New Types of DDoS Attacks

Tuesday, November 3, 2015 @ 05:11 PM gHale

Researchers have observed three new types of reflection distributed denial-of-service (DDoS) attacks over the past few months.

There are more than 12 UDP protocols attackers can leverage for the reflection and amplification of DDoS attacks, including BitTorrent, RIPv1, DNS, NTP, SSDP, mDNS, CharGEN, QOTD, Portmap, and NetBIOS, said researchers at Akamai’s Security Intelligence Response Team.

Attackers have recently begun launching attacks that abuse the RPC portmap service, NetBIOS name servers, and Sentinel licensing servers, said researchers at Akamai.

Akamai researchers found attacks leveraging NetBIOS, a service used by applications on separate computers to communicate over a LAN, sporadically between March and July 2015. In the attacks, the attackers obtained amplification rates ranging between 2.56 and 3.85, researchers said. Of the four attacks seen by Akamai, the largest peaked at 15.7 Gbps.

Another uncommon type of reflection attack Akamai spotted recently abused RPC Portmap (Portmapper), an Open Network Computing Remote Procedure Call (ONC RPC) service designed to map RPC service numbers to network port numbers.

These types of attacks are much more powerful than the ones leveraging NetBIOS, with the largest attack exceeding 100 Gbps. While the most common amplification factor observed by Akamai was approximately 10, researchers found one instance where the traffic sent to the targeted server multiplied more than 50 times.

Akamai said it observed such attacks almost every day in September. In August, when the company noticed the first RPC Portmap reflection attacks, telecoms firm Level 3 Communications also warned organizations about the threats.

Another type of attack abuses Sentinel license servers, which enforce and manage licensing in multi-user environments. Akamai researchers saw the first such attack in June; it abused a vulnerable Sentinel server used by Stockholm University in Sweden. In September, Akamai mitigated a couple of Sentinel reflection DDoS attacks aimed at a gaming company and a financial firm, with a peak bandwidth of 11.7 Gbps detected for one of these attacks. DDoS protection company Nexusguard also warned about those types of attacks last month.
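For defenders, the following added example (not from the article or from Akamai's report) shows one way to spot this traffic in flow records: it groups unsolicited UDP replies from the three services' ports by target and counts distinct senders. The port numbers (111, 137, 5093), the flow record layout, the threshold and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# UDP source ports for the three services named in the article. The port
# numbers are the services' registered ports, an assumption not stated on the page.
REFLECTOR_PORTS = {111: "RPC Portmap", 137: "NetBIOS name service",
                   5093: "Sentinel license server"}

def amplification_factor(request_bytes, response_bytes):
    """Response size divided by request size for one query/reply pair."""
    return response_bytes / request_bytes

def find_reflection_candidates(flows, min_sources=3):
    """Return {(target, service): {"sources": n, "bytes": b}} for unsolicited
    replies from reflector ports that arrive from at least min_sources hosts.
    All records are assumed to be UDP flows."""
    # Requests our own hosts sent: (local_ip, remote_ip, remote_port).
    solicited = {(f["src"], f["dst"], f["dport"]) for f in flows if f["dir"] == "out"}
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["dir"] != "in" or f["sport"] not in REFLECTOR_PORTS:
            continue
        if (f["dst"], f["src"], f["sport"]) in solicited:
            continue  # legitimate reply to a query we made
        entry = stats[(f["dst"], REFLECTOR_PORTS[f["sport"]])]
        entry["sources"].add(f["src"])
        entry["bytes"] += f["bytes"]
    return {key: {"sources": len(v["sources"]), "bytes": v["bytes"]}
            for key, v in stats.items() if len(v["sources"]) >= min_sources}

def flow(direction, src, sport, dst, dport, nbytes):
    """Build one flow record in the hypothetical layout used here."""
    return {"dir": direction, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "bytes": nbytes}

# Constructed sample flow records (documentation address ranges only).
SAMPLE_FLOWS = (
    [flow("in", f"198.51.100.{i}", 111, "203.0.113.10", 40000 + i, 1200) for i in range(1, 5)]
    + [flow("out", "203.0.113.10", 50000, "192.0.2.53", 137, 50),
       flow("in", "192.0.2.53", 137, "203.0.113.10", 50000, 190),
       flow("in", "198.51.100.9", 5093, "203.0.113.20", 41000, 900),
       flow("in", "198.51.100.1", 53, "203.0.113.10", 42000, 3000)]
)

if __name__ == "__main__":
    for (target, service), s in find_reflection_candidates(SAMPLE_FLOWS).items():
        print(f"{target}: {service} replies from {s['sources']} sources, {s['bytes']} bytes")
```

In the sample, only the four unsolicited portmap replies to one host are reported; the NetBIOS reply that answers an outbound query and the single Sentinel reply fall below the check.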