By: Amr Alashaal, A10 Networks
The world has been going through significant changes: facing a global COVID-19 pandemic, researching how the SARS-CoV-2 virus works, and then delivering a defense via vaccines to fight back. Similarly, in the world of cybersecurity, we saw many changes in the first half of 2021. A10 Networks’ recent report on the H1 2021: The Global State of DDoS Weapons sheds light on potential DDoS weapons and their behavior to ensure DDoS attacks can be mitigated regardless of the country or organization they belong to. The report provides detailed insights into the origins of DDoS activity, how easily and quickly modern malware can hijack IoT devices and convert them into malicious botnets, and what organizations can do to protect against such activities.
As per the report, while DDoS attacks kept growing in size and frequency, attackers particularly focused on low-volume attacks that ran for longer periods, frequently injecting attack traffic. These low-volume attacks helped them evade basic defensive measures, but low thresholds still had a significant impact on systems and operations. We also saw some positive changes, for example, a large-scale botnet takedown by an international operation across different continents. Organizations began paying a lot more attention to DDoS, raising awareness around the role of malware in DDoS attacks, and providing insights into how systems and operations can be protected from attacks, large or small.
Organizations are paying more attention to infectious malware, like Mozi. Some vigilante groups have even started using DDoS attacks as a defensive measure, attacking systems that exhibit scanning behavior. A10 has seen this behavior exhibited on our honeypots. While employing DDoS attacks against the very attackers might be considered controversial, it helps ultimately reduce DDoS attacks and the expansion of botnets.
Key Insights from the report:
- The total number of DDoS weapons has increased by approximately 2.5 million in the first half of 2021, in line with the last two reports, with a total number of approximately 15 million weapons. This number includes both reflected amplification weapons as well as botnet agents readily available for exploitation by attackers.
- SSDP (Simple Service Discovery Protocol), which can be a dangerous and potent DDoS weapon, remained at the top with over 3.2 million potential weapons exposed to the internet. The rest of the weapons remained virtually the same as before, with SNMP, Portmap, TFTP, and DNS Resolvers as the top five. It is important to note that almost all of these weapons experienced a growth in numbers except for DNS Resolvers, which had a reduction of over 300,000 weapons.
- China continues to lead in hosting the highest number of potential DDoS weapons (almost 2 million), including both amplification weapons and botnet agents.
- The United States remains the second-largest source of DDoS weaponry, particularly amplification weapons.
- The number of total botnet agents was almost halved, with China hosting 44% of the total number of drones available worldwide.
- Mozi, one of the highly prevalent malware in the DDoS world, topped out at over 360,000 unique systems using more than 285,000 unique source IP addresses, likely due to address translation. First identified in 2019, Mozi has been evolving and increasing in size ever since. It can now persist on network devices by infiltrating the device’s file system, remaining functional even after the device has been rebooted. The Mozi botnet includes infected bots around the globe with China, India, Russia, Brazil, and Vietnam leading the list of countries and regions.
In conclusion, cybercriminals and cyberattacks have been evolving at a steady pace. With new attacks and new malware variants that come out, we see new layers of sophistication in how IoT and smart devices are weaponized. While these attacks become more prevalent, one thing is quite obvious — they don’t go unnoticed. Now is the time to update our defensive strategies by incorporating the Zero Trust model and investing in modern, artificial intelligence/machine learning-based solutions that will not only defeat attacks in real-time but also protect against the unknown.