Hackers summon 'CDRDoS' attack against Australian data centre using supertool

Reflection attack smorgasbord

On 2 August, apparently for the first time ever, a hacking group coordinated a range of different reflection-style DDoS attacks against a single data centre, the firm involved has confirmed.

This attack was so distinctive, the victim, Melbourne-based Micron21, has even come up with a new piece of technical jargon to describe it, the 'Combination Distributed Reflective Denial of Service' or CDRDoS.

On the day in question, Micron21 noticed an attack on one of its customers that peaked at a modest 40Gbps internationally, or 1.2Gbps domestically, but it was not the size of this attack that made it notable.

Rather it was the way the attack abused configuration weaknesses in servers using the NTP, DNS, SSDP and CHARGEN protocols to summon up a much larger 'reflection' attack than would normally be possible with UDP traffic.

There have been several infamous incidents in which these protocols were hijacked for 300Gbps+ reflection or amplification attacks in the past, for instance the March 2013 attack on Spamhaus, which abused DNS, or the more recent incident that harried CloudFlare using NTP, but this is a novel example of them being used together.

More recently - if less well publicised - came news from VeriSign of another 300Gbps biggie, this time against a Content Delivery Network abusing a Supermicro IPMI motherboard-level server flaw caused by owners not implementing an available software patch.

The threat implied by the 2 August attack on Micron21 is that hackers have created a super-tool able to coordinate what are ultimately quite different types of DDoS attack against one target. Although the attack itself was not particularly large, it might have been far smaller had it not been for the invention of CDRDoS. That, at least, is the argument.
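As an added illustration (not taken from Micron21's blog or from the original article), the following Python shows how a defender could flag the combination pattern described above: inbound UDP from the NTP, DNS, SSDP and CHARGEN source ports converging on one destination in the same time window. The flow-tuple layout, the thresholds and the documentation-range addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# UDP source ports of the four reflector protocols named in the article.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN"}

def detect_combined_reflection(flows, window=60, min_bps=1_000_000,
                               min_sources=3, min_vectors=2):
    """flows: (ts_seconds, src_ip, src_port, dst_ip, nbytes) for inbound UDP.
    Returns {(dst_ip, window_start): {protocol: bits_per_second}} for windows
    where at least min_vectors protocols each exceed min_bps and arrive from
    at least min_sources distinct reflectors (assumed thresholds)."""
    volume = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for ts, src_ip, src_port, dst_ip, nbytes in flows:
        proto = REFLECTOR_PORTS.get(src_port)
        if proto is None:
            continue  # not a reply from one of the four reflector services
        key = (dst_ip, int(ts) // window * window)
        volume[key][proto] += nbytes
        sources[key][proto].add(src_ip)
    alerts = {}
    for key, per_proto in volume.items():
        hot = {p: b * 8 // window for p, b in per_proto.items()
               if b * 8 // window >= min_bps
               and len(sources[key][p]) >= min_sources}
        if len(hot) >= min_vectors:
            alerts[key] = hot
    return alerts

def build_sample_flows():
    """Constructed sample data, not captured traffic."""
    victim, bystander = "203.0.113.10", "203.0.113.20"
    flows = []
    for i in range(1, 5):                      # four reflectors per protocol
        for port in REFLECTOR_PORTS:
            flows.append((10 + i, f"198.51.100.{i}", port, victim, 5_000_000))
    # Ordinary DNS answers from a single resolver: low volume, one source.
    flows.append((12, "192.0.2.53", 53, bystander, 40_000))
    # A single-vector NTP burst in the next window: one protocol only.
    for i in range(1, 5):
        flows.append((70 + i, f"198.51.100.{i}", 123, bystander, 5_000_000))
    return flows

if __name__ == "__main__":
    for (dst, start), vectors in detect_combined_reflection(build_sample_flows()).items():
        print(f"{dst} window@{start}s combined reflection: {vectors}")
```

Matching on source port alone is a heuristic, so the volume and distinct-source thresholds are what keep ordinary DNS and NTP replies from raising alerts.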

In an unusually detailed blog on the attack, Micron21 blames it on a group called 'DERP' or 'DerpTrolling', which seems to have specialised in hitting game servers.

In theory, reflection attacks should be decreasing as servers are patched to fix the various misconfigurations that allow such attacks to occur, which might be why the group has decided to try several reflection attacks at once. Interestingly, the group was still able to find plenty of local (i.e. Australian) servers to point at the data centre.

"Whilst this attack is very small compared to previous global attacks of 400Gbit, we believe it represents the start of the age of what is to be expected in the future for denial of service attacks," said Micron21.

Beyond the technical excitement, what stands out about both the VeriSign and Micron21 incidents is that the firms have mentioned them at all. Not long ago mitigation firms would have kept their mouths shut, the better to spare their customers from the publicity. That seems to have changed; as almost everyone has become a target, surviving a DDoS has almost become a badge of honour and a selling point.

Stories by John E. Dunn
