In omen for DDoS-hit Australia, new reflection attacks leverage third-party services

A warning about three new types of distributed denial of service (DDoS) attacks could mean big problems for Australian companies as security researchers confirm that online cybercriminals are actively expanding their DDoS arsenals with new techniques that look beyond traditional TCP/IP protocols to exploit weaknesses in a range of third-party tools.

Writing in a threat advisory this week, security researchers from Akamai – which in recent years has leveraged its global content distribution network (CDN) infrastructure to offer insight into security-related issues such as DDoS traffic – warned that three new DDoS reflection attack vectors were leveraging amplification factors of up to 50.53.

That means a single call to a network service – in this case, a call to a particular version of an Open Network Computing Remote Procedure Call (RPC) service – will return up to 50.53 bytes for every byte of data fed to the call. In a DDoS reflection attack, attackers spoof their own IP address so the output of the server query is redirected to a target system.

The two other new attacks identified by Akamai – a NetBIOS name server reflection attack, and the Sentinel reflection attack – respectively target NetBIOS name servers and, indicative of a trend away from network services, the licensing server of IBM's SPSS statistical analytics package.

Leaving those services exposed to the Internet offers fodder for attackers to exploit a third-party company server in launching a DDoS reflection attack against any arbitrary target – and Akamai's analysis suggested that, in the case of the three new vectors, this had been done with attacks generating 15.7 Gbps (NetBIOS), 11.7 Gbps (Sentinel), and more than 100Gbps (RPC).

“Although reflection DDoS attacks are common, these three attack vectors abuse different services than we’ve seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage,” Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit said in a statement.

“It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering.”

In July, DDoS attacks were found to be exploiting the now obsolete RIPv1 routing protocol to launch DDoS attacks from home routers. Exploitation of Network Time Protocol (NTP) server vulnerabilities was an early DDoS nightmare at the hands of attackers, while mobile applications have also been credited with expanding DDoS perpetrators' arsenals.

The steady appearance of new vectors bodes particularly poorly for Australian businesses, which Akamai has previously warned are unprepared to deal with DDoS attacks. DDoS attacks have savaged Australia's business community this year, with Arbor Networks analyses suggesting Australia was copping a stronger pounding from DDoS perpetrators than other APAC countries, and that DDoS attacks on Australian targets were lasting half as long but hitting twice as hard as the regional average. In July, for example, a DDoS attack of up to 200Gbps targeted Australian and APAC users of the Telegram messaging app, knocking out services across the region.

In May, Akamai said Australia had risen to become the world's second most-attacked Web target, while Arbor warned in August that Australia had become a growing source of DDoS attacks as well as a target. This was corroborated by a later Akamai analysis that found Australia had surged into the global top 10 DDoS originators for the first time, driven largely by the increased availability of broadband services such as the National Broadband Network (NBN).