Posted on October 4, 2019 at 3:53 PM
DDoS attacks are growing in number as attackers seek to cripple or ransom specific systems and services. The attacks are also evolving: as the methods have become more advanced, many devices that were previously of no use to DDoS attackers can now be drawn into their attacks.
macOS systems vulnerable to attacks
Recent findings show that DDoS-for-hire services, also known as DDoS booters, are abusing macOS systems to launch a variety of DDoS attacks. The systems being leveraged are Macs with the Apple Remote Desktop (ARD) feature enabled that are reachable directly from the internet, that is, machines that are not behind a NAT router or a firewall that blocks the service.
The attackers are targeting the Apple Remote Management Service (ARMS), which is part of the ARD feature. Once Remote Management is enabled on a Mac, the ARMS service listens on UDP port 3283 for commands meant for that machine. Because the service runs over UDP, it cannot verify the source address of a request, and that is what makes it usable as a reflector: anyone on the internet can send it a query with a forged source address and the reply goes to whoever that address belongs to.
Amplification factor in the DDoS attacks
There are several types of DDoS attacks, and amplification is one technique for carrying them out. In an amplification attack, the attacker does not send traffic to the victim directly but bounces it off an intermediary: the attacker sends requests to a third-party server with the source address forged to be the victim's, and the server sends its (larger) responses to the victim. In the attacks affecting macOS, the Remote Desktop service on the exposed Mac is that intermediary.
Every protocol that can be abused this way has a danger level that researchers call the amplification factor: the ratio between the size of the response the intermediary sends toward the victim and the size of the request the attacker had to send to trigger it. The higher the factor, the more traffic the attacker gets for each byte of their own bandwidth, and the more powerful the attack. For most DDoS amplification attacks, the factor lies between 5 and 10.
For comparison, researchers from Netscout have found that the amplification factor in the ARMS attacks is 35.5. Other protocols have offered similar or even higher amplification, but none as stable: high-amplification vectors are usually unstable from the attacker's point of view, which makes them unreliable for what the attackers want to achieve.
The high amplification of the ARMS attacks makes them very dangerous. Attackers have usually relied on protocols such as DNS and NTP, which are attractive because of the large number of servers available to bounce traffic off; the more reflectors an attacker can use, the more traffic they can direct at a victim. With ARMS, attackers now have a high-amplification protocol that is also exposed on a large number of hosts, which widens the range of attacks they can carry out.
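The two quantities described above, the reflector that answers spoofed requests and the amplification factor as a bytes-out over bytes-in ratio, are easiest to see in flow data. The following is an added example, not code from the article, Netscout or Apple: it pairs request and response flows on UDP/3283 per reflector and peer, skips peers inside the local network (legitimate ARD administration), and flags external peers that received amplified responses, since an external address that "asked" an internal Mac for remote-management data is almost certainly a spoofed victim. The flow record layout is assumed (NetFlow-style fields), and the addresses and byte counts are constructed; the byte counts were chosen so the computed factor lands on the 35.5 reported by Netscout.

```python
"""Detect ARMS (UDP/3283) reflection in flow records and measure amplification.

Added example for this article, not Netscout's or Apple's code. The flow
records, addresses and byte counts below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ARMS_PORT = 3283  # Apple Remote Desktop "Remote Management" service, UDP


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow-style; field layout assumed)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    if request_bytes <= 0:
        raise ValueError("request_bytes must be positive")
    return response_bytes / request_bytes


def arms_reflection_report(flows, local_nets=("192.0.2.0/24",),
                           min_factor=5.0, min_response_bytes=50_000):
    """Flag (reflector, peer) pairs where a host answered UDP/3283 queries
    with far more bytes than it received, to a peer outside local_nets.
    That peer is the spoofed source address, i.e. the DDoS victim.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    to_port = defaultdict(int)    # (reflector, peer) -> bytes sent to 3283
    from_port = defaultdict(int)  # (reflector, peer) -> bytes sent from 3283
    for f in flows:
        if f.proto != "udp":
            continue  # reflection needs a connectionless transport
        if f.dport == ARMS_PORT:
            to_port[(f.dst, f.src)] += f.nbytes
        elif f.sport == ARMS_PORT:
            from_port[(f.src, f.dst)] += f.nbytes

    findings = []
    for (reflector, peer), out_bytes in sorted(from_port.items()):
        peer_ip = ipaddress.ip_address(peer)
        if any(peer_ip in n for n in nets):
            continue  # LAN administration of the Mac, not an attack
        in_bytes = to_port.get((reflector, peer), 0)
        # Spoofed requests may enter via a path the sensor does not see;
        # a missing request side is treated as unbounded amplification.
        factor = amplification_factor(in_bytes, out_bytes) if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and factor >= min_factor:
            findings.append({"reflector": reflector, "victim": peer,
                             "request_bytes": in_bytes,
                             "response_bytes": out_bytes,
                             "factor": round(factor, 1)})
    return findings


# Constructed sample: attacker-sent queries forged to come from the victim
# (198.51.100.7) reach the exposed Mac (192.0.2.10); the Mac answers the
# victim with 1633-byte replies to 46-byte requests. A LAN admin
# (192.0.2.25) also talks to the service, and unrelated TCP is present.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", 40000, "192.0.2.10", ARMS_PORT, 100, 4600),
    Flow("udp", "192.0.2.10", ARMS_PORT, "198.51.100.7", 40000, 100, 163300),
    Flow("udp", "192.0.2.25", 50123, "192.0.2.10", ARMS_PORT, 5, 300),
    Flow("udp", "192.0.2.10", ARMS_PORT, "192.0.2.25", 50123, 5, 1200),
    Flow("tcp", "192.0.2.10", 443, "198.51.100.7", 51000, 20, 9000),
]

if __name__ == "__main__":
    for finding in arms_reflection_report(SAMPLE_FLOWS):
        print(f"{finding['reflector']} reflected {finding['response_bytes']} B "
              f"to {finding['victim']} (factor {finding['factor']})")
```

On real data the thresholds matter: `min_response_bytes` keeps a single legitimate remote session from being reported, and the external-peer test does the heavy lifting, because a correctly firewalled Mac should never exchange UDP/3283 traffic with the internet at all.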
Tens of thousands of Macs are vulnerable
Who first discovered that ARMS could be abused for DDoS amplification is unknown, but the attacks are already being used in the wild. Netscout picked up the first of them in the second week of June, and the firm said that attack peaked at 70 Gbps. That is a powerful attack, and if the rest of the ARMS attacks are anywhere near that size, targets will have difficulty absorbing them. The practical fix lies with the owners of the reflectors rather than the victims: Remote Management should not be reachable from the internet, so UDP port 3283 should be blocked at the network edge, or the feature disabled when it is not needed.
Statistics from BinaryEdge show close to 40,000 Macs with the Remote Desktop feature enabled and reachable from the internet, and therefore usable in these attacks. Every one of them could serve as an intermediary off which attackers bounce their traffic when they launch DDoS attacks.