A new wave of DDoS attacks on South Africa’s internet service provider has highlighted the continued growth in the frequency, intensity and sophistication of these attacks. A10 Networks’ recent report, Q2 2019: The State of DDoS Weapons, sheds more light on the loud, distributed nature of DDoS attacks. It also lists the key trends that enterprises can learn from in building a successful defence.
IoT: A Hotbed for DDoS Botnets
A10 Networks has previously written that IoT devices and DDoS attacks are a perfect match. The explosion of the Internet of Things (growing at a rate of 127 connected devices per second and accelerating) is seeing attackers target vulnerable connected devices. They have even begun to develop a new strain of malware named Silex, written specifically for IoT devices. In July 2019 Silex affected 1,650 devices in over an hour. It also wiped the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.
The report highlights the top three IoT binary attacks dropped by malware families; two of the three belonged to Mirai. The Netherlands, the UK, the USA, Germany and Russia are the top countries hosting malware droppers.
The New IoT Threat
A new threat has emerged from industry-wide adoption of a technology with weak security: the UDP implementation of the Constrained Application Protocol (CoAP). This threat has nothing to do with Mirai or malware, yet it has enabled millions of IoT devices to be weaponised as reflected amplification cannons.
CoAP is a machine-to-machine (M2M) management protocol deployed on IoT devices supporting applications such as smart energy and building automation. It is implemented over both TCP and UDP, and it does not require authentication before replying to a small request with a large response. A10 identified over 500,000 vulnerable IoT devices with an average response size of 749 bytes. The report also highlights that 98% of CoAP threats originate from China and Russia, with the capability to amplify attacks by 35x.
On the Horizon: 5G
Ericsson recently predicted that the number of IoT devices with cellular connections will reach 4.1 billion by 2024. 5G, with its higher data speeds and lower latency, will be the primary driver behind this rapid expansion. Whilst this is great news in an open, dynamic world, the downside is that we will also see an increase in the DDoS weaponry available to attackers.
We have seen the number of mobile carriers hosting DDoS weapons skyrocket over the last six months. Companies such as T-Mobile, Guangdong Mobile and China Mobile have been guilty of amplifying attacks. With 5G, intelligent automation aided by machine learning and AI will become essential to detecting and mitigating threats. IoT devices running Linux are already the target of a new strain of malware that is predominantly dedicated to running DDoS attacks.
Amplified Attack
Amplified reflection attacks exploit the connectionless nature of UDP: the attacker sends requests with a spoofed source address to misconfigured open servers on the internet. Attackers send volumes of small requests carrying the victim’s IP address as the source to exposed servers, which are targeted because they run services that reply with a much larger response, amplifying the attack. These attacks have produced record-breaking volumetric attacks, such as the 1.3 Tbps Memcached-based attack on GitHub in 2018, and account for many other DDoS attacks.
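One way a defender can spot reflectors of the kind described above (the CoAP amplifiers from the earlier section, or any UDP service) in their own flow data is to compare bytes answered from a service port against bytes requested to it. The script below is an added example, not A10’s code or tooling; the flow records, IP addresses and the flagging threshold are constructed for illustration.

```python
"""Flag likely UDP reflection/amplification responders (CoAP on UDP/5683 by
default) from flow records. Added example; not A10 Networks' code or tooling."""
from collections import defaultdict

COAP_PORT = 5683            # CoAP default UDP port (IANA-registered)
AMPLIFICATION_THRESHOLD = 10.0  # flag responders above this ratio (chosen for this example)

# Constructed flow records (not from the report):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # small requests to a CoAP responder; the source would be the spoofed victim
    ("203.0.113.10", 40000, "198.51.100.5", 5683, "udp", 21, 1),
    ("203.0.113.10", 40001, "198.51.100.5", 5683, "udp", 21, 1),
    # large replies (749 bytes each, the report's average) sent back to the victim
    ("198.51.100.5", 5683, "203.0.113.10", 40000, "udp", 749, 1),
    ("198.51.100.5", 5683, "203.0.113.10", 40001, "udp", 749, 1),
    # a benign CoAP responder whose replies are about the size of the requests
    ("203.0.113.22", 40010, "198.51.100.9", 5683, "udp", 25, 1),
    ("198.51.100.9", 5683, "203.0.113.22", 40010, "udp", 30, 1),
]


def amplification_by_responder(flows, port=COAP_PORT):
    """Return {responder_ip: (bytes_in, bytes_out, ratio)} for UDP traffic on `port`.

    bytes_in  = bytes of requests addressed to the service port on that host
    bytes_out = bytes of replies sent from the service port by that host
    ratio     = bytes_out / bytes_in (inf when replies appear without requests)
    """
    stats = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dport == port:
            stats[dst][0] += nbytes
        elif sport == port:
            stats[src][1] += nbytes
    return {
        ip: (b_in, b_out, round(b_out / b_in, 2) if b_in else float("inf"))
        for ip, (b_in, b_out) in stats.items()
    }


def flag_reflectors(flows, threshold=AMPLIFICATION_THRESHOLD, port=COAP_PORT):
    """Sorted list of responder IPs whose reply/request byte ratio exceeds `threshold`."""
    stats = amplification_by_responder(flows, port)
    return sorted(ip for ip, (_i, _o, ratio) in stats.items() if ratio > threshold)


if __name__ == "__main__":
    for ip, (b_in, b_out, ratio) in amplification_by_responder(SAMPLE_FLOWS).items():
        print(f"{ip}: in={b_in}B out={b_out}B ratio={ratio}x")
    print("flagged:", flag_reflectors(SAMPLE_FLOWS))
```

On the constructed data the CoAP host 198.51.100.5 answers 42 request bytes with 1,498 reply bytes, a ratio of about 35.7x, matching the amplification figure the report cites, while the benign host stays near 1x.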
Battling the landscape
Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, allows organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate.
Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. With DDoS attacks not going away, it’s time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G gains momentum.
A10 Networks (NYSE: ATEN) provides Reliable Security Always™, with a range of high-performance application networking solutions that help organisations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.