Although the term 'reflection DoS' is nothing new, I recall reading something about it three years ago when a high-profile security researcher used it to describe how malicious SYN packets were being reflected off bystander TCP servers and the SYN/ACK responses used to flood his bandwidth. More recently, Garrett Gross from security vendor AlienVault wrote about the relatively new method of amplification Denial of Service (DoS), also known as a reflection attack, using SQL servers. This was actually first reported at the back end of last year when servers belonging to the City of Columbia, Missouri were hit by a multiple-methodology DoS attack that included this technique. However, my sources tell me that reflection attacks have been on the up for some time, and for the fourth quarter of 2014 Akamai's Prolexic Security Engineering & Research Team (PLXsert) researchers reckon that some 39 per cent of all DDoS attack traffic was employing these amplification techniques.

Now Akamai is reporting that the reflection attack method has been used in conjunction with Joomla servers running a vulnerable Google Maps plugin. Akamai warns that, after a whole bunch of vulnerability disclosures across 2014, the Joomla content management framework is still being actively targeted by those with malicious intent. In conjunction with the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D), PLXsert observed traffic signatures from Joomla distributions with a vulnerable Google Maps plugin being used as a launch platform for DDoS attacks. These traffic signatures were a match for known DDoS-for-hire outfits, and the attack itself appeared to be using specific tools (DAVOSET and UFONet) to manipulate XML and Open Redirect functions to produce the reflected/amplified response.

Dave Larson, CTO of Corero Network Security, told DaniWeb that in the case of DDoS attacks the reality is that any device, infrastructure or application connected to the Internet is at risk of attack or, even more disturbingly, of being recruited as a bot in an army used in DDoS attacks against unsuspecting victims. "In reflection or amplification DDoS attack scenarios," Larson explained, "the legitimate infrastructure of the Internet is tricked into attacking innocent victims. The Joomla servers with vulnerable Google Maps plugins are just another example of Internet services with populations of millions of publicly accessible (and susceptible) servers that can be easily co-opted as “bots-on-demand” without any security compromise needing to have taken place in advance of the attack." These innocent servers are just sitting out there, waiting to be called into action to attack at a moment’s notice. Furthermore, because these attacks are spoofed – completely hiding the original attacker’s IP address – it is virtually impossible to trace them back to the perpetrator.
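The point Larson makes is what makes reflection visible to a defender: the victim's address is spoofed as the source of many small requests, so from the reflector's side the victim looks like a client that gets far more bytes back than it ever sent, from many different servers at once. The following Python is an added example, not code from the article, Akamai, PhishLabs or Corero, and it knows nothing about the Joomla plugin's actual endpoints (which the article does not name). It works purely on constructed flow records (request and reply byte counts per client/server pair, using RFC 5737 documentation addresses) and flags clients whose reply-to-request ratio and distinct-reflector count both exceed assumed thresholds; the field names, thresholds and sample numbers are all assumptions for illustration.

```python
"""Spot likely reflection/amplification abuse in flow records (added example).

Assumption: a sensor near the reflecting servers exports per-connection byte
counts in both directions. In a reflection attack the spoofed "client" is the
victim, so it shows tiny requests, large replies, and many distinct servers.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    client: str      # claimed source address (may be spoofed by the attacker)
    server: str      # service that answered (a potential reflector)
    port: int
    req_bytes: int   # bytes client -> server
    rep_bytes: int   # bytes server -> client


@dataclass
class Verdict:
    client: str
    reflectors: int        # distinct servers that replied to this client
    amplification: float   # total reply bytes / total request bytes


# Constructed sample flows, not real traffic. 198.51.100.0/24 are the
# "clients", 203.0.113.0/24 the web servers; both are documentation ranges.
SAMPLE_FLOWS: List[Flow] = [
    # ordinary browsing: modest replies from a couple of servers
    Flow("198.51.100.5", "203.0.113.10", 80, 900, 3200),
    Flow("198.51.100.5", "203.0.113.11", 80, 600, 1800),
    # suspected spoofed victim: tiny requests, big replies, many servers
    Flow("198.51.100.77", "203.0.113.20", 80, 120, 14000),
    Flow("198.51.100.77", "203.0.113.21", 80, 110, 15500),
    Flow("198.51.100.77", "203.0.113.22", 80, 130, 12800),
    Flow("198.51.100.77", "203.0.113.23", 80, 115, 16100),
    Flow("198.51.100.77", "203.0.113.24", 80, 125, 13900),
]


def find_amplified_clients(flows: List[Flow], min_ratio: float = 10.0,
                           min_reflectors: int = 3) -> Dict[str, Verdict]:
    """Return clients whose amplification ratio and reflector count both
    exceed the (assumed) thresholds. Normal clients fall below at least one."""
    req = defaultdict(int)
    rep = defaultdict(int)
    servers = defaultdict(set)
    for f in flows:
        req[f.client] += f.req_bytes
        rep[f.client] += f.rep_bytes
        servers[f.client].add(f.server)

    verdicts: Dict[str, Verdict] = {}
    for client in req:
        ratio = rep[client] / max(req[client], 1)   # guard against zero requests
        n_servers = len(servers[client])
        if ratio >= min_ratio and n_servers >= min_reflectors:
            verdicts[client] = Verdict(client, n_servers, round(ratio, 1))
    return verdicts


def reflectors_for(flows: List[Flow], client: str) -> List[Tuple[str, int]]:
    """Rank the servers that answered a flagged client by reply bytes, so the
    operator knows which hosts to rate-limit or notify first."""
    per_server = defaultdict(int)
    for f in flows:
        if f.client == client:
            per_server[f.server] += f.rep_bytes
    return sorted(per_server.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for client, v in find_amplified_clients(SAMPLE_FLOWS).items():
        print(f"{client}: {v.amplification}x amplification via {v.reflectors} servers")
        for server, sent in reflectors_for(SAMPLE_FLOWS, client):
            print(f"  {server} sent {sent} bytes")
```

On the sample data the browsing client has a ratio of about 3.3 across two servers and is left alone, while the spoofed victim shows roughly 120x amplification from five servers. Because the signal is the byte ratio rather than any particular URL, the same check applies whether the abused service is a Joomla plugin, an SQL server or anything else that answers a small request with a large reply.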

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Increasingly it would seem that the mode of choice for serious DDoS'ers is to attack on multiple fronts using multiple techniques. This is just another example of such a technique being thrown into the mix. Not better, not worse, just adding to the pain in the ass list.
