Distributed Denial of Service (DDoS) attacks are a rapidly growing threat in the modern Internet. As organizations have become more reliant on the Internet for daily business, the potential impacts of losing their web presence have grown. At the same time, the complexity and cost of performing a DDoS attack has decreased dramatically. As a result, hackers can afford to launch attacks against more targets and to sell their services to interested customers.
A new discovery by DDoS attackers has significantly increased the potential impacts of their attacks. A service included in macOS enables an attacker to dramatically increase the volume of the attack that they can create. As a result, organizations are more vulnerable to large-scale DDoS attacks, and the need to deploy anti DDoS protection solutions to protect crucial Internet-facing resources from attack has grown even more pressing.
DDoS Attacks and DDoS Amplification
The Distributed in DDoS refers to the fact that a DDoS attacker uses several different machines when performing an attack against their target. A DoS attack requires overwhelming the target machine in some way. Exceeding their network bandwidth or number of allowable connections on a machine are some of the simplest ways to do this. By using multiple attacking machines, the DDoS attacker ensures that they have the ability to create the volume of traffic necessary to overwhelm their target, which may have multiple load-balanced machines or other defenses in place.
Massive DDoS attacks have become easier to perform in recent years due to the changing landscape of the Internet. In the past, the Internet was primarily composed of personal workstations and servers, which could be co-opted into a botnet to be used in an attack but also often were protected with cybersecurity defenses.
The modern Internet is increasingly composed of Internet-connected devices like thermostats and light bulbs, which have the processing power and network connections necessary to participate in DDoS attacks but don’t enjoy the same level of cybersecurity protection and often contain significant and easily-exploitable vulnerabilities. The combination of easily exploitable Internet of Things (IoT) devices and cheap cloud computing makes large-scale DDoS attacks cheaper and easier to perform, with prices below $7 per hour.
To make things worse, DDoS attackers are finding services that can be used as a DDoS amplifier. A DDoS amplifier allows the attacker to spoof the source address of traffic to it, so that the attacker can send a message and have a response sent to the victim. An effective DDoS amplifier has responses that are significantly larger than requests, so that the attacker can ensure that the victim receives more traffic than the attacker sends.
An example of a commonly used DDoS amplifier is the DNS protocol, which translates domain names (like google.com) into IP addresses (like 127.0.0.1). Since a DNS response includes all of the data included in the request plus the actual answer, sending a DNS request while masquerading as someone else ensures that the victim receives and must process more data than the attacker sends.
macOS and DDoS
The search for effective DDoS amplifiers has led attackers to look in a variety of different places. One of these is the macOS operating system.
Most operating systems have a remote desktop service. On Apple machines it is called the Apple Remote Desktop (ARD). Machines running macOS and with ARD running are also running a service called the Apple Remote Management Service (ARMS). ARMS runs on port 3283 and listens for incoming commands that it should execute on the machine. ARMS is of interest to DDoS attackers since it is a potentially huge DDoS amplifier. Most services used for DDoS attacks have an amplification factor of 5-10, meaning that they can increase the volume of traffic up to 5-10x. ARMS’s amplification factor is 35.5, significantly larger than that of services commonly used in other attacks.
The massive potential of ARMS for DDoS has been noticed and exploited by attackers. In order to use ARMS in an attack, the ARMS service must be accessible to the Internet. Searches on Shodan, a search engine for finding machines with certain ports open, have shown that almost 40,000 macOS systems are exposing ARMS to the Internet. Early attacks exploiting this functionality have reached peak traffic levels of 70 Gbps.
Protecting Against DDoS Attacks
The amplification factor of the ARMS protocol and the number of machines that can be employed in attacks make it a significant threat to the functionality and accessibility of any organization’s web-facing systems. Exploitation of this protocol is only in its early stages and may become more common over time, increasing the number and size of DDoS attacks.
One step that owners of macOS systems can take to help protect against this threat is to ensure that their computers cannot be used in attacks. Any machine with a remote desktop service open should either be behind a firewall or should be using a VPN or IP whitelisting to limit access to authorized users.
However, organizations cannot rely on owners of the exploitable machines to fix the problem. While the threat of macOS-enabled DDoS ones is a significant one, it is not the only way that an attacker can increase the power of DDoS attacks. In the modern threat landscape, deploying an effective DDoS protection solution is a fundamental step in protecting an organization’s Internet presence.