A10 Networks Archives - Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

A10 Networks

The growing DDoS landscape 

960 640 Guest Post

By Anthony Webb, EMEA Vice President at A10 Networks  

Last month, news reports highlighted one of the biggest DDoS attacks ever recorded. The attack, which targeted a large European bank, generated 809m packets per second (Mpps). This is a new industry record for a PPS-focused attack which is more than double the size of previous attacks. A10 Networks recently launched its Q2 2020: State of DDoS Weapons Report, based on approximately 10 million unique source addresses tracked by A10 Networks, and the report sheds more light on the loud, distributed nature of DDoS attacks and the key trends and observations that enterprises can learn from when adopting a successful defence. 

DDoS Botnet Agents  

We’ve previously written about how IoT devices and DDoS attacks are a perfect match. IoT devices such as smart watches, routers and cameras are now commonly infected by malware and under the control of malicious actors who use them to launch flexible DDoS attacks. Our researchers accumulated knowledge of repeatedly used hosts in these attacks, scanning for those that show malware-infected characteristics that deserve to be treated with caution whilst under a DDoS attack.  

The report highlighted the top three countries hosting DDoS botnet agents as follows: 

·        China 15% 

·        Vietnam 12% 

·        Taiwan 9% 

From the countries above, the top ASNs hosting DDoS botnet agents were: 

·        Chungwha Telecoms (Taiwan) 

·        China Telecom 

·        China Unicom CN 

·        VNPT Corp (Vietnam) 

Malware Proliferation 

With IoT devices vulnerable, largely due to devices lacking the necessary built-in security to counter threats, this allows threat actors an opportunity to target these devices, through a collection of remote code execution (RCE) exploits and an ever growing list of default user names and passwords from device vendors, to constantly increase the size and strength of DDoS attacks. Our weapons intelligence system detects hundreds of thousands of events per hour on the internet, providing insights into the top IoT exploits and the attack capabilities.  

One of the key report findings highlighted thousands of malware binaries being dropped into systems, in the wake of the different IoT-based attacks and exploits. Among the malware families that were most frequent in attack were the following: Gafgyt family, Dark Nexus and Mirai family. The related binary names from these malwares were arm7, Cloud.x86, mmmmh.x86 respectively. 

Digging deeper into the characteristics and behaviour of the binary we saw the most this quarter, “arm7”, we found that attack types came in varied forms including, but not limited to, TCP floods, HTTP floods and UDP floods. To mitigate these attacks a firm understanding of these DDoS weapons needs to be established by understanding and reverse engineering the attack toolkits. 

Amplified Attacks  

When it comes to large-scale DDoS attacks, amplified reflection is the most effective. An example of this is when the attacker sends volumes of small requests with the spoofed victim’s IP address to internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities. 

The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 2020, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018. Although CLDAP does not make the top 5 list of our Amplification attack weapons in Q2, we did record 15,651 potential CLDAP weapons. This makes it a fraction of the top amplification attack weapon this quarter, i.e., portmap, where for every CLDAP weapon, we have 116 portmap weapons available to attackers. The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks and the only way to protect against these attacks is to proactively keep track of DDoS weapons and potential exploits. 

Battling the Landscape  

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. DDoS attacks are not going away, and it is time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G continue to gain further momentum.   

Image by Markus Spiske from Pixabay 

TLS/SSL Decryption – One of the main pillars of zero trust model

960 640 Guest Post

By Stephen Dallas AVP Emerging Europe / Africa Sales & EMEA Channels at A10 Networks

In a world where everything and everyone is connected to the internet, in one way or another, it’s hard to imagine a network that is truly secure. Data, large amounts of it, are at the centre of it all. With industries from healthcare to the education sector to the government using the internet to provide easy access to data, it is no wonder that cybersecurity teams are always working around the clock to try and come up with better ways of defending these networks and the data they store.

Insider Threats – Need for Security to Evolve from “Castle and Moat” Approach

Modern cyberattacks are not limited to just network intrusion from the outside. Internal threat actors can often be found at the centre of sophisticated attacks.

Initially, we had the concept of zones, perimeters and network segments – placing all the protected assets “inside” the secured network perimeter. However, attackers are always evolving the methods they use; always on the lookout for weak points in your network defences; and coming up with newer ways of infiltrating the perimeter. Keeping up with them is a challenging and ongoing struggle. We also need to realise that the “castle and moat” approach to our network defences was mostly effective against threats that resided outside the network. But what about the threats on the inside? What about modern attacks that work on multiple levels to try to bring your networks down? How do we protect our networks from people who have legitimate access to all its resources? How do we battle the ever-growing and ever-evolving modern cyberattacks? Add to these questions, regulations like GDPR, and the rising fines, and you will see that having your networks attacked and data breached is one of the worst things that can happen to your company. With these issues as the backdrop, we are forced to re-assess and re-think the way we defend our networks, users and data.

Zero Trust Model – a Modern Cybersecurity Approach

Zero Trust attempts to fix the problems, and patch the holes, in our cybersecurity strategies. At the core of it, the Zero Trust model is based on the principal of “trust nobody.” The Zero Trust model dictates that no one in your network should be trusted completely, that access should be restricted as much as possible, and that trust should be seen as yet another vulnerability that can put your network at risk.

Some of the precepts of the Zero Trust model are:

  • Networks need to be redesigned in a way that east-west traffic and access can be restricted.
  • Incident detection and response should be facilitated and improved using comprehensive analytics and automation solutions, as well as centralised management and visibility into the network, data, workloads, users and devices used.
  • Access should be restricted as much as possible, limiting excessive privileges for all users.
  • In multi-vendor networks, all solutions should integrate and work together seamlessly, enabling compliance and unified security. The solutions should also be easy to use so that additional complexity can be removed.

Danger of Security Blind Spots

In recent times, we have witnessed a phenomenal rise in the use of encryption across the internet. Google reports that over 90 percent of the traffic passing through its services is encrypted. The same is true for all the other vendors. This rise has been driven by many factors, including privacy concerns.

However, with encryption comes the creation of a “blind spot” in our network defences as most of the security devices we use are not designed to decrypt and inspect traffic. The Zero Trust model is not immune to this problem as visibility is considered as one of the key elements to its successful implementation. Without complete encrypted traffic visibility, the model will fail, introducing vulnerabilities that can be exploited by both insiders and hackers.

TLS/SSL Decryption – One of the Main Pillars of Zero Trust

A centralised and dedicated decryption solution must be placed at the centre of the Zero Trust model and should be included as one of the essential components your security strategy.

Many security vendors will make claims of the ability to decrypt their own traffic, working independently of a centralised decryption solution. However, this “distributed decryption” approach can introduce problems of its own, including inferior performance and network bottlenecks, and fixing these would require costly upgrades. In a multi-vendor, multidevice security infrastructure, the distributed decryption also forces you to deploy your private keys in multiple locations, creating an unnecessarily large threat surface in your network, which could be subject to exploitation.

Key features of a good TLS/ SSL Decryption Solution

It is important that a dedicated, centralised decryption solution provides full visibility to the enterprise security infrastructure for TLS/SSL traffic. Not only that, but the solution also needs to provide a multi-layered security approach, which then makes it the perfect candidate to be deployed at the centre of a Zero Trust network.

Below are some of the features to look out for when looking to implement a TLS/ SSL Decryption Solution:

  • Full Traffic Visibility – It needs to enable the entire security infrastructure to inspect all traffic in clear-text, at fast speeds, ensuring that no encrypted attacks or data breaches can slip through
  • Ease of Integration – It should be vendor agnostic and easily integrate with securitydevices already deployed within the network. This drives down additional costs and upgrades.
  • Multi-Layered Security Services – These are additional security services, including URL filtering, application visibility and control, threat intelligence and threat investigation, that help strengthen the security efficacy of the entire enterprise network
  • User Access Control – The product should be able to enforce authentication and authorisation policies to restrict unneeded access, log access information and provide the ability to apply different security policies based on user and group IDs.
  • Micro Segmentation – It should facilitate micro-segmentation through its ability to provide granular traffic control, user and group ID-based traffic control, and support for multi-tenancy
  • Securing Cloud Access – SaaS security is an important feature which can be provided by enforcing tenant access control and visibility into user activities.

In conclusion, without a centralised and dedicated TLS/SSL decryption solution, the Zero Trust model is unable to do what it was designed to do – protect our networks, users and data from threats residing inside and outside the network.

What you need to know about DDoS weapons today

960 640 Stuart O'Brien

By Adrian Taylor, Regional VP of Sales for A10 Networks

A DDoS attack can bring down almost any website or online service. The premise is simple: using an infected botnet to target and overwhelm vulnerable servers with massive traffic. Twenty years after its introduction, DDoS remains as effective as ever—and continues to grow in frequency, intensity, and sophistication. That makes DDoS defence a top cybersecurity priority for every organisation. The first step: understanding the threat you face.

To help organisations take a proactive approach to DDoS defence, A10 Networks recently published a report on the current DDoS landscape, including the weapons being used, the locations where attacks are being launched, the services being exploited, and the methods hackers are using to maximise the damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study provides timely, in-depth threat intelligence to inform your defence strategy.

Here are a few of our key findings.

Reflected Amplification Takes DDoS to the Next Level

The SNMP and SSDP protocols have long been top sources for DDoS attacks, and this trend continued in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in an alarming development, WS-Discovery attacks have risen sharply, to nearly 800,000, to become the third most common source of DDoS. The shift is due in part to the growing popularity of attacks using misconfigured IoT devices to amplify an attack.

In this key innovation, known as reflected amplification, hackers are turning their attention to the exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications protocol used to automatically discover web-connected services. Critically, WS-Discovery does not perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address, at which point the victim will be deluged with data from nearby IoT devices.

With over 800,000 WS-Directory hosts available for exploitation, reflected amplification has proven highly effective—with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting scale, such as the 1.3 Tbps Memcached-based GitHub attack, and account for the majority of DDoS attacks. They’re also highly challenging to defend; only 46 percent of attacks respond on port 3702 as expected, while 54 percent respond over high ports. Most of the discovered inventory to date has been found in Vietnam, Brazil, United States, the Republic of Korea, and China.

DDoS is Going Mobile

Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch point. While these weapons are globally distributed, the greatest number of attacks originate in countries with the greatest density in internet connectivity, including China, the United States, and the Republic of Korea.

A10 Networks has also tracked the hosting of DDoS weapons by autonomous number systems (ASNs), or collections of IP address ranges under the control of a single company or government. With the exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co. Ltd., and Korea Telecom.

In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the end of 2019. In fact, the top reflected amplified source detected was Guangdong Mobile Communication Co. Ltd., with Brazilian mobile company Claro S.A. the top source of malware-infected drones.

The Worst is Yet to Come

With IoT devices coming online at a rate of 127 per second and accelerating, hackers are poised to enter a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting Linux-powered IoT devices—and they’ll only increase as 5G brings massive increases in network speed and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever for any bad actor to launch a lethal targeted attack.

The A10 Networks report makes clear the importance of a complete DDoS defence strategy. Businesses and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat detection, to defend against DDoS attacks no matter where they originate. Methods such as automated signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers can help organisations proactively defend themselves even before the attacks starts.

For additional insight, including the top IoT port searches and reflector searches performed by attackers, download the complete A10 Networks report, “Q4 2019: The State of DDoS Weapons” and see the accompanying infographic, “DDoS Weapons & Attack Vectors.”

GUEST BLOG: The Growing DDoS Landscape

960 640 Guest Post

By Anthony Webb, EMEA Vice President at A10 Networks

A new wave of DDoS attacks on South Africa’s internet service provider has highlighted that these attacks continue to grow in frequency, intensity and sophistication.

A10 Networks’ recent report on the Q2 2019: The State of DDoS Weapons has shed more light on the loud, distributed nature of DDoS attacks and the key trends that enterprises can learn from in adopting a successful defence.

IoT: A Hotbed for DDoS Botnets

A10 Networks has previously written that IoT devices and DDoS attacks are a perfect match. With the explosion of the Internet of Things (growing at a rate of 127 connected devices per second and accelerating), attackers target vulnerable connected devices and have even begun to develop a new strain of malware named Silex- a strain just for IoT devices. Silex affected 1650 devices in over an hour and wiped the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

The report has highlighted the top-three IoT binary dropped by malware families – two of the three belonged to Mirai – with the Netherlands, UK, USA, Germany and Russia being the top five hosting malware droppers.

The New IoT Threat

A new threat has emerged due to industry-wide adoption of technology with weak security: the UDP implementation of the Constrained Application Protocol (CoAP). This new threat does not have anything to do with Mirai or malware, but its impact has enabled millions of IoT devices to become weaponised as reflected amplification cannons. CoAP is a machine-to-machine (M2M) management protocol, deployed on IoT devices supporting applications such as smart energy and building automation. CoAP is a protocol implemented for both TCP and UDP and does not require authentication to reply with a large response to a small request. A10 identified over 500,000 vulnerable IoT devices with an average response size of 749 bytes. The report also highlights that 98% of CoAP threats originate from China and Russia, with the capability to amplify by 35x.

On the Horizon: 5G

Ericsson recently predicted that the number of IoT devices with cellular connection will reach 4.1 billion by 2024. 5G, with its higher data speeds and lower latency, will be the primary driver behind this rapid expansion. Whilst this is great news in an open dynamic world, the downside is that we will also see an increase in the DDoS weaponry available to attackers.

We have seen mobile carriers hosting DDoS weapons skyrocket over the last six months. Companies such as T-Mobile, Guangdong Mobile and China Mobile have been guilty of amplifying attacks. With 5G, intelligent automation aided by machine learning and AI will become essential to detecting and mitigating threats. IoT devices by Linux are already the target of a new strain of malware which is predominantly dedicated to running DDoS attacks.

Amplified Attack

Amplified reflection attacks exploit the connectionless nature of the UDP protocol with spoofed requests to misconfigured open servers on the internet. Attackers send volumes of small requests with the spoofed victim’s IP address to exposed servers, which are targeted because they’re configured with services that can amplify the attack. These attacks have resulted in record-breaking volumetric attacks, such as the 1.3 Tbps Memcached-based GitHub attack in 2018, and account for many DDoS attacks.

Battling the landscape

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. With DDoS attacks not going away, it’s time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G gains momentum.