DCCP Protocol Exploited in DDoS Attacks

Security experts at Akamai have observed that cybercriminals are abusing the little-known DCCP (Datagram Congestion Control Protocol) for DDoS attacks. This internet standard, approved in 2007, is designed to monitor network congestion for UDP-based communications. DCCP is especially effective for applications where delayed data becomes useless, such as streaming, online gaming, and internet telephony.

Although the protocol includes many features, Akamai reports that hackers are exploiting the three-way handshake that occurs at the start of a DCCP+UDP connection. Attackers can send a stream of DCCP-Request packets to port 33 on a server (where DCCP operates), forcing the server to waste critical resources on initiating multiple three-way handshakes that are never completed. This can eventually exhaust the server’s available resources and cause it to crash.

This type of attack resembles the well-known TCP SYN flood, a DDoS technique that has been used in a similar way for over a decade. “Essentially, these packets are a SYN flood, but for the DCCP protocol,” explains Chad Seaman, leader of the Akamai SIRT team.
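The never-completed handshakes described above can be detected the same way half-open TCP connections are. The following is an added example, not code from Akamai or from the original article: it parses the DCCP generic header defined in RFC 4340 and counts, per server port, the clients whose DCCP-Request was never followed by an Ack. The function names, addresses, ports and threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

# Packet types from the 4-bit Type field of the DCCP generic header (RFC 4340)
DCCP_REQUEST, DCCP_ACK, DCCP_DATAACK = 0, 3, 4

def parse_dccp(header: bytes):
    """Return (src_port, dst_port, pkt_type) from a DCCP generic header."""
    if len(header) < 12:  # the shortest generic header (X=0) is 12 bytes
        raise ValueError("truncated DCCP header")
    src_port, dst_port = struct.unpack_from("!HH", header, 0)
    pkt_type = (header[8] >> 1) & 0x0F  # byte 8 = Res(3) | Type(4) | X(1)
    return src_port, dst_port, pkt_type

def half_open_by_server(packets, threshold=3):
    """packets: iterable of (src_ip, dst_ip, dccp_header) seen by a sensor.
    Returns {(server_ip, server_port): n} where n clients sent a Request
    that was never followed by an Ack/DataAck, and n >= threshold."""
    pending = defaultdict(set)
    for src_ip, dst_ip, raw in packets:
        try:
            sport, dport, ptype = parse_dccp(raw)
        except ValueError:
            continue  # skip malformed or truncated headers
        server, client = (dst_ip, dport), (src_ip, sport)
        if ptype == DCCP_REQUEST:
            pending[server].add(client)
        elif ptype in (DCCP_ACK, DCCP_DATAACK):
            pending[server].discard(client)  # handshake completed
    return {s: len(c) for s, c in pending.items() if len(c) >= threshold}

def build_header(sport, dport, ptype):
    # Constructed 16-byte header: X=1, zero checksum and sequence number
    return struct.pack("!HHBBHBB", sport, dport, 4, 0, 0, (ptype << 1) | 1, 0) + bytes(6)

# Constructed sample: five sources that never finish, one client that does
SAMPLE = [(f"198.51.100.{i}", "192.0.2.10", build_header(40000 + i, 5001, DCCP_REQUEST))
          for i in range(1, 6)]
SAMPLE += [("203.0.113.7", "192.0.2.10", build_header(51000, 5001, DCCP_REQUEST)),
           ("203.0.113.7", "192.0.2.10", build_header(51000, 5001, DCCP_ACK))]

if __name__ == "__main__":
    print(half_open_by_server(SAMPLE))
```

In production the pending set would also need a time window so that stale entries expire.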

Seaman emphasizes that even if the DCCP three-way handshake is completed and the server survives the packet flood, attackers can still abuse UDP packet spoofing and use open DCCP server ports to reflect and amplify attacks against third-party services.

Fortunately, despite the protocol being around for nearly 14 years, very few OS and application developers have implemented support for it. Some Linux distributions include DCCP support, but not all have DCCP sockets enabled by default. Windows systems appear not to support the protocol at all, which explains why some software vendors are reluctant to add it to their products.

“When trying to find real-world use cases, we couldn’t identify a single application that actually uses this protocol,” says Seaman.

In other words, Akamai believes that for now, these attacks are unlikely to cause significant harm. However, the situation could change if the protocol becomes more popular in the future, especially as real-time streaming continues to grow. As a precaution, Seaman recommends blocking all traffic on port 33, especially in infrastructures where DCCP is supported but not used.
