New DDoS attack vector discovered in DCCP protocol

Internet infrastructure company Akamai said today it observed threat actors abusing a relatively unknown networking protocol to crash internet servers.

The distributed denial of service (DDoS) attacks, which hit some of the company's customers, abused the Datagram Congestion Control Protocol (DCCP), an internet standard approved in 2007.

The protocol was designed as an improvement for the more widely used UDP, complete with a data congestion mechanisms that allows applications to verify that packets are received correctly in time-sensitive communications, such as real-time applications, games, and streaming operations.

While the protocol includes many features, Akamai said in a security alert today that threat actors are abusing the three-way handshake that occurs at the start of a DCCP connection.

Akamai says that threat actors can send a flood of DCCP-Request packets to vulnerable servers and force them to spend crucial resources initiating long-winded three-way handshakes that will never be completed and eventually crash the server due to a lack of available resources.

The attack is eerily similar to so-called "TCP SYN floods," a well-known type of DDoS attack that has been abused in the wild for more than a decade in a similar manner and which targets the TCP SYN packets at the start of every TCP connection.

"These packets are essentially SYN floods of the DCCP protocol variety," said Chad Seaman, team lead for the Akamai SIRT team.

Danger averted: DCCP protocol rarely used (for now)

Furthermore, even if a DCCP three-way handshake is completed and the server survives a packet flood, Seaman says the attackers could abuse open DCCP server ports to bounce and amplify attacks against third-party services (the victims of a "reflected" DDoS attack).

While Seaman says these attacks could pack a punch, in reality, things are a little bit different.

"The primary reason that we're unlikely to see these types of attacks in the wild in a reflection/amplification capacity today is due to the lack of hosts on the internet utilizing this protocol," Seaman said.

According to Akamai, while the protocol has been around for almost 14 years, very few operating systems and software application developers have bothered to support it.

Even if some Linux distros come with DCCP support, not all Linux distributions ship with DCCP sockets enabled out of the box. Further, Windows systems don't appear to support the protocol at all, which would explain some app makers' reluctance to add it to their software.

"While attempting to identify real world use cases, we were unable to find a single application that actually utilizes the protocol. This includes source code searches against Github for SOCK_DCCP declarations, a programmatic constant used when setting up a Socket in source code of multiple supported languages," Seaman said.

However, this doesn't mean the protocol won't become popular in the future as real-time streaming becomes more widespread in day-to-day applications. As such, Seaman recommends blocking all DCCP traffic in case companies or network administrators see suspicious connections hitting DCCP ports on infrastructure where DCCP is not in use, but supported.

A flurry of new DDoS attack vectors

Today's discovery from the Akamai SIRT team is the ninth new DDoS attack vector discovered and documented over the past three years.

Previous discoveries include the likes of:

• the Constrained Application Protocol (CoAP)
• the Web Services Dynamic Discovery (WS-DD) protocol
• the Apple Remote Management Service (ARMS)
• Jenkins servers
• Citrix ADC gateways
• Windows RDP servers
• Plex media servers
• Powerhouse VPN servers

Unlike the DCCP protocol, which has been sparingly used, the protocols listed above are widely deployed across the IT world and have already been integrated and abused as part of DDoS-for-hire (DDoS booter) services.