A10 Networks Archives - Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit Security IT Summit Security IT Summit Security IT Summit Security IT Summit

Posts Tagged :

A10 Networks

The five most famous DDoS attacks

960 640 Stuart O'Brien

By Adrian Taylor, Regional VP of Sales, A10 Networks  

Distributed Denial of Service (DDoS) attacks are now everyday occurrences. Whether you’re a small non-profit or a huge multinational conglomerate, your online services—email, websites, anything that faces the internet—can be slowed or completely stopped by a DDoS attack. Moreover, DDoS attacks are sometimes used to distract your cybersecurity operations while other criminal activity, such as data theft or network infiltration, is underway. 

DDoS attacks are getting bigger and more frequent 

The first known Distributed Denial of Service attack occurred in 1996 when Panix, now one of the oldest internet service providers, was knocked offline for several days by a SYN flood, a technique that has become a classic DDoS attack. Over the next few years DDoS attacks became common and  Cisco predicts that the total number of DDoS attacks will double  from the 7.9 million seen in 2018 to something over 15 million by 2023. 

But it’s not just the number of DDoS attacks that are increasing; as the bad guys are creating ever bigger botnets – the term for the armies of hacked devices that are used to generate DDoS traffic. As the botnets get bigger, the scale of DDoS attacks is also increasing. A Distributed Denial of Service attack of one gigabit per second is enough to knock most organisations off the internet but we’re now seeing peak attack sizes in excess of one terabit per second generated by hundreds of thousands, or even millions, of suborned devices.  Given that  IT services downtime costs companies  anywhere from $300,000 to over $1,000,000 per hour, you can see that the financial hit from even a short DDoS attack could seriously damage your bottom line.  

So we’re going to take a look at some of the most notable DDoS attacks to date. Our choices include some DDoS attacks that are famous for their sheer scale while others are because of their impact and consequences. 

  1. The AWS DDoS Attack in 2020

Amazon Web Services, the 800-pound gorilla of everything cloud computing, was hit by a gigantic DDoS attack in February 2020. This was the most extreme recent DDoS attack ever and it targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted for three days and peaked at an astounding 2.3 terabytes per second. While the  disruption caused by the AWS DDoS Attack  was far less severe than it could have been, the sheer scale of the attack and the implications for AWS hosting customers potentially losing revenue and suffering brand damage are significant. 

2. The MiraiKrebs and OVH DDoS Attacks in 2016

On September 20, 2016, the blog of cybersecurity expert Brian Krebs was assaulted by a DDoS attack in excess of 620 Gbps, which at the time, was the largest attack ever seen. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was almost three times bigger than anything his site or, for that matter, the internet had seen before.  

The source of the attack was the Mirai botnet, which, at its peak later that year, consisted of more than 600,000 compromised Internet of Things (IoT) devices such as IP cameras, home routers, and video players. Mirai had been discovered in August that same year but the attack on Krebs’ blog was its first big outing. 

The next Mirai attack on September 19 targeted one of the largest European hosting providers, OVH, which hosts roughly 18 million applications for over one million clients. This attack was on a single undisclosed OVH customer and driven by an estimated  145,000 bots, generating a traffic load  of up to  1.1 terabits per second, and lasted about seven days.  The Mirai botnet was a significant step up in how powerful a DDoS attack could be. The size and sophistication of the Mirai network was unprecedented, as was the scale of the attacks and their focus. 

3. The MiraiDyn DDoS Attack in 2016

Before we discuss the third notable Mirai DDoS attack of 2016, there’s one related event that should be mentioned: On September 30, someone claiming to be the author of the Mirai software released the source code on various hacker forums and the Mirai DDoS platform has been replicated and mutated scores of times since. 

On October 21, 2016, Dyn, a major Domain Name Service (DNS) provider, was assaulted by a one terabit per second traffic flood that then became the new record for a DDoS attack. There’s some evidence that  the DDoS attack may have actually achieved a rate of 1.5 terabits per second. The traffic tsunami knocked Dyn’s services offline rendering a number of high-profile websites including GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb, inaccessible. Kyle York, Dyn’s chief strategy officer, reported, “We observed  10s of millions of discrete IP addresses associated with the Mirai botnet  that were part of the attack.” 

Mirai supports complex, multi-vector attacks that make mitigation difficult. Even though Mirai was responsible for the biggest assaults up to that time, the most notable thing about the 2016 Mirai attacks was the release of the Mirai source code enabling anyone with modest information technology skills to create a botnet and mount a Distributed Denial of Service attack without much effort.

4. The Six Banks DDoS Attack in 2012

On March 12, 2012,  six U.S. banks were targeted by a wave of DDoS attacks—Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack generating over 60 gigabits of DDoS attack traffic per second. 

At the time, these attacks were unique in their persistence: Rather than trying to execute one attack and then backing down, the perpetrators barraged their targets with a multitude of attack methods in order to find one that worked. So, even if a bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types of attack. 

The most remarkable aspect of the bank attacks in 2012 was that the attacks were, allegedly, carried out by the Izz ad-Din al-Qassam Brigades, the military wing of the Palestinian Hamas organisation. Moreover, the attacks had a huge impact on the affected banks in terms of revenue, mitigation expenses, customer service issues, and the banks’ branding and image. 

5. The GitHub Attack in 2018

On Feb. 28, 2018, GitHub—a platform for software developers—was hit with a  DDoS attack that clocked in at 1.35 terabits per second  and lasted for roughly 20 minutes.  According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.” 

Even though GitHub was well prepared for a DDoS attack their defences were overwhelmed—they simply had no way of knowing that an attack of this scale would be launched.  

The GitHub DDoS attack was notable for its scale and the fact that the attack was staged by exploiting a standard command of Memcached, a database caching system for speeding up websites and networks. The Memcached DDoS attack technique is particularly effective as it provides an amplification factor – the ratio of the attacker’s request size to the amount of  DDoS attack traffic generated – of up to a staggering 51,200 times.

And that concludes our top five line up – it is a sobering insight into just how powerful, persistent and disruptive DDoS attacks have become.   

If you are looking for additional insights around this topic, why not download our latest report,  The State of DDoS Weapons

The growing DDoS landscape 

960 640 Guest Post

By Anthony Webb, EMEA Vice President at A10 Networks  

Last month, news reports highlighted one of the biggest DDoS attacks ever recorded. The attack, which targeted a large European bank, generated 809m packets per second (Mpps). This is a new industry record for a PPS-focused attack which is more than double the size of previous attacks. A10 Networks recently launched its Q2 2020: State of DDoS Weapons Report, based on approximately 10 million unique source addresses tracked by A10 Networks, and the report sheds more light on the loud, distributed nature of DDoS attacks and the key trends and observations that enterprises can learn from when adopting a successful defence. 

DDoS Botnet Agents  

We’ve previously written about how IoT devices and DDoS attacks are a perfect match. IoT devices such as smart watches, routers and cameras are now commonly infected by malware and under the control of malicious actors who use them to launch flexible DDoS attacks. Our researchers accumulated knowledge of repeatedly used hosts in these attacks, scanning for those that show malware-infected characteristics that deserve to be treated with caution whilst under a DDoS attack.  

The report highlighted the top three countries hosting DDoS botnet agents as follows: 

·        China 15% 

·        Vietnam 12% 

·        Taiwan 9% 

From the countries above, the top ASNs hosting DDoS botnet agents were: 

·        Chungwha Telecoms (Taiwan) 

·        China Telecom 

·        China Unicom CN 

·        VNPT Corp (Vietnam) 

Malware Proliferation 

With IoT devices vulnerable, largely due to devices lacking the necessary built-in security to counter threats, this allows threat actors an opportunity to target these devices, through a collection of remote code execution (RCE) exploits and an ever growing list of default user names and passwords from device vendors, to constantly increase the size and strength of DDoS attacks. Our weapons intelligence system detects hundreds of thousands of events per hour on the internet, providing insights into the top IoT exploits and the attack capabilities.  

One of the key report findings highlighted thousands of malware binaries being dropped into systems, in the wake of the different IoT-based attacks and exploits. Among the malware families that were most frequent in attack were the following: Gafgyt family, Dark Nexus and Mirai family. The related binary names from these malwares were arm7, Cloud.x86, mmmmh.x86 respectively. 

Digging deeper into the characteristics and behaviour of the binary we saw the most this quarter, “arm7”, we found that attack types came in varied forms including, but not limited to, TCP floods, HTTP floods and UDP floods. To mitigate these attacks a firm understanding of these DDoS weapons needs to be established by understanding and reverse engineering the attack toolkits. 

Amplified Attacks  

When it comes to large-scale DDoS attacks, amplified reflection is the most effective. An example of this is when the attacker sends volumes of small requests with the spoofed victim’s IP address to internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities. 

The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 2020, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018. Although CLDAP does not make the top 5 list of our Amplification attack weapons in Q2, we did record 15,651 potential CLDAP weapons. This makes it a fraction of the top amplification attack weapon this quarter, i.e., portmap, where for every CLDAP weapon, we have 116 portmap weapons available to attackers. The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks and the only way to protect against these attacks is to proactively keep track of DDoS weapons and potential exploits. 

Battling the Landscape  

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. DDoS attacks are not going away, and it is time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G continue to gain further momentum.   

Image by Markus Spiske from Pixabay 

TLS/SSL Decryption – One of the main pillars of zero trust model

960 640 Guest Post

By Stephen Dallas AVP Emerging Europe / Africa Sales & EMEA Channels at A10 Networks

In a world where everything and everyone is connected to the internet, in one way or another, it’s hard to imagine a network that is truly secure. Data, large amounts of it, are at the centre of it all. With industries from healthcare to the education sector to the government using the internet to provide easy access to data, it is no wonder that cybersecurity teams are always working around the clock to try and come up with better ways of defending these networks and the data they store.

Insider Threats – Need for Security to Evolve from “Castle and Moat” Approach

Modern cyberattacks are not limited to just network intrusion from the outside. Internal threat actors can often be found at the centre of sophisticated attacks.

Initially, we had the concept of zones, perimeters and network segments – placing all the protected assets “inside” the secured network perimeter. However, attackers are always evolving the methods they use; always on the lookout for weak points in your network defences; and coming up with newer ways of infiltrating the perimeter. Keeping up with them is a challenging and ongoing struggle. We also need to realise that the “castle and moat” approach to our network defences was mostly effective against threats that resided outside the network. But what about the threats on the inside? What about modern attacks that work on multiple levels to try to bring your networks down? How do we protect our networks from people who have legitimate access to all its resources? How do we battle the ever-growing and ever-evolving modern cyberattacks? Add to these questions, regulations like GDPR, and the rising fines, and you will see that having your networks attacked and data breached is one of the worst things that can happen to your company. With these issues as the backdrop, we are forced to re-assess and re-think the way we defend our networks, users and data.

Zero Trust Model – a Modern Cybersecurity Approach

Zero Trust attempts to fix the problems, and patch the holes, in our cybersecurity strategies. At the core of it, the Zero Trust model is based on the principal of “trust nobody.” The Zero Trust model dictates that no one in your network should be trusted completely, that access should be restricted as much as possible, and that trust should be seen as yet another vulnerability that can put your network at risk.

Some of the precepts of the Zero Trust model are:

  • Networks need to be redesigned in a way that east-west traffic and access can be restricted.
  • Incident detection and response should be facilitated and improved using comprehensive analytics and automation solutions, as well as centralised management and visibility into the network, data, workloads, users and devices used.
  • Access should be restricted as much as possible, limiting excessive privileges for all users.
  • In multi-vendor networks, all solutions should integrate and work together seamlessly, enabling compliance and unified security. The solutions should also be easy to use so that additional complexity can be removed.

Danger of Security Blind Spots

In recent times, we have witnessed a phenomenal rise in the use of encryption across the internet. Google reports that over 90 percent of the traffic passing through its services is encrypted. The same is true for all the other vendors. This rise has been driven by many factors, including privacy concerns.

However, with encryption comes the creation of a “blind spot” in our network defences as most of the security devices we use are not designed to decrypt and inspect traffic. The Zero Trust model is not immune to this problem as visibility is considered as one of the key elements to its successful implementation. Without complete encrypted traffic visibility, the model will fail, introducing vulnerabilities that can be exploited by both insiders and hackers.

TLS/SSL Decryption – One of the Main Pillars of Zero Trust

A centralised and dedicated decryption solution must be placed at the centre of the Zero Trust model and should be included as one of the essential components your security strategy.

Many security vendors will make claims of the ability to decrypt their own traffic, working independently of a centralised decryption solution. However, this “distributed decryption” approach can introduce problems of its own, including inferior performance and network bottlenecks, and fixing these would require costly upgrades. In a multi-vendor, multidevice security infrastructure, the distributed decryption also forces you to deploy your private keys in multiple locations, creating an unnecessarily large threat surface in your network, which could be subject to exploitation.

Key features of a good TLS/ SSL Decryption Solution

It is important that a dedicated, centralised decryption solution provides full visibility to the enterprise security infrastructure for TLS/SSL traffic. Not only that, but the solution also needs to provide a multi-layered security approach, which then makes it the perfect candidate to be deployed at the centre of a Zero Trust network.

Below are some of the features to look out for when looking to implement a TLS/ SSL Decryption Solution:

  • Full Traffic Visibility – It needs to enable the entire security infrastructure to inspect all traffic in clear-text, at fast speeds, ensuring that no encrypted attacks or data breaches can slip through
  • Ease of Integration – It should be vendor agnostic and easily integrate with securitydevices already deployed within the network. This drives down additional costs and upgrades.
  • Multi-Layered Security Services – These are additional security services, including URL filtering, application visibility and control, threat intelligence and threat investigation, that help strengthen the security efficacy of the entire enterprise network
  • User Access Control – The product should be able to enforce authentication and authorisation policies to restrict unneeded access, log access information and provide the ability to apply different security policies based on user and group IDs.
  • Micro Segmentation – It should facilitate micro-segmentation through its ability to provide granular traffic control, user and group ID-based traffic control, and support for multi-tenancy
  • Securing Cloud Access – SaaS security is an important feature which can be provided by enforcing tenant access control and visibility into user activities.

In conclusion, without a centralised and dedicated TLS/SSL decryption solution, the Zero Trust model is unable to do what it was designed to do – protect our networks, users and data from threats residing inside and outside the network.

What you need to know about DDoS weapons today

960 640 Stuart O'Brien

By Adrian Taylor, Regional VP of Sales for A10 Networks

A DDoS attack can bring down almost any website or online service. The premise is simple: using an infected botnet to target and overwhelm vulnerable servers with massive traffic. Twenty years after its introduction, DDoS remains as effective as ever—and continues to grow in frequency, intensity, and sophistication. That makes DDoS defence a top cybersecurity priority for every organisation. The first step: understanding the threat you face.

To help organisations take a proactive approach to DDoS defence, A10 Networks recently published a report on the current DDoS landscape, including the weapons being used, the locations where attacks are being launched, the services being exploited, and the methods hackers are using to maximise the damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study provides timely, in-depth threat intelligence to inform your defence strategy.

Here are a few of our key findings.

Reflected Amplification Takes DDoS to the Next Level

The SNMP and SSDP protocols have long been top sources for DDoS attacks, and this trend continued in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in an alarming development, WS-Discovery attacks have risen sharply, to nearly 800,000, to become the third most common source of DDoS. The shift is due in part to the growing popularity of attacks using misconfigured IoT devices to amplify an attack.

In this key innovation, known as reflected amplification, hackers are turning their attention to the exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications protocol used to automatically discover web-connected services. Critically, WS-Discovery does not perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address, at which point the victim will be deluged with data from nearby IoT devices.

With over 800,000 WS-Directory hosts available for exploitation, reflected amplification has proven highly effective—with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting scale, such as the 1.3 Tbps Memcached-based GitHub attack, and account for the majority of DDoS attacks. They’re also highly challenging to defend; only 46 percent of attacks respond on port 3702 as expected, while 54 percent respond over high ports. Most of the discovered inventory to date has been found in Vietnam, Brazil, United States, the Republic of Korea, and China.

DDoS is Going Mobile

Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch point. While these weapons are globally distributed, the greatest number of attacks originate in countries with the greatest density in internet connectivity, including China, the United States, and the Republic of Korea.

A10 Networks has also tracked the hosting of DDoS weapons by autonomous number systems (ASNs), or collections of IP address ranges under the control of a single company or government. With the exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co. Ltd., and Korea Telecom.

In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the end of 2019. In fact, the top reflected amplified source detected was Guangdong Mobile Communication Co. Ltd., with Brazilian mobile company Claro S.A. the top source of malware-infected drones.

The Worst is Yet to Come

With IoT devices coming online at a rate of 127 per second and accelerating, hackers are poised to enter a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting Linux-powered IoT devices—and they’ll only increase as 5G brings massive increases in network speed and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever for any bad actor to launch a lethal targeted attack.

The A10 Networks report makes clear the importance of a complete DDoS defence strategy. Businesses and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat detection, to defend against DDoS attacks no matter where they originate. Methods such as automated signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers can help organisations proactively defend themselves even before the attacks starts.

For additional insight, including the top IoT port searches and reflector searches performed by attackers, download the complete A10 Networks report, “Q4 2019: The State of DDoS Weapons” and see the accompanying infographic, “DDoS Weapons & Attack Vectors.”

GUEST BLOG: The Growing DDoS Landscape

960 640 Guest Post

By Anthony Webb, EMEA Vice President at A10 Networks

A new wave of DDoS attacks on South Africa’s internet service provider has highlighted that these attacks continue to grow in frequency, intensity and sophistication.

A10 Networks’ recent report on the Q2 2019: The State of DDoS Weapons has shed more light on the loud, distributed nature of DDoS attacks and the key trends that enterprises can learn from in adopting a successful defence.

IoT: A Hotbed for DDoS Botnets

A10 Networks has previously written that IoT devices and DDoS attacks are a perfect match. With the explosion of the Internet of Things (growing at a rate of 127 connected devices per second and accelerating), attackers target vulnerable connected devices and have even begun to develop a new strain of malware named Silex- a strain just for IoT devices. Silex affected 1650 devices in over an hour and wiped the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

The report has highlighted the top-three IoT binary dropped by malware families – two of the three belonged to Mirai – with the Netherlands, UK, USA, Germany and Russia being the top five hosting malware droppers.

The New IoT Threat

A new threat has emerged due to industry-wide adoption of technology with weak security: the UDP implementation of the Constrained Application Protocol (CoAP). This new threat does not have anything to do with Mirai or malware, but its impact has enabled millions of IoT devices to become weaponised as reflected amplification cannons. CoAP is a machine-to-machine (M2M) management protocol, deployed on IoT devices supporting applications such as smart energy and building automation. CoAP is a protocol implemented for both TCP and UDP and does not require authentication to reply with a large response to a small request. A10 identified over 500,000 vulnerable IoT devices with an average response size of 749 bytes. The report also highlights that 98% of CoAP threats originate from China and Russia, with the capability to amplify by 35x.

On the Horizon: 5G

Ericsson recently predicted that the number of IoT devices with cellular connection will reach 4.1 billion by 2024. 5G, with its higher data speeds and lower latency, will be the primary driver behind this rapid expansion. Whilst this is great news in an open dynamic world, the downside is that we will also see an increase in the DDoS weaponry available to attackers.

We have seen mobile carriers hosting DDoS weapons skyrocket over the last six months. Companies such as T-Mobile, Guangdong Mobile and China Mobile have been guilty of amplifying attacks. With 5G, intelligent automation aided by machine learning and AI will become essential to detecting and mitigating threats. IoT devices by Linux are already the target of a new strain of malware which is predominantly dedicated to running DDoS attacks.

Amplified Attack

Amplified reflection attacks exploit the connectionless nature of the UDP protocol with spoofed requests to misconfigured open servers on the internet. Attackers send volumes of small requests with the spoofed victim’s IP address to exposed servers, which are targeted because they’re configured with services that can amplify the attack. These attacks have resulted in record-breaking volumetric attacks, such as the 1.3 Tbps Memcached-based GitHub attack in 2018, and account for many DDoS attacks.

Battling the landscape

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. With DDoS attacks not going away, it’s time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G gains momentum.