• Stefan Prandl

DDoS attack against Asian Azure customer hits 3.47 Terabits per second

Looks like in November last year Microsoft managed to defend a company in the Asian Azure segment against a 3.47 terabit per second attack. To give you an idea on scale, that’s roughly equivalent to 87,000 8k movies being streamed at the same time. This attack was done over UDP, but against a web service which does not use UDP. This means the attack wasn’t designed to harm the service itself, but the routing infrastructure around it. If you’ve not been able to browse the net cause other members of your family are watching Netflix in two different rooms, you’ve got the idea of what they were trying to achieve… but at a massive global scale.


What’s interesting is that these mega-attacks are being driven by reflection based attacks. What this means is that the attackers are using innocent bystander’s web facing services to conduct the attack. To give you an idea on what’s going on, we can use the classic pizza prank as an analogue. The meme is that you create a problem for someone by ordering 20 pizzas and having them sent to their house. Nowadays if Dominos gets an order for 20 pizzas, they’re going to call you to make sure that you actually did order the pizza. This is similar to what would happen to a server if someone was to try and use one bystander to perform the attack… in order to make it big enough, the bystander would be asked to do so much it would be a DDoS attack on them too!


However you can be sneaky. Instead of calling the one pizza shop, what if you called every pizza shop in the suburb and got them to deliver 3 pizzas each? Much less chance of anyone noticing something is up until it’s too late, and the potential to have way more pizzas arrive at the house. This is how the 3.47 terabit attack was generated, many many bystanders were made to do a little work, and so nobody noticed (apart from Microsoft, who was hit by the equivalent of 87 thousand 8k movies worth of data at once).


These readily accessible protocols used in the attack were not web protocols, instead they were things like SSDP, CLDAP, DNS, and NTP, all protocols that companies hosting them would want to know if they were being abused (beyond being implicated in an attack on Azure!). SSDP and CLDAP are protocols used in authentication and service detection, and abuse of these protocols can indicate early stage intrusion by attackers. The fact that they are in such a position that someone can use them as an attack platform indicates that the organisation hosting them isn’t aware that they have a problem.


These kinds of misconfigurations and holes in defence can be detected by Firebug. In this case Firebug can identify the very different pre-DDoS behaviour being used to spawn the attack, which can alert defenders to the fact that their network is insecure, and acting as an attack platform for bad guys! The more of these exposed weaknesses in internet facing systems are discovered and secured, the harder it gets for the bad guys to launch these kinds of attacks. The question you have to ask your IT ops teams is, are we a patsy?

22 views0 comments

Recent Posts

See All