::Trend Micro Threat Resource Center::

02 November 2015

Akamai warns of 3 new reflection DDoS attacks

Akamai Technologies, Inc. says it has observed three new reflection distributed denial of service (DDoS) attacks in recent months. An advisory from Akamai details the DDoS threat posed by NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection in full, including payload analysis, a Snort rule, and system hardening best practices.


What is DDoS reflection?
In a reflection DDoS attack, also called a DrDoS attack, there are three types of participants: the attacker, victim servers that act as unwitting accomplices, and the attacker’s target. The attacker sends a simple query to a service on a victim host. The attacker falsifies (spoofs) the query so that it appears to originate from the target. The victim responds to the spoofed address, sending unwanted network traffic to the attacker’s target. Attackers choose reflection DDoS attacks where the victim’s response is much larger than the attacker’s query, thus amplifying the attacker’s capabilities. By automating the process with an attack tool, the attacker sends hundreds or thousands of queries at high rates to a large list of victims, causing them to unleash a flood of unwanted traffic and a denial of service outage at the target.

“Although reflection DDoS attacks are common, these three attack vectors abuse different services than we’ve seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering.”

The attack tools for each of the new reflection attacks are related – they are all modifications of the same C code. Each attack vector requires the same basic recipe – a script that sends a spoofed request to a list of victim reflectors. The command-line options are similar.

NetBIOS name server reflection DDoS attack
The NetBIOS reflection DDoS attack – specifically NetBIOS Name Service (NBNS) reflection – was observed by Akamai as occurring sporadically from March to July 2015. The primary purpose of NetBIOS is to allow applications on separate computers to communicate and establish sessions to access shared resources and to find each other over a local area network.

This attack generates 2.56 to 3.85 times more response traffic sent to the target than the initial queries sent by the attacker. Akamai observed four NetBIOS name server reflection attacks, with the largest recorded at 15.7 Gbps. Although legitimate and malicious NetBIOS name server queries are a common occurrence, a response flood was first detected in March 2015 during a DDoS attack mitigated for an Akamai customer.

RPC portmap reflection DDoS attack 
The first RPC portmap reflection DDoS attack observed and mitigated by Akamai occurred in August 2015 in a multi-vector DDoS attack campaign. RPC portmap, also known as port mapper, tells a client how to call a particular version of an Open Network Computing Remote Procedure Call (ONC RPC) service.

The largest responses had an amplification factor of 50.53. A more common amplification factor was 9.65. Of the four RPC reflection attack campaigns mitigated by Akamai, one exceeded 100 Gbps, making it an extremely powerful attack. Active malicious reflection requests were observed by Akamai almost daily against various targets in September 2015.
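The amplification factors quoted above (response bytes divided by query bytes) are something a network defender can measure from ordinary flow records to spot which of their own UDP services are being used as reflectors. The script below is an added example, not code from the Akamai advisory or from Trend Micro: it pairs client-to-server UDP flows with the matching server-to-client flows, computes the amplification per (reflector, port), and flags any service above an assumed 2x threshold. The flow records and IP addresses are constructed sample data, and the 2.0 threshold is an assumption.

```python
"""Estimate UDP amplification per reflector from flow records (added example)."""
from collections import defaultdict

# Constructed sample flows (not real data): (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# The client side uses an ephemeral port; the service side uses its well-known port.
FLOWS = [
    ("203.0.113.10", 40000, "198.51.100.5", 137, 100, 5000),    # NBNS queries, 50 B each
    ("198.51.100.5", 137, "203.0.113.10", 40000, 100, 19000),   # NBNS responses, 190 B each
    ("203.0.113.10", 40001, "198.51.100.6", 111, 100, 10000),   # portmap queries, 100 B each
    ("198.51.100.6", 111, "203.0.113.10", 40001, 100, 96500),   # portmap responses, 965 B each
    ("203.0.113.10", 40002, "198.51.100.7", 53, 10, 700),       # ordinary DNS lookups
    ("198.51.100.7", 53, "203.0.113.10", 40002, 10, 1200),
]

# Services named in the advisory; anything else is still reported by port number.
KNOWN_REFLECTORS = {137: "NetBIOS name service", 111: "RPC portmap"}
MIN_AMPLIFICATION = 2.0  # assumed alerting threshold, not a figure from the advisory


def amplification_by_reflector(flows):
    """Return {(server_ip, server_port): total_response_bytes / total_query_bytes}.

    A flow whose destination port is lower than its source port is treated as a
    query to a service; the reverse direction is the service's response.
    """
    totals = defaultdict(lambda: [0, 0])  # (server, port) -> [query_bytes, response_bytes]
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport < sport:
            totals[(dst, dport)][0] += nbytes   # client -> server
        else:
            totals[(src, sport)][1] += nbytes   # server -> client
    return {
        key: resp / query
        for key, (query, resp) in totals.items()
        if query > 0 and resp > 0
    }


def flag_reflectors(flows, min_factor=MIN_AMPLIFICATION):
    """List (server_ip, port, service, factor) for services amplifying >= min_factor."""
    alerts = []
    for (server, port), factor in sorted(amplification_by_reflector(flows).items()):
        if factor >= min_factor:
            service = KNOWN_REFLECTORS.get(port, f"udp/{port}")
            alerts.append((server, port, service, round(factor, 2)))
    return alerts


if __name__ == "__main__":
    for server, port, service, factor in flag_reflectors(FLOWS):
        print(f"{server}:{port} ({service}) amplification {factor}x")
```

Run against real NetFlow/IPFIX exports from the reflector's own network, a service that sits far above 1x is a candidate for the hardening steps the advisory recommends (disable it, or block it at the border); at the target's side only the response direction is visible, so the same records show up as a response flood with no matching queries.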