A report by A10 Networks says that the continued growth of Distributed Denial of Service (DDoS) attacks made them a significant cybersecurity threat and nuisance in 2020. The firm's threat intelligence report says that DDoS attacks became more intense and sophisticated during the COVID-19 pandemic as organizations struggled to support a remote workforce during the work-from-home period.
The group says it observed over 200,000 compromised devices and analyzed their behavior and the exploits used to hijack them.
The A10 research team observed attack agents controlled by botnet command-and-control (C2) infrastructure by deploying honeypots and by scanning for DDoS amplification sources.
Year 2020 witnessed record-breaking DDoS attacks during the COVID-19 pandemic
The researchers noted that DDoS attacks increased during the COVID-19 crisis as threat actors exploited the pandemic to launch both large and small attacks on victims across sectors, including healthcare, education, and government.
Consequently, the research group witnessed an expanding attack landscape in 2020 driven by the COVID-19 pandemic. The report states that DDoS attacks continued to be the biggest nuisance during the pandemic and will remain so for the foreseeable future. Most notably, A10 Networks saw the number of DDoS weapons grow by 12% in the second half of 2020.
Rich Groves, Director of Security Research at A10 Networks, says that the increase in the number of DDoS weapons and connected devices, the 5G network rollout, and attackers' use of new exploits and malware “made it very easy for these IoT devices to be compromised.”
5G's improved connection speeds led to increased internet traffic, which in turn increased the number of attacks.
The A10 report's findings also correlate with observations from Amazon and Google, which reported DDoS attacks peaking at 2.3 Gbps on Amazon Web Services and 2.5 Gbps on Google Cloud Platform. Akamai also blocked 809 million packets targeting the Akamai platform on June 21, 2020.
The high volume of online shopping occasioned by the COVID-19 pandemic also led to increased DDoS attacks during the holiday shopping season.
Top DDoS weapons by size include Simple Service Discovery Protocol and SNMP
The team found that threat actors changed their choice of DDoS weapons during the pandemic. Portmap, the previously preferred DDoS weapon, dropped to third position in the second half of 2020.
Simple Service Discovery Protocol (SSDP) became the most used DDoS weapon, seen in 2,581,384 attacks, while SNMP (1,773,694) took second place. ODNS Resolver (1,706,338) and TFTP (1,409,121) occupied the fourth and fifth positions respectively.
Exponential growth of botnets witnessed during the COVID-19 crisis
A10 researchers noted exponential growth in DDoS attacks from botnets located in India. Botnets are made up of compute nodes, including routers, IP cameras, servers, computers, and other IoT devices, that have been infected with malware and are used to carry out DDoS attacks.
The report authors noted that botnets “provide the ultimate flexibility to DDoS attackers as they can be sourced from different locations across the globe, depending on the attacker’s requirements.”
A10 Networks researchers found 130,000 unique IP addresses exhibiting scanning behavior resembling that of the Mirai botnet in the first two weeks of September 2020. The research tracked a total of 846,700 botnet agents during the period.
A leading Indian broadband provider was the single largest contributor of DDoS activity, according to the report. The broadband provider was associated with up to 200,000 unique sources of “Mirai-like” activity at the height of the campaign.
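The “Mirai-like” scanning behavior described above is something a network operator can look for in its own flow data. The following Python script is an added example, not the A10 report's method or code: it assumes flow records are available as (timestamp, src_ip, dst_ip, dst_port, proto) tuples from a flow collector, and it flags any source that contacts an unusually large number of distinct hosts on the telnet ports Mirai-family bots probe (23 and 2323) inside a sliding time window. The sample records, addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""Flag sources that show Mirai-like scanning behaviour in flow records.

Added example; this is not the A10 report's method or code. It assumes flow
records are available as (timestamp, src_ip, dst_ip, dst_port, proto) tuples
from a flow collector. The records below are constructed, using RFC 5737
documentation addresses."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Telnet ports that Mirai-family bots probe for default-credential logins.
TELNET_PORTS = {23, 2323}


def _build_sample_flows():
    """Constructed sample: one fast scanner, one slow scanner, one ordinary host."""
    t0 = datetime(2020, 9, 1, 12, 0, 0)
    flows = []
    # Fast scanner: 30 distinct hosts on port 23 within five minutes.
    for i in range(30):
        flows.append((t0 + timedelta(seconds=10 * i), "203.0.113.5",
                      f"192.0.2.{i + 1}", 23, "tcp"))
    # Slow scanner: 25 distinct hosts on port 2323, one every five minutes.
    for i in range(25):
        flows.append((t0 + timedelta(minutes=5 * i), "203.0.113.9",
                      f"192.0.2.{100 + i}", 2323, "tcp"))
    # Ordinary host: three telnet sessions and many HTTPS connections.
    for i in range(3):
        flows.append((t0 + timedelta(seconds=i), "198.51.100.7",
                      f"192.0.2.{200 + i}", 23, "tcp"))
    for i in range(40):
        flows.append((t0 + timedelta(seconds=i), "198.51.100.7",
                      f"192.0.2.{10 + i}", 443, "tcp"))
    return flows


SAMPLE_FLOWS = _build_sample_flows()


def find_scanners(flows, window_minutes=10, min_targets=20):
    """Return {src_ip: peak_distinct_targets} for sources that contacted at
    least `min_targets` distinct hosts on telnet ports inside any sliding
    window of `window_minutes`. The sliding window keeps a busy but
    legitimate host (many hosts over a whole day) apart from a fast scanner."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in TELNET_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently in the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans at most `window`.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct telnet targets within 10 minutes")
```

With the default 10-minute window only the fast scanner is flagged; widening the window to three hours also catches the slow scanner, which illustrates why a detection like this should be run at more than one time scale. Thresholds are constructed here and would be tuned against a network's own baseline.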
India and Egypt among the top countries hosting DDoS botnets
India hosted about a third (32%) of botnet agents, followed by Egypt with almost a quarter (24%) of hijacked devices. China (17%) emerged as the third largest source of DDoS botnets, while Brazil (2%) and Taiwan (2%) tied for fourth position. The top ASNs hosting botnet agents were Hathway India (26%), Telecom Egypt (24%), China Unicom (11%), China Telecom (4%), and MTNL India (3%).
Top sources of DDoS weaponry include China, USA, and South Korea
The research notes that although DDoS attacks were globally distributed, they frequently originated from certain countries, and those same countries hosted the majority of DDoS weapons. To determine the top sources of DDoS weaponry, the researchers analyzed autonomous system numbers (ASNs), each of which identifies a group of IP address ranges under a single administrative operator. They observed that “large numbers of weapons belonging to their users can remain connected to their network and play a role in attacking other systems.”
China displaced the United States as the leading source of DDoS weaponry, pushing it to second position. China hosts 2,000,313 DDoS weapons compared to the United States’ 1,900,812. South Korea (1,140,497) kept its third position, while new entrant Brazil (756,540) took fourth, pushing Russia (679,976) down to fifth. The remaining 7,291,999 DDoS weapons resided in other countries across the world.
The top organizations hosting DDoS weapons were China Telecom (767,898), Korea Telecom (703,639), China Unicom CN (665,053), Taiwan's Chunghwa Telecom (286,973), and CANTV Venezuela (286,019).
Amplification attacks and weapons
DDoS amplification attacks involve sending small requests to exposed servers with the source address forged to the victim's IP address, so that the servers send their much larger responses to the victim rather than to the attacker.
UDP-based services such as DNS, NTP, SSDP, SNMP, and CLDAP are usually abused in these types of attacks, because UDP does not verify the sender's address.
In the second half of 2020, A10 Networks researchers observed more than 2.5 million unique systems exposing exploitable SSDP services. In total, the researchers tracked more than 11.7 million amplification weapons.
For SSDP-based attacks, the top countries were South Korea with 436,165 unique sources, followed by China (320,828) and Venezuela (289,874).
The United States (557,280), China (291,717), and Russia (97,512) topped the list of unique SNMP amplification sources.
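From the receiving end, a reflection flood of the kind described in this section has a distinctive shape: many distinct sources, all answering from the same well-known UDP service port, all sending large packets to one destination. The script below is an added example and not the A10 report's tooling. It assumes inbound flow records as (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets) tuples, groups them by destination and reflector service, flags groups with many sources and a high average packet size, and then tallies the flagged reflectors per ASN and per country, the same per-ASN and per-country aggregation the report uses. The flows, the prefix-to-ASN table, the ASN labels and the thresholds are all constructed for illustration; a real deployment would use an IP-to-ASN database.

```python
"""Flag reflection/amplification traffic in inbound UDP flow records and tally
the reflectors by network.

Added example; not the A10 report's tooling. It assumes flow records as
(src_ip, src_port, dst_ip, dst_port, proto, bytes, packets) tuples. The
flows and the prefix-to-ASN table are constructed (RFC 5737 addresses,
private-use ASNs) purely for illustration."""
import ipaddress
from collections import Counter, defaultdict

# UDP services named on the page as amplification weapons, keyed by port.
REFLECTOR_SERVICES = {53: "DNS", 69: "TFTP", 111: "Portmap", 123: "NTP",
                      161: "SNMP", 389: "CLDAP", 1900: "SSDP"}

# Constructed prefix table standing in for a real IP-to-ASN database.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64496 (constructed)", "KR"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64497 (constructed)", "CN"),
    (ipaddress.ip_network("192.0.2.128/25"), "AS64498 (constructed)", "US"),
]


def lookup_network(ip):
    """Map an address to (ASN label, country) using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, asn, country in PREFIX_TABLE:
        if addr in net:
            return asn, country
    return "unknown", "??"


def _build_sample_flows():
    """Constructed sample traffic toward one victim plus benign UDP replies."""
    victim = "192.0.2.10"
    flows = []
    # 40 SSDP reflectors in KR and 10 in US answering the victim with 1200-byte packets.
    for i in range(40):
        flows.append((f"203.0.113.{i + 1}", 1900, victim, 40000 + i, "udp", 4800, 4))
    for i in range(10):
        flows.append((f"192.0.2.{150 + i}", 1900, victim, 41000 + i, "udp", 4800, 4))
    # 15 SNMP reflectors in CN answering the victim with 1500-byte packets.
    for i in range(15):
        flows.append((f"198.51.100.{i + 1}", 161, victim, 50000 + i, "udp", 9000, 6))
    # Legitimate DNS replies to another host: many resolvers, but small packets.
    for i in range(12):
        flows.append((f"198.51.100.{200 + i}", 53, "192.0.2.20", 51000 + i, "udp", 80, 1))
    # A single NTP reply: one source, not a reflection flood.
    flows.append(("203.0.113.250", 123, "192.0.2.20", 52000, "udp", 48, 1))
    return flows


SAMPLE_FLOWS = _build_sample_flows()


def detect_amplification(flows, min_sources=10, min_avg_bytes=500):
    """Group inbound UDP flows whose *source* port is a reflector service by
    (destination, service). A reflection flood shows many distinct sources
    and large packets; replies from a single resolver, or small replies from
    many, do not. Returns {(dst, service): stats} for the flagged groups."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_SERVICES:
            continue
        g = groups[(dst, REFLECTOR_SERVICES[sport])]
        g["sources"].add(src)
        g["bytes"] += nbytes
        g["packets"] += pkts

    alerts = {}
    for key, g in groups.items():
        avg = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts[key] = {"unique_sources": len(g["sources"]),
                           "avg_packet_bytes": round(avg),
                           "total_bytes": g["bytes"],
                           "sources": sorted(g["sources"])}
    return alerts


def reflectors_by_network(alerts):
    """Count unique reflector sources per ASN and per country, the same
    aggregation the report uses for its top-ASN and top-country tables."""
    by_asn, by_country, seen = Counter(), Counter(), set()
    for stats in alerts.values():
        for src in stats["sources"]:
            if src not in seen:
                seen.add(src)
                asn, country = lookup_network(src)
                by_asn[asn] += 1
                by_country[country] += 1
    return by_asn, by_country


if __name__ == "__main__":
    found = detect_amplification(SAMPLE_FLOWS)
    for (dst, svc), stats in found.items():
        print(f"{svc} reflection toward {dst}: {stats['unique_sources']} sources, "
              f"avg {stats['avg_packet_bytes']} bytes/packet")
    by_asn, by_country = reflectors_by_network(found)
    print("top ASNs:", by_asn.most_common(3))
    print("top countries:", by_country.most_common(3))
```

The two-part test (many sources and large packets) matters: the twelve small DNS replies in the sample are ordinary resolver traffic and are not flagged, and neither is the lone NTP reply. The per-network tally is what turns a list of reflector addresses into the kind of ranking the report presents, and it is also the list an operator would hand to upstream providers or use to build targeted rate limits.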
The researchers advised organizations to carry out routine security operations to rule out the possibility of compromise. In particular, A10 Networks researchers advised businesses to inspect their network traffic and drop connections they do not need.