The Akamai Blog

DDoS Agents Target Joomla, Other SaaS Apps

A new attack threatens enterprises and Software-as-a-Service (SaaS) providers: chaotic actors using Joomla servers with a vulnerable Google Maps plugin installed as a platform to launch DDoS assaults.

The attack technique was discovered by researchers from Akamai's Prolexic Security Engineering & Research Team (PLXsert), working alongside PhishLabs' Research, Analysis, and Intelligence Division (R.A.I.D).

You can download the full advisory from Akamai's State of the Internet website for free.

The basics
Following a series of vulnerability disclosures throughout 2014, attackers began targeting the popular content management framework Joomla. Specifically:

  • Attack campaigns are designed to hijack large numbers of servers or Software-as-a-Service (SaaS) providers that are then used to distribute malware and phishing campaigns. Hijacked systems are used as zombies in DDoS botnets.
  • This situation is related to the topic of a PLXsert white paper on how vulnerable web frameworks are used for botnet building.
  • In a joint investigation with PhishLabs R.A.I.D, PLXsert observed traffic signatures from Joomla distributions with a vulnerable Google Maps plugin used in DDoS attacks.
  • DDoS campaigns contain traffic signatures matching sites known for providing DDoS-for-hire services.
  • DDoS traffic appears to match attacks staged using tools developed specifically to abuse XML and Open Redirect functions, which then produce a reflected response that can be directed to targeted victims and result in denial of service.
  • PLXsert identified three distinct attack signatures produced by the DAVOSET and UFONet tools.
  • DDoS tools are rapidly gaining popularity and are being adapted by the DDoS-for-hire market.
  • Observed DDoS attack traffic and data suggest this DDoS attack is being added to the menu of attacks on known DDoS-for-hire sites.
  • The new DDoS attack type uses compromised Joomla servers with a vulnerable Google Maps plugin as zombies or proxies to stage denial of service GET floods.

Defensive measures

Reflection-based DDoS attacks of many types are popular at this time. In the fourth quarter of 2014, Akamai's PLXsert observed that 39 percent of all DDoS attack traffic employed reflection techniques.

Reflection DDoS attacks each take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device, hiding their identities and amplifying the amount of attack traffic in the process.

Cloud-based DDoS attack mitigation can combat this problem to protect organizations from malicious traffic. Edge-based security and scrubbing centers stop DDoS attack traffic long before it affects a client's website or data center.

Specific actions to blunt this threat include:

  • Blocking HTTP/1.0 GET request traffic, if support for legacy clients is not needed.
  • Blocking HTTP requests with a PHP-based User-Agent string, if they are not needed.
  • Using the three Snort rules provided in the threat advisory. The signatures can be adapted to other mitigation techniques in order to detect or block these DDoS attacks.
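
Before enforcing the first two blocks, it helps to see which sources they would catch in existing traffic. The following is an added example, not code from the advisory or from Akamai: a log triage script that applies both criteria to web access logs. The Combined Log Format, the rule that a "PHP-based" User-Agent starts with `PHP`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) \S+ (?P<proto>HTTP/\d\.\d)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: a "PHP-based" User-Agent is one that starts with the token "PHP".
PHP_UA_RE = re.compile(r'^\s*PHP(/|\s|$)', re.IGNORECASE)

def classify(line, allow_http10=False, allow_php_ua=False):
    """Return (source_ip, reasons) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    reasons = []
    if not allow_http10 and m["method"] == "GET" and m["proto"] == "HTTP/1.0":
        reasons.append("http10-get")
    if not allow_php_ua and PHP_UA_RE.match(m["ua"]):
        reasons.append("php-user-agent")
    return m["ip"], reasons

def summarize(lines, **policy):
    """Count requests per source IP that match at least one blocking criterion."""
    hits = Counter()
    for line in lines:
        result = classify(line, **policy)
        if result and result[1]:
            hits[result[0]] += 1
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths and agents).
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2015:10:00:01 +0000] "GET / HTTP/1.0" 200 512 "-" "PHP/5.3.10"',
    '192.0.2.10 - - [01/Mar/2015:10:00:01 +0000] "GET /?a=1 HTTP/1.0" 200 512 "-" "PHP/5.3.10"',
    '198.51.100.7 - - [01/Mar/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Mar/2015:10:00:03 +0000] "GET /feed HTTP/1.0" 200 900 "-" "LegacyReader/1.2"',
    '203.0.113.9 - - [01/Mar/2015:10:00:04 +0000] "POST /api HTTP/1.1" 200 64 "-" "PHP/5.4.0"',
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).most_common():
        print(ip, count)
```

The `allow_http10` and `allow_php_ua` switches correspond to the "if not needed" conditions in the list: a source such as the constructed legacy reader is only flagged when HTTP/1.0 support is treated as unnecessary.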