Although the term 'reflection DoS' is nothing new, I recall reading something about it three years ago when a high profile security researcher used it to describe how malicious SYN packets were being reflected off bystanding TCP servers and the SYN/ACK responses used to flood his bandwidth. More recently, Garrett Gross from security vendor AlienVault recently wrote about the relatively new method of amplification Denial of Service (DoS), also known as a reflection attack, using SQL servers. This was actually first reported at the back end of last year when servers belonging to the City of Columbia, Missouri were hit by a multiple DoS methodology attack including this technique. However, my sources tell me that reflection attacks have been on the up for some time and in the fourth quarter of 2014 Akamai's Prolexic Security Engineering & Research Team (PLXsert) researchers reckon that some 39 per cent of all DDoS attack traffic were employing these amplification techniques.
Now Akamai is reporting that the reflection attack method has been used in conjunction with Joomla servers running a vulnerable Google Maps plugin. Akamai warns that, after a whole bunch of vulnerability disclosure across 2014, the Joomla content management framework is still being actively targeted by those with malicious intent. In conjunction with the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D), PLXsert observed traffic signatures from Joomla distributions with a vulnerable Google Maps plugin being used as a launch platform for DDoS attacks. These traffic signatures were a match for known DDoS for hire outfits, and the attack itself appeared to be using specific tools (DAVOSET and UFONet) to manipulate XML and Open Redirect functions to produce the reflected/amplified response.
Dave Larson, CTO of Corero Network Security, told DaniWeb that in the case of DDoS attacks the reality is that any device, infrastructure, application that is connected to the Internet is at risk for attack, or even more disturbing, to be recruited as a bot in an army to be used in DDoS attacks against unsuspecting victims. "In reflection or amplification DDoS attack scenarios" Larson explained "the legitimate infrastructure of the Internet is tricked into attacking innocent victims. The Joomla servers with vulnerable Google Maps plugins are just another example of Internet services with populations of millions of publicly accessible (and susceptible) servers that can be easily co-opted as “bots-on-demand” without any security compromise needing to have taken place in advance of the attack." These innocent servers are just sitting out there, waiting to be called into action to attack at a moment’s notice. Furthermore, because these attacks are spoofed – completely hiding the original attacker’s IP address – it is virtually impossible to trace these attacks back to the perpetrator.
