
Actionable Weapons Intelligence: Proactive Approaches to Defending DDoS Attacks

11 September 2020

A10 NETWORKS recently launched its State of DDoS Weapons Report (Q2 2020), the contents of which are based on approximately ten million unique source addresses tracked by the company. As Ehab Halablab observes, the document sheds more light on the nature of DDoS attacks and the key trends and observations that enterprises can learn from when adopting a successful defence.

Back in June, news reports highlighted one of the biggest DDoS attacks ever recorded. The attack, which targeted a large European bank, generated 809 million packets per second (PPS). This is a new industry record for a PPS-focused attack which is more than double the size of previous attacks.

We’ve previously written about how Internet of Things (IoT) devices and DDoS attacks are a perfect match. IoT devices such as smart watches, routers and cameras are now commonly infected by malware and under the control of malicious actors who use them to launch flexible DDoS attacks.

Our researchers have accumulated knowledge of repeatedly used hosts in these attacks, scanning for those that show malware-infected characteristics that deserve to be treated with caution while under a DDoS attack.

The report highlights the Top Three countries hosting DDoS botnet agents as being China (15%), Vietnam (12%) and Taiwan (9%). From these nations, the top ASNs hosting DDoS botnet agents were Chunghwa Telecom (Taiwan), China Telecom, China Unicom CN and the VNPT Corp (Vietnam).

Malware proliferation

IoT devices are vulnerable largely because they lack the built-in security needed to counter threats. This gives threat actors an opportunity to target them through a collection of remote code execution exploits and an ever-growing list of default user names and passwords shipped by device vendors, constantly increasing the size and strength of DDoS attacks. Weapons intelligence systems detect hundreds of thousands of events per hour on the Internet, providing insights into the top IoT exploits and the attack capabilities they enable.

One of the key report findings is that thousands of malware binaries have been dropped onto systems in the wake of the different IoT-based attacks and exploits. The malware families seen most frequently in attacks were the Gafgyt family, Dark Nexus and the Mirai family. The related binary names from these malwares are arm7, Cloud.x86 and mmmmh.x86 respectively.

Digging deeper into the characteristics and behaviour of the binary we saw the most this quarter, namely arm7, we found that attack types came in varied forms including, but not limited to, TCP floods, HTTP floods and UDP floods. To mitigate these attacks, a firm understanding of these DDoS weapons needs to be established by understanding and reverse engineering the attack toolkits.

Amplified attacks

When it comes to large-scale DDoS attacks, amplified reflection is the most effective. An example of this is when the attacker sends volumes of small requests with the spoofed victim’s IP address to Internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities.

The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 this year, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018.

Although CLDAP doesn’t make the Top 5 list of our amplification attack weapons in Q2, we did record 15,651 potential CLDAP weapons. This makes it a fraction of the top amplification attack weapon this quarter (i.e. portmap, where for every CLDAP weapon there are 116 portmap weapons available to attackers).

The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks. The only way in which to protect against these attacks is to proactively keep track of DDoS weapons and potential exploits.

Battling the landscape

Every quarter, the findings of our DDoS attack research point towards one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate.

Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks.
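The two defensive ideas above, spotting amplified-reflection traffic (unsolicited large UDP responses from DNS, NTP, SSDP, SNMP, CLDAP, portmap or memcached ports converging on one host) and keeping a blocklist fed from a current weapons-intelligence feed, can be combined into one small analysis routine. The following is an added example written for this article; it is not A10 Networks' code or the report's tooling. The flow-record format, the feed format, the IP addresses and the 24-hour freshness window are all constructed assumptions for illustration.

```python
"""Detect amplified-reflection DDoS traffic in flow records and correlate
the reflectors seen with a DDoS weapons-intelligence feed.
Added example: the flow format, feed format and all addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# UDP services commonly abused as reflectors (the article names DNS, NTP, SSDP,
# SNMP, CLDAP, portmap and memcached).  Maps source port -> service label.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP",
                   389: "CLDAP", 111: "portmap", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def parse_flows(lines):
    """Parse 'src:port dst:port proto bytes packets' lines (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes, npk = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto.upper(), int(nbytes), int(npk)))
    return flows


def detect_reflection(flows, min_reflectors=3):
    """Flag hosts receiving UDP responses from reflector ports that they never
    requested.  A victim of a spoofed-request attack sees only the responses, so
    any response with no matching outbound request is unsolicited."""
    # Requests this network actually sent: (our_ip, remote_ip, remote_service_port)
    sent = {(f.src_ip, f.dst_ip, f.dst_port) for f in flows
            if f.proto == "UDP" and f.dst_port in REFLECTOR_PORTS}
    per_victim = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in sent:
            continue  # legitimate reply to a request this host made
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
        v["bytes"] += f.nbytes
    # Many distinct reflectors converging on one host is the reflection signature
    return {ip: v for ip, v in per_victim.items() if len(v["reflectors"]) >= min_reflectors}


def build_blocklist(feed_lines, now, max_age=timedelta(hours=24)):
    """Load 'ip,service,last_seen_iso' feed lines (constructed format), keeping
    only entries seen within max_age so the blocklist stays current."""
    active = {}
    for line in feed_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, service, seen = line.split(",")
        if now - datetime.fromisoformat(seen) <= max_age:
            active[ip] = service
    return active


def correlate(detections, blocklist):
    """Split observed reflectors into ones the feed already knows and new ones
    worth reporting back to the intelligence source."""
    known, new = set(), set()
    for v in detections.values():
        for ip in v["reflectors"]:
            (known if ip in blocklist else new).add(ip)
    return known, new


# Constructed sample data: one legitimate DNS exchange and one reflection flood.
SAMPLE_FLOWS = """
# src:port dst:port proto bytes packets
203.0.113.10:51000 198.51.100.53:53 UDP 60 1
198.51.100.53:53 203.0.113.10:51000 UDP 120 1
198.51.100.7:389 203.0.113.20:40000 UDP 3000 1
198.51.100.8:389 203.0.113.20:40001 UDP 3000 1
198.51.100.9:123 203.0.113.20:40002 UDP 4500 10
198.51.100.10:111 203.0.113.20:40003 UDP 2800 2
192.0.2.5:11211 203.0.113.20:40004 UDP 50000 35
"""
SAMPLE_FEED = """
# ip,service,last_seen (constructed)
198.51.100.7,CLDAP,2020-09-10T08:00:00+00:00
198.51.100.8,CLDAP,2020-08-01T00:00:00+00:00
192.0.2.5,memcached,2020-09-10T20:00:00+00:00
"""
NOW = datetime(2020, 9, 11, 0, 0, tzinfo=timezone.utc)


def analyse(flow_text=SAMPLE_FLOWS, feed_text=SAMPLE_FEED, now=NOW):
    detections = detect_reflection(parse_flows(flow_text.splitlines()))
    blocklist = build_blocklist(feed_text.splitlines(), now)
    known, new = correlate(detections, blocklist)
    return detections, blocklist, known, new


if __name__ == "__main__":
    det, bl, known, new = analyse()
    for victim, v in det.items():
        print(f"{victim}: {len(v['reflectors'])} reflectors, {v['bytes']} bytes via {sorted(v['services'])}")
    print("known weapons:", sorted(known), "| new reflectors:", sorted(new))
```

The legitimate DNS reply to 203.0.113.10 is ignored because the matching outbound query is present, while 203.0.113.20 is flagged with five distinct reflectors. The stale CLDAP entry from August is dropped from the blocklist, so 198.51.100.8 shows up as a new reflector even though an old feed listed it; this is the "current and accurate" property the paragraph above depends on.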

Ultimately, DDoS attacks are not going away. It’s time for organisations to match their attackers’ sophistication with a stronger defence, especially so as new technologies like the IoT and 5G continue to gain further momentum.

Ehab Halablab is Regional Sales Director for the Middle East at A10 Networks