Editor's Picks, Features

DDoS: a weapon of mass disruption

As organisations take their businesses online, they become vulnerable to cyber-attacks that are increasing in frequency, intensity and sophistication. Distributed Denial-of-Service (DDoS) attack remains as one of the most popular cyber threats. Security correspondent Daniel Bardsley speaks to industry experts to discuss the current state of DDoS attacks and how organisations can steer clear.

Any doubt about the scale of the threat posed by Distributed Denial-of-Service attacks is swept away by looking at A10 Networks’ “DDoS Weapons Intelligence Map”.

This map from the Californian-headquartered cybersecurity company A10 Networks offers a dynamic, constantly active depiction of DDoS threats around the world.

Areas with high levels of existing Distributed Denial of Service (DDoS) weapons activity are shown as patches of white, while new DDoS weapons are revealed as blinking orange circles, several of which flash up each second.

Meanwhile, entries in the DDoS weapons database that are deemed to no longer be a threat (because they are no longer active as weapons, or the agent no longer exists with that IP address) show up in as short-lived blue circles. As with the orange dots, every second several of these blue dots appear and disappear every second.

The map’s frenetic pace of change depicts in vivid terms the scale and dynamic nature of the threats posed by DDoS attacks, which involve multiple computers simultaneously sending data to a network, causing it to become paralysed.

A ticking number of total DDoS weapons detected worldwide can be brought up near the centre of the map. The number changes continuously, but about 21 million is typical.

Clicking on individual countries highlights their particular level of activity, in terms of total DDoS weapons they host. In China there might be about six million DDoS weapons at any given time – the largest number of any country. For the United States, a typical figure is about 2.75 million while for India, about half a million is to be expected.

The numbers of DDoS weapons that other countries host are often much smaller, but not insignificant, and that includes the figure for the UAE.

Zoom in on the Emirates and click on the country, and the counter might display about 75,000 or 85,000, which will typically be more than double the number for Saudi Arabia, and many times the figure for other neighbouring countries, such as Oman and Kuwait.

Therefore, the scale of threats posed by DDoS attacks is not in doubt. However, the threat they pose now could, in future, appear relatively modest compared to the hazards they create in future.

The reason for this is the burgeoning popularity of Internet of Things (IoT) devices.

Rich Macfarlane, a lecturer in the School of Computing at Edinburgh Napier University in the United Kingdom who has researched DDoS attacks, said this growth in the number of IoT devices “certainly increases the likelihood and increases the possibilities” of DDoS attacks.

“A lot of these IoT devices have huge problems. The IoT stuff has taken our thinking back 20 years where computers had some of these vulnerabilities,” says Macfarlane.

A recent report by A10, The State of DDoS Weapons, highlights the way in which IoT will likely make DDoS attacks an even more significant problem than they are now. As is well known, malware can cause IoT devices to flood target sites with traffic.

“We’re right at the very beginning of the massive growth of IoT devices,” says Don Shin, a senior product marketing manager for the A10 Networks.

The growth in the numbers of IoT devices is, indeed, likely to be dramatic.

According to figures from IoT Analytics, in 2016 there were 4.7 billion devices connected to the internet. Forecasts published by Norton suggest that in 2021 there will be 11.6 billion IoT devices, and by 2025 the number will have reached 21 billion, a rapid increase driven in part by the spread of 5G.

Reports have noted that IoT is seeing a shift away from Real Time Operating Systems (RTOS) to Linux-based devices. Shin says that these Linux-based systems “have very weak security parameters”.

“IoT devices running Linux don’t have things like antivirus on them. As a result, it makes it simpler for attackers to exploit IoT devices and use them as weapons for DDoS attacks,” he says.

“It’s driving the intensity, the total number, the frequency and, to a certain degree, the sophistication as well.”

A key talking point in The State of DDoS Weapons is the way in which a protocol generated by IoT devices, the Constrained Application Protocol (CoAP), could be used to launch attacks. CoAP attacks are implemented through the User Datagram Protocol (UDP), a communications protocol.

A10 Networks describes CoAP as “a lightweight machine-to-machine protocol that can run on smart devices where memory and computing resources are scarce”. It is used particularly with applications in fields such as building automation and smart energy.

According to the company, more than 400,000 of these weapons are now being used in attacks.

“As an industry, we’ve decided to implement the protocol for CoAP for machines to be able to talk to each other. The problem with this particular communication is that it’s being developed with some security holes inside it,” says Shin.

These openings can, says Shin, be exploited by attackers for the launching of reflected amplification attacks, also known as amplified reflection attacks. As A10 Networks defines them, amplified reflection attacks are “a type of DDoS attack that exploits the connectionless nature of the UDP protocol with spoofed requests to misconfigured open servers on the internet”.

“As an attacker, you will go and search for machines with this CoAP running on them. You will make a request to these machines, but spoof the IP address of the victim. These machines will send their responses back to the victim,” he says.

Shin says that A10 Networks is trying to help people to understand the way in which the nature of DDoS attacks is being affected by the emergence of this new protocol.

In the first quarter of this year, A10 Networks tracked a total of 22.9 million DDoS weapons and found that a number of protocols other than CoAP still play a dominant role.

The five most commonly used in attacks were the Domain Name System (DNS) protocol, the Network Time Protocol (NTP) based weapons, the Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP) and the Trivial File Transfer Protocol (TFTP), this last of which is a new entrant into the top five.

So, as new protocols are being highlighted as the source of DDoS weapons, and the total number of attacks looks set to grow, what security measures can be taken?

Cybersecurity companies compile millions-strong inventories of DDoS weapons, allowing blacklisted IP addresses to be blocked. Shin says that A10 Networks can create up to 96 million entries in a blacklist.

“If you can get ahead and identify them, we can use this as a strategy to prevent DDoS attacks,” says Shin.

A10 Networks and its partners use several approaches, including tracking bot-herders, analysing forensic data, scanning the internet for weapons signatures and tapping networks. Shin says it is important to have an “actionable defence”.

“Knowing where the command and controls are is important, but during the DDoS attack, a huge portion is being able to identify where the weapon system is, and blocking that action,” he says.

“So by creating a strategy to block IP addresses, you can take a proactive approach to defend against them.”

Previous ArticleNext Article


The free newsletter covering the top industry headlines