
DHCPDiscover Reflection/Amplification DDoS Attack Mitigation Recommendations

ASERT Threat Summary

by Roland Dobbins, Steinthor Bjarnason

Date/Time: 7 July 2021 1600 UTC

Severity: Warning

Distribution: TLP:WHITE

Categories: Availability

Contributors: Jon Belanger, Chris Conrad, John Kristoff, Hardik Modi, Marco Gioanola, Andrew Cockburn, Dennis Hohmann.

Executive Summary

DHCPDiscover, a UDP-based JSON protocol used to manage networked digital video recorders (DVRs), can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication for the service. Unfortunately, many of these DVR variants by default do not include such authentication. At this point, the DHCPDiscover reflection/amplification attack vector appears to have been added to the arsenals of booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.

Key Findings: 

  • For organizations with vulnerable DVRs that are abused as reflectors/amplifiers, the collateral damage could be significant. Video recording applications could be partially or fully halted, which could impact applications such as security cameras.
  • Network operators must be careful not to overblock legitimate internet traffic by wholesale filtering of all UDP/37810-sourced traffic. Doing so runs the risk of internet service disruptions for downstream customers. 
  • Network operators should perform reconnaissance to identify and remediate abusable DHCPDiscover reflectors/amplifiers on their networks and/or the networks of their customers. 

Description

DHCPDiscover is a UDP-based JSON protocol used to manage multiple variants of networked digital video recorders (DVRs) that run firmware originally developed by a single OEM and marketed under various brands worldwide. Many of these DVR variants by default lack any form of authentication for the DHCPDiscover service and will reply to crafted packets destined for the relevant UDP port on relevant devices.

IMPORTANT: It should be noted that the somewhat confusingly named DHCPDiscover JSON management protocol referenced in this Threat Summary is wholly unrelated to DHCPDISCOVER messages that are a routine part of the Dynamic Host Configuration Protocol (DHCP) network address allocation mechanism described in RFC 2131. The contents of this Threat Summary are in no way related to DHCP nor to IP address allocation practices in general.

When these devices are exposed to the public internet—typically via static NAT mapping—the DHCPDiscover service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of ~23.15:1–25.68:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/37810 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. The amplified attack packets range from 576 bytes to 912 bytes in length. To date, 133,853 abusable DHCPDiscover reflectors/amplifiers have been identified.

Observed attack bandwidth ranges up to ~63.5 Gbps for single-vector DHCPDiscover reflection/amplification attacks, and up to an aggregate ~566.88 Gbps for multivector attacks that include DHCPDiscover as a component. The highest observed packet rate for a single-vector DHCPDiscover reflection/amplification attack is ~15.14 Mpps, with an aggregate of up to ~69.25 Mpps for multivector attacks that include DHCPDiscover as a component.

As is routinely the case with newer DDoS attack vectors, after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, DHCPDiscover reflection/amplification appears to have been weaponized and added to the arsenals of booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.

Collateral Impact

The collateral impact of DHCPDiscover reflection/amplification attacks is potentially significant for organizations whose internet-exposed DVRs are abused as reflectors/amplifiers. This may include partial or full interruption of video recording applications, as well as additional service disruption due to transit capacity consumption; state-table exhaustion of NATs, stateful firewalls and load-balancers; etc.

Wholesale filtering of all UDP/37810-sourced traffic by network operators may potentially overblock legitimate internet traffic.  

Mitigating Factors

Collateral impact to abusable DHCPDiscover reflectors/amplifiers can alert network operators and/or end-customers to remove affected DVRs from DMZ networks or IDCs, or to disable the UDP port-forwarding rules which forward specific UDP ports from the public internet to these devices, thereby preventing them from being abused in DHCPDiscover reflection/amplification attacks.
 
DHCPDiscover reflection/amplification DDoS attack traffic can be mitigated via the implementation of industry-standard best current practices (BCPs) such as situationally-appropriate network access control policies, network infrastructure-based reaction mechanisms such as flowspec, and intelligent DDoS mitigation systems such as NETSCOUT Arbor Sightline/TMS and AED/APS.
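The following is an added example (not part of the original Threat Summary or any NETSCOUT product) showing how a defender might apply the attack characteristics above to flow telemetry: it flags destinations receiving UDP/37810-sourced, non-fragmented packets in the 576 to 912 byte range from several distinct reflectors, and then derives a flowspec-style rule (RFC 8955 match components) scoped to the victim prefix with a rate-limit action, so that all other UDP/37810 traffic is not wholesale blocked as the Key Findings caution. The flow records, the `MIN_SOURCES` threshold and the rate value are constructed assumptions.

```python
"""Detect suspected DHCPDiscover (UDP/37810) reflection traffic in flow records
and derive a narrowly scoped, rate-limiting mitigation.  Added example; the
flow records below are constructed, not captured data."""
from collections import defaultdict

REFLECTOR_PORT = 37810        # amplified traffic is sourced from UDP/37810
MIN_LEN, MAX_LEN = 576, 912   # observed amplified packet length range (bytes)
MIN_SOURCES = 3               # assumption: distinct reflectors seen before alerting

# Constructed flow records:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets, fragmented)
FLOWS = [
    ("198.51.100.10", 37810, "203.0.113.5", 80,    "udp", 9120, 10, False),
    ("198.51.100.11", 37810, "203.0.113.5", 80,    "udp", 5760, 10, False),
    ("198.51.100.12", 37810, "203.0.113.5", 443,   "udp", 7000, 10, False),
    ("198.51.100.13", 37810, "203.0.113.5", 53,    "udp", 8000, 10, False),
    # small UDP/37810 replies: plausible legitimate management traffic, not flagged
    ("198.51.100.20", 37810, "203.0.113.9", 37810, "udp", 1000, 10, False),
    # DNS traffic on another port, ignored
    ("198.51.100.30", 53,    "203.0.113.5", 33000, "udp", 5000, 10, False),
]

def looks_like_dhcpdiscover_reflection(flow):
    """True if a flow matches the amplified-traffic profile from the summary."""
    src, sport, dst, dport, proto, nbytes, pkts, frag = flow
    if proto != "udp" or sport != REFLECTOR_PORT or frag or pkts == 0:
        return False
    avg_len = nbytes / pkts
    return MIN_LEN <= avg_len <= MAX_LEN

def find_victims(flows):
    """Group matching flows by destination; keep destinations hit from at least
    MIN_SOURCES distinct reflectors.  Returns {dst_ip: {"sources": set, "bytes": int}}."""
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if looks_like_dhcpdiscover_reflection(f):
            agg[f[2]]["sources"].add(f[0])
            agg[f[2]]["bytes"] += f[5]
    return {d: v for d, v in agg.items() if len(v["sources"]) >= MIN_SOURCES}

def flowspec_rule(victim_ip, rate_bps):
    """Flowspec-style match (RFC 8955 component names) scoped to the victim /32,
    matching only the attack profile and rate-limiting rather than discarding."""
    return {
        "destination-prefix": f"{victim_ip}/32",
        "ip-protocol": "udp",
        "source-port": REFLECTOR_PORT,
        "packet-length": (MIN_LEN, MAX_LEN),
        "action": {"traffic-rate": rate_bps // 8},  # RFC 8955 traffic-rate is bytes/s
    }

if __name__ == "__main__":
    for victim, info in find_victims(FLOWS).items():
        print(victim, len(info["sources"]), "reflectors,", info["bytes"], "bytes")
        print(flowspec_rule(victim, 8_000_000))  # assumed 8 Mbit/s ceiling
```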

Recommended Actions

Network operators should perform reconnaissance to identify and remediate abusable DHCPDiscover reflectors/amplifiers on their networks and/or the networks of their customers. 

Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies which only permit internet traffic via required IP protocols and ports. Internet access traffic to/from internal organizational personnel should be kept separate from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.

DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.

Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or Arbor Technical Assistance Center (ATAC) may be consulted with regards to optimal countermeasure selection and employment.

Applicable NETSCOUT solutions: Arbor Sightline, Arbor TMS, Arbor AED, Arbor Cloud

References

https://github.com/Phenomite/AMP-Research/tree/master/Port%2037810%20-%20Dahua%20DVR%20IP%20Camera%20(refined%20payload)


ASERT Threat Summary: DHCPDiscover Reflection/Amplification DDoS Attack Mitigation Recommendations - July 2021 - v1.0
