Three New DDoS Reflection Techniques Appear in the Wild

Written by

Three new reflection distributed denial of service (DDoS) attacks have burst on the scene in recent months: NetBIOS name server reflection, RPC portmap reflection and Sentinel reflection.

In a reflection DDoS attack, also called a DrDoS attack, there are three types of participants: the attacker, victim servers that act as unwitting accomplices and the attacker's target. The attacker sends a simple query to a service on a victim host. The attacker spoofs the query, so it appears to originate from the target. The victim responds to the spoofed address, sending unwanted network traffic to the attacker's target.

According to an Akamai Technologies threat advisory on the new techniques, attackers choose reflection DDoS attacks where the victim's response is much larger than the attacker's query, thus amplifying the attacker's capabilities. The attacker sends hundreds or thousands of queries at high rates to a large list of victims by automating the process with an attack tool, thus causing them to unleash a flood of unwanted traffic and a denial of service outage at the target.

"Although reflection DDoS attacks are common, these three attack vectors abuse different services than we've seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage," said Stuart Scholly, senior vice president and general manager for the Security Business Unit at Akamai. "It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering."

The attack tools for each of the new reflection attacks are related—they are all modifications of the same C-code. Each attack vector requires the same basic recipe—a script that sends a spoofed request to a list of victim reflectors. The command-line options are similar too, Akamai said.

The NetBIOS reflection DDoS attack—specifically NetBIOS Name Service (NBNS) reflection—was observed by Akamai as occurring sporadically from March to July 2015. The primary purpose of NetBIOS is to allow applications on separate computers to communicate and establish sessions to access shared resources and to find each other over a local area network.

This attack generates 2.56 to 3.85 times more response traffic sent to the target than the initial queries sent by the attacker. Akamai observed four NetBIOS names server reflection attacks, with the largest recorded at 15.7Gbps.

The first RPC portmap reflection DDoS attack observed and mitigated by Akamai occurred in August 2015 in a multi-vector DDoS attack campaign. RPC portmap, also known as port mapper, tells a client how to call a particular version of an Open Network Computing Remote Procedure Call (ONC RPC) service.

The largest responses had an amplification factor of 50.53. A more common amplification factor was 9.65. Of the four RPC reflection attack campaigns mitigated by Akamai, one exceeded 100Gbps, making it an extremely powerful attack. Active malicious reflection requests were observed by Akamai almost daily against various targets in September 2015.

And finally, the first Sentinel reflection DDoS attack was observed in June 2015 at Stockholm University and identified as a vulnerability in the license server for SPSS, a statistical software package. Akamai mitigated two Sentinel reflection DDoS campaigns in September 2015. The attack sources included powerful servers with high bandwidth availability, such as university servers.

The amplification factor for this attack is 42.94; however, only 745 unique sources of this attack traffic have been identified. Even with the extra bandwidth afforded by servers in well-connected networks, an attack of this type is limited by the number of reflectors available. One such attack peaked at 11.7Gbps.

"For all three services, admins should ask if the service needs to be exposed to everyone on the Internet," said Sholly. "For NetBIOS, the answer is probably no. For the other two the answer may be yes, and the issue then becomes how to protect them. RPC and Sentinel traffic can be monitored with an intrusion detection system.” 

What’s hot on Infosecurity Magazine?