600,000 TFTP Servers Can Be Abused For Reflection DDoS Attacks
An anonymous reader writes: Researchers have discovered that improperly configured TFTP servers can be easily abused to carry out reflection DDoS attacks that can sometimes have an amplification factor of 60, one of the highest such values. There are currently around 600,000 TFTP servers exposed online, presenting a huge attack surface for DDoS malware developers. Other protocols recently discovered as susceptible to reflection DDoS attacks include DNSSEC, NetBIOS, and some of the BitTorrent protocols.
The answer to that question is not a good one. Many VOIP phones (older Cisco, Polycom) were designed to be used inside of an office and require a TFTP server on boot to load their user/pass from. Now we have a ton of VOIP providers who sold a ton of these phones to anyone who would buy them, forcing the VOIP providers to keep their public TFTP servers for their customers. People assume this is secure since TFTP does not have a directory list function, but the reality is that if you can guess the phone's MAC address you now have the phone's login info.
Now for the fun part: MAC addresses are 48 bits (6 byte) and you lose the first 3 bytes for the vendor prefix leaving 6 bytes (24 bit) for the address. That's 16,777,215 possibilities per device type on a protocol with no authentication whatsoever.
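As an added example, not part of the original submission, this comment, or the research being summarised, the following Python models the TFTP exchange behind both points: the reflection arithmetic in the summary (a tiny, unauthenticated RRQ answered with a 516-byte DATA block that a real server keeps retransmitting until it sees an ACK, per RFC 1350) and the MAC-named provisioning file problem described in the comment. The toy server, its file contents, the demo MAC and the vendor filename patterns are all constructed assumptions for illustration; the packet layouts are from RFC 1350.

```python
"""Model of two TFTP weaknesses using RFC 1350 packet formats:
(1) a read request is tiny and unauthenticated, and a server resends
    DATA block 1 on every timeout until an ACK arrives, so a spoofed RRQ
    reflects many bytes to the victim;
(2) phone provisioning files are named after the phone's MAC, so a
    guessed filename is the only 'credential' the server checks."""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512        # RFC 1350 default data block size
ERR_NOT_FOUND = 1       # RFC 1350 error code "File not found"


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ = opcode(2) | filename | NUL | mode | NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    """DATA = opcode(2) | block#(2) | up to 512 payload bytes."""
    return struct.pack("!HH", OP_DATA, block) + payload


def build_error(code: int, msg: str) -> bytes:
    """ERROR = opcode(2) | errcode(2) | message | NUL."""
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\0"


def parse_packet(pkt: bytes) -> dict:
    """Decode the TFTP packet types used here into a dict."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        name, mode = pkt[2:].split(b"\0")[:2]
        return {"op": "RRQ" if opcode == OP_RRQ else "WRQ",
                "filename": name.decode(), "mode": mode.decode().lower()}
    if opcode == OP_DATA:
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": "DATA", "block": block, "data": pkt[4:]}
    if opcode == OP_ACK:
        return {"op": "ACK", "block": struct.unpack("!H", pkt[2:4])[0]}
    if opcode == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": "ERROR", "code": code, "msg": pkt[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


def serve_rrq(files: dict, rrq: bytes, retransmits: int = 0) -> list:
    """Toy server (an assumption, not any real implementation): answer an RRQ
    with DATA block 1, or ERROR 1 if the name is unknown. A spoofed 'client'
    never ACKs, so a real server resends block 1 on each timeout; `retransmits`
    models how many resends happen before it gives up."""
    req = parse_packet(rrq)
    if req["op"] != "RRQ":
        raise ValueError("expected RRQ")
    if req["filename"] not in files:
        return [build_error(ERR_NOT_FOUND, "File not found")]
    first = build_data(1, files[req["filename"]][:BLOCK_SIZE])
    return [first] * (1 + retransmits)


def amplification(request: bytes, responses: list) -> float:
    """UDP-payload bytes the reflector sends to the victim per byte sent by the attacker."""
    return sum(len(r) for r in responses) / len(request)


def provisioning_names(mac: str) -> list:
    """Filenames a phone might request at boot, keyed only on its MAC.
    The patterns are assumptions modelled on common vendor conventions."""
    hexmac = mac.replace(":", "").replace("-", "").lower()
    return [f"SEP{hexmac.upper()}.cnf.xml", f"{hexmac}.cfg", f"{hexmac}-phone.cfg"]


def mac_search_space(oui: str) -> int:
    """Addresses left to guess once the 3-byte OUI is known: 2**24."""
    assert len(oui.replace(":", "").replace("-", "")) == 6, "OUI must be 3 bytes"
    return 1 << 24


# Constructed demo data: one provisioned phone on the hypothetical server.
DEMO_MAC = "00:04:f2:aa:bb:cc"
DEMO_FILES = {
    "0004f2aabbcc.cfg": b"<config><user>1001</user><pass>s3cr3t</pass></config>" + b"X" * 600,
}

if __name__ == "__main__":
    rrq = build_rrq("0004f2aabbcc.cfg")
    print(f"{len(rrq)}-byte request for a MAC-named file")
    for n in (0, 5):
        resp = serve_rrq(DEMO_FILES, rrq, retransmits=n)
        print(f"{n} retransmits -> {len(resp)} x {len(resp[0])} bytes, "
              f"{amplification(rrq, resp):.1f}x amplification")
    print(parse_packet(serve_rrq(DEMO_FILES, build_rrq("nope.cfg"))[0]))
    print(mac_search_space("00:04:f2"), "MACs to try for one OUI")
    print(provisioning_names(DEMO_MAC))
```

The ratio here counts UDP payload only; on the wire each packet also carries 28 bytes of IP and UDP header, which lowers the real factor, and the number of retransmissions before a server gives up varies by implementation, so the 60x figure from the summary is not reproduced by this model. The useful check for anyone running a provisioning TFTP server is exactly the one the model makes easy: send an RRQ for a known file from a host that never ACKs, count how many times block 1 comes back, and confirm whether the server is reachable from outside the VLAN the phones live on.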
> Obviously, Google is offering a public PXE boot over-the-internet service we haven't been told about.
I've done it when hurried. It's sometimes easier to run an internal DHCP relay pointed to a well configured externally accessible DHCP server and TFTP server to get fast PXE setups in a remote environment. It's especially useful if you have a DMZ or NAT'ed internal network and set up the TFTP server outside the local VLAN.
I only open them to external traffic temporarily, but many home users and beginning sysadmins frankly insist on exposing their internal hosts, with public IP addresses. The practice of publicly exposed services, including TFTP, is so rampant on campuses and small businesses that a very real part of me hopes that IPv6 is never fully adopted, to ensure that the limited IPv4 address space _forces_ people to surrender unnecessary public IP addresses and take the elementary step of activating NAT simply to reduce the ease of abusive access to the Internet at large.