On 2 August, apparently for the first time ever, a hacking group coordinated a range of different reflection-style DDoS attacks against a single data centre, the firm involved has confirmed.
This attack was so distinctive, the victim, Melbourne-based Micron21, has even come up with a new piece of technical jargon to describe it, the 'Combination Distributed Reflective Denial of Service' or CDRDoS.
On the day in question, Micron21 noticed an attack on one of its customers that peaked at modest 40Gbps internationally, or 1.2Gbps domestically, but it’s not the size of this attack that made it notable.
Rather it was the way the attack abused configuration weaknesses in servers using the NTP, DNS, SSDP and CHARGEN protocols to summon up a much larger ‘reflection’ attack than would normally be possible with UDP traffic.
There have been several infamous incidents in which these protocols were hijacked for 300Gbps+ reflection or amplification attacks in the past, for instance the March 2013 attack on Spamhaus, which abused DNS, or the more recent incident that harried CloudFlare using NTP, but this is a novel example of them being used together.
More recently – if less well publicised - came news from VeriSign of another 300Gbps biggie, this time against a Content Delivery Network abusing a Supermicro IPMI motherboard-level server flaw caused by owners not implementing an available software patch.
The threat that implied by the 2 August attack on Micron21 is that hackers have created a super-tool able to coordinate what are ultimately quite different types of DDoS attack against one target. Although the attack itself was not particularly large it might have been far smaller had it not been for the invention of CDRDoS. That, at least, is the argument.
In an unusually detailed blog on the attack, Micron21 blames a group called ‘DERP’ or ‘DerpTrolling’ for the attack, which seems to have specialised in hitting game servers.
In theory, reflection attacks should be decreasing as servers are patched to fix the various misconfigurations that allow such attacks to occur, which might be why the group has decided to try several reflection attacks at once. Interestingly, the group was still able to find plenty of local (i.e. Australian) servers to point at the data centre.
“Whilst this attack is very small compared to previous global attacks of 400Gbit, we believe it represents the start of the age of what is to be expected in the future for denial of service attacks,” said Micron21.
Beyond the technical excitement what stands out about both the VeriSign and Micron21 incidents is that the firms have even mentioned them in the first place - not long ago mitigation firms would have kept their mouths shut the better to spare their customers from the publicity. That seems to have changed; as almost everyone has become a target, surviving a DDoS has almost become a badge of honour and selling point.