Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS


Akamai LogoAkamai SIRT is investigating a new DDoS reflection and amplification method that abuses TFTP. This is yet another UDP-based protocol that has been added to the list of DDoS amplification scripts available for malicious use.

A weaponized version of the TFTP attack script began circulating around the same time as publications regarding research on the possibility of this attack method were posted. The research was conducted by Edinburgh Napier University.

As of April 20, 2016, Akamai has mitigated 10 attacks using this method against our customer base. Most of the attack campaigns consisted of multi-vector attacks which included TFTP reflection. An indication that this method has possibly been integrated into at least one site offering DDoS as a service.

Details of these attacks follow along with a revealing lack of distribution based on IP sources observed during early attacks.

2.0 / HIGHLIGHTED CAMPAIGN ATTRIBUTES / Here are the basic details of what is involved in these attacks:

  • Peak bandwidth: 1.2 Gigabits per second
  • Peak packets per second: 176.4 Thousand Packets per second
  • Attack Vector: TFTP Reflection
  • Source port: 69(TFTP)
  • Destination port: Random
akamai-attack payload1

“Figure 1: Payload samples from all 4 attacks. Only the first block of DATA (block 1) is sent to the target.”

akamai-source asn

“Figure 2: Respresents source ASN information of reflectors used in DDoS attacks against our customers.”

Click HERE to read the full advisory.