A DDoS attack can bring down almost any website or online service. The premise is simple: use a botnet of infected devices to target and overwhelm vulnerable servers with massive traffic. Twenty years after its introduction, DDoS remains as effective as ever. It continues to grow in frequency, intensity, and sophistication. That makes DDoS defence a top cybersecurity priority for every organisation. The first step: understanding the threat you face.
Helping organisations take a proactive approach to DDoS defence, A10 Networks recently published a report on the current DDoS landscape. It reveals the weapons being used, the locations where attacks are launched from, the services being exploited, and the methods hackers are using to maximise the damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study provides timely, in-depth threat intelligence to inform your defence strategy.
Here are a few of our key findings.
Reflected Amplification Takes DDoS to the Next Level
The SNMP and SSDP protocols have long been top sources for DDoS attacks. This trend continued in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in an alarming development, WS-Discovery attacks have risen sharply, to almost 800,000, to become the third most common source of DDoS. The shift is due in part to the growing popularity of attacks that use misconfigured IoT devices as amplifiers.
This innovation is known as reflected amplification. Hackers are turning their attention to the exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications protocol used to automatically discover web-connected services. Critically, WS-Discovery does not perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address. The result is that the victim is deluged with response data from the IoT devices that answer the spoofed requests.
With over 800,000 WS-Discovery hosts available for exploitation, reflected amplification has proven highly effective, with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting scale, such as the 1.3 Tbps Memcached-based attack on GitHub, and the technique now accounts for the majority of DDoS attacks. They are also highly challenging to defend against: only 46 percent of WS-Discovery reflectors respond on port 3702 as expected, while 54 percent respond from high ports, so filtering on the well-known port alone is not enough. Most of the discovered inventory to date has been found in Vietnam, Brazil, the United States, the Republic of Korea, and China.
DDoS is Going Mobile
Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch point. While these weapons are globally distributed, the greatest number of attacks originate in countries with the greatest density of internet connectivity, including China, the United States, and the Republic of Korea.
A10 Networks has also tracked the hosting of DDoS weapons by autonomous system numbers (ASNs), which identify collections of IP address ranges under the control of a single company or government. Except for the United States, the top ASNs hosting DDoS weapons track closely with the countries hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co Ltd, and Korea Telecom.
In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the end of 2019. The top source of reflected amplification detected was Guangdong Mobile Communication Co Ltd, with Brazilian mobile company Claro SA the top source of malware-infected drones.
The Worst is Yet to Come
IoT devices are coming online at a rate of 127 per second and accelerating. Hackers are poised to enter a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting Linux-powered IoT devices, and they will only increase as 5G brings massive increases in network speed and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever for any bad actor to launch a lethal, targeted attack.
The A10 Networks report makes clear the importance of a complete DDoS defence strategy. Businesses and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat detection, to defend against DDoS attacks no matter where they originate. Methods such as automated signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers can help organisations proactively defend themselves even before an attack starts.
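The two defensive points above, that WS-Discovery reflectors answer from port 3702 only 46 percent of the time (so a port filter alone misses most of the traffic) and that blacklists of known reflector addresses help before an attack peaks, can be combined in a simple flow-based detector. The following is an added example written for this page, not code from A10 Networks or the report. It assumes a one-line-per-flow record format ("src_ip:src_port dst_ip:dst_port proto bytes"), a constructed protected address and reflector list in documentation IP ranges, and an inbound-to-outbound byte ratio threshold of 10, which is an assumption; the report only states that observed amplification reaches 95x.

```python
"""Flow-based detection of UDP reflected amplification (added example).

Three signals are combined per remote peer:
  1. UDP traffic arriving from source port 3702 (WS-Discovery).
  2. The peer appears on a reflector blocklist (threat intelligence).
  3. Inbound UDP bytes greatly exceed what the protected host ever sent to
     that peer. A victim of spoofed-source reflection never sent the request,
     so the ratio is effectively unbounded regardless of the source port;
     this catches the 54 percent of reflectors that answer from high ports.
All addresses and flow lines below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702                       # WS-Discovery well-known UDP port
VICTIM = "203.0.113.10"               # constructed: the protected host
KNOWN_REFLECTORS = {"198.51.100.7"}   # constructed: threat-intel blocklist entry
RATIO_THRESHOLD = 10.0                # assumption: in:out byte ratio that is suspicious

# Constructed flow records: two WS-Discovery reflectors (one on the well-known
# port, one answering from a high port), a normal DNS exchange, and TCP traffic.
SAMPLE_FLOWS = """\
198.51.100.7:3702 203.0.113.10:41234 UDP 2400
198.51.100.7:3702 203.0.113.10:41234 UDP 2400
192.0.2.44:57321 203.0.113.10:41234 UDP 3800
192.0.2.44:57321 203.0.113.10:41234 UDP 3800
203.0.113.10:53211 192.0.2.53:53 UDP 60
192.0.2.53:53 203.0.113.10:53211 UDP 180
203.0.113.10:44100 192.0.2.80:443 TCP 900
192.0.2.80:443 203.0.113.10:44100 TCP 5200
"""


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src_ip:src_port dst_ip:dst_port proto bytes' record."""
    src, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.upper(), int(nbytes))


def analyze(lines, victim=VICTIM, blocklist=KNOWN_REFLECTORS,
            ratio_threshold=RATIO_THRESHOLD):
    """Return {peer_ip: finding} for peers that look like reflection sources."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "wsd_port": False})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_flow(raw)
        if f.proto != "UDP":
            continue  # reflected amplification rides on connectionless UDP
        if f.dst_ip == victim:
            s = stats[f.src_ip]
            s["bytes_in"] += f.nbytes
            if f.src_port == WSD_PORT:
                s["wsd_port"] = True
        elif f.src_ip == victim:
            stats[f.dst_ip]["bytes_out"] += f.nbytes

    findings = {}
    for peer, s in stats.items():
        ratio = s["bytes_in"] / max(s["bytes_out"], 1)
        reasons = []
        if s["wsd_port"]:
            reasons.append("udp source port 3702 (WS-Discovery)")
        if peer in blocklist:
            reasons.append("peer on reflector blocklist")
        if s["bytes_in"] > 0 and ratio >= ratio_threshold:
            reasons.append(f"unsolicited/amplified UDP, in:out ratio {ratio:.0f}x")
        if reasons:
            findings[peer] = {"bytes_in": s["bytes_in"], "bytes_out": s["bytes_out"],
                              "ratio": ratio, "reasons": reasons}
    return findings


def mitigation_entries(findings, victim=VICTIM):
    """Turn findings into human-readable rate-limit/drop candidates for review."""
    return sorted(f"rate-limit udp from {peer} to {victim} ({'; '.join(v['reasons'])})"
                  for peer, v in findings.items())


if __name__ == "__main__":
    for entry in mitigation_entries(analyze(SAMPLE_FLOWS.splitlines())):
        print(entry)
```

The ratio signal is what makes the detector useful against the high-port reflectors: 192.0.2.44 in the sample never appears on port 3702 and is not on the blocklist, yet it is flagged because the protected host sent it nothing. The DNS peer, whose 60-byte query draws a 180-byte answer, stays below the threshold, and TCP flows are ignored because a spoofed source cannot complete a handshake.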
For additional insight, including the top IoT port searches and reflector searches performed by attackers, download the complete A10 Networks report, “Q4 2019: The State of DDoS Weapons” and see the accompanying infographic, “DDoS Weapons & Attack Vectors.”
A10 Networks (NYSE: ATEN) provides Reliable Security Always™, with a range of high-performance application networking solutions that help organisations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.