vectors the FBI has warned about. Most of these vectors exist because the device makers (IoT, smartphones, Jenkins, and Apple) are unlikely to disable the protocols. “In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” the FBI alert says.