Akamai Diversity

The Akamai Blog

NetBIOS, RPC Portmap and Sentinel Reflection DDoS Attacks

By Bill Brenner, Akamai SIRT Senior Tech Writer

Akamai's Security Intelligence Response Team (SIRT) released a new advisory today about three new attack vectors digital miscreants have used to target Akamai customers. The main researchers for this advisory were Jose Arteaga and Wilber Mejia.

In the third quarter of 2015, Akamai mitigated and analyzed the following vectors:

  • NetBIOS name server reflection DDoS

  • RPC portmap reflection DDoS

  • Sentinel reflection DDoS, which reflects off of licensing servers.

Reflection Attacks

For malicious actors looking to bring a website or web service offline, distributed reflection denial of service (DrDoS) attacks have been a popular weapon for years. Reflection DDoS attacks work because some Internet protocol services provide amplification - the response sent back is larger than the query sent by the malicious actor.

In a reflection DDoS attack, a malicious actor begins by sending a query to a victim IP address. The victim is an unwitting accomplice in the attack. The victim could be any device on the Internet that exposes a reflectable UDP service. The attacker's query is spoofed to appear to originate from the attacker's target. The attacker uses an automated attack tool to send malicious queries at high rates to a large list of victims, who will in turn respond to the target. Figure 1 shows the malicious queries generated in a lab environment by each of three attack tools designed to generate one of these new reflection attacks.

It looks like no UDP service is safe from use by DDoS attackers, though some UDP services have disadvantages such as only a limited number of hosts running the service. The three new reflection DDoS attacks and the payloads observed by Akamai are analyzed in the new threat advisory, including the risk they each pose.

Ten Attack Campaigns, Three Vectors

Akamai has mitigated each of the three new reflection attack methods multiple times while protecting our customers. An attack timeline from March to September 2015 shows the 10 attack campaigns that use these three DDoS attack vectors.

One of the 10 reflection attack campaigns was especially large. The RPC reflection attack vector was used in a mega attack that generated more than 100 Gbps (gigabits per second).

The NetBIOS reflection DDoS attack - specifically NetBIOS Name Service (NBNS) reflection - was observed by Akamai as occurring sporadically from March to July 2015. Although legitimate and malicious NBNS queries to UDP port 137 are a common occurrence, a response flood was first detected in March 2015 during a DDoS attack mitigated for an Akamai customer.

The full advisory is available at www.stateoftheinternet.com/3-ddos-reflection.