By Ahmad Nassiri
A DDoS attack can bring down almost any website or online service. The premise is simple: using an infected botnet to target and overwhelm vulnerable servers with massive traffic. Twenty years after its introduction, DDoS remains as effective as ever—and continues to grow in frequency, intensity, and sophistication. That makes DDoS defense a top cybersecurity priority for every organization. The first step: understanding the threat you face.
To help organizations take a proactive approach to DDoS defense, A10 Networks recently published a report on the current DDoS landscape, including the weapons being used, the locations where attacks are being launched, the services being exploited, and the methods hackers are using to maximize the damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study provides timely, in-depth threat intelligence to inform your defense strategy.
Here are a few of our key findings.
Reflected Amplification Takes DDoS to the Next Level
The SNMP and SSDP protocols have long been top sources for DDoS attacks, and this trend continued in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in an alarming development, WS-Discovery attacks have risen sharply, to nearly 800,000, to become the third most common source of DDoS. The shift is due in part to the growing popularity of attacks using misconfigured IoT devices to amplify an attack.
In this key innovation, known as reflected amplification, hackers are turning their attention to the exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications protocol used to automatically discover web-connected services. Critically, WS-Discovery does not perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address, at which point the victim will be deluged with data from nearby IoT devices.
With over 800,000 WS-Directory hosts available for exploitation, reflected amplification has proven highly effective—with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting scale, such as the 1.3 Tbps Memcached-based GitHub attack, and account for the majority of DDoS attacks. They’re also highly challenging to defend; only 46 percent of attacks respond on port 3702 as expected, while 54 percent respond over high ports. Most of the discovered inventory to date has been found in Vietnam, Brazil, United States, the Republic of Korea, and China.
DDoS is Going Mobile
Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch point. While these weapons are globally distributed, the greatest number of attacks originate in countries with the greatest density in internet connectivity, including China, the United States, and the Republic of Korea.
A10 Networks has also tracked the hosting of DDoS weapons by autonomous number systems (ASNs), or collections of IP address ranges under the control of a single company or government. With the exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co. Ltd., and Korea Telecom.
In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the end of 2019. In fact, the top reflected amplified source detected was Guangdong Mobile Communication Co. Ltd., with Brazilian mobile company Claro S.A. the top source of malware-infected drones.
The Worst is Yet to Come
With IoT devices coming online at a rate of 127 per second and accelerating, hackers are poised to enter a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting Linux-powered IoT devices—and they’ll only increase as 5G brings massive increases in network speed and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever for any bad actor to launch a lethal targeted attack.
The A10 Networks report makes clear the importance of a complete DDoS defense strategy. Businesses and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat detection, to defend against DDoS attacks no matter where they originate. Methods such as automated signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers can help organizations proactively defend themselves even before the attacks starts.
(The author is the Security Solutions Architect, A10 Networks)