Attackers spoof the source of the requests, causing the results to be sent from the proxy to someone else. The true source of the attack remains unknown, because the attack traffic appears to come from the Joomla servers.
With cooperation from PhishLabs’ R.A.I.D, PLXsert matched DDoS signature traffic originating from multiple Joomla websites, which indicates vulnerable installations are being used for reflected GET floods, a type of DDoS attack. Observed attack traffic and data suggest the attack is being offered on known DDoS-for-hire websites.
PLXsert was able to identify more than 150,000 potential Joomla reflectors on the internet. Although many of the servers appear to have been patched, reconfigured, locked or have had the plugin uninstalled, others remain vulnerable to use in this DDoS attack.
In Q4 2014, Akamai’s PLXsert observed 39% of all DDoS attack traffic employed reflection techniques. Reflection DDoS attacks each take advantage of an internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now