DrDoS cyberattacks based on the UBNT protocol

Following the preliminary study of denial of service (DoS) cyberattacks and their variants set out in the article “DrDoS, characteristics and operation”, this new article addresses how the UBNT protocol is used as a tool to carry out the DrDoS variant of a DoS cyberattack.
UBNT
The manufacturer Ubiquiti Networks, which specialises in network devices for wireless telecommunications, developed the proprietary UBNT Discover protocol to make interconnecting its devices easier, so that they can discover each other with little effort. The protocol operates on UDP port 10001 and is bound in a predetermined manner to the network interface of the device, for example on access points.
Its operation is simple and based on a direct or indirect broadcast: a request containing the bytes “0x01 0x00” is sent every 60 seconds (per the Device Discovery Background Scan setting) or every 30 seconds (according to the CDP v1 protocol) from one Ubiquiti device to another that has the UBNT Discover service enabled, after which the receiver responds with the data required for the two devices to associate.
Ubiquiti wireless devices are widely used to bring Internet connectivity to places where it would otherwise be difficult or expensive, and they are commonly deployed with the factory settings unchanged, which entails a major risk. Proof of this can be found with a search, for example on Shodan, which currently lists hundreds of thousands of these devices worldwide with the misconfiguration of UBNT Discover active on UDP port 10001, reachable from and exposed on the Internet.
Attack vector
Having the UBNT Discover protocol enabled on the public network interface of Ubiquiti devices allows cybercriminals to use them to carry out a DrDoS attack against a target system.
The nature of the attack is very similar to the rest of this type. On the one hand, the attacker orders a botnet under its control to send large-scale requests for information to Ubiquiti devices, which thereby become involuntary participants in the attack.
On the other hand, the requests sent are manipulated, replacing the real source IP address with that of the victim (spoofing), so that a legitimate request obtains a response addressed to the victim. The attack is thus reflected: all the responses are redirected to the same machine, the victim, which is incapable of handling the high number of packets reaching it.
Figure 1. Outline of the attack on UBNT
Finally, to ensure the denial of service of the attacked machine, the cybercriminal also takes advantage of the size of the response packets, amplifying them 30 to 35 times compared to the request packet, which is usually just a few bytes. The amplified packets typically include information about the Ubiquiti device, such as its IP and MAC addresses, the machine’s name and other identifying details.
Moreover, the operating characteristics of the UBNT Discover service allow attackers to redirect the flood of traffic to any active UDP service on the victim machine, by modifying the source port in the requests.
During this type of attack, the Ubiquiti devices that reflect and amplify the UBNT Discover queries can themselves be affected and deny service given the excessive volume of queries from the botnet, which causes wireless problems for the other devices associated with them.
It should also be borne in mind that the legitimate owners of the Ubiquiti devices that participate involuntarily may face legal problems, since, due to the aforementioned IP spoofing, they appear to the victim as the source of the attack.
Prevention
The first thing to establish is whether a UBNT Discover server is vulnerable; to do so, you need to find out how it is exposed on the Internet. Checking the firewall for UDP port 10001 shows whether this type of connection is enabled and whether it lacks filtering to allow only certain IP addresses, in which case the server is vulnerable. Conversely, if connections are allowed but source IP filtering is active, it is not vulnerable.
Good practices to prevent UBNT Discover devices from participating involuntarily in a DrDoS attack include:
- Limit or deactivate the UBNT Discover protocol. The protocol can be disabled entirely or, at least, restricted to interfaces that are not connected to the Internet and are not publicly accessible. For more information, see the device manufacturer’s documentation.
- Set out an action protocol for DrDoS UBNT attacks. Knowing how to act in the face of these attacks, which affect devices with their own UBNT Discover service, is key to responding quickly and effectively and minimising their impact. This procedure must set out how to identify these attacks and be adapted to the characteristics of the company.
- Ask the Internet Service Provider (ISP) for anti-spoofing filters: these reject UBNT Discover traffic with spoofed addresses that are not reachable through the packet’s actual path, so that suspicious queries are never answered.
- Deploy UBNT devices behind firewalls: an anti-spoofing configuration on a firewall, using rules and filters, is important so that it analyses the requests sent over UDP to port 10001 of the devices.
- Limit the visibility of UBNT Discover-enabled devices on the Internet. IP address filtering rules on a firewall make it possible to restrict access to these devices so that they are not exposed “publicly”.
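The check described above (is UDP/10001 reachable from an arbitrary Internet address, or only from a filtered set of sources?) can be expressed as a small policy evaluation. The following is an added example, not code from the INCIBE-CERT article or from Ubiquiti: it models a first-match firewall policy in a syntax of its own, places a weak rule set (Discover open to the world, as on a factory-default deployment) beside a hardened one (Discover only from a management LAN on the LAN interface, private source addresses dropped on the WAN as an anti-spoofing measure), and evaluates both. All addresses, networks and interface names are constructed.

```python
"""Evaluate whether UBNT Discover (UDP/10001) is exposed under a firewall policy.

Added illustrative example; the rule model is this example's own, not the
syntax of any firewall product. Networks and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UBNT_PORT = 10001


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    proto: str                 # "udp", "tcp" or "any"
    dport: Optional[int]       # None matches any destination port
    src: str                   # CIDR of matching source addresses
    iface: str = "any"         # ingress interface, "any" for all

    def matches(self, proto, dport, src_ip, iface):
        return (
            self.proto in ("any", proto)
            and self.dport in (None, dport)
            and self.iface in ("any", iface)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        )


def decide(rules, proto, dport, src_ip, iface, default="drop"):
    """First-match evaluation; an implicit default drop closes the policy."""
    for rule in rules:
        if rule.matches(proto, dport, src_ip, iface):
            return rule.action
    return default


def discover_exposed(rules, wan_iface="wan"):
    """True if any ordinary Internet host can reach UDP/10001 via the WAN."""
    # Documentation-range addresses stand in for "anywhere on the Internet".
    for probe_src in ("203.0.113.7", "198.51.100.99", "192.0.2.1"):
        if decide(rules, "udp", UBNT_PORT, probe_src, wan_iface) == "accept":
            return True
    return False


# Weak policy: Discover accepted from any source on any interface.
WEAK_POLICY = [
    Rule("accept", "udp", UBNT_PORT, "0.0.0.0/0"),
]

# Hardened policy: anti-spoofing drops for private sources arriving on the
# WAN, Discover accepted only from the management LAN on the LAN interface,
# and an explicit drop for Discover from everywhere else.
MGMT_NET = "10.0.0.0/24"
HARDENED_POLICY = [
    Rule("drop", "any", None, "10.0.0.0/8", iface="wan"),
    Rule("drop", "any", None, "172.16.0.0/12", iface="wan"),
    Rule("drop", "any", None, "192.168.0.0/16", iface="wan"),
    Rule("accept", "udp", UBNT_PORT, MGMT_NET, iface="lan"),
    Rule("drop", "udp", UBNT_PORT, "0.0.0.0/0"),
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: Discover exposed to the Internet = {discover_exposed(policy)}")
    # A spoofed packet claiming a management address but arriving on the WAN
    print("spoofed mgmt source on WAN:", decide(HARDENED_POLICY, "udp", UBNT_PORT, "10.0.0.5", "wan"))
```

The point of the hardened set is the order: the anti-spoofing drops come before the accept, so a request that forges a management-LAN source address but arrives on the WAN interface never reaches the Discover service, which is exactly the case the ISP-level and firewall-level anti-spoofing recommendations address.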
Detection and evidence
Evidence that one of your own devices is participating in a DrDoS attack through UBNT Discover must be sought in its activity. Intense and unusual UDP traffic on port 10001 should trigger every alert related to it. After analysing the traffic, finding that the source address of the queries received is always the same, or that there are clear signs of spoofing, confirms participation in the reflected attack.
If, on the other hand, the attack was not detected as it took place but there are suspicions that it occurred, traces of the event may be found in the logs of the devices in question. The logs of a Ubiquiti device are accessible from the device itself, though it is always advisable to send them to a SIEM for better analysis and visualisation.
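The indicators listed in this section (a burst of UDP/10001 traffic, queries that all claim the same source address, and responses that are far larger than the requests) can be computed from packet records exported by a firewall or collected in a SIEM. The following is an added example, not code from the INCIBE-CERT article: it runs over a constructed set of packet records containing one legitimate peer and one reflected burst, using only the protocol facts given in the article (UDP port 10001 and the two-byte request 0x01 0x00), and reports the amplification factor and the reflection indicators. Reply packets are recognised simply as outbound datagrams from the device's port 10001, so no assumption about the reply format is made; the thresholds and the 70-byte reply size are this example's own choices.

```python
"""Detect UBNT Discover reflection/amplification in a set of packet records.

Added illustrative example; the packet records are constructed and would in
practice come from a firewall log, NetFlow export or capture. Thresholds are
assumptions to be tuned against the site's own baseline.
"""
from collections import Counter
from dataclasses import dataclass

UBNT_PORT = 10001
UBNT_PROBE = b"\x01\x00"          # request bytes named in the article
MAX_PROBES_PER_SOURCE = 20        # a legitimate peer probes every 30-60 s


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def classify(pkt, device_ip):
    """Label a packet as a Discover probe to, or a reply from, device_ip."""
    if pkt.dst == device_ip and pkt.dport == UBNT_PORT and pkt.payload == UBNT_PROBE:
        return "probe"
    if pkt.src == device_ip and pkt.sport == UBNT_PORT:
        return "reply"
    return None


def analyse(packets, device_ip):
    """Summarise Discover traffic and list reflection/amplification indicators."""
    probes = Counter()            # probe count per claimed source address
    reply_ports = Counter()       # destination port of each reply
    probe_bytes = reply_bytes = 0
    for p in packets:
        kind = classify(p, device_ip)
        if kind == "probe":
            probes[p.src] += 1
            probe_bytes += len(p.payload)
        elif kind == "reply":
            reply_ports[p.dport] += 1
            reply_bytes += len(p.payload)
    amplification = reply_bytes / probe_bytes if probe_bytes else 0.0
    indicators = []
    for src, n in probes.items():
        if n > MAX_PROBES_PER_SOURCE:
            # Many probes "from" one address in a burst: that address is most
            # likely the spoofed victim and this device is reflecting to it.
            indicators.append(f"burst of {n} probes claiming source {src}")
    for port, n in reply_ports.items():
        if port != UBNT_PORT:
            # Replies steered at another UDP service of the victim through
            # the probe's source port, as described under "Attack vector".
            indicators.append(f"{n} replies sent to non-Discover port {port}")
    return {"probe_sources": dict(probes), "amplification": amplification,
            "indicators": indicators}


def sample_capture():
    """Constructed records: a normal background scan plus a reflected burst."""
    device, peer, victim = "198.51.100.10", "198.51.100.20", "203.0.113.7"
    reply = b"\x00" * 70                        # constructed 70-byte reply
    pkts = []
    for t in (0.0, 30.0):                       # legitimate 30 s scan
        pkts.append(Packet(t, peer, UBNT_PORT, device, UBNT_PORT, UBNT_PROBE))
        pkts.append(Packet(t + 0.01, device, UBNT_PORT, peer, UBNT_PORT, reply))
    for i in range(60):                         # 60 spoofed probes in 3 s
        t = 40.0 + i * 0.05
        pkts.append(Packet(t, victim, 53, device, UBNT_PORT, UBNT_PROBE))
        pkts.append(Packet(t + 0.01, device, UBNT_PORT, victim, 53, reply))
    return pkts, device


if __name__ == "__main__":
    packets, device_ip = sample_capture()
    for key, value in analyse(packets, device_ip).items():
        print(f"{key}: {value}")
```

On the constructed data the amplification factor comes out at 35 (70-byte replies to 2-byte probes), within the 30 to 35 range quoted in the article, and both indicators fire: sixty probes claiming the same source, and replies leaving for port 53 rather than 10001. The per-source address in the output is what the response section asks you to pass to the ISP, since under spoofing it is the victim's address, not the attacker's.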
Response and recommendations
Whether you are the target of a DrDoS attack or are participating in one involuntarily, it is recommended that you carry out the following actions, which should be set out in the action and incident management protocol for this type of attack:
- Deactivate the UBNT Discover protocol on the network interface receiving the requests, or deactivate that network interface altogether.
- Review the source and destination IP addresses, destination ports and URL addresses of the UBNT traffic. This information, which can be obtained from the firewall, will be useful to the ISP so that it can block the traffic.
- Contact the Internet or hosting provider: report the event and pass on the information it needs to apply the traffic-filtering measures necessary to stop the attack.
- Obtain technical assistance: contact the contracted IT technical services suppliers or the leading public CERTs, such as INCIBE-CERT.
Once the attack has ceased and the device’s service has been restored to normal, its causes, the vulnerabilities that made it possible and the prevention measures needed to stop it happening again must be analysed. Moreover, regardless of the scope and impact of the attack, it must be reported to the authorities so that it can be investigated and prosecuted.