توصيات بإغلاق منافذ على مستوى مزودي خدمة الإنترنت للوقاية من هجمات الحرمان من الخدمات DDOS

Security Advisory: AE-Advisory 15-013 Criticality: high
Issue Discovered On: 17-May-2015    
Advisory Released On: 17-May-2015    
Last Revised On: 17-May-2015    
Affected Platforms

All Platforms

Summary

aeCERT has noticed over the last few months, there has been a plethora of DDoS attacks, which all have similar malicious behaviour. Most of these attacks use vulnerable protocols that can be used to help amplify and accelerate a DDoS attack. We have noticed that most of these attacks were carried out using the UPnP set of network protocols (UDP port 1900). SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for use in residential or small office environments. Also, a variation of similar attacks exists which also use different types of vulnerable protocols. From what we have observed, many unused and vulnerable ports can be used to carry out a DDoS attack from an outside intruder. These kind of attacks can be prevented with the cooperation of the ISPs (Etisalat and Du) giving us all the assistance we need to block these unused ports and protocols within the network domain. In this report, we will attempt to explain the types of vulnerable protocols and ports used while conducting a DDOS attack and stress why it is of paramount importance to block them in order to lessen our chances of being hit with another DDOS attack in the near and distant future.

Solution

The aeCERT recommends that the UDP protocols, as listed in the above table, are blocked by the ISP with the permission of the entity as per its requirement and needs. aeCERT also recommends the cooperation of the ISP’s in the United Arab Emirates to apply with any requests the entity would like regarding the ISP level of source port blocking. We also recommend that any entity will use the DNS caching resolver servers and NTP servers of the ISP for the protocols NTP and DNS in order to prevent any DNS or NTP protocols DDoS amplification attacks.

Back To Advisory List