IoT devices are being increasingly used and targeted in synchronized attacks globally, an A10 Networks report into the state of Distributed Denial of Service (DDoS) attack weapons and targets shows.
The report describes the significant potential for attackers to use an IoT-related protocol, the Constrained Application Protocol (CoAP), deployed on IoT devices to marshal attacks.
"The growth of IoT devices using protocols such as CoAP represent a new, fast-emerging attack surface that we expect will play a major role in DDoS attacks going forward. Like other favorite weapon types, CoAP is inherently susceptible to IP address spoofing and packet amplification, the two major factors that enable the amplification of a DDoS attack,” said Rich Groves, director of research and development, A10 Networks.
CoAP is a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce. The latest A10 Networks report found that over 400,000 of the weapons are being used in attacks.
Types of attacks
While the most prevalent types of weapons leverage other more established technologies and internet protocols, such as the Network Time Protocol (NTP), Domain Name System (DNS) resolvers, and the Simple Services Discovery Protocol (SSDP), CoAP-based devices represent a fast-emerging new weapon type in botnet arsenals, according to the report.
The most common type of attack utilizing many of these weapons is a reflective amplification attack through which attackers spoof a target’s IP address and send out requests for information to vulnerable servers that then send amplified responses back to the victim’s IP address overwhelming the capacity of the target’s servers.
“DDoS attacks are increasing in frequency, intensity, and sophistication,” Rich Groves said. “Malware-Infected systems and vulnerable servers continue to create attacks of crushing scale against unprepared targets."
Combating DDoS attack weapons
The A10 Networks report tracked some 22.9 million DDoS weapons in the first quarter of 2019.
- The top five types of weapons tracked were: 1) DNS resolvers, 2) NTP based weapons, 3) SSDP-based weapons, 4) SNMP (Simple Network Management Protocol) devices and 5) TFTP (Trivial File Transfer Protocol) devices.
- China is the number one host country for weapons, followed by the United States, with 6,179,850 and 2,646,616 weapons, respectively, tracked. Other leading host countries, in order of magnitude, are Spain, Russia, The Republic of Korea, Italy, and India.
“Having an up-to-date inventory of the millions of DDoS weapons is an important part of any DDoS defense strategy,” Groves said, explaining the importance of tracking DDoS weapons around the world. “By creating comprehensive blacklists of suspected IP addresses, policies can be created to block those weapons in an attack. To that end, A10 Networks and our partner DDoS threat researchers analyze forensic data, tap networks, track bot-herder activities, and scan the internet for weapon signatures.”
In addition to comprehensive threat intelligence monitoring, A10 Networks is driving innovation in DDoS detection and mitigation solutions.
Today, the company released a new capacity enhancement to its Thunder 14045 threat protection system, which delivers industry-leading attack traffic mitigation capabilities. This capacity gain provides the highest performance available in the market with 500 Gbps of defense in one appliance. The smaller form factor reduces the number of devices required while building scalable DDoS defenses that meet the challenge of emerging attacks.
“Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organizations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defenses by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks,” said Mohammed Al-Moneer, Regional Director of the Middle East & North Africa, A10 Networks.