Akamai Technologies, Inc. is a global content delivery network, cybersecurity, and cloud service company, providing web and Internet security services.
Recent attacks against Akamai customers have leveraged a networking protocol known as protocol 33, or Datagram Congestion Control Protocol (DCCP). These attacks prompted the Akamai SIRT team to look into the protocol further and offer insights and mitigation strategies for network defenders.
The DCCP is a more reliable “unreliable” network protocol. It was designed to minimize data and processing overhead of time-sensitive (real-time/streaming) data delivery (typically associated with UDP) while providing improved congestion control and data exchange that typically aren’t associated with UDP (User Datagram Protocol) flows.
It serves as a sweet spot between the UDP and the Transmission Control Protocol (TCP), aiming to provide the speed and ease of UDP, with the added benefit of congestion and flow control typically associated with TCP.
It is engineered to work well on networks with high levels of bandwidth fluctuation where congestion problems could arise, such as mobile networks.
DCCP, like TCP, requires a three-way handshake before it can begin data transmission. The connection is established using a DCCP-Request packet, which expects a DCCP-Response packet, triggering a DCCP-Ack packet from the initiator. Once this handshake is completed, data transmission begins with a series of other purpose-built protocol control packets.
The Attacks So Far
In the attacks against Akamai customers, 100% of the traffic consisted of DCCP-Request packets. These packets are essentially SYN floods of the DCCP protocol variety.
They resemble TCP SYN floods, a well-known type of DDoS attack that has been abused in the wild for more than a decade in a similar manner, and which targets the TCP SYN packets at the start of every TCP connection.
These attacks appear to be volumetric and likely geared towards bypassing defenses that focus on TCP and UDP workflows.
“These packets are essentially SYN floods of the DCCP protocol variety,” said Chad Seaman, team lead for the Akamai SIRT team.
As long as attackers properly configure IP headers in the packet, they’ll successfully route attack traffic to intended victims and fly under the radar of TCP/UDP-centric defense strategies and technologies.
Even if a DCCP three-way handshake is completed and the server survives a packet flood, Seaman says the attackers could abuse the spoofability of UDP packets and just use open DCCP server ports to reflect and amplify attacks against third-party services (the victims of a “reflected” DDoS attack).
“The primary reason that we’re unlikely to see these types of attacks in the wild in a reflection/amplification capacity today is due to the lack of hosts on the internet utilizing this protocol,” Seaman said.
Organizations may choose to do baseline flow analysis for DCCP traffic across their edge. Given the lack of widespread adoption of DCCP (protocol 33), a blanket ACL DROP seems reasonable as a mitigation and possibly even a pre-mitigation strategy for organizations under active or anticipated attack.
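As an added illustration of the baseline flow analysis suggested above (example code, not Akamai's or the article's), the following Python parses raw IPv4/DCCP headers according to RFC 4340, counts packet types, and flags a capture dominated by DCCP-Request packets from many sources, the pattern the attacks described here exhibited. The packets, addresses, ports and thresholds are constructed for the example.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

DCCP_PROTOCOL = 33  # IP protocol number of DCCP (RFC 4340)
# DCCP packet types from the 4-bit Type field of the generic header (RFC 4340, section 5.1)
DCCP_TYPES = {0: "Request", 1: "Response", 2: "Data", 3: "Ack", 4: "DataAck",
              5: "CloseReq", 6: "Close", 7: "Reset", 8: "Sync", 9: "SyncAck"}

def parse_ipv4_dccp(pkt):
    """Return (src, dst, DCCP type name) for an IPv4/DCCP packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != DCCP_PROTOCOL or len(pkt) < ihl + 12:
        return None
    dccp = pkt[ihl:]
    # Byte 8 of the generic header: Res (3 bits) | Type (4 bits) | X (1 bit)
    ptype = (dccp[8] >> 1) & 0x0F
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), DCCP_TYPES.get(ptype, "Unknown")

def build_dccp(src, dst, ptype, dport=5001):
    """Build a constructed IPv4/DCCP packet with the 48-bit extended sequence number; checksums left zero."""
    hdr = struct.pack("!HHBBH", 40000, dport, 5 if ptype == 0 else 4, 0, 0)
    hdr += bytes([(ptype << 1) | 1, 0]) + b"\x00" * 6          # Type/X byte, reserved, sequence number
    if ptype == 0:
        hdr += struct.pack("!I", 0)                               # DCCP-Request carries a 32-bit Service Code
    total = 20 + len(hdr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, DCCP_PROTOCOL, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + hdr

def classify_traffic(pkts, min_requests=5, request_share=0.8):
    """Count DCCP packet types in a capture and flag a Request-dominated flood (other protocols ignored)."""
    parsed = [p for p in map(parse_ipv4_dccp, pkts) if p is not None]
    types = Counter(name for _src, _dst, name in parsed)
    sources = {src for src, _dst, name in parsed if name == "Request"}
    total = len(parsed)
    share = types["Request"] / total if total else 0.0
    return {"total": total, "types": dict(types), "request_share": round(share, 2),
            "request_sources": len(sources),
            "flood": types["Request"] >= min_requests and share >= request_share}

# Constructed sample: twelve DCCP-Requests from distinct sources, one Response/Ack pair, one UDP packet
SAMPLE = [build_dccp(f"198.51.100.{i}", "203.0.113.10", 0) for i in range(1, 13)]
SAMPLE += [build_dccp("203.0.113.10", "192.0.2.7", 1), build_dccp("192.0.2.7", "203.0.113.10", 3)]
SAMPLE.append(bytes([0x45, 0, 0, 28, 0, 1, 0, 0, 64, 17, 0, 0]) + IPv4Address("192.0.2.9").packed + b"\x00" * 12)
```

Running `classify_traffic(SAMPLE)` reports 14 DCCP packets, a Request share of 0.86 across 12 sources, and sets `flood` to True; the UDP packet is ignored, which is the blind spot the article warns about in TCP/UDP-only monitoring.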
DCCP is now the latest trial run from an attacker trying to maximize damage in new and creative ways. There are over 140 standardized protocol numbers encompassed by the Internet Protocol (IP) as of today, and there will likely be more added as technology continues to evolve.
Though DCCP appears to be the latest protocol probed for abuse capabilities, its lack of adoption prevents it from being a major concern, outside of volumetric attacks or myopic defense strategies that fail to account for the abuse of, and mitigation capabilities for, less common network protocols.