Computerworld UK has an interesting story that digs into a massive, 300 Gbps DDoS attack that used a flaw in the IPMI protocol to compromise 100,000 unpatched servers, which were then used to send junk traffic to the victim site.
The attack was documented by the security firm Verisign in its quarterly threat report. The flaw, in the Intelligent Platform Management Interface (IPMI), is a well-documented security hole that affects a wide range of devices.
The attack in question took place in June and targeted what Verisign described as a content delivery network (CDN) in the media and entertainment sector.
The attack combined a variety of techniques, including SYN, TCP and UDP floods, to overwhelm a target data center. The attack reached a peak traffic volume of 300 Gbps and lasted more than a day, prompting Verisign to balance the load across its global network.
Verisign attributed the massive volume of the attack to a botnet made up of as many as 100,000 servers. Those servers were vulnerable to the Supermicro IPMI flaw made public by researcher Zachary Wikholm in June.
As Security Ledger reported at the time, servers equipped with Supermicro Baseboard Management Controllers (BMCs) store a password file, PSBlock, in plain text and leave it open to the world on port 49152.
Baseboard Management Controllers (BMCs) are small, embedded systems attached to a system’s motherboard that manage IPMI communications.
Supermicro has fixed the problem in the latest version of its IPMI firmware. However, companies are often reluctant to flash (or replace) the firmware that manages BMCs.
A scan of the Internet in June for public-facing devices that are listening on that port and appear to be running vulnerable Supermicro software revealed close to 32,000 systems.
The individuals behind the DDoS attacks appear to have taken the hint: automating the harvesting of passwords from a distributed web of vulnerable servers around the world and adding those servers to the botnet.
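The exposure described above is easy to catch from the defender's side: a BMC should never be reachable on its management ports from anywhere but a dedicated management network. The following is an added example, not code from Security Ledger, Verisign or Supermicro, that scans constructed flow-log lines for connections to TCP port 49152 (the port named above) and UDP port 623 (standard IPMI-over-LAN) from outside an assumed management subnet (10.10.0.0/16); the log format and network are hypothetical.

```python
import ipaddress
import re

# Ports a BMC should never expose beyond the management network.
# 49152/tcp is the port named in the article; 623/udp is standard
# IPMI-over-LAN (RMCP), added here as a known fact, not from the article.
BMC_PORTS = {("tcp", 49152), ("udp", 623)}

# Hypothetical management network: only these sources may talk to BMCs.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed flow-log format (hypothetical, not any vendor's native format):
# "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")


def parse_flow(line):
    """Parse one flow-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def is_management_source(ip):
    return any(ip in net for net in MANAGEMENT_NETS)


def find_exposed_bmc_access(lines):
    """Return flows that reach a BMC port from outside the management network."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if (f["proto"], f["dport"]) in BMC_PORTS and not is_management_source(f["src"]):
            hits.append((f["ts"], str(f["src"]), str(f["dst"]), f["proto"], f["dport"]))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2014-06-12T10:00:01Z 10.10.4.7:51000 -> 10.10.9.20:49152 tcp",       # admin on mgmt net: fine
    "2014-06-12T10:00:05Z 203.0.113.45:40112 -> 198.51.100.8:49152 tcp",  # internet -> BMC web port
    "2014-06-12T10:00:09Z 203.0.113.45:40113 -> 198.51.100.8:623 udp",    # internet -> IPMI
    "2014-06-12T10:00:12Z 203.0.113.99:4432 -> 198.51.100.8:443 tcp",     # ordinary HTTPS, ignored
    "garbage line",
]

if __name__ == "__main__":
    for hit in find_exposed_bmc_access(SAMPLE_LOG):
        print("BMC port reachable from outside management net:", hit)
```

Any hit is a firewall or network-segmentation failure to fix regardless of the BMC firmware version, since the password-file exposure only matters if the port is reachable.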