Attackers using DCCP protocol for DDoS attacks

Akamai has noticed that attackers are using the little-known DCCP network protocol (Datagram Congestion Control Protocol) for DDoS attacks.

This internet standard was approved in 2007 and helps monitor network congestion for UDP-based communications. DCCP is especially effective for applications where data arriving at the wrong time becomes useless, for example streaming, online gaming, and Internet telephony.

Although the protocol includes many features, Akamai reports that hackers abuse the three-way handshake that occurs at the start of a DCCP + UDP connection. Attackers can send a stream of DCCP-Request packets to port 33 of the server (where the DCCP protocol works), forcing the server to spend important resources on initiating three-way handshakes that will never complete, which eventually disables the server (due to lack of available resources).

This attack is similar to the TCP SYN flood, a well-known type of DDoS attack that has been used in a similar way for over a decade.

“These packets are essentially a SYN flood in the DCCP version,” explains Chad Seaman, Team Leader, Akamai SIRT.

The specialist emphasizes that even if the DCCP three-way handshake is completed and the server “survives” the flood of packets, attackers can still abuse UDP packet spoofing and simply use the open ports of the DCCP server to reflect and amplify attacks on third-party services.

Fortunately, even though the protocol has been around for almost 14 years, very few OS and application developers have bothered to support it. For example, some Linux distributions ship with DCCP support, but not all Linux distributions ship with DCCP sockets enabled out of the box. Windows systems do not seem to support this protocol at all, which explains the reluctance of some application makers to add it to their software.

“While trying to identify cases of use in the real world, we couldn’t find a single application that actually uses this protocol,” says Seaman.

In other words, Akamai believes that such attacks cannot cause significant harm for now. However, this may change if the protocol becomes more popular in the future as real-time streaming becomes more common.

As a result, Seaman recommends blocking all port 33 traffic just in case, especially in an infrastructure where DCCP is not used but is supported.
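Where DCCP has to stay reachable, the half-open handshake pattern described above can be counted from captured traffic. The following is an added example, not code from Akamai or from this article: it assumes the RFC 4340 generic header layout, and the function names, addresses, port 5001 and the 3-second timeout are constructed for illustration.

```python
import struct
from collections import Counter

# DCCP packet type codes from RFC 4340 (only the ones the client sends in the handshake)
REQUEST, ACK, DATAACK = 0, 3, 4

def parse_dccp(raw: bytes):
    """Return (src_port, dst_port, packet_type) from a DCCP generic header."""
    if len(raw) < 12:                      # shortest legal generic header (X=0)
        raise ValueError("truncated DCCP header")
    sport, dport, _off, _cc, _cksum, tbyte = struct.unpack("!HHBBHB", raw[:9])
    return sport, dport, (tbyte >> 1) & 0x0F   # byte 8 = Res(3) | Type(4) | X(1)

def half_open_handshakes(packets, timeout=3.0):
    """packets: time-ordered (timestamp, client_ip, dccp_bytes) sent to the server.
    Returns {(client_ip, client_port)} whose Request saw no Ack and is older
    than `timeout` seconds at the end of the capture."""
    pending, last_ts = {}, 0.0
    for ts, ip, raw in packets:
        last_ts = ts
        try:
            sport, _dport, ptype = parse_dccp(raw)
        except ValueError:
            continue                        # not parseable as DCCP, skip
        if ptype == REQUEST:
            pending.setdefault((ip, sport), ts)   # keep the first Request time
        elif ptype in (ACK, DATAACK):
            pending.pop((ip, sport), None)        # client finished the handshake
    return {k for k, t0 in pending.items() if last_ts - t0 >= timeout}

def build(sport, dport, ptype, seq=1):
    """Constructed test packet: 16-byte generic header, X=1, zero checksum."""
    head = struct.pack("!HHBBHBB", sport, dport, 4, 0, 0, (ptype << 1) | 1, 0)
    return head + seq.to_bytes(6, "big")

# Constructed capture: 200 Requests that never complete, plus one normal client.
SAMPLE = [(0.01 * i, "198.51.100.%d" % (i % 4 + 1), build(40000 + i, 5001, REQUEST))
          for i in range(200)]
SAMPLE += [(2.5, "192.0.2.10", build(50000, 5001, REQUEST)),
           (2.6, "192.0.2.10", build(50000, 5001, ACK)),
           (6.0, "192.0.2.10", build(50000, 5001, DATAACK))]

if __name__ == "__main__":
    stuck = half_open_handshakes(SAMPLE)
    print(len(stuck), "half-open handshakes")
    for ip, n in Counter(ip for ip, _ in stuck).most_common(5):
        print(ip, n)
```

Because Request sources can be spoofed, the total number of half-open handshakes is a more reliable signal than any per-address count.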

Let me remind you that I recently reported that DTLS can amplify DDoS by 37 times.

By Vladimir Krasnogolovy
