The COVID-19 pandemic has created significant challenges and changes to the world as we know it. Enterprises quickly moved to remote working, implementing a new hybrid set-up. Meanwhile, adversaries seized the opportunity, and we have witnessed significant growth in the number of cyberattacks.
In particular, DDoS attacks have grown in size and frequency. Adversaries have also pivoted towards low-volume, persistent attacks that run for longer periods, injecting attack traffic at intervals rather than in one burst. Because they stay under simple volumetric thresholds, these low-volume attacks evade basic defensive measures, yet they still have a significant impact on enterprise systems and operations.
Modern malware is hijacking IoT devices
As the name indicates, DDoS attacks are distributed in nature. A single attack may employ multiple DDoS weapons to overwhelm the victim’s network and defences. Our security research team has tracked DDoS weapons and their behaviours and reported on their frequency and impact over the last several years.
Our latest H1 2021 DDoS Attack Mitigation: Global State of DDoS Weapons Report provides detailed insights into the origins of DDoS activity. It highlights how easily and quickly modern malware can hijack IoT devices and convert them into malicious botnets. The report also provides some helpful guidance on what organisations can do to protect against such activities and act rather than sit and wait for the inevitable to happen.
With new attacks and new malware variants, we are witnessing new layers of sophistication in how IoT and smart devices are weaponised. Cybercriminals are recruiting IoT devices around the world into their botnet armies, aided by malware such as Mozi. Here I’ve summarised some of the key findings:
DDoS weapons are steadily growing
The total number of DDoS weapons increased by 2.5 million during H1 2021, the same level of growth as in previous reporting periods. The number of DDoS weapons has therefore been growing steadily and now stands at 15 million tracked.
SSDP (Simple Service Discovery Protocol) remains the largest reflected amplification weapon with 3.2 million potential weapons exposed to the internet. It is an increase of over 28 percent compared to the previous reporting period.
DDoS attackers have been increasingly focused on smaller attacks launched persistently over a longer period. Large-scale attacks may occur less frequently as a result, but when they do happen they cause a lot of damage and make significant headlines.
The rest of the top five amplification weapons, SNMP, Portmap, TFTP and DNS Resolvers, held their positions. It is important to note that all of these weapons grew in number except for DNS Resolvers.
China leads the way
DDoS attacks are not limited to a specific geographic location. They can originate from and target organisations anywhere in the world. What we found in this report, however, is that China (for the second reporting period in a row) continues to host the highest number of potential DDoS weapons. That count includes both amplification weapons and botnet agents.
It is closely followed by the US, which remains the second-largest source of DDoS weaponry, particularly amplification weapons. In third place is South Korea.
This edition of the threat intelligence report takes a deeper look at how botnets work. Botnet agents, or drones, are compute nodes such as computers, servers, routers, cameras and other IoT devices that have been infected by malware; together they form a botnet, the tool controlled and used by DDoS attackers.
Malware has played an important role in the expansion of botnets by automating bot infection and recruitment, and the resulting botnets are used to launch large-scale DDoS attacks. Growth or shrinkage in botnet populations can be attributed to factors such as the growth of IoT, newly disclosed vulnerabilities (CVEs) that attackers exploit, large-scale security updates that patch those CVEs, and botnet takedowns.
Botnet agents halve in H1 2021
In H1 2021, the total number of botnet agents almost halved, with 449,509 tracked, and China hosted 44% of the drones observed worldwide. The drop is likely due to the high-profile takedown of the Emotet botnet, one of the largest botnets in the world, dubbed “the internet’s most dangerous malware”.
In early 2021, international law enforcement took down Emotet’s command and control infrastructure in more than 90 countries. While this takedown contributed to the large-scale reduction in botnet agents, it is important to note that these changes may be temporary. Attackers can quickly build their infrastructures back up and exploit network systems and vulnerabilities.
One other particularly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that infects IoT devices by exploiting a large set of known remote code execution (RCE) vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVEs). Once a device is infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands, so there is no single command-and-control server to take down.
Our report found that in the first half of 2021, Mozi reached 360,000 systems from manufacturers including Huawei, Realtek, NETGEAR and many others. The Mozi botnet includes infected bots around the globe, with China, India, Russia and Brazil leading the list of countries and regions.
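Mozi's peer-to-peer channel gives defenders something to hunt for on the wire. The following Python is an added example, not code from the report or its authors. It assumes, from public analyses of Mozi rather than from the report itself, that the peer-to-peer layer is built on the BitTorrent DHT (KRPC) protocol, so a camera or router that emits DHT `ping` or `find_node` queries is a device worth isolating. It contains a minimal bencode decoder that rejects malformed input, a classifier for KRPC messages, and a roll-up per source address. The UDP payloads in `SAMPLE_UDP` are constructed for the example.

```python
"""Flag BitTorrent DHT (KRPC) messages in UDP payloads leaving an IoT segment.

Added example, not code from the report. Assumption (from public Mozi
analyses, not from the report): Mozi's peer-to-peer channel uses the
BitTorrent DHT protocol. Sample payloads below are constructed.
"""
from __future__ import annotations

# Query names defined by the BitTorrent DHT (BEP 5) KRPC protocol.
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def bdecode(data: bytes):
    """Decode exactly one bencoded value; raise ValueError on malformed input."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode(data: bytes, i: int):
    if i >= len(data):
        raise ValueError("truncated")
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        items, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dict key must be a byte string")
            items[key], i = _decode(data, i)
        return items, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length exceeds payload")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode prefix {c!r} at offset {i}")


def classify_dht(payload: bytes) -> str | None:
    """Return 'query:<name>', 'response' or 'error' for a KRPC message, else None."""
    try:
        msg = bdecode(payload)
    except ValueError:
        return None
    # Every KRPC message is a dict with a transaction id 't' and a type 'y'.
    if not isinstance(msg, dict) or b"t" not in msg or b"y" not in msg:
        return None
    kind = msg[b"y"]
    if kind == b"q":
        name = msg.get(b"q")
        if name in DHT_QUERIES and isinstance(msg.get(b"a"), dict):
            return "query:" + name.decode()
        return None
    if kind == b"r" and isinstance(msg.get(b"r"), dict):
        return "response"
    if kind == b"e":
        return "error"
    return None


# Constructed (src, dst, payload) tuples standing in for captured UDP datagrams.
SAMPLE_UDP = [
    ("10.20.0.11", "203.0.113.5",
     b"d1:ad2:id20:" + b"\x11" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("10.20.0.12", "198.51.100.7",
     b"d1:ad2:id20:" + b"\x22" * 20 + b"6:target20:" + b"\x33" * 20
     + b"e1:q9:find_node1:t2:ab1:y1:qe"),
    ("203.0.113.5", "10.20.0.11",
     b"d1:rd2:id20:" + b"\x44" * 20 + b"e1:t2:aa1:y1:re"),
    ("10.20.0.13", "192.0.2.9",
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"),  # SSDP, not DHT
    ("10.20.0.14", "192.0.2.10", b"\x00\x01\x02garbage"),            # not bencoded
]


def find_dht_talkers(records) -> dict[str, list[str]]:
    """Map each source address to the DHT message types it emitted."""
    hits: dict[str, list[str]] = {}
    for src, _dst, payload in records:
        kind = classify_dht(payload)
        if kind:
            hits.setdefault(src, []).append(kind)
    return hits


if __name__ == "__main__":
    for src, kinds in find_dht_talkers(SAMPLE_UDP).items():
        print(f"{src}: {', '.join(kinds)}")
```

In practice the records would come from a packet capture or a UDP flow log on the IoT VLAN, and any internal source that appears in the output of `find_dht_talkers` while having no business running BitTorrent is a candidate for the isolation step described later in this post.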
Strategies for protecting the network against DDoS attacks
So how do organisations protect their networks and resources against such attacks? Organisations should invest in Zero Trust models and create micro-perimeters within the network to limit access to resources. They should also look at modern AI and machine learning solutions, which can detect attacks that signature-based tools miss, including previously unseen ones.
Likewise, organisations should investigate whether they are already infected. If network devices suddenly start generating abnormal amounts of traffic, this might be because they are infected. In this instance, organisations should immediately isolate suspicious devices and limit the traffic originating from these devices.
It is important to monitor commonly exploited ports and block them where the service is not needed, and to consider blocking known attack payloads and any BitTorrent traffic coming into or going out of the network. Above all, organisations should ensure that their security infrastructure is regularly updated and that IoT devices run the latest firmware with all the necessary security patches.
Finally, they should use modern DDoS defence techniques such as baselining, which compares current behaviour against historical norms to surface anomalies. AI/ML techniques for detection and zero-day attack prevention can further help security teams.
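Two of the recommendations above, spotting devices that suddenly generate abnormal amounts of traffic and watching the commonly exploited amplification ports, can be turned into a simple check over flow records. The Python below is an added example, not code from the report or its authors. It baselines each internal device's outbound bytes per minute against its own history using median plus k times the median absolute deviation (a robust alternative to mean and standard deviation that a single past spike does not skew), and separately flags internal devices sending large UDP datagrams from the SSDP, SNMP, Portmap, TFTP and DNS service ports to external addresses, which is what a device being used as a reflector looks like from inside the network. The `Flow` records, the RFC 1918 definition of "internal", the port list and the thresholds are assumptions for the example, not values from the report.

```python
"""Baseline-versus-now check for devices that may have been recruited into a botnet.

Added example, not from the report. Flow records, address plan, port list and
thresholds are constructed/illustrative choices.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# UDP services the report names as reflected-amplification weapons.
AMPLIFICATION_PORTS = {1900: "SSDP", 161: "SNMP", 111: "Portmap", 69: "TFTP", 53: "DNS"}

# RFC 1918 space; adapt to the site's real address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    minute: int      # minute bucket since the start of the observation window
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    bytes: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bytes_per_minute(flows: list[Flow]) -> dict[str, dict[int, int]]:
    """Outbound (internal -> external) bytes per source, bucketed per minute."""
    out: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src][f.minute] += f.bytes
    return out


def volume_anomalies(history: list[Flow], current: list[Flow], k: float = 6.0) -> dict[str, float]:
    """Devices whose peak current rate exceeds median + k*MAD of their own history.

    Returns {src: peak / threshold} for every device over its threshold.
    Devices with fewer than three history buckets are skipped: they need a
    separate "new talker" review rather than a baseline comparison.
    """
    hist = bytes_per_minute(history)
    now = bytes_per_minute(current)
    flagged: dict[str, float] = {}
    for src, buckets in now.items():
        past = list(hist.get(src, {}).values())
        if len(past) < 3:
            continue
        med = median(past)
        mad = median(abs(x - med) for x in past) or 1.0   # flat history -> MAD 0, avoid div by zero
        threshold = med + k * mad
        peak = max(buckets.values())
        if peak > threshold:
            flagged[src] = round(peak / threshold, 2)
    return flagged


def reflector_egress(flows: list[Flow], min_bytes: int = 500) -> dict[str, set[str]]:
    """Internal devices answering from amplification-service ports toward the internet.

    A legitimate SSDP/SNMP/TFTP reply stays on the LAN; a large UDP datagram
    from one of these source ports to an external address means the device is
    replying to a spoofed request, i.e. it is being used as a reflector.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if (f.proto == "udp" and f.sport in AMPLIFICATION_PORTS
                and is_internal(f.src) and not is_internal(f.dst)
                and f.bytes >= min_bytes):
            hits[f.src].add(AMPLIFICATION_PORTS[f.sport])
    return dict(hits)


def sample_flows() -> tuple[list[Flow], list[Flow]]:
    """Constructed sample: a quiet camera that starts flooding, and an SSDP reflector."""
    history, current = [], []
    for m in range(10):
        history.append(Flow(m, "10.0.0.21", "203.0.113.50", "tcp", 51000 + m, 443, 40_000 + (m % 3) * 1_000))
        history.append(Flow(m, "10.0.0.1", "203.0.113.60", "udp", 123, 123, 2_000))
    current.append(Flow(0, "10.0.0.21", "203.0.113.50", "tcp", 51100, 443, 41_000))
    current.append(Flow(1, "10.0.0.21", "192.0.2.77", "udp", 40000, 80, 3_200_000))   # flood toward a victim
    current.append(Flow(1, "10.0.0.1", "203.0.113.60", "udp", 123, 123, 2_000))
    current.append(Flow(1, "10.0.0.30", "198.51.100.20", "udp", 1900, 33445, 1_400))  # SSDP reply to the internet
    current.append(Flow(1, "10.0.0.30", "10.0.0.5", "udp", 1900, 50000, 1_400))       # SSDP reply on the LAN, fine
    return history, current


if __name__ == "__main__":
    history, current = sample_flows()
    print("volume anomalies:", volume_anomalies(history, current))
    print("reflector egress:", reflector_egress(current))
```

Each flagged device is a candidate for the isolate-and-rate-limit step above; the ratio returned by `volume_anomalies` helps prioritise, since a device sending sixty-plus times its own baseline is a much stronger signal than one just over the line.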
As we prepare for 2022, it is commonly acknowledged that hybrid and remote working environments are here to stay. Security teams will need to look at how they secure a mix of on-premises, multi-cloud and edge-cloud environments. Sophisticated DDoS threat intelligence combined with real-time threat detection, AI and ML capabilities, and automated signature extraction allow organisations to defend against all kinds of DDoS attacks, no matter where they originate.