An automated DDoS reflection attack tool used in the wild

A group of hackers dubbed DERP has created a super tool to coordinate multi-protocol DDoS reflection attacks, as explained by the Melbourne-based firm Micron21.

For the first time ever, a hacking group coordinated a range of different DDoS reflection attacks against a data center of the Melbourne-based firm Micron21; the attack occurred on August 2nd.

The experts consider the attack unusual and for this reason have used the term ‘Combination Distributed Reflective Denial of Service’, or CDRDoS, to describe its dynamics.

What sets this DDoS reflection attack apart is that, whereas attackers usually abuse a single UDP-based protocol, this time the threat actor abused configuration weaknesses in servers running the NTP, DNS, SSDP and CHARGEN protocols to increase the magnitude of the ‘reflection’ attack.

The Melbourne-based company Micron21 observed that one of its customers was hit by a modest DDoS attack that peaked at 40Gbps internationally, or 1.2Gbps domestically.

DDoS reflection attacks are considered very dangerous because of the level of amplification they give attackers. In March 2013 the Spamhaus company was hit by a major attack that abused DNS; more recently CloudFlare was hit by an attack that abused the NTP protocol, peaking at 400Gbps, while VeriSign was hit by a 300Gbps attack that exploited the Content Delivery Network.

The experts believe that the attackers created a super tool to coordinate the attack on Micron21; as explained in a blog post, the group called ‘DERP’ or ‘DerpTrolling’ is responsible for the attack.

“We believe this new super weapon or a variant of it was used to target one of our Soak and Scrub customers on the 2nd of August 2014 reaching speeds of 40+gbits internationally and over 1.2gbit domestically within Australia. Whilst this attack is very small compared to previous global attacks of 400gbit, we believe it represents the start of the age of what is to be expected in the future for denial of service attacks.” states the post.

The DERP group has been active since 2011 and is known for attacks on the gaming industry. The post speculates that the hackers created a super-tool, the CDRDoS, able to coordinate multi-protocol DDoS reflection attacks.

“DERP GLB™ attack technology which was publicly named on the 3rd of January 2014 for its involvement against an attack which targeted riot game servers hosted within Internap NY, which in turn affected Internap’s global network. The DERP GLB™ attack tool looks to be originally based on exploiting the NTP protocol targeting NTP servers that reply to mon_list command. The combination of a spoofed source address creates a distributed reflection denial of service attack (DR DoS). However, we suspect this tool was used much earlier evolving in late December 2013 and early January 2014 as NTP DR DoS attacks started making waves across the internet targeting game service providers and bringing network protection services down to their knees, such as the below tweets whilst DERP developed a list of open NTP servers.” states the post.

The tool referred to in the blog post is able to try the different protocols to exploit flaws in unpatched or misconfigured servers. Using the tool, DERP was able to identify flawed servers and point them at the data centre.

In the past, experts noticed that DERP does not only use NTP as an attack vector; it has also exploited the Character Generator Protocol (CHARGEN) used by Internet of Things devices.
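As an added example (not code from Micron21, DERP or the article), the following Python flags the combined pattern described above in NetFlow-style records: inbound UDP from the reflector service ports named in the article, many distinct sources per protocol, and reply sizes far above what a query would produce. The record fields, thresholds and sample flows are constructed assumptions.

```python
"""Flow-based spotting of combined (multi-protocol) DDoS reflection traffic.
Added example; record fields and thresholds are assumptions, not Micron21's."""
from collections import defaultdict

# UDP source ports of the services the article names as reflectors
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN"}
MIN_REFLECTORS = 3    # distinct reflecting hosts per protocol (assumed threshold)
MIN_AVG_BYTES = 200   # amplified replies are far larger than the spoofed queries


def detect_reflection(flows):
    """Return {victim_ip: {protocol: stats}} for destinations receiving large
    UDP replies from many distinct reflectors of the same service."""
    per_victim = defaultdict(lambda: defaultdict(lambda: {"src": set(), "pkts": 0, "bytes": 0}))
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        s = per_victim[f["dst_ip"]][REFLECTOR_PORTS[f["src_port"]]]
        s["src"].add(f["src_ip"])
        s["pkts"] += f["packets"]
        s["bytes"] += f["bytes"]
    alerts = {}
    for victim, protos in per_victim.items():
        hits = {}
        for name, s in protos.items():
            avg = s["bytes"] / s["pkts"]
            if len(s["src"]) >= MIN_REFLECTORS and avg >= MIN_AVG_BYTES:
                hits[name] = {"reflectors": len(s["src"]), "avg_bytes": round(avg)}
        if hits:
            alerts[victim] = hits
    return alerts


def classify(alerts):
    """One abused protocol is an ordinary DRDoS; two or more hitting the same
    victim at once is the combined pattern (CDRDoS) the article describes."""
    return {v: ("CDRDoS" if len(h) >= 2 else "DRDoS") for v, h in alerts.items()}


def flow(src, sport, dst, packets, nbytes):
    return {"src_ip": src, "src_port": sport, "dst_ip": dst, "proto": "udp", "packets": packets, "bytes": nbytes}


# Constructed NetFlow-style records (RFC 5737 addresses): 203.0.113.10 is hit
# via NTP, DNS and CHARGEN at once; 203.0.113.20 just gets one normal DNS answer.
SAMPLE_FLOWS = (
    [flow(f"198.51.100.{i}", 123, "203.0.113.10", 1000, 440000) for i in range(1, 6)]
    + [flow(f"192.0.2.{i}", 53, "203.0.113.10", 500, 1500000) for i in range(1, 5)]
    + [flow(f"198.51.100.{i}", 19, "203.0.113.10", 2000, 2048000) for i in range(10, 14)]
    + [flow("192.0.2.53", 53, "203.0.113.20", 2, 180)]
)
```

Running `classify(detect_reflection(SAMPLE_FLOWS))` labels 203.0.113.10 as CDRDoS and leaves the host receiving a single ordinary DNS reply unflagged.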

Although DDoS attacks are well known to security firms, they remain very effective against IT firms, as recent attacks have demonstrated.

Pierluigi Paganini

(Security Affairs – DDoS reflection attack, CDRDoS)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
