A View of How DDOS Weapons Evolved in 2019
February 2020 by Anthony Webb, EMEA Vice President at A10 Networks
Throughout 2019, DDoS attacks continued to grow in frequency, intensity and sophistication. The delivery method, however, has not changed: infected botnets and vulnerable, internet-exposed servers are still used to mount crushing attacks at massive scale. Unlike most intrusions, where attackers rely on obfuscation to evade detection, DDoS attacks are loud and distributed by nature, and that gives defenders an opening to take a more proactive approach by focusing on where the weapons are located.
Wind back to the first DDoS attack, which occurred in 1997 during a DEF CON event in Las Vegas. The culprit was the notorious hacker Khan Smith, who shut down Internet access on the Vegas Strip for over an hour. The subsequent release of some of this code soon led to online attacks against Sprint, EarthLink, E-Trade and many other organisations.
Fast forward to 2019, and AWS, Telegram and Wikipedia were among the year's most prominent DDoS victims. In September, Wikipedia suffered what appears to be the most disruptive attack in recent memory: the DDoS carried on for three days and left the site unavailable across Europe, Africa and the Middle East. The size of the attack was not made public, but it was evidently an old-style volumetric flood designed to overwhelm the site's web servers with bogus HTTP traffic. Given the protection that major sites deploy today, this suggests the attack was well into the terabits-per-second range at which the largest DDoS events on the Internet are measured.
Similarly, the largest DDoS attack in Q1 2019 peaked at 587 Gbps, compared to 387 Gbps for the largest Q1 2018 attack. Also noteworthy is that attacks above 100 Gbps increased 967 percent in 2019 versus 2018, and attacks between 50 Gbps and 100 Gbps increased 567 percent. Indeed, Cisco estimates that the number of DDoS attacks exceeding 1 Gbps will reach 3.1 million by 2021.
Here at A10 Networks, we have been tracking the state of the DDoS attack landscape and the weaponry behind it, and what we have found over the year is that IoT is a hotbed for DDoS botnets. With 5G on the horizon, its higher data speeds and lower latency will dramatically expand attack networks, increasing the DDoS weaponry available to attackers.
In our latest Q4 report we found that the largest DDoS attacks have one thing in common: amplification. In a reflected amplification attack, the attacker exploits the connectionless nature of UDP, which accepts any source address without a handshake, to send requests spoofed with the target's IP address to exposed servers, which then deliver their responses to the target. The attack is amplified because the server responses are much larger than the requests that triggered them.
Other notable weapons are DDoS botnets: malware-infected computers, servers and IoT devices under the control of a bot herder. The resulting botnet is used to launch stateful and stateless volumetric, network-layer and application-layer attacks.
To gather these insights, our researchers obtain weapons intelligence by closely monitoring attack agents under botnet command and control, discovering malware innovations through honeypots, and scanning the internet for exposed reflected amplification sources.
We observed that attackers have found a new IoT DDoS amplification weapon: hundreds of thousands of internet-exposed IoT devices running the Web Services Dynamic Discovery protocol (WS-Discovery). Nearly 800,000 WS-Discovery reflected amplifiers available for exploitation were discovered in Q4 2019. Fewer than half of the WS-Discovery hosts respond from port 3702, the protocol's registered port; the rest respond from high ports, so a filter keyed on source port alone will not catch this traffic.
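The two points above, reflected UDP replies that dwarf the request and WS-Discovery reflectors answering from high ports, can be turned into a simple detection rule. The following is an added example, not code from A10 Networks or its report: it runs over a handful of constructed UDP flow records, identifies reflector replies by payload content first and source port second, flags protected hosts that receive unsolicited replies from many reflectors, and measures the bandwidth amplification factor on exchanges the protected host actually initiated. The prefix 203.0.113.0/24, the flow tuples, the payload markers and the byte sizes are all assumptions.

```python
"""
Reflected-amplification detection over UDP flow records.

Added example, not A10 Networks code. The flow records, the protected prefix
and the payload markers below are constructed or assumed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Canonical UDP ports of services commonly abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 3702: "WS-Discovery"}

# Byte strings that identify a reflector reply whatever port it arrives from.
# WS-Discovery replies are SOAP-over-UDP ProbeMatches messages and SSDP replies
# are HTTP-style "200 OK" responses (the choice of marker is an assumption).
PAYLOAD_MARKERS = [(b"ProbeMatches", "WS-Discovery"), (b"HTTP/1.1 200 OK", "SSDP")]

PROTECTED = ip_network("203.0.113.0/24")  # prefix we defend (assumed)

WSD_REPLY = b"<soap:Envelope><soap:Body><wsd:ProbeMatches>"

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes, payload_prefix).
SAMPLE_FLOWS = [
    # Solicited traffic: a protected host queries NTP and WS-Discovery itself.
    ("203.0.113.10", 40000, "198.51.100.5", 123, 48, b"\x23"),
    ("198.51.100.5", 123, "203.0.113.10", 40000, 48, b"\x24"),
    ("203.0.113.10", 40001, "198.51.100.9", 3702, 150, b"<soap:Envelope><soap:Body><wsd:Probe>"),
    ("198.51.100.9", 3702, "203.0.113.10", 40001, 2900, WSD_REPLY),
    # Reflection: unsolicited replies from many devices aimed at one victim,
    # some from port 3702 and some from high ports, plus one SNMP reflector.
    ("192.0.2.1", 3702, "203.0.113.7", 80, 2900, WSD_REPLY),
    ("192.0.2.2", 3702, "203.0.113.7", 80, 2700, WSD_REPLY),
    ("192.0.2.3", 51234, "203.0.113.7", 80, 3100, WSD_REPLY),
    ("192.0.2.4", 49152, "203.0.113.7", 80, 2800, WSD_REPLY),
    ("192.0.2.5", 161, "203.0.113.7", 80, 1500, b"\x30\x82\x05\xdc"),
    # A single stray reply: below the alert threshold on its own.
    ("192.0.2.6", 1900, "203.0.113.20", 443, 400, b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice"),
]


def service_of(src_port, payload):
    """Name the reflector service, preferring payload content over source port."""
    for marker, name in PAYLOAD_MARKERS:
        if marker in payload:
            return name
    return REFLECTOR_PORTS.get(src_port)


def solicited_keys(flows, protected):
    """Four-tuples, as a reply would carry them, of requests our own hosts sent."""
    return {(dst, dport, src, sport): nbytes
            for src, sport, dst, dport, nbytes, _ in flows
            if ip_address(src) in protected}


def detect_reflection(flows, protected=PROTECTED, min_sources=3):
    """Report protected hosts receiving unsolicited reflector replies from at
    least `min_sources` distinct reflectors. Returns {victim_ip: summary}."""
    asked = solicited_keys(flows, protected)
    per_victim = defaultdict(lambda: {"sources": set(), "bytes": 0,
                                      "services": defaultdict(int), "high_port": 0})
    for src, sport, dst, dport, nbytes, payload in flows:
        if ip_address(dst) not in protected:
            continue
        svc = service_of(sport, payload)
        if svc is None or (src, sport, dst, dport) in asked:
            continue  # not a reflector reply, or a reply we actually asked for
        rep = per_victim[dst]
        rep["sources"].add(src)
        rep["bytes"] += nbytes
        rep["services"][svc] += 1
        if sport not in REFLECTOR_PORTS:
            rep["high_port"] += 1  # would be missed by a source-port-only filter
    return {victim: {"sources": len(r["sources"]), "bytes": r["bytes"],
                     "services": dict(r["services"]), "high_port_replies": r["high_port"]}
            for victim, r in per_victim.items() if len(r["sources"]) >= min_sources}


def observed_baf(flows, protected=PROTECTED):
    """Bandwidth amplification factor (reply bytes / request bytes) per service,
    measured on exchanges our hosts initiated: how a reflector is sized in the lab."""
    asked = solicited_keys(flows, protected)
    ratios = defaultdict(list)
    for src, sport, dst, dport, nbytes, payload in flows:
        key = (src, sport, dst, dport)
        if key in asked:
            ratios[service_of(sport, payload) or "other"].append(nbytes / asked[key])
    return {svc: round(sum(v) / len(v), 1) for svc, v in ratios.items()}


if __name__ == "__main__":
    for victim, summary in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, summary)
    print("observed BAF:", observed_baf(SAMPLE_FLOWS))
```

Pairing each inbound reply with an outbound request by four-tuple is what separates a reflection flood from legitimate responses: the victim of a spoofed-source attack never sent the requests, so every reply is unsolicited. Classifying by payload before source port is what keeps the high-port WS-Discovery replies in the count; on real traffic the markers would be tightened and the record source would be flow export or packet capture rather than an inline list.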
Interestingly, China hosts the most drones, but Brazil hosts the most active attacking drones. SNMP topped our tracked weapon categories with 1,390,505 hosts. The report also identifies the top sources of DDoS weaponry; although DDoS attacks are distributed by nature, knowing where the weapons are hosted yields valuable insight. For example, we found the highest concentrations where internet-connected populations are densest: China (739,223) and the USA (448,169). The report lists the top Autonomous System Numbers (ASNs) hosting DDoS weapons (Chinanet held the number one position with 289,601), and we also found that the number of DDoS weapons hosted by mobile carriers skyrocketed during this reporting period.
As indicated, DDoS attacks will only grow, and our quarterly findings point to this being the case. Organisations need to prepare now, before the next large-scale DDoS attack hits them. Sophisticated DDoS threat intelligence, combined with real-time threat detection and automated signature extraction, allows organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS intelligence enables a proactive defence: blacklists built from current, accurate feeds of the IP addresses of DDoS botnets and of the exposed vulnerable services commonly used in such attacks. Take heed, and match your attackers' sophistication with stronger defences, or you might find yourself among the 'top' DDoS casualties of 2020.