Revamped Community-Based DDoS Defense Tool Improves Filtering

Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses.

The Unwanted Traffic Removal Service (UTRS), a free peer-to-peer defense against distributed denial-of-service attacks, has been updated with more granular controls that allow organizations to block traffic that uses specific protocols or targets specific ports.

This service gives smaller network providers, as well as companies that manage their own online servers and resources, the ability to block traffic to certain Internet addresses that they control. The initial version of UTRS, which has run for more than seven years, allowed organizations to turn off a specific Internet address under their control. The latest version adds more granular controls, allowing specific protocols or destination ports to be shut down instead.

The idea for this service is not to just stop traffic from reaching a targeted server or application but to push the blockade to the edge of the network, says James Shank, chief architect of community services and senior security evangelist at Team Cymru, the threat intelligence firm that manages the project.

"The hope is that this puts network operators back together as a community of like-minded people who do what network operators do: send packets, receive packets, and, in many cases, mitigate attacks," he says. "Our hope is that it brings back a bit of an equity between the big fish and the small fish in the network operations community."

Distributed denial-of-service (DDoS) attacks have changed over time. Now, they are smaller and hit companies in short bursts. The video-gaming industry tends to be the biggest DDoS target, with 340% more attacks in 2020 than the previous year — a trend driven by cheaters, griefers, and, increasingly, cybercriminals. However, a variety of other industries consistently suffer as well.

The UTRS 2.0 platform allows smaller organizations to block attacks by asking participating upstream networks to drop any traffic sent to a specific Internet address. This tactic not only prevents smaller companies and networks from being inundated with traffic that causes collateral damage to other services, but also pushes filtering to the edge of the network, preventing the attack from affecting other providers.

"If the traffic is originating from the 100,000s bots ... all of that traffic is going through all of these providers and affecting their bandwidth," says Shank. "UTRS provides protection to the Internet itself."

UTRS is one of Team Cymru's community services, which the company provides at no cost to help improve the capabilities of security teams. Currently, the platform has 1,300 participating businesses and allows an organization — once verified by Team Cymru — to issue block commands for Internet addresses under its control. Verification is the only manual process. Once a company is verified, it can issue block requests that are then distributed to upstream providers, which filter the traffic.

Each participating network has the ability to block up to 25 addresses, and the service distributes a list of the most recent 200 targets and blocks traffic to those IP addresses. While 200 does not seem like a lot, there are typically not many attacks hitting hundreds of IP addresses at the same time, Shank says.

"In our experience, the thing that is happening right now is more important and more valid than the thing that was happening four hours ago," he says.

Changes From First Version

The original UTRS built on an existing technique, Remotely Triggered Black Hole (RTBH) routing, which drops traffic coming from a specific IP address or destined for a specific IP address. The second version of UTRS additionally allows blocking traffic that uses certain protocols or targets specific ports. A participating company can only change the status of addresses within its own IP address space, Shank says.

"If you are the victim, the attack is going to be originating from someone else's address space, so that is why we allow you to filter traffic from your address space," he says. "One of the long-standing mantras in the community is that all policies are local — you set policies for your network, but you do not have control over other people's networks."

One of the most promising features of UTRS 2.0 is the ability to drop traffic using FlowSpec rules for the Border Gateway Protocol (BGP), the part of the Internet's infrastructure through which networks announce the authoritative routes that traffic should take. BGP FlowSpec allows black-hole requests to be much more detailed, specifying a protocol, a source port, and a destination port rather than only a destination address.
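The constraints the article describes (a verified participant may only affect its own address space, up to 25 addresses per participant, a shared feed of the 200 most recent targets, and FlowSpec-style protocol/port matches) can be modeled as a small validation layer. The following is an added example, not Team Cymru's code or the real UTRS implementation; the participant names, prefixes, class names and the way the cap and window interact are assumptions made for illustration.

```python
# Added example (not Team Cymru's code): a minimal model of how a UTRS-style
# service could validate block requests before redistributing them.
# Assumptions (not from the article): participants are keyed by name, each
# has a list of prefixes verified during onboarding, and the 25-address cap
# is counted against the shared 200-entry window.
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional

MAX_PER_PARTICIPANT = 25   # article: up to 25 addresses per network
WINDOW = 200               # article: the most recent 200 targets are distributed


@dataclass(frozen=True)
class BlockRequest:
    participant: str
    target: str                      # single IP address under the requester's control
    protocol: Optional[int] = None   # FlowSpec-style match, e.g. 17 = UDP; None = any
    dst_port: Optional[int] = None   # FlowSpec-style match; None = any destination port


class UtrsPolicy:
    def __init__(self, verified_space: dict):
        # participant -> verified prefixes (IPv4 and IPv6 both supported)
        self.space = {p: [ipaddress.ip_network(n) for n in nets]
                      for p, nets in verified_space.items()}
        self.recent = deque(maxlen=WINDOW)   # shared feed; oldest entries age out

    def authorized(self, req: BlockRequest) -> bool:
        """'All policies are local': the target must sit inside the requester's own space."""
        addr = ipaddress.ip_address(req.target)
        return any(addr in net for net in self.space.get(req.participant, []))

    def active_targets(self, participant: str) -> set:
        """Distinct addresses this participant currently has in the shared window."""
        return {r.target for r in self.recent if r.participant == participant}

    def submit(self, req: BlockRequest) -> str:
        if not self.authorized(req):
            return "rejected: outside verified address space"
        if req.dst_port is not None and not 0 <= req.dst_port <= 65535:
            return "rejected: invalid destination port"
        if req.protocol is not None and not 0 <= req.protocol <= 255:
            return "rejected: invalid protocol number"
        active = self.active_targets(req.participant)
        if req.target not in active and len(active) >= MAX_PER_PARTICIPANT:
            return "rejected: per-participant cap reached"
        self.recent.append(req)
        return "accepted"
```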

The goal of the community service is to give smaller network providers and companies managing their own infrastructure the ability to respond to attacks and to block those attacks at the edge, Shank says.

"These smaller networks, they can't afford top-dollar services to help protect their network," he says. "The great thing about UTRS is that it is bringing back the parity between big players and small players."