In June 2020, news reports highlighted one of the biggest DDoS attacks ever recorded. The attack, which targeted a large European bank, generated 809m packets per second (Mpps). This is a new industry record for a PPS-focused attack which is more than double the size of previous attacks. A10 Networks (News - Alert) recently launched its Q2 2020: State of DDoS Weapons Report, based on approximately 10 million unique source addresses tracked by A10 Networks, and the report sheds more light on the loud, distributed nature of DDoS attacks and the key trends and observations that enterprises can learn from when adopting a successful defence.
DDoS Botnet Agents
We’ve previously written about how IoT devices and DDoS attacks are a perfect match. IoT devices such as smart watches, routers and cameras are now commonly infected by malware and under the control of malicious actors who use them to launch flexible DDoS attacks. Our researchers accumulated knowledge of repeatedly used hosts in these attacks, scanning for those that show malware-infected characteristics that deserve to be treated with caution whilst under a DDoS attack.
The report highlighted the top three countries hosting DDoS botnet agents as follows:
From the countries above, the top ASNs hosting DDoS botnet agents were:
With IoT devices vulnerable, largely due to devices lacking the necessary built-in security to counter threats, this allows threat actors an opportunity to target these devices, through a collection of remote code execution (RCE) exploits and an ever growing list of default user names and passwords from device vendors, to constantly increase the size and strength of DDoS attacks. Our weapons intelligence system detects hundreds of thousands of events per hour on the internet, providing insights into the top IoT exploits and the attack capabilities.
One of the key report findings highlighted thousands of malware binaries being dropped into systems, in the wake of the different IoT-based attacks and exploits. Among the malware families that were most frequent in attack were the following: Gafgyt family, Dark Nexus and Mirai family. The related binary names from these malwares were arm7, Cloud.x86, mmmmh.x86 respectively.
Digging deeper into the characteristics and behaviour of the binary we saw the most this quarter, “arm7”, we found that attack types came in varied forms including, but not limited to, TCP floods, HTTP floods and UDP (News - Alert) floods. To mitigate these attacks a firm understanding of these DDoS weapons needs to be established by understanding and reverse engineering the attack toolkits.
When it comes to large-scale DDoS attacks, amplified reflection is the most effective. An example of this is when the attacker sends volumes of small requests with the spoofed victim’s IP address to internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities.
The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 2020, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018. Although CLDAP does not make the top 5 list of our Amplification attack weapons in Q2, we did record 15,651 potential CLDAP weapons. This makes it a fraction of the top amplification attack weapon this quarter, i.e., portmap, where for every CLDAP weapon, we have 116 portmap weapons available to attackers. The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks and the only way to protect against these attacks is to proactively keep track of DDoS weapons and potential exploits.
Battling the Landscape
Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. DDoS attacks are not going away, and it is time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G continue to gain further momentum.