DDoS attacks continue to grow in size, frequency and sophistication. DDoS botnet weapons remain as popular as ever, while modern malware is gaining new ways to infect IoT systems and recruit them as drones. Reflected amplification attacks are helping hackers intensify the impact of their efforts. In challenging times like these, for enterprise security professionals, up-to-date threat intelligence is a critically important part of a DDoS protection strategy to protect vital systems.
“Q2 2020: The State of DDoS Weapons,” threat intelligence report by A10 Networks security researchers, provides a detailed look at the weapons, methods, and geographies defining the current threat landscape. During the second quarter of this year, threat researchers closely monitored attack agents under the control of DDoS botnet command and control (C2), discovered malware innovations through deploying honeypots, and scanned the internet for exposed reflected amplification attack sources.
The research team also evaluates systems that could be turned into attack bots, reflectors or amplifiers, estimating the likelihood of each machine being compromised based on its exposure on the internet and its potential weaknesses. Approximately 10 million unique source IP addresses are currently being tracked.
Portmap takes first place for weapons used in DDoS attacks
Portmap has leapt to the top position in the report with 1,818,848 DDoS weapons tracked in Q2 2020. SNMP and SSDP follow close behind with nearly 1.7 million tracked DDoS weapons each—though these are in fact the more dangerous threat given their amplification factor and difficulty of mitigation. The full report also includes data on the prevalence of DNS Resolver and TFTP DDoS weapons.
Look to U.S. for amplification attacks, China for DDoS botnets
While past threat intelligence reports have ranked nations such as China, Korea, Russia, and India as the leading sources of DDoS attacks, the addition of Portmap has put the United States at the top of the list with nearly 1.6 million DDoS weapons—over 200,000 more than China in second place.
These weapons can be used in Portmap-based DDoS attacks, where servers running the UDP-based Portmapper protocol are exploited for reflected amplification attacks in which the server responses are much larger than the initial requests that triggered them.
The full report provides additional detail on the top countries and regions hosting reflected amplification attack weapons as well as DDoS botnet agents, which are now being used to propagate the malware they are infected with to other computers, servers, and IoT devices, bringing them under an attacker’s control to initiate further attacks. Insight into the origins of these attacks can help companies focus their DDoS protection efforts more effectively.
DDoS weapons are frequently concentrated within an autonomous system (ASN), a collection of IP address ranges under the control of a single company or government operator, which allows large numbers of weapons to remain connected to the network and attack other systems. Two of the top-five ASNs hosting DDoS weapons, China Telecom and China Unicom CN, are based in China, while a third, Chunghwa Telecom, operates in Taiwan. The lone U.S.-based ASN among the top five, Charter Communications, ranks second with 477,926 weapons hosted.
Malware propagation and drone recruitment rise
Exploits that surfaced in late 2019 are now being weaponized as IoT-based attacks drop thousands of malware binaries into vulnerable systems. In many cases, IoT devices have been left unprotected due to overlooked security updates and bug fixes—with devastating results.
Hundreds of thousands of times each hour, bad actors use a collection of remote code execution (RCE) exploits and an ever-growing list of default usernames and passwords to recruit IoT devices, turn them into drones and infect other systems in turn. Top malware families seen in Q2 2020 include Gafgyt, Dark Nexus, and Mirai. The full report goes into further detail on specific binaries, including the characteristics and behavior of arm7, the most-seen binary this quarter, to guide mitigation strategy.
Leveraging threat intelligence for DDoS protection
While the frequency, intensity, and sophistication of DDoS attacks continue to rise, enterprises do have one factor on their side: the loud, distributed nature of DDoS attacks, which allows defenders to take a proactive approach to DDoS protection. By gaining insight into a weapon’s point of origin, security teams can create blacklists of IP addresses suspected of hosting DDoS botnets and potentially compromised servers. Combined with real-time threat detection and automated signature extraction, this strategy can help companies avoid even the most massive multi-vector DDoS attacks.
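The Portmap reflection behaviour described above and the blocklist approach in this section, as an added example that is not part of the A10 report or its tooling: it scans constructed flow records for hosts whose UDP/111 replies dwarf the requests they received, identifies where those replies are landing, and folds the flagged reflectors into a blocklist together with IPs from a (constructed) threat-intelligence feed.

```python
"""Flag hosts acting as Portmap (UDP/111) reflectors in flow records and fold
them into a blocklist alongside threat-intelligence IPs.  Added example; not
tooling from the A10 report.  All flow records and feed IPs are constructed."""
from collections import defaultdict

PORTMAP_PORT = 111    # rpcbind/portmapper listens here over UDP
AMP_THRESHOLD = 5.0   # response/request byte ratio treated as amplification

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# In a reflection attack the requests carry the victim's spoofed address, so
# the portmapper's large replies land on the victim instead of the sender.
FLOWS = [
    ("203.0.113.9", 53412, "198.51.100.7", 111, 68),    # spoofed request
    ("198.51.100.7", 111, "203.0.113.9", 53412, 1200),  # oversized reply
    ("203.0.113.9", 53412, "198.51.100.7", 111, 68),
    ("198.51.100.7", 111, "203.0.113.9", 53412, 1200),
    ("203.0.113.9", 53412, "198.51.100.7", 111, 68),
    ("198.51.100.7", 111, "203.0.113.9", 53412, 1200),
    ("192.0.2.5", 44010, "198.51.100.8", 111, 68),      # ordinary lookup
    ("198.51.100.8", 111, "192.0.2.5", 44010, 96),      # small reply
]

def portmap_amplifiers(flows, threshold=AMP_THRESHOLD):
    """Map reflector IP -> (request_bytes, response_bytes, ratio) for hosts
    whose UDP/111 replies outweigh the requests by `threshold` or more."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == PORTMAP_PORT:
            req[dst] += nbytes     # request arriving at the portmapper
        elif sport == PORTMAP_PORT:
            resp[src] += nbytes    # reply leaving the portmapper
    flagged = {}
    for host in set(req) | set(resp):
        r, s = req[host], resp[host]
        ratio = s / r if r else float("inf")   # replies with no requests seen
        if s and ratio >= threshold:
            flagged[host] = (r, s, round(ratio, 1))
    return flagged

def reflection_targets(flows, amplifiers):
    """Bytes of amplified UDP/111 replies received per destination; the
    addresses on the receiving end are the likely DDoS victims."""
    victims = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == PORTMAP_PORT and src in amplifiers:
            victims[dst] += nbytes
    return dict(victims)

def build_blocklist(amplifiers, intel_feed):
    """Union of locally detected reflectors and weapon IPs from a feed."""
    return sorted(set(amplifiers) | set(intel_feed))
```

On real NetFlow or IPFIX exports the same ratio test applies per exporter; tune AMP_THRESHOLD to the observed baseline for legitimate rpcbind lookups before acting on the output.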