New DDoS attacks misuse NetBIOS name server, RPC portmap, and Sentinel licensing servers
Akamai has observed three new reflection DDoS attacks in recent months: NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection.
In a reflection DDoS attack, also called a DrDoS attack, there are three types of participants: the attacker, victim servers that act as unwitting accomplices, and the attacker’s target. The attacker sends a simple query to a service on a victim host. The attacker falsifies (spoofs) the query, so it appears to originate from the target. The victim responds to the spoofed address, sending unwanted network traffic to the attacker’s target.
Attackers choose reflection DDoS attacks where the victim’s response is much larger than the attacker’s query, thus amplifying the attacker’s capabilities. The attacker sends hundreds or thousands of queries at high rates to a large list of victims by automated the process with an attack tool, thus causing them to unleash a flood of unwanted traffic and a denial of service outage at the target.
“Although reflection DDoS attacks are common, these three attack vectors abuse different services than we’ve seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering.”
The attack tools for each of the new reflection attacks are related – they are all modifications of the same C code. Each attack vector requires the same basic recipe – a script that sends a spoofed request to a list of victim reflectors. The command-line options are similar.
NetBIOS name server reflection DDoS attack
The NetBIOS reflection DDoS attack – specifically NetBIOS Name Service (NBNS) reflection – was observed by Akamai as occurring sporadically from March to July 2015. The primary purpose of NetBIOS is to allow applications on separate computers to communicate and establish sessions to access shared resources and to find each other over a local area network.
This attack generates 2.56 to 3.85 times more response traffic sent to the target than the initial queries sent by the attacker. Akamai observed four NetBIOS names server reflection attacks, with the largest recorded at 15.7 Gbps. Although legitimate and malicious NetBIOS name server queries are a common occurrence, a response flood was first detected in March 2015 during a DDoS attack mitigated for an Akamai customer.
RPC portmap reflection DDoS attack
The first RPC portmap reflection DDoS attack observed and mitigated by Akamai occurred in August 2015 in a multi-vector DDoS attack campaign. RPC portmap, also known as port mapper, tells a client how to call a particular version of an Open Network Computing Remote Procedure Call (ONC RPC) service.
The largest responses had an amplification factor of 50.53. A more common amplification factor was 9.65. Of the four RPC reflection attack campaigns mitigated by Akamai, one exceeded 100 Gbps, making it an extremely powerful attack. Active malicious reflection requests were observed by Akamai almost daily against various targets in September 2015.
Sentinel reflection DDoS attack
The first Sentinel reflection DDoS attack was observed in June 2015 at Stockholm University and identified as a vulnerability in the license server for SPSS, a statistical software package. Akamai mitigated two Sentinel reflection DDoS campaigns in September 2015. The attack sources included powerful servers with high bandwidth availability, such as university servers.
The amplification factor for this attack is 42.94, however only 745 unique sources of this attack traffic have been identified. Even with the extra bandwidth afforded by servers in well-connected networks, an attack of this type is limited by the number of reflectors available. One such attack peaked at 11.7 Gbps.
DDoS mitigation and system hardening
For all three attack vectors, upstream filtering can be used for DDoS mitigation where possible, otherwise a cloud-based DDoS mitigation service provider will be needed. The threat advisory provides a Snort mitigation rule to detect malicious queries generated by the RPC portmap attack tool. Similar rules can be made to detect the Sentinel service.
“For all three services, admins should ask if the service needs to be exposed to everyone on the Internet,” said Sholly. “For NetBIOS, the answer is probably no. For the other two the answer may be yes, and the issue then becomes how to protect them. RPC and Sentinel traffic can be monitored with an intrusion detection system.”