DDoS attacks usually rely on sheer traffic volume to flood Internet connections and thereby deny services of any kind.

Researchers from the Danish telecom operator TDC have identified and analysed a new kind of DDoS attack that requires only a limited bandwidth of 15-18 Mbit/sec from the attacker to generate 40-50K packets/sec, enough to bring down even the best professional firewalls (even on a 1 Gbit/sec network). To put this bandwidth figure in context, it is only about 10% of the capacity of a decent laptop, or double the capability of a mobile phone, i.e. 2-3 mobile phones on a public WiFi are all that is needed.


ICMP Type 3 Code 3.

By analysing 95+ incidents in which customers were attacked during a two-year period, the TDC SOC team discovered that even though the traffic volume used during the attack was low, it was enough to keep the customers’ operation down. The protocol used in these attacks was ICMP type 3 code 3.

The Internet Control Message Protocol (ICMP) uses the basic support of IP as if it were a higher-level protocol; however, ICMP is actually an integral part of IP and must be implemented by every IP module.


Destination Unreachable Message

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   IP Fields:

   Destination Address

      The source network and address from the original datagram's data.

   ICMP Fields:

   Type

      3

   Code

      3 = port unreachable;


Test how vulnerable your network is

By running hping3 from outside your network with the following commands you will get a pretty good idea of how vulnerable your network is:

  • hping3 -1 -C 3 -K 3 -i u20 <target ip>
  • hping3 -1 -C 3 -K 3 --flood <target ip>


Mitigation

Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack.
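Added example (not code from the TDC paper or the original post): a small Python checker that parses the Destination Unreachable format shown above, validates the ICMP checksum, and flags sources whose Type 3 Code 3 rate exceeds a per-second threshold, which is the signal a SOC would alert on before dropping this traffic at the WAN edge. The packets are constructed inline; the threshold is a parameter, since the 40-50K packets/sec figure above is what it took to exhaust firewalls, not a detection floor.

```python
import struct
from collections import Counter

ICMP_PROTO = 1                 # IP protocol number for ICMP
ICMP_DEST_UNREACH = 3          # Type 3
ICMP_PORT_UNREACH = 3          # Code 3

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; a valid message (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_icmp(pkt: bytes):
    """Return (src_ip, type, code, checksum_ok) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != ICMP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8:          # type, code, checksum, unused = 8 bytes minimum
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, icmp[0], icmp[1], icmp_checksum(icmp) == 0

def flood_sources(packets, pps_threshold: int, window_s: float = 1.0) -> set:
    """Sources sending more than pps_threshold Type 3 Code 3 packets in any window.
    packets is an iterable of (timestamp_seconds, raw_ipv4_bytes)."""
    counts = Counter()
    for ts, pkt in packets:
        p = parse_ipv4_icmp(pkt)
        if p and p[1] == ICMP_DEST_UNREACH and p[2] == ICMP_PORT_UNREACH:
            counts[(p[0], int(ts // window_s))] += 1
    return {src for (src, _), n in counts.items() if n > pps_threshold}

def build_icmp_unreach(src: str, code: int) -> bytes:
    """Constructed sample packet (not a capture): minimal IPv4 header + ICMP Type 3."""
    quoted = b"\x45\x00\x00\x1c" + b"\x00" * 24        # fake original IP header + 64 bits
    icmp = bytes([ICMP_DEST_UNREACH, code, 0, 0]) + b"\x00" * 4 + quoted
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP_PROTO, 0,
                     bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 1]))
    return ip + icmp

if __name__ == "__main__":
    # Constructed traffic: one host sending 60 Type 3 Code 3 in a second, plus benign noise.
    sample = [(i / 100, build_icmp_unreach("203.0.113.5", 3)) for i in range(60)]
    sample += [(0.5, build_icmp_unreach("198.51.100.7", 1))] * 5   # Code 1: host unreachable
    print(flood_sources(sample, pps_threshold=50))   # {'203.0.113.5'}
```

In production the input would come from a capture on the WAN interface, and a flagged source is the evidence for the drop rule described above.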


Source: TDC SOC published a paper on the findings on 10 November 2016.