The A10 Networks report says that the continued growth of distributed denial of service (DDoS) attacks made them a significant cybersecurity threat and nuisance in 2020. The enterprise threat intelligence report says DDoS attacks became more intense and sophisticated during the COVID-19 pandemic as organizations struggled to support a remote workforce during the work-from-home period.
The group says it observed more than 200,000 compromised devices and analyzed their behavior and the vulnerabilities used to hijack the devices.
The A10 research team observed attack agents controlled by botnet command and control (C2) servers by deploying honeypots and by scanning for sources of DDoS amplification.
The year 2020 saw record DDoS attacks during the COVID-19 pandemic
Researchers noted that DDoS attacks increased during the COVID-19 crisis as threat actors exploited the pandemic to execute attacks large and small against various victims, including healthcare, education, and the government.
Consequently, the research group witnessed an expanding attack landscape in 2020 caused by the COVID-19 pandemic. The report claims that DDoS attacks continue to be the biggest nuisance during the COVID-19 pandemic and for the foreseeable future. In particular, A10 Networks witnessed a 12% increase in DDoS weaponry in the second half of 2020.
Rich Groves, Director of Security Research at A10 Networks, says that the increase in the number of DDoS weapons and connected devices, the rollout of 5G networks, and attackers’ use of new exploits and malware “made these IoT devices be compromised.”
The improved internet connection speeds of 5G led to higher internet traffic, which ultimately led to an increase in the number of attacks.
The A10 report also correlated with observations from Amazon and Google indicating that DDoS attacks peaked at 2.3 Gbps on Amazon’s web services and 2.5 Gbps on Google’s cloud platform. Akamai also blocked 809 million packets destined for the Akamai platform on June 21, 2020.
The high volume of online shopping caused by the COVID-19 pandemic also led to an increase in DDoS attacks during the holiday shopping season.
Top DDoS weapons by size include Simple Service Discovery Protocol and SNMP
The team observed a shift in the DDoS weapons threat actors favored during the attacks seen in the COVID-19 pandemic. Portmap, previously the preferred DDoS weapon, fell to third place in the second half of 2020.
Simple Service Discovery Protocol (SSDP) became the most widely used DDoS weapon, appearing in 2,581,384 attacks, while SNMP (1,773,694) ranked second. Open DNS resolvers (1,706,338) and TFTP (1,409,121) ranked fourth and fifth respectively.
Exponential growth of botnets witnessed during the COVID-19 crisis
A10 researchers observed exponential growth in DDoS attacks from botnets located in India. Botnets are collections of computing nodes, including routers, IP cameras, servers, computers and IoT devices, that have been infected with malware and are used to carry out DDoS attacks.
The report’s authors noted that botnets “provide maximum flexibility to DDoS attackers, as they can be obtained from different locations around the world, depending on the attacker’s requirements.”
A10 Networks researchers found 130,000 unique IP addresses exhibiting scanning behavior similar to that of the Mirai botnet in the first two weeks of September 2020. The investigation tracked a total of 846,700 botnet agents during the period.
A leading Indian broadband provider was the largest contributor to DDoS activity, according to the report. At the peak of the campaign, the provider’s network hosted up to 200,000 unique sources of “Mirai-like” activity.
India and Egypt among the top countries hosting DDoS botnets
India was home to about a third (32%) of the botnet agents, followed by Egypt, which was home to almost a quarter (24%) of the hijacked devices. China (17%) emerged as the third largest source of DDoS botnets, while Brazil (2%) and Taiwan (2%) tied for fourth place. The top ASNs hosting botnet agents were Hathway India (26%), Telecom Egypt (24%), China Unicom (11%), China Telecom (4%), and MTNL India (3%).
The main sources of DDoS weaponry include China, the US and South Korea
The research notes that although DDoS attacks were distributed globally, they often originated in certain countries, and the report found that those same countries were home to the most DDoS weapons. To determine the main sources of DDoS weaponry, the researchers analyzed autonomous system numbers (ASNs), each of which identifies a group of IP address ranges under a single administrative operator. They observed that “a large number of weapons belonging to their users can remain connected to their network and play a role in attacking other systems.”
China displaced the United States as the main source of DDoS weaponry, pushing it to second place. China is home to 2,000,313 DDoS weapons compared to 1,900,812 in the United States. South Korea (1,140,497) maintained its third position, while a new entrant, Brazil (756,540), took fourth position, pushing Russia (679,976) one notch down to fifth. The remaining 7,291,999 DDoS weapons resided in other countries around the world.
The top organizations hosting DDoS weapons include China Telecom (767,898), Korea Telecom (703,639), China Unicom CN (665,053), Chunghwa Telecom of Taiwan (286,973), and CANTV Venezuela (286,019).
Amplification weapons and attacks
DDoS amplification attacks involve sending small requests, with the victim’s IP address forged as the source, to servers that then send their much larger responses to the victim.
UDP-based services such as DNS, NTP, SSDP, SNMP and CLDAP are the ones generally exploited in these attacks, because they answer unauthenticated requests with responses many times the size of the request.
In the second half of 2020, A10 Networks researchers observed more than 2.5 million unique systems exploiting SSDP services. In all, the researchers tracked more than 11.7 million amplification attacks.
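The reflection pattern described above shows up in flow data as large UDP replies from a well-known service port to a single destination, usually without a matching request from that destination. The following is an added example, not code from the A10 report; the flow records are constructed in a NetFlow-like shape, and the thresholds (a 10x byte ratio, at least 1000 response bytes) are illustrative assumptions a defender would tune to their own network.

```python
"""Flag likely UDP amplification (reflection) traffic in flow records.

Added example, not from the A10 report. Flow records are constructed here in a
NetFlow-like shape; the thresholds are illustrative assumptions.
"""
from collections import defaultdict

# UDP services the article names as commonly abused amplifiers, keyed by port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP", 1900: "SSDP"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Requests carry the victim as source (forged or real); responses come back
# from the service port to the victim.
SAMPLE_FLOWS = [
    ("203.0.113.10", 40000, "198.51.100.5", 1900, "udp", 90),    # SSDP request, src = victim
    ("198.51.100.5", 1900, "203.0.113.10", 40000, "udp", 3200),  # amplified SSDP reply to victim
    ("203.0.113.10", 40001, "198.51.100.7", 1900, "udp", 90),
    ("198.51.100.7", 1900, "203.0.113.10", 40001, "udp", 2900),
    ("192.0.2.20", 161, "203.0.113.10", 5000, "udp", 1500),      # SNMP reply, no request seen
    ("192.0.2.30", 443, "203.0.113.50", 51000, "tcp", 40000),    # ordinary TCP, ignored
    ("203.0.113.60", 33000, "192.0.2.40", 53, "udp", 60),        # normal-size DNS exchange
    ("192.0.2.40", 53, "203.0.113.60", 33000, "udp", 120),
]


def amplification_factor(request_bytes, response_bytes):
    """Response bytes per request byte; None when no request was observed."""
    if request_bytes == 0:
        return None
    return response_bytes / request_bytes


def find_amplification(flows, min_factor=10.0, min_response_bytes=1000):
    """Summarise UDP traffic from amplifier ports per (victim, service).

    A pair is reported when response bytes reach min_response_bytes and either
    no request from the victim was seen (at the victim's edge a spoofed
    reflection looks like unsolicited replies) or the byte ratio is at least
    min_factor.
    """
    requests = defaultdict(int)    # (victim, port) -> bytes victim sent to the service
    responses = defaultdict(int)   # (victim, port) -> bytes the service sent to victim
    reflectors = defaultdict(set)  # (victim, port) -> distinct responding hosts
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport in AMPLIFIER_PORTS:
            responses[(dst, sport)] += nbytes
            reflectors[(dst, sport)].add(src)
        elif dport in AMPLIFIER_PORTS:
            requests[(src, dport)] += nbytes

    findings = []
    for (victim, port), resp in responses.items():
        factor = amplification_factor(requests.get((victim, port), 0), resp)
        if resp >= min_response_bytes and (factor is None or factor >= min_factor):
            findings.append({
                "victim": victim,
                "service": AMPLIFIER_PORTS[port],
                "response_bytes": resp,
                "factor": factor,
                "reflectors": len(reflectors[(victim, port)]),
            })
    # Largest inbound volume first.
    return sorted(findings, key=lambda f: -f["response_bytes"])


if __name__ == "__main__":
    for finding in find_amplification(SAMPLE_FLOWS):
        print(finding)
```

On the constructed sample this reports the SSDP traffic to 203.0.113.10 (6100 response bytes from two reflectors, roughly 34x the request bytes) and the unsolicited SNMP reply, while the ordinary DNS exchange stays below the volume threshold. The factor is only meaningful where the collector sees both directions; at a victim's edge the requests were never sent, so the "no request seen" branch is the one that fires.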
For SSDP-based attacks, the top countries were South Korea with 436,165 unique sources, followed by China (320,828) and Venezuela (289,874).
The United States (557,280), China (291,717) and Russia (97,512) topped the unique SNMP amplification sources.
The researchers advised organizations to perform various security operations to rule out the possibility of compromise. A10 Networks advised companies to check their network traffic and to disconnect connections they don’t need.
Upgrading IoT devices was also encouraged, along with employing “DDoS baseline techniques, artificial intelligence (AI) and machine learning (ML).”
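One concrete way to act on the advice to review traffic and shut down unneeded services is to check which of the amplifier-prone UDP services named in the report are listening on a host's network-facing addresses. This is an added example, not part of the report or the article; it parses text in the format of Linux `ss -ulnp` output, and the sample output embedded below is constructed.

```python
"""Audit a host for UDP services exposed to the network that are commonly
abused as DDoS amplifiers.

Added example, not from the A10 report. It parses text in the format of
`ss -ulnp` (Linux); the sample output below is constructed.
Run against real output with:  ss -ulnp | python3 audit_udp.py -
"""
import re
import sys

# Ports of the UDP services the article lists as amplification vectors.
AMPLIFIER_PORTS = {53: "DNS", 69: "TFTP", 111: "Portmap", 123: "NTP",
                   161: "SNMP", 389: "CLDAP", 1900: "SSDP"}

# Constructed sample in the shape of `ss -ulnp` output.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*         users:(("minissdpd",pid=812,fd=5))
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=600,fd=6))
UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=900,fd=8))
UNCONN 0      0      [::]:123            [::]:*            users:(("ntpd",pid=700,fd=16))
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=400,fd=12))
"""

PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def split_local(local):
    """Split an ss local-address field into (address, port)."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and scope id
    return addr, int(port)


def is_loopback(addr):
    """True for addresses only reachable from the host itself."""
    return addr.startswith("127.") or addr == "::1"


def exposed_amplifier_services(ss_output):
    """Return listening UDP sockets on amplifier ports bound to non-loopback addresses."""
    findings = []
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, port = split_local(fields[3])
        if port in AMPLIFIER_PORTS and not is_loopback(addr):
            m = PROCESS_RE.search(line)
            findings.append({"port": port, "service": AMPLIFIER_PORTS[port],
                             "bind": addr, "process": m.group(1) if m else "?"})
    return findings


if __name__ == "__main__":
    # "-" as the only argument reads real ss output from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_SS_OUTPUT
    for f in exposed_amplifier_services(text):
        print(f"udp/{f['port']} {f['service']} bound to {f['bind']} by {f['process']}")
```

On the sample it flags SSDP, SNMP and NTP bound to all interfaces, and ignores the stub resolver on 127.0.0.53 and chrony's control socket on loopback. A service that appears here and has no business being reachable from outside should be stopped, bound to loopback, or filtered at the host or network edge; where it must stay exposed, rate-limiting and source-address validation at the border reduce its usefulness as a reflector.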
Source: CPO Magazine