Anthony Webb Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

Anthony Webb

The growing DDoS landscape 

 960 640 Guest Post
By:
0
0

By Anthony Webb, EMEA Vice President at A10 Networks  

Last month, news reports highlighted one of the biggest DDoS attacks ever recorded. The attack, which targeted a large European bank, generated 809m packets per second (Mpps). This is a new industry record for a PPS-focused attack which is more than double the size of previous attacks. A10 Networks recently launched its Q2 2020: State of DDoS Weapons Report, based on approximately 10 million unique source addresses tracked by A10 Networks, and the report sheds more light on the loud, distributed nature of DDoS attacks and the key trends and observations that enterprises can learn from when adopting a successful defence. 

DDoS Botnet Agents  

We’ve previously written about how IoT devices and DDoS attacks are a perfect match. IoT devices such as smart watches, routers and cameras are now commonly infected by malware and under the control of malicious actors who use them to launch flexible DDoS attacks. Our researchers accumulated knowledge of repeatedly used hosts in these attacks, scanning for those that show malware-infected characteristics that deserve to be treated with caution whilst under a DDoS attack.  

The report highlighted the top three countries hosting DDoS botnet agents as follows: 

·        China 15% 

·        Vietnam 12% 

·        Taiwan 9% 

From the countries above, the top ASNs hosting DDoS botnet agents were: 

·        Chungwha Telecoms (Taiwan) 

·        China Telecom 

·        China Unicom CN 

·        VNPT Corp (Vietnam) 

Malware Proliferation 

With IoT devices vulnerable, largely due to devices lacking the necessary built-in security to counter threats, this allows threat actors an opportunity to target these devices, through a collection of remote code execution (RCE) exploits and an ever growing list of default user names and passwords from device vendors, to constantly increase the size and strength of DDoS attacks. Our weapons intelligence system detects hundreds of thousands of events per hour on the internet, providing insights into the top IoT exploits and the attack capabilities.  

One of the key report findings highlighted thousands of malware binaries being dropped into systems, in the wake of the different IoT-based attacks and exploits. Among the malware families that were most frequent in attack were the following: Gafgyt family, Dark Nexus and Mirai family. The related binary names from these malwares were arm7, Cloud.x86, mmmmh.x86 respectively. 

Digging deeper into the characteristics and behaviour of the binary we saw the most this quarter, “arm7”, we found that attack types came in varied forms including, but not limited to, TCP floods, HTTP floods and UDP floods. To mitigate these attacks a firm understanding of these DDoS weapons needs to be established by understanding and reverse engineering the attack toolkits. 

Amplified Attacks  

When it comes to large-scale DDoS attacks, amplified reflection is the most effective. An example of this is when the attacker sends volumes of small requests with the spoofed victim’s IP address to internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities. 

The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 2020, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018. Although CLDAP does not make the top 5 list of our Amplification attack weapons in Q2, we did record 15,651 potential CLDAP weapons. This makes it a fraction of the top amplification attack weapon this quarter, i.e., portmap, where for every CLDAP weapon, we have 116 portmap weapons available to attackers. The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks and the only way to protect against these attacks is to proactively keep track of DDoS weapons and potential exploits. 

Battling the Landscape  

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. DDoS attacks are not going away, and it is time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G continue to gain further momentum.   

Image by Markus Spiske from Pixabay 

GUEST BLOG: The Growing DDoS Landscape

 960 640 Guest Post
By:
0
0

By Anthony Webb, EMEA Vice President at A10 Networks

A new wave of DDoS attacks on South Africa’s internet service provider has highlighted that these attacks continue to grow in frequency, intensity and sophistication.

A10 Networks’ recent report on the Q2 2019: The State of DDoS Weapons has shed more light on the loud, distributed nature of DDoS attacks and the key trends that enterprises can learn from in adopting a successful defence.

IoT: A Hotbed for DDoS Botnets

A10 Networks has previously written that IoT devices and DDoS attacks are a perfect match. With the explosion of the Internet of Things (growing at a rate of 127 connected devices per second and accelerating), attackers target vulnerable connected devices and have even begun to develop a new strain of malware named Silex- a strain just for IoT devices. Silex affected 1650 devices in over an hour and wiped the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

The report has highlighted the top-three IoT binary dropped by malware families – two of the three belonged to Mirai – with the Netherlands, UK, USA, Germany and Russia being the top five hosting malware droppers.

The New IoT Threat

A new threat has emerged due to industry-wide adoption of technology with weak security: the UDP implementation of the Constrained Application Protocol (CoAP). This new threat does not have anything to do with Mirai or malware, but its impact has enabled millions of IoT devices to become weaponised as reflected amplification cannons. CoAP is a machine-to-machine (M2M) management protocol, deployed on IoT devices supporting applications such as smart energy and building automation. CoAP is a protocol implemented for both TCP and UDP and does not require authentication to reply with a large response to a small request. A10 identified over 500,000 vulnerable IoT devices with an average response size of 749 bytes. The report also highlights that 98% of CoAP threats originate from China and Russia, with the capability to amplify by 35x.

On the Horizon: 5G

Ericsson recently predicted that the number of IoT devices with cellular connection will reach 4.1 billion by 2024. 5G, with its higher data speeds and lower latency, will be the primary driver behind this rapid expansion. Whilst this is great news in an open dynamic world, the downside is that we will also see an increase in the DDoS weaponry available to attackers.

We have seen mobile carriers hosting DDoS weapons skyrocket over the last six months. Companies such as T-Mobile, Guangdong Mobile and China Mobile have been guilty of amplifying attacks. With 5G, intelligent automation aided by machine learning and AI will become essential to detecting and mitigating threats. IoT devices by Linux are already the target of a new strain of malware which is predominantly dedicated to running DDoS attacks.

Amplified Attack

Amplified reflection attacks exploit the connectionless nature of the UDP protocol with spoofed requests to misconfigured open servers on the internet. Attackers send volumes of small requests with the spoofed victim’s IP address to exposed servers, which are targeted because they’re configured with services that can amplify the attack. These attacks have resulted in record-breaking volumetric attacks, such as the 1.3 Tbps Memcached-based GitHub attack in 2018, and account for many DDoS attacks.

Battling the landscape

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. With DDoS attacks not going away, it’s time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G gains momentum.