CAMBRIDGE, Mass., Oct. 28, 2015 /PRNewswire/ --
- Threat advisory details 3 new reflection DDoS attacks
observed by Akamai's DDoS mitigation experts
- Attackers unrelenting in innovative abuse of UDP services
exposed to the Internet
- New DDoS attacks misuse NetBIOS name server, RPC portmap,
and Sentinel licensing servers to cause denial of service
outages
Akamai Technologies, Inc. (NASDAQ: AKAM), the global leader in
content delivery network (CDN) services, published today a new
cybersecurity threat advisory. Akamai has observed three new
reflection distributed denial of service (DDoS) attacks in recent
months. The advisory details the DDoS threat posed by NetBIOS name
server reflection, RPC portmap reflection, and Sentinel reflection
in full, including payload analysis, a Snort rule, and system
hardening best practices. It is available for download at
www.stateoftheinternet.com/3-ddos-reflection
What is DDoS reflection?
In a reflection DDoS attack, also called a DrDoS attack, there
are three types of participants: the attacker, victim servers that
act as unwitting accomplices, and the attacker's target. The
attacker sends a simple query to a service on a victim host. The
attacker falsifies (spoofs) the query, so it appears to originate
from the target. The victim responds to the spoofed address,
sending unwanted network traffic to the attacker's target.
Attackers choose reflection DDoS attacks where the victim's
response is much larger than the attacker's query; the ratio of
response size to query size is the amplification factor, and it
multiplies the bandwidth the attacker actually controls. By
automating the process with an attack tool, the attacker sends
hundreds or thousands of queries at high rates to a large list of
victims, causing them to unleash a flood of unwanted traffic and a
denial of service outage at the target.
"Although reflection DDoS attacks are common, these three attack
vectors abuse different services than we've seen before, and as
such they demonstrate that attackers are probing the Internet
relentlessly to discover new resources to leverage," said
Stuart Scholly, senior vice
president and general manager, Security Business Unit, Akamai. "It
looks like no UDP service is safe from abuse by DDoS attackers, so
server admins need to shut down unnecessary services or protect
them from malicious reflection. The sheer volume of UDP services
open to the Internet for reflection DDoS attacks is
staggering."
The attack tools for each of the new reflection attacks are
related – they are all modifications of the same C code. Each
attack vector requires the same basic recipe – a script that sends
a spoofed request to a list of victim reflectors. The command-line
options are similar.
NetBIOS name server reflection DDoS attack
The NetBIOS reflection DDoS attack – specifically NetBIOS Name
Service (NBNS) reflection – was observed by Akamai as occurring
sporadically from March to July 2015.
The primary purpose of NetBIOS is to allow applications on separate
computers to communicate and establish sessions to access shared
resources and to find each other over a local area network.
In the observed attacks, the response traffic reaching the target was
2.56 to 3.85 times the volume of the queries the attacker sent (an
amplification factor of 2.56 to 3.85). Akamai observed four NetBIOS
name server reflection attacks, the largest peaking at 15.7 Gbps.
Although legitimate and malicious NetBIOS name server queries are a
common occurrence, a response flood was first detected in March 2015
during a DDoS attack mitigated for an Akamai customer.
RPC portmap reflection DDoS attack
The first RPC portmap reflection DDoS attack observed and
mitigated by Akamai occurred in August
2015 in a multi-vector DDoS attack campaign. RPC portmap,
also known as port mapper, tells a client how to call a particular
version of an Open Network Computing Remote Procedure Call (ONC
RPC) service.
The largest responses had an amplification factor of 50.53. A
more common amplification factor was 9.65. Of the four RPC
reflection attack campaigns mitigated by Akamai, one exceeded 100
Gbps, making it an extremely powerful attack. Active malicious
reflection requests were observed by Akamai almost daily against
various targets in September 2015.
Sentinel reflection DDoS attack
The first Sentinel reflection DDoS attack was observed in
June 2015 at Stockholm University and identified as a
vulnerability in the license server for SPSS, a statistical
software package. Akamai mitigated two Sentinel reflection DDoS
campaigns in September 2015. The
attack sources included powerful servers with high bandwidth
availability, such as university servers.
The amplification factor for this attack is 42.94, but only 745
unique sources of this attack traffic have been identified. Even with
the extra bandwidth afforded by servers in well-connected networks, an
attack of this type is limited by the number of reflectors available;
one such attack peaked at 11.7 Gbps.
DDoS mitigation and system hardening
For all three attack vectors, upstream filtering can be used for
DDoS mitigation where possible; otherwise a cloud-based DDoS
mitigation service provider will be needed. The threat advisory
provides a Snort mitigation rule to detect malicious queries
generated by the RPC portmap attack tool; similar rules can be
written to detect the queries used against the Sentinel service.
"For all three services, admins should ask if the service needs
to be exposed to everyone on the Internet," said Scholly. "For
NetBIOS, the answer is probably no. For the other two the answer
may be yes, and the issue then becomes how to protect them. RPC and
Sentinel traffic can be monitored with an intrusion detection
system."
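As an added example (not Akamai's code and not the Snort rule shipped with the advisory), the following Python script shows how the operator of one of these services can check their own flow records for the abuse pattern described in the "What is DDoS reflection?" section and the mitigation advice above: a single peer address sending many queries to the NetBIOS name service, RPC portmap or Sentinel, with responses many times larger than the queries (the amplification factor). The flow line format, the sample records and the thresholds are constructed for this example; UDP 137 and 111 are the registered NetBIOS name service and portmap ports, while UDP 5093 for the Sentinel license manager is an assumption.

```python
"""Reflection-abuse detector for a host that exposes UDP services.

Added example, not Akamai's code and not the advisory's Snort rule. It
reads flow records as an operator might export them at the reflector's
own border, pairs each inbound query flow to a reflector port with the
outbound response flow to the same peer, and flags peers whose query
count and response/request byte ratio (the amplification factor) look
like reflection abuse. Flow format and sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP ports of the three services in the advisory. 137 (NetBIOS Name
# Service) and 111 (RPC portmap) are the registered ports; 5093 for the
# Sentinel license manager is an assumption made for this example.
REFLECTOR_PORTS = {137: "netbios-ns", 111: "rpc-portmap", 5093: "sentinel-lm"}

# Thresholds (assumed): report a peer that sent at least MIN_QUERIES
# queries and got back at least MIN_AMPLIFICATION response bytes per
# query byte within the flow window.
MIN_QUERIES = 50
MIN_AMPLIFICATION = 2.0


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    npkts: int


def parse_flow(line: str) -> Flow:
    """Parse 'src sport dst dport proto bytes packets' (constructed format)."""
    src, sport, dst, dport, proto, nbytes, npkts = line.split()
    return Flow(src, int(sport), dst, int(dport), proto.lower(), int(nbytes), int(npkts))


def find_reflection_abuse(flows, local_hosts):
    """Return {(peer, service): report} for peers using a local host as reflector.

    The peer address of an inbound query flow is the *spoofed* source, i.e.
    the attack target, so a flagged entry means "this host is being used to
    flood that address"; it is not an address to blacklist.
    """
    inbound = defaultdict(lambda: [0, 0])   # (peer, local, port) -> [bytes, pkts]
    outbound = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst in local_hosts and f.dport in REFLECTOR_PORTS:
            acc = inbound[(f.src, f.dst, f.dport)]
        elif f.src in local_hosts and f.sport in REFLECTOR_PORTS:
            acc = outbound[(f.dst, f.src, f.sport)]
        else:
            continue
        acc[0] += f.nbytes
        acc[1] += f.npkts

    reports = {}
    for (peer, local, port), (in_bytes, in_pkts) in inbound.items():
        out_bytes, out_pkts = outbound.get((peer, local, port), (0, 0))
        amp = out_bytes / in_bytes if in_bytes else 0.0
        reports[(peer, REFLECTOR_PORTS[port])] = {
            "reflector": local,
            "queries": in_pkts,
            "responses": out_pkts,
            "amplification": round(amp, 2),
            "flagged": in_pkts >= MIN_QUERIES and amp >= MIN_AMPLIFICATION,
        }
    return reports


# Constructed flow records seen at the border of reflector 198.51.100.10.
# The three 100-packet pairs mimic the advisory's amplification figures
# (about 3.6x for NBNS, 9.65x for portmap, 42.94x for Sentinel); the
# single-packet pairs are ordinary clients; the TCP flow is unrelated.
SAMPLE_FLOWS = """
203.0.113.5 53000 198.51.100.10 137 udp 5000 100
198.51.100.10 137 203.0.113.5 53000 udp 18000 100
203.0.113.5 53001 198.51.100.10 111 udp 6000 100
198.51.100.10 111 203.0.113.5 53001 udp 57900 100
203.0.113.5 53002 198.51.100.10 5093 udp 2500 100
198.51.100.10 5093 203.0.113.5 53002 udp 107350 100
192.0.2.20 40001 198.51.100.10 111 udp 60 1
198.51.100.10 111 192.0.2.20 40001 udp 400 1
192.0.2.21 40002 198.51.100.10 137 udp 50 1
198.51.100.10 137 192.0.2.21 40002 udp 180 1
192.0.2.30 40003 198.51.100.10 22 tcp 900000 1200
""".strip().splitlines()

LOCAL_HOSTS = {"198.51.100.10"}


def run_sample():
    """Analyse the constructed records above; returns the report dict."""
    return find_reflection_abuse((parse_flow(l) for l in SAMPLE_FLOWS), LOCAL_HOSTS)


if __name__ == "__main__":
    for (peer, service), r in sorted(run_sample().items()):
        flag = "ABUSE" if r["flagged"] else "ok"
        print(f"{flag:5} {service:12} target={peer:15} queries={r['queries']:4} "
              f"amplification={r['amplification']:.2f}x")
```

Two points a practitioner should keep in mind when acting on such a report. The flagged "source" is the spoofed address of the attack target, so the right response on the reflector is to restrict or rate-limit the service (or, for NetBIOS, not expose it to the Internet at all), not to block that address. Seen from the target's edge the same pairing runs the other way: inbound UDP flows from reflector source ports 137, 111 or 5093 for which no matching outbound query exists are the response flood itself, and upstream filtering on those source ports is the first mitigation to try.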
To learn more about these reflection DDoS threats and DDoS
mitigation techniques, please download a complimentary copy of the
threat advisory at www.stateoftheinternet.com/3-ddos-reflection
About Akamai
As the global leader in Content Delivery
Network (CDN) services, Akamai makes the Internet fast, reliable
and secure for its customers. The company's advanced web
performance, mobile performance, cloud security and media delivery
solutions are revolutionizing how businesses optimize consumer,
enterprise and entertainment experiences for any device, anywhere.
To learn how Akamai solutions and its team of Internet experts are
helping businesses move faster forward, please visit www.akamai.com
or blogs.akamai.com, and follow @Akamai on Twitter.
Note: All product and company names are trademarks of their
respective organizations.
Contacts:
Rob Morton
Media Relations
617-444-3641
rmorton@akamai.com
--or--
Tom Barth
Investor Relations
617-274-7130
tbarth@akamai.com
Logo - http://photos.prnewswire.com/prnh/20100225/AKAMAILOGO
To view the original version on PR Newswire,
visit: http://www.prnewswire.com/news-releases/akamai-warns-of-3-new-reflection-ddos-attack-vectors-300167290.html
SOURCE Akamai Technologies, Inc.