
Defense Against DDoS Attacks Needs Awareness and Modern Defenses

Disruption, economic uncertainty, and geopolitical tension are often linked with escalations in cybercriminal activity. Consequently, the rapid rise in cyber-attacks witnessed in the past two years is an expected impact of the pandemic and Russia’s war on Ukraine. As malicious actors seek to exploit confusion, there is an alarming rise in the volume of weapons being used to launch attacks and an increase in the sophistication of tactics used.

To this end, A10’s security research team continuously tracks distributed denial of service (DDoS) weapons, their nature, and their origins. Our most recent threat report highlights why DDoS attacks continue to make headlines, how the use of DDoS weapons is evolving and intensifying, and how organizations can improve their security posture and protect resources against devastating DDoS attacks.

More weapons, greater sophistication, easier access

A DDoS weapon is any set of computers, servers, and/or IoT devices that can be repurposed for use in DDoS attacks. These weapons range from IoT devices that can be compromised to build botnets for on-demand attacks, to legitimate services exposed on the internet, such as open DNS resolvers and NTP servers, which are used to reflect and amplify attack traffic.

We’re now tracking 15.4 million weapons, up 23 percent year-over-year. We also saw more obscure protocols emerging as weapons of choice, such as Apple Remote Desktop (ARD) and Connectionless Lightweight Directory Access Protocol (CLDAP).

Notably, ARD was used in the cyberattacks on Ukraine in the initial stages of Russia’s invasion. Moreover, we observed significant and sustained attacks on Ukrainian government networks and commercial internet assets, with a spike on the first day of the attack coinciding with the physical confrontation. This overt cyber warfare, in which likely state-sponsored DDoS attacks are timed to complement military action, is set to be a common feature of future conflicts. It also points to the role governments and organizations have in tackling threats originating from their own (legitimate) infrastructure and from large botnets that can be marshalled as weapons of war.

One of the most common potential weapons, Simple Service Discovery Protocol (SSDP), remained at the top with a 13 percent increase year-over-year. Outside the usual suspects, there was a more than 100 percent increase in other types of weapons, so organizations need broad visibility of potential weapons to implement precise security controls and DDoS attack mitigation.

Botnet activity also continued at a high level, with 423,096 botnet agents most recently tracked. Despite the high number, we did see a fall of 8 percent, likely due to remedial actions to secure compromised devices and botnet take-downs.
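The reflection weapons described above (SSDP, CLDAP, ARD, open DNS and NTP) share a traffic signature a defender can look for: large UDP replies arriving from a service port that no host inside the network ever queried. The following is an added example, not code from A10 or from the threat report, that classifies constructed flow records on that basis. The `Flow` record, the thresholds, and the IP addresses (documentation ranges) are assumptions for illustration; the port-to-service mapping uses the standard IANA service ports.

```python
from collections import defaultdict
from dataclasses import dataclass

# Standard service ports of UDP services commonly abused as reflectors.
# A reflector answers from its service port, so attack traffic arrives
# with one of these as the source port.
REFLECTOR_PORTS = {
    1900: "SSDP",
    389: "CLDAP",
    3283: "ARD",
    53: "DNS",
    123: "NTP",
}


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed format, not a specific exporter's)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int
    direction: str  # "in" = toward the protected network, "out" = leaving it


def classify_reflection(flows, min_bytes_per_pkt=400, min_sources=3):
    """Return {victim_ip: {service: {"sources": n, "bytes": total}}}.

    A flow counts as reflection when it is inbound UDP from a known reflector
    port, the destination host never sent a request to that server/port
    (so the reply is unsolicited), and the replies are large enough to be
    amplification rather than ordinary small responses.  A victim/service
    pair is reported only once at least `min_sources` distinct reflectors
    are seen, which filters out single misconfigured peers.
    """
    # Every (requester, server, server_port) the inside hosts actually asked.
    requested = {
        (f.src_ip, f.dst_ip, f.dst_port)
        for f in flows
        if f.direction == "out" and f.proto == "udp"
    }
    hits = defaultdict(lambda: defaultdict(lambda: {"sources": set(), "bytes": 0}))
    for f in flows:
        if f.direction != "in" or f.proto != "udp":
            continue
        service = REFLECTOR_PORTS.get(f.src_port)
        if service is None:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requested:
            continue  # legitimate reply to a query the host really sent
        if f.bytes / f.packets < min_bytes_per_pkt:
            continue  # small replies: not amplification
        entry = hits[f.dst_ip][service]
        entry["sources"].add(f.src_ip)
        entry["bytes"] += f.bytes

    report = {}
    for victim, services in hits.items():
        for service, entry in services.items():
            if len(entry["sources"]) >= min_sources:
                report.setdefault(victim, {})[service] = {
                    "sources": len(entry["sources"]),
                    "bytes": entry["bytes"],
                }
    return report


# Constructed sample: one legitimate DNS exchange, an SSDP reflection flood
# from four reflectors, two CLDAP reflectors (below min_sources), and a
# small unsolicited NTP reply (below the amplification threshold).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 51000, "198.51.100.5", 53, "udp", 1, 70, "out"),
    Flow("198.51.100.5", 53, "203.0.113.10", 51000, "udp", 1, 500, "in"),
    Flow("192.0.2.1", 1900, "203.0.113.10", 80, "udp", 100, 120000, "in"),
    Flow("192.0.2.2", 1900, "203.0.113.10", 80, "udp", 100, 110000, "in"),
    Flow("192.0.2.3", 1900, "203.0.113.10", 80, "udp", 90, 100000, "in"),
    Flow("192.0.2.4", 1900, "203.0.113.10", 80, "udp", 80, 96000, "in"),
    Flow("192.0.2.5", 389, "203.0.113.10", 80, "udp", 50, 150000, "in"),
    Flow("192.0.2.6", 389, "203.0.113.10", 80, "udp", 50, 140000, "in"),
    Flow("192.0.2.7", 123, "203.0.113.10", 80, "udp", 10, 900, "in"),
]


def sample_report():
    return classify_reflection(SAMPLE_FLOWS)


if __name__ == "__main__":
    for victim, services in sample_report().items():
        for service, entry in services.items():
            print(f"{victim}: {service} reflection from {entry['sources']} "
                  f"sources, {entry['bytes']} bytes")
```

On the constructed sample only the SSDP flood is reported: the DNS reply is matched to the outbound query, the two CLDAP reflectors fall below `min_sources`, and the NTP reply is too small to be amplification. In practice the `requested` set would be built from a sliding window of recent outbound flows rather than the whole batch.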

The Log4j exploit

At the end of 2021, a new vector for weapon creation was discovered when the Apache Log4j vulnerability became widely known. The open-source logging framework, used in billions of devices across a variety of use cases, was easily hijackable, enabling threat actors to execute malicious code remotely. By December 20, 2021, our research honeypots began detecting binaries, a clear sign that Log4j was being used for viral spread. These binaries contained standard sets of default usernames and passwords used to infect devices, along with a functional toolkit of attacks. While these attacks were not new, they have the potential to create vast botnets capable of carrying out large-scale DDoS attacks.

Turning intelligence into action: Driving urgency around zero trust

It is vital that organizations act fast to mitigate risks, and implementing a Zero Trust strategy is an effective way to approach cyber-security challenges. Adopting the principle of ‘never trust, always verify’ for every device in the network ecosystem reduces risk. Organizations can create micro-perimeters within networks to limit lateral movement where possible, and ensure that robust identity and access management, based on least-privilege principles, is in place. Visibility is as critical as ever: security teams need oversight of every component of the network, from the technical endpoints and network nodes to the human users, activities, and workflows.

Likewise, applying the Zero Trust planning principles to attack mitigation, and securing internal stakeholder buy-in, helps establish the most effective policies for mitigating DDoS attacks as early, and as efficiently, as possible.

Awareness, planning, and technology are all required to achieve these goals. Awareness of the threat vectors can come from a variety of sources, such as the aforementioned A10 Threat Report, security news, and CVE monitoring. Coupled with your internal perspectives and priorities, this awareness supports planning and provides the context needed to inform your Zero Trust policies. Planning then combines that awareness with Zero Trust concepts to define your requirements, secure stakeholder buy-in, and specify the DDoS defense solution you need.

Finally, practical defenses need a modern approach: alongside standard, proven policies and baselining, a modern set of technologies can be applied. Effective DDoS defense requires threat intelligence to block known bad actors, artificial intelligence (AI) and machine learning (ML) to identify and stop zero-day threats, and automation at multiple levels to find and mitigate large, small, and stealthy DDoS attacks.
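To make the three layers just listed concrete (threat intelligence for known bad actors, a statistical baseline for anomalies, and automation that turns both into actions), here is an added example that is not A10's code or part of the report. It takes a constructed history of packets-per-second samples for one protected address, derives a baseline threshold, and then decides per-source actions for a live sample. The threat feed, the 3-sigma rule, the 10 percent share cut-off, and the IP addresses (documentation ranges) are all assumptions chosen for illustration.

```python
import ipaddress
import statistics

# Constructed threat-intelligence feed: sources known to be DDoS weapons.
# A real deployment would load this from a feed; the prefix is a placeholder.
KNOWN_BAD_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# History of aggregate packets-per-second toward the protected host,
# one constructed sample per interval, taken during normal operation.
PPS_HISTORY = [1000, 1100, 950, 1050, 1000, 900, 1020, 980]

# Live sample: aggregate traffic broken down by source address.
LIVE_SAMPLE = {
    "192.0.2.7": 1500,       # listed in the threat feed
    "198.51.100.20": 2500,   # unlisted, but dominating the spike
    "203.0.113.40": 900,     # unlisted, a smaller but notable share
    "198.51.100.21": 100,    # ordinary client
}


def in_threat_feed(ip):
    """True when the source falls inside a known-bad prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_PREFIXES)


def baseline_threshold(history, sigmas=3.0):
    """Mean plus `sigmas` population standard deviations of the history.

    Traffic above this level is treated as anomalous; 3 sigma is a common
    starting point and would be tuned per service in practice.
    """
    return statistics.mean(history) + sigmas * statistics.pstdev(history)


def decide_actions(sample, history, share_cutoff=0.10):
    """Map each source to "block", "rate_limit" or "allow".

    Known bad sources are blocked regardless of volume (threat intelligence).
    If the aggregate exceeds the baseline threshold, sources contributing at
    least `share_cutoff` of the traffic are rate-limited (automation driven
    by the anomaly); everything else is allowed.
    """
    threshold = baseline_threshold(history)
    total = sum(sample.values())
    anomalous = total > threshold
    actions = {}
    for src, pps in sample.items():
        if in_threat_feed(src):
            actions[src] = "block"
        elif anomalous and pps / total >= share_cutoff:
            actions[src] = "rate_limit"
        else:
            actions[src] = "allow"
    return actions


def sample_decision():
    return decide_actions(LIVE_SAMPLE, PPS_HISTORY)


if __name__ == "__main__":
    print(f"baseline threshold: {baseline_threshold(PPS_HISTORY):.1f} pps")
    for src, action in sample_decision().items():
        print(f"{src:16} {LIVE_SAMPLE[src]:6} pps -> {action}")
```

With the constructed history the threshold works out to roughly 1170 pps, so the 5000 pps live sample is anomalous: the feed-listed source is blocked outright, the two sources above the 10 percent share are rate-limited, and the 100 pps client is left alone. A stealthy low-volume attack would not trip the aggregate threshold, which is why the text pairs baselining with threat intelligence and ML rather than relying on any one of them.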

Additional solutions can also help complete the defense puzzle, such as TLS/SSL inspection of encrypted traffic, which enables all security devices to discover and block malware, ransomware, and other threats. An application delivery security solution can enforce pre-authentication before any access, thwarting whole classes of attacks: DDoS, scanning, and other techniques never reach a server cloaked by that policy. While a modern DDoS solution is the most important piece of DDoS defense, there are many routes to enforcing Zero Trust policies that stop attacks and keep systems from being recruited into botnets.

A proactive approach to DDoS defense is critical to ensuring that key services and infrastructure are protected. Moreover, it is urgent that organizations address their security posture and stand up effective defenses against DDoS attacks and weaponization, not just for their own protection but also to limit the field for botnet recruitment and prevent service provider and corporate devices from being used in international cyber warfare. This has a societal as well as a commercial benefit, and should ultimately be seen as part of the organization’s corporate social responsibility stance.