
A History Lesson: Apple’s Patented Method for Amplifying DDoS

In late 1999, Apple was granted US Patent No. 5,931,961 for "Discovery of acceptable packet size using ICMP echo". A form of this mechanism was implemented in Mac OS 9 and was soon misused as a means of amplifying DDoS attacks. This patent is widely cited by inventors at other Internet giants, but the mistake in its method is often forgotten by protocol designers and software developers today.

To put it simply, a Mac using this Path MTU Detection system would respond to an arriving packet with a large, often 1500-octet, ICMP ECHO or ping request.  It expected the peer to reply to that ping, and if it didn’t, an assumption could be made that the path from the Mac to that peer was not able to carry 1500-octet packets.

This was exploited by attackers who identified vulnerable Macs and compiled them into an amplification list. They then sent numerous small packets with a spoofed source address to those Macs; the source IP on the small packets was actually the target of the attack.


Because the attacker could send spoofed packets to the Mac, and the Mac had no way to know they weren't from the victim server, the Mac's 1500-byte MTU discovery ping ended up going to the victim. Unfortunately, the attacker only had to send a 64-byte packet to make this happen. The Mac amplified the bandwidth consumption of the attack by a factor of 23!
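As an added illustration (not code from this post or from Apple), the following Python model contrasts the flawed "probe whoever sends me a packet" policy with a policy that only probes peers that have completed a handshake at this address, and measures the resulting amplification factor. The hosts, addresses and packet sizes are constructed for the simulation; the 1500 and 64 figures are the ones given above.

```python
"""Model of the Mac OS 9 path-MTU probe amplification described above (constructed example)."""
from dataclasses import dataclass, field

PROBE_SIZE = 1500    # size of the ICMP echo the host emits to test the path MTU
SPOOFED_SIZE = 64    # size of the attacker's small packet carrying the victim's source IP


@dataclass
class Packet:
    src: str
    dst: str
    size: int


@dataclass
class Host:
    addr: str
    probe_unverified: bool                      # True reproduces the flawed behaviour
    verified_peers: set = field(default_factory=set)
    sent: list = field(default_factory=list)

    def complete_handshake(self, peer: str) -> None:
        # A peer that completed a handshake has proven it can receive at its claimed
        # address; a forged source address can never complete one.
        self.verified_peers.add(peer)

    def receive(self, pkt: Packet) -> None:
        # Flawed policy: any arriving packet triggers a large probe back to its source.
        # Hardened policy: probe only peers whose reachability has been verified.
        if self.probe_unverified or pkt.src in self.verified_peers:
            self.sent.append(Packet(self.addr, pkt.src, PROBE_SIZE))


def simulate(probe_unverified: bool, n_spoofed: int = 1000, victim: str = "203.0.113.10"):
    """Return (bytes toward victim, bytes the attacker sent, amplification factor,
    probes sent to a legitimate peer). Addresses are RFC 5737 documentation values."""
    mac = Host("198.51.100.5", probe_unverified)
    legit_peer = "192.0.2.7"
    mac.complete_handshake(legit_peer)
    attacker_bytes = 0
    for _ in range(n_spoofed):                  # spoofed packets claim to come from the victim
        mac.receive(Packet(victim, mac.addr, SPOOFED_SIZE))
        attacker_bytes += SPOOFED_SIZE
    mac.receive(Packet(legit_peer, mac.addr, SPOOFED_SIZE))   # normal traffic still arrives
    victim_bytes = sum(p.size for p in mac.sent if p.dst == victim)
    legit_probes = sum(1 for p in mac.sent if p.dst == legit_peer)
    return victim_bytes, attacker_bytes, victim_bytes / attacker_bytes, legit_probes


if __name__ == "__main__":
    print("flawed:  ", simulate(True))    # factor 1500/64 = 23.4375, the "factor of 23"
    print("hardened:", simulate(False))   # nothing reaches the victim; the real peer is still probed
```

The hardened policy keeps the MTU probe for peers that have actually proven reachability, which is the property a spoofed source can never satisfy.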

This particular vulnerability was of course corrected long ago, but the same conceptual problem with DDoS keeps recurring in a variety of application protocols used on the Internet: NTP, SNMP, DNS, and even online game servers (Rossow, 2014). This highlights a problem in how we build systems and test them, and it is proven over and over that if there is something that can be exploited, then someone with the patience and the intent to find it is going to be successful. Protocol designers must endeavor to avoid repeating this mistake, lest we continue ignoring one of Internet history's lessons. With the speed at which new methods are implemented and spread across the web in this day and age, the threshold for disaster is much greater.
