MIT Hit By More Than 35 DDoS Attacks So Far This Year
Since the beginning of the year, the MIT (Massachusetts Institute of Technology) network has been assaulted at least 35 times by distributed denial of service (DDoS) attacks, Akamai reveals.
According to a new report from the Akamai SIRT (Security Intelligence Response Team), these DDoS campaigns have been aimed at different targets within MIT, and roughly 43% of the attacks leveraged DDoS reflection and amplification methods. Attackers targeted multiple destination IPs within the MIT network during these incidents and used a combination of devices to launch the attacks, Akamai said.
Authored by Wilber Mejia, Akamai SIRT, the case study (PDF) reveals that 14 unique floods were used in these DDoS campaigns, namely ACK, CHARGEN, DNS, GET, ICMP, NTP, NETBIOS, RESERVE protocol, SNMP, SSDP, SYN, TCP anomaly, UDP, and UDP FRAGMENT floods. The devices used to launch these attacks were vulnerable to reflection abuse and spoofed IP sources.
The largest of the attacks peaked at 295 Gbps (gigabits per second) and consisted of only a UDP flood signature that researchers believe to be a variant of the STD/Kaiten malware. The attack topped 58.6 million packets per second and used a combination of UDP flood, UDP fragment and DNS flood attack vectors. Another large incident peaked at 89.35 Gbps using the same combination of attack vectors.
“These attack types have commonly been included in sites offering so called booter or stressor services,” Mejia notes in the case study. UDP and DNS reflection attack vectors generated the most attack traffic across the investigated campaigns, the researcher reveals.
The report also mentions that the reflectors used in these attacks are not necessarily owned or acquired by the malicious actors, but that they are rather abused in these incidents. The reflectors used in the attacks against MIT were mainly located in China, but researchers observed a total of 18,825 unique sources of reflectors around the world during the MIT attacks.
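The reflection-and-amplification pattern described above (multiple destination IPs, thousands of abused third-party reflectors, several UDP services in the mix) is something a network defender can surface from ordinary flow exports. The following is an added example written for this article, not Akamai's or MIT's tooling: it classifies constructed flow records by the well-known source port of the abused service (the CHARGEN, DNS, NTP, NetBIOS, SNMP and SSDP vectors named in the case study), aggregates per destination, and flags destinations that receive reflected traffic from many distinct sources. The port map, the sample flows, the thresholds and the `sampling_rate` knob are all assumptions for illustration.

```python
"""Added example: flag reflection/amplification floods in sampled flow records.

This is illustrative code for the article, not Akamai's or MIT's tooling.
The flow records are constructed; the port map and thresholds are assumptions.
"""
from collections import defaultdict

# UDP services named in the case study that are commonly abused as reflectors,
# keyed by the well-known port a reflected reply arrives FROM (assumption:
# replies carry the service port as their source port).
REFLECTOR_PORTS = {
    19: "CHARGEN",
    53: "DNS",
    123: "NTP",
    137: "NETBIOS",
    161: "SNMP",
    1900: "SSDP",
}

# Constructed sample of exported flow records (not real MIT traffic).
# Fields: timestamp src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
1461000000 203.0.113.10 123 198.51.100.5 4321 udp 468000 1000
1461000000 203.0.113.11 123 198.51.100.5 4321 udp 468000 1000
1461000000 203.0.113.12 53 198.51.100.5 4321 udp 3500000 1000
1461000000 192.0.2.7 1900 198.51.100.5 4321 udp 320000 1000
1461000000 192.0.2.8 44321 198.51.100.9 443 tcp 1500 10
1461000001 203.0.113.10 123 198.51.100.5 4321 udp 468000 1000
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, sport, dst, dport, proto, nbytes, pkts = line.split()
    return {
        "ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
        "dport": int(dport), "proto": proto, "bytes": int(nbytes),
        "packets": int(pkts),
    }


def summarize_reflection(flow_text):
    """Aggregate reflected UDP traffic per destination IP.

    Only UDP flows whose source port is a known reflector service count;
    everything else (e.g. ordinary TCP sessions) is ignored.
    """
    per_dst = defaultdict(lambda: {
        "bytes": 0, "packets": 0, "sources": set(), "vectors": set(), "ts": set(),
    })
    for line in flow_text.strip().splitlines():
        f = parse_flow(line)
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        d = per_dst[f["dst"]]
        d["bytes"] += f["bytes"]
        d["packets"] += f["packets"]
        d["sources"].add(f["src"])            # distinct reflectors seen
        d["vectors"].add(REFLECTOR_PORTS[f["sport"]])
        d["ts"].add(f["ts"])
    return per_dst


def flag_reflection_targets(summary, min_pps=1000, min_sources=3, sampling_rate=1):
    """Return {dst: report} for destinations whose reflected traffic exceeds thresholds.

    Thresholds are assumptions for the example. sampling_rate rescales a sampled
    export (e.g. 1-in-1000 sFlow) to an estimate of the wire rate.
    """
    flagged = {}
    for dst, d in summary.items():
        seconds = max(d["ts"]) - min(d["ts"]) + 1      # observed span, whole seconds
        pps = d["packets"] * sampling_rate / seconds
        mbps = d["bytes"] * 8 * sampling_rate / seconds / 1e6
        if pps >= min_pps and len(d["sources"]) >= min_sources:
            flagged[dst] = {
                "pps": pps,
                "mbps": round(mbps, 3),
                "reflectors": len(d["sources"]),
                "vectors": sorted(d["vectors"]),
            }
    return flagged


if __name__ == "__main__":
    for dst, report in flag_reflection_targets(summarize_reflection(SAMPLE_FLOWS)).items():
        print(f"{dst}: {report['pps']:.0f} pps, {report['mbps']} Mbps, "
              f"{report['reflectors']} reflectors, vectors={','.join(report['vectors'])}")
```

On real exports the interesting signals are the ones the case study highlights: the number of distinct reflector sources per victim and the spread of vectors, rather than any single flow, because each abused reflector contributes only a slice of the total. Counting sources also distinguishes a reflection campaign from a single misbehaving upstream resolver.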
The case study also reveals that Xor DDoS botnet attacks were persistent across these campaigns, but they did not produce the largest amount of malicious traffic against MIT. This type of attack appears to be accessible to a much larger population of malicious actors.
“The fact is almost anyone with motivation and enough knowledge to determine the IP of their target can launch these attacks at low cost. A recent look at the pricing of popular sites offering DDoS ‘stresser’ services shows this can be performed for as little as 19.99/month,” Mejia explains.
During the first quarter of this year, Akamai observed a record number of DDoS attacks (19) larger than 100 Gbps, and revealed at the beginning of June that attackers had also started to leverage TFTP (Trivial File Transfer Protocol) for reflection and amplification. In June, Imperva researchers observed a 470 Gbps incident that leveraged no fewer than nine different payload (packet) types.