In omen for DDoS-hit Australia, new reflection attacks leverage third-party services

A warning about three new types of distributed denial of service (DDoS) attacks could mean big problems for Australian companies as security researchers confirm that online cybercriminals are actively expanding their DDoS arsenals with new techniques that look beyond traditional TCP/IP protocols to exploit weaknesses in a range of third-party tools.

Writing in a threat advisory this week, security researchers from Akamai – which in recent years has leveraged its global content distribution network (CDN) infrastructure to offer insight into security-related issues such as DDoS traffic – warned that three new DDoS reflection attack vectors were leveraging amplification factors of up to 50.53.

That means a single call to a network service – in this case, a call to a particular version of an Open Network Computing Remote Procedure Call (RPC) service – will return up to 50.53 bytes for every byte of data fed to the call. In a DDoS reflection attack, attackers spoof the source IP address of their requests so that the server's response is sent to a target system instead of back to them.

The two other new attacks identified by Akamai – a NetBIOS name server reflection attack, and the Sentinel reflection attack – respectively target NetBIOS name servers and, indicative of a trend away from network services, the licensing server of IBM's SPSS statistical analytics package.

Leaving those services exposed to the Internet lets attackers use a third-party company's server to launch a DDoS reflection attack against any arbitrary target – and Akamai's analysis suggested that, in the case of the three new vectors, this had been done with attacks generating 15.7 Gbps (NetBIOS), 11.7 Gbps (Sentinel), and more than 100 Gbps (RPC).

“Although reflection DDoS attacks are common, these three attack vectors abuse different services than we’ve seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage,” Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement.

“It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering.”
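One way for an administrator to check whether an exposed server is being used as a reflector is to compare the bytes it sends to each peer with the bytes that peer appeared to send, on the UDP services named above. This is an added example, not code from Akamai or the article; the port numbers are the services' usual defaults (not stated in the article), and the flow-record layout, thresholds and sample flows are constructed for illustration.

```python
from collections import defaultdict

# Usual default UDP ports of the three services (not stated in the article).
WATCHED = {111: "ONC RPC portmapper", 137: "NetBIOS name service",
           5093: "Sentinel license manager"}

def reflection_suspects(flows, servers, min_ratio=5.0, min_bytes_out=10_000):
    """Flag (server, port, peer, ratio) where one of our servers answers a
    peer with far more UDP bytes than that peer appeared to send.

    flows:   iterable of (src_ip, src_port, dst_ip, dst_port, proto, bytes)
    servers: set of our own server addresses, used to decide direction
    """
    bytes_in = defaultdict(int)    # (server, port, peer) -> request bytes
    bytes_out = defaultdict(int)   # (server, port, peer) -> response bytes
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst in servers and dport in WATCHED:
            bytes_in[(dst, dport, src)] += nbytes
        elif src in servers and sport in WATCHED:
            bytes_out[(src, sport, dst)] += nbytes
    suspects = []
    for (server, port, peer), out in bytes_out.items():
        if out < min_bytes_out:
            continue  # too little traffic to matter
        # Replies with no recorded request are measured against one byte.
        ratio = out / max(bytes_in.get((server, port, peer), 0), 1)
        if ratio >= min_ratio:
            suspects.append((server, port, peer, round(ratio, 2)))
    return sorted(suspects, key=lambda s: -s[3])

# Constructed flow records (documentation address ranges), not real traffic.
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 111, "udp", 6800),
    ("192.0.2.10", 111, "198.51.100.7", 40000, "udp", 343600),
    ("198.51.100.7", 40001, "192.0.2.10", 5093, "udp", 2000),
    ("192.0.2.10", 5093, "198.51.100.7", 40001, "udp", 24000),
    ("203.0.113.5", 137, "192.0.2.10", 137, "udp", 5000),   # ordinary lookup
    ("192.0.2.10", 137, "203.0.113.5", 137, "udp", 6200),
    ("203.0.113.5", 51000, "192.0.2.10", 111, "tcp", 900),  # not UDP
]

if __name__ == "__main__":
    for server, port, peer, ratio in reflection_suspects(SAMPLE_FLOWS, {"192.0.2.10"}):
        print(f"{server} {WATCHED[port]} -> {peer}: {ratio}x bytes out per byte in")
```

The peer reported for a flagged service is the likely target of the reflection, since the requests carrying its address were spoofed.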

In July, attackers were found to be exploiting the now obsolete RIPv1 routing protocol to launch DDoS attacks from home routers. Exploitation of Network Time Protocol (NTP) server vulnerabilities was an early DDoS nightmare at the hands of attackers, while mobile applications have also been credited with expanding DDoS perpetrators' arsenals.

The steady appearance of new vectors bodes particularly poorly for Australian businesses, which Akamai has previously warned are unprepared to deal with DDoS attacks. DDoS attacks have savaged Australia's business community this year, with Arbor Networks analyses suggesting Australia was copping a stronger pounding from DDoS perpetrators than other APAC countries, and that DDoS attacks on Australian targets were lasting half as long but hitting twice as hard as the regional average. In July, for example, a DDoS attack of up to 200Gbps targeted Australian and APAC users of the Telegram messaging app, knocking out services across the region.

In May, Akamai said Australia had risen to become the world's second most-attacked Web target, while Arbor warned in August that Australia had become a growing source of DDoS attacks as well as a target. This was corroborated by a later Akamai analysis that found Australia had surged into the global top 10 DDoS originators for the first time, driven largely by the increased availability of broadband services such as the National Broadband Network (NBN).
