The first half of 2021 brought both bad news and good news about distributed denial-of-service (DDoS) attacks. The DDoS threat continues to be a global problem, at a massive scale, with increasing complexity, but proactive actions have had a positive impact.

According to the latest threat intelligence findings by A10 Networks’ security researchers, cybercriminals are rapidly recruiting Internet of Things (IoT) devices into their botnet armies, aided by Mozi malware spreading around the world. To evade detection and defensive measures by targets, attackers increasingly focus on low-volume, high-frequency attacks that can still deliver a significant impact. 

At the same time, the Emotet botnet takedown conducted by global law enforcement and private sector partners earlier this year appeared to have a major impact as well, contributing to a large-scale reduction in botnet agents. Such efforts, complemented with protective actions by individual organizations, can make a real difference in mitigating the threat posed by DDoS and other attacks. 

Mozi Highlights DDoS Recruitment in IoT

The latest large-scale malware of choice for recruiting botnets to use in DDoS attacks, Mozi has a particular appetite for IoT devices. The exploit leverages Common Vulnerabilities and Exposures (CVEs) to infect DVRs, network gateways and other connected devices then use peer-to-peer connectivity to send and receive configuration updates and attack commands. In the first half of 2021 alone, A10 Networks found that Mozi reached 360,000 unique systems from manufacturers, including Huawei, Realtek, and NETGEAR, building a botnet spanning China, India, Russia, Brazil and Vietnam, among other countries. 

DDoS attacks are Smaller, Longer and More Likely to be Amplified

While large-scale, high-profile DDoS attacks remain a popular and reliable way for state-sponsored attackers and underground cyber activists to make a statement, A10 Networks has also seen a continuing trend toward smaller attacks launched persistently over a long period of time. Attackers also use amplified reflection to achieve a greater impact, sending spoofed requests to millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services to trigger a flood of responses to the victim’s server — a technique that sets records for both attack traffic and packets per second. As the threat intelligence report noted, the next large attack was overdue. And indeed, shortly after the report was issued, Microsoft reported mitigating a major UDP amplification attack from 70,000 global sources at 2.4 Tbps.

While SSDP is the most common potential weapon for amplification attacks, accounting for 3.2 million systems exposed to the internet, this doesn’t necessarily make it the greatest threat. In fact, a weapon’s bandwidth amplification factor is far more significant. With an amplification factor of a little over 30x, SSDP lags far behind the less prevalent protocols TFTP and DNS, whose amplification factors of 60 and 54, respectively, enable a correspondingly larger impact for attackers. 

Meanwhile, the total number of DDoS weapons increased by approximately 2.5 million to 15 million total weapons this reporting period, including reflected amplification weapons, as well as available botnet agents, showing steady growth over the past few years. The greatest number of DDoS weapons is hosted in China, followed closely by the United States, showing the truly global nature of the threat.

Organizations Take Action

While the DDoS attack landscape shifts and evolves from season to season, the underlying reality remains constant: as a relatively simple and widely available tactic, DDoS attacks will always be popular among hackers. It’s also a core truth that organizations don’t have to be sitting ducks. As the Emotet takedown shows, defenders can notch a few victories of their own, and as Microsoft demonstrated, being prepared can help thwart significant attacks and disruption.

The report also discusses the phenomenon of vigilante groups infiltrating systems that exhibit suspicious botnet-type behavior and taking action to mitigate problems. On an individual level, organizations can greatly reduce their exposure to risk through measures such as Zero Trust security, real-time threat detection, DDoS threat intelligence, artificial intelligence (AI)/machine learning (ML) capabilities, and automated signature extraction.