Cybercriminals had a busy year in 2020, with rapidly increasing numbers of distributed denial of service (DDoS) weapons, widespread botnet activity, and some of the largest DDoS attacks ever recorded. As COVID-19 drove an urgent shift online for everything from education and healthcare, to consumer shopping, to office work, hackers had more targets available than ever—many of them under protected due to the difficulty of maintaining security best practices in an emergency scenario. At the same time, the ongoing rollout of 5G technologies has accelerated the proliferation of IoT and smart devices around the world, making unsuspecting new recruits available for botnet armies to launch crushing attacks on a massive scale.
In our ongoing tracking of DDoS attacks, DDoS attack methods, and malware activity, A10 Networks has observed a steady increase in the frequency, intensity, and sophistication of these threats, most recently in our State of DDoS Weapons Report for H2 2020, which covers the second half of the past year. During this period, we saw an increase of over 12% in the number of potential DDoS weapons available on the internet, with a total of approximately 12.5 million weapons detected. The good news is that proven methods of protection continue to be effective even as threat levels rise.
So how can organizations defend against this common and highly damaging type of attack?
Botnets drive DDoS attack levels to new heights
While organizations of all sizes fell victim to DDoS last year, two of the world’s largest companies made headlines for suffering unprecedented attacks. In June 2020, Amazon revealed a DDoS attack on its public cloud earlier that year that peaked at 2.3 Tbps, almost twice the size of the previous largest recorded attack. Soon afterwards, Google revealed details of an even larger DDoS attack that peaked at 2.5 Tbps. A10 Networks has also been privately notified of even larger attacks, underscoring the perennial threat and growing impact of this type of cybercrime.
Unlike other types of cyberattacks that depend on concealment, DDoS attacks aim to simply overwhelm an organization’s defenses with a massive flood of service requests delivered from a large number of sources. The distributed nature of the attack makes it especially difficult to repel, as the victim can’t simply block requests from a single illicit source.
In recent years, hackers have evolved their methods and broadened their base of attack by using malware to hijack vulnerable compute nodes such as computers, servers, routers, cameras, and other IoT devices and recruit them as bots. Assembled into botnet armies under the attacker’s control, these weapons make it possible for attacks to be sourced from different locations across the globe to suit the attacker’s needs. In the second half of 2020, the top locations where botnet agents were detected include India, Egypt, and China, which together accounted for approximately three-quarters of the total. Activity sourced from DDoS-enabled bots in India spiked in September 2020, with more than 130,000 unique IP addresses showing behavior associated with the Mirai malware strain. A10’s most recent State of DDoS Weapons Report explores our findings about the largest contributor to this botnet activity, a major cable broadband provider, which accounted for more than 200,000 unique sources of Mirai-like behavior.
Blocking botnet recruiters
The identification of IP addresses associated with DDoS attacks gives organizations a way to defend their systems against questionable activity and potential threats. To protect services, users and customers from impending DDoS attacks, companies should block traffic from possibly compromised IP addresses unless it is essential for the business, or to rate-limit it until the issue is resolved. Automated traffic baselining, artificial intelligence (AI), and machine learning (ML) techniques can help security teams recognize and deal with zero-day attacks more quickly by recognizing anomalous behavior compared with historical norms.
Another important step is to make sure that your organization’s own devices are not being recruited as bots. All IoT devices should be updated to the latest version to alleviate infection by malware. To detect any pre-existing infections, monitor for unrecognized outbound connections from these devices, and check whether BitTorrent has ever been seen sourced or destined to these devices, which can be a sign of infection. Outbound connections should be blocked as well. This will prevent the device from making the call required for the installation of malware such as mozi.m or mozi.a as part of the bot recruitment process.
Amplification attacks and how to prevent them
The scope of a DDoS attack can be vastly expanded through amplification, a technique that exploits the connectionless nature of the UDP protocol. The attacker spoofs the victim’s IP address and uses it to send numerous small requests to internet-exposed servers. Servers configured to answer unauthenticated requests, and running applications or protocols with amplification capabilities, will then generate a response many times larger than the size of each request, generating an overwhelming volume of traffic that can devastate the victim’s systems. Capable of leveraging millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services, amplification reflection attacks have resulted in record-breaking volumetric attacks and account for the majority of DDoS attacks.
The SSDP protocol, with more than 2.5 million unique systems, led the list of amplification attack weapons exposed to the internet in 2020. With an amplification factor of over 30x, SSDP is considered one of the most potent DDoS weapons. The most straightforward blanket protection against such attacks is to simply block port 1900 traffic sourced from the internet unless there is a specific use case for SSDP usage across the internet. Blocking SSDP traffic from specific geo-locations where a high-level botnet activity has been detected can also be effective for more surgical protection.
As recent trends make clear, the DDoS threat will only continue to grow as rising online activity across sectors, a rapidly expanding universe of IoT devices, and increasingly sophisticated methods offer new opportunities for cybercriminals. Organizations should take an active approach to defense by closing unnecessary ports, using AI and ML to monitor for signs of compromise or attack, and blocking traffic from IP addresses known to have exhibited illicit behavior.