Why Attackers are Focusing on Low-Volume Persistent DDoS Attacks
December 2021 by Anthony Webb, VP of International, A10 Networks
The COVID-19 pandemic has created significant challenges and changes to the world as we know it. As enterprises quickly moved to remote working also implementing a new hybrid set-up, adversaries have seized the opportunity and we have witnessed significant growth in the number of cyberattacks.
In particular, DDoS attacks have grown - not only in size and frequency - but adversaries have also swivelled to focus on low-volume, persistent attacks that run for longer periods of time, frequently injecting attack traffic. These low-volume attacks enable adversaries to evade basic defensive measures, yet they still have significant impact on enterprise systems and operations.
Modern malware is hijacking IoT devices
As the name indicates, DDoS attacks are distributed in nature. A single attack may employ multiple DDoS weapons to overwhelm the victim’s network and defences. Our security research team have been tracking DDoS weapons and their behaviours and reporting on their frequency and impact over the last several years. Our latest H1 2021 DDoS Attack Mitigation: Global State of DDoS Weapons Report provides detailed insights into the origins of DDoS activity, highlighting how easily and quickly modern malware can hijack IoT devices and convert them into malicious botnets. The report also provides some helpful guidance on what organisations can do to protect against such activities and act rather than sit and wait for the inevitable to happen.
What we can see is that with new attacks and new malware variants, we are witnessing new layers of sophistication in how IoT and smart devices are being weaponised. Cybercriminals are recruiting IoT devices into their botnet armies, aided by Mozi malware and spreading this around the world. Here I’ve summarised some of the key findings:
DDoS weapons are steadily growing
The total number of DDoS weapons increased by 2.5 million during H1 2021 this was the same as previous quarters, meaning the number of DDoS weapons has been steadily growing with a total number of 15 million weapons tracked.
SSDP (Simple Service Discovery Protocol) remains the largest reflected amplification weapon with 3.2 million potential weapons exposed to the internet. This is an increase of over 28 percent compared to the previous reporting period. And while DDoS attackers have been increasingly focused on smaller attacks launched persistently over a longer period, these larger scale attacks might not occur as frequently, but they cause a lot of damage and make significant headlines as a result.
The rest of the amplification weapons remained virtually the same with SNMP, Portmap, TFTP and DNS Resolvers as the top five. It is important to note that all these weapons experienced growth in numbers except for DNS Resolvers.
China leads the way
DDoS attacks are not limited to a specific geographic location and can originate from and attack organisations anywhere in the world. However, what we found in this report is that China (for the second reporting period in a row) continues to lead the way in hosting the highest number of potential DDoS weapons including both amplification weapons and botnet agents. This was closely followed by the U.S. which remains the second largest source of DDoS weaponry, particularly amplification weapons, followed by South Korea.
This edition of the threat intelligence report takes a deeper look at how botnets work. Botnets or drones are compute nodes like computers, servers, routers, cameras and other IoT devices infected by malware and are the tools controlled and used by DDoS attackers.
Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. Subsequently, these botnets are used to launch large-scale DDoS attacks. The increase or decrease of botnets can be attributed to factors such as the growth of IoT, new vulnerabilities, as well as CVEs exploited by attackers, large-scale security updates to patch CVEs and botnet takedowns.
Botnet agents halve in H1 2021
In H1 2021, the total number of botnet agents almost halved with 449,509 tracked and China hosting 44% of the total number of drones available worldwide. This is likely due to the high-profile take down of the Emotet botnet, one of the largest botnets in the world, dubbed “the internet’s most dangerous malware”. In early 2021 international law enforcement took down Emotet’s command and control infrastructure in more than 90 countries. While this take down was a contributing factor to the large-scale reduction in botnet agents, it is important to note that these changes may be temporary as attackers can quickly build their infrastructures back up and exploit network systems and vulnerabilities.
One other particularly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that utilises a large set of Remote Code Executions (RCEs) to leverage Common Vulnerabilities and Exposures (CVEs) in IoT devices for infection. Once infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Our report found that in the first half of 2021 Mozi reached 360,000 systems from manufacturers including Huawei, Realtek, NETGEAR and many others. The Mozi botnet includes infected bots around the globe with China, India, Russia, Brazil leading the list of countries and regions.
Strategies for protecting the network against DDoS attacks
So how do organisations protect their networks and resources against such attacks? Organisations should invest in Zero Trust models and create micro-perimeters within the network to limit access to resources. They should also look to invest in modern AI and machine learning solutions that will not only defeat attacks but also protect against the unknown.
Likewise, organisations should investigate whether they are already infected. If network devices suddenly start generating abnormal amounts of traffic this might be because they are infected and, in this instance, they should immediately isolate suspicious devices and limit the traffic originating from these devices.
It is important to observe and block commonly exploited ports, and potentially block, payloads and any BitTorrent traffic coming into or going out the network. Above all, organisations should make sure that their security infrastructure is regularly updated and that IoT devices are running the latest firmware with all the necessary security patches. And finally, they should use modern DDoS techniques like baselining to see anomalous behaviour versus historical norms. Additionally, AI/ML techniques for detection and zero-day attack prevention can really help security teams.
As we prepare for 2022, it is commonly acknowledged that hybrid and remote working environments are here to stay, and security teams will need to look at how they secure a mix of on-premises, multi-cloud and edge-cloud environments. Sophisticated DDoS threat intelligence combined with real-time threat detection, AI and ML capabilities as well as automated signature extraction allow organisations to defend against all kinds of DDoS attacks, no matter where they originate.