Akamai's Security Intelligence Response Team has disclosed a potentially damaging DDoS vulnerability.
The DDoS amplification attack abuses TFTP (Trivial File Transfer Protocol), a method of delivering operating systems and configuration files to devices across a network, often used for what are called 'headless installations'.
These installations are typically LAN-based rather than internet-facing: TFTP is used to push software updates and OS configurations to devices when they are first set up on the network. However, a minority of these TFTP servers are reachable from the internet, and these exposed servers are the starting point of the attacks.
The attack start time also coincided with the release of research on TFTP by Edinburgh Napier University. As of April 20, 2016, Akamai had 'mitigated' ten attacks that used TFTP in the same way.
Akamai says the attacks were multi-vector attacks that included TFTP reflection, which may mean at least one site is using DDoS as a service.
Akamai says that TFTP alone has produced an attack of 1.2Gbps, while multi-vector attacks have reached 44Gbps. Akamai says the attacks are small and originate from Asia as well as Europe. The TFTP attacks are also limited because a TFTP server can only deliver files to a small number of hosts at any one time.
Attacks may include 'out of memory' signatures, which Akamai says alludes to "TFTP servers not being able to handle the rapid fire queries sent by the TFTP flood attack tool".
Akamai advises threat prevention and mitigation. Operators of TFTP servers should assess whether UDP port 69 needs to be reachable from the internet at all. Where it does, place the server behind a firewall and allow only trusted sources. Use Snort or another IDS to detect abuse of the server.
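As an added illustration of that advice (this is example code written for this article, not Akamai's tooling or a Snort rule), the following checks a set of constructed flow records for the two conditions the advisory highlights: a TFTP server receiving UDP/69 requests from outside the LAN, and sources issuing the 'rapid fire' queries that a reflection flood produces. Address ranges, record layout and the 20-requests-per-second threshold are assumptions.

```python
"""Flag TFTP (UDP/69) requests reaching a LAN server from outside, and sources
sending rapid-fire requests, over constructed flow records (not real traffic)."""
import ipaddress
from collections import Counter, defaultdict

TFTP_PORT = 69
RATE_THRESHOLD = 20  # hypothetical: TFTP requests per source per one-second bucket

# RFC 1918 ranges taken as "the LAN"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port, proto).
# Source and destination addresses are documentation/private ranges only.
SAMPLE_FLOWS = (
    [(1000 + i // 30, "203.0.113.5", "192.168.1.10", 69, "udp")
     for i in range(60)]                                        # 30 req/s for 2 s
    + [(1000, "192.168.1.25", "192.168.1.10", 69, "udp")]       # legitimate LAN client
    + [(1001, "198.51.100.7", "192.168.1.10", 69, "udp")]       # single external probe
    + [(1001, "198.51.100.7", "192.168.1.10", 443, "tcp")]      # unrelated traffic
)


def is_tftp_request(flow):
    _, _, _, dst_port, proto = flow
    return proto == "udp" and dst_port == TFTP_PORT


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_tftp_requests(flows):
    """TFTP requests whose source lies outside the LAN: evidence that UDP/69 is
    reachable from the internet, which is the exposure the advisory says to review."""
    return [f for f in flows if is_tftp_request(f) and not is_internal(f[1])]


def rapid_fire_sources(flows, threshold=RATE_THRESHOLD):
    """Peak TFTP requests per source in any one-second bucket, for sources at or
    above the threshold. In a reflection attack the 'source' is normally the
    spoofed victim, so the fix is restricting port 69, not blocking that address."""
    buckets = defaultdict(Counter)
    for ts, src, _, _, _ in filter(is_tftp_request, flows):
        buckets[src][int(ts)] += 1
    return {src: max(c.values()) for src, c in buckets.items()
            if max(c.values()) >= threshold}


if __name__ == "__main__":
    print(len(external_tftp_requests(SAMPLE_FLOWS)), "external TFTP requests")
    print("rapid-fire sources:", rapid_fire_sources(SAMPLE_FLOWS))
```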
More details about the attack will be in Akamai's State of the Internet report, due to be released in early June.