Search This Blog

Akamai observes new types of reflection DDoS attack

Akamai observes new types of reflection DDoS attack

Akamai Security Intelligence Response Team (ASIRT) has observed three new types of Distributed Reflective Denial of Service also known as reflection DDoS attacks that were being used in the wild from March to September 2015.

The ASIRT has published an advisory which warns for network admins that leave external ports open, especially if those ports are handled by UDP-based protocols, known as regular mediums for carrying out reflection DDoS attacks.

In the advisory, it has said that RPC, NetBIOS and Sentinel services abused in a series of new reflection DDoS attacks. There are a collection of network protocols vulnerable to these types of attacks, but the most dangerous ones are those that can accidentally add an amplification factor to the whole process.

The attackers can send one corrupted packet to a reflection point, but the victim receives ten. In this case, the reflection DDoS attack comes with an amplification factor of 10.

The Akamai has described in the advisory that during the past seven months, attackers have turned to new mediums for carrying out reflection DDoS attacks.

During these past months ten reflection DDoS attacks have been observed using RPC, NetBIOS and Sentinel technologies, one of which managed to go over 100 Gbps (Gigabits per second).

In NetBIOS, a protocol used in computer software to allow applications to talk to each other via LAN networks, based reflection DDoS attacks, it was observed that the peak bandwidth never went above 15.7 Gbps, the amplification factor was between 2.56 and 3.85, and its main victims were targets in the gaming and Web hosting sector.

Similarly, RPC attack, which uses RPC portmaps, a service that maps RPC service numbers to network port numbers, peaked around 105.96 Gbps, had an amplification factor of 9.65, and the first that was observed dates back to August against a financial firm.

And, the Sentinel attacks, which were also abused for reflective DDoS attacks, are generally used in closed environments to manage user licenses for multi-user network setups. It was observed that reflection DDoS attacks using Sentinel servers coming out of the University of Stockholm, at a peak of 11.7 Gbps, with an amplification factor of 42.94.
Share it:

Information Security