A10 Networks: DDoS Weapons Multiplying Amid Increasing Attacks

Over the past three years, distributed denial of service (DDoS) weapons have more than doubled, reaching 15.4 million in 2021.

That’s according to A10 Networks’ new DDoS threat report. It covers the increasing scope and intensity of such attacks, and the geographical splay of the attacks. It also offers preventive steps organizations can take to mitigate these.

Key findings include:

• Over three years, the number of DDoS weapons rose from 5.9 million to 15.4 million.
• China led the list of countries hosting the most DDoS weapons, with more than 2 million amplification weapons and botnet agents.
• There was a 100% year-on-year increase of more obscure potential amplification weapons, including Apple Remote Desk (ARD), used in the Russia-Ukraine conflict.
• Attackers have been quick to leverage the well-known Log4j vulnerability, with more than 75% of Log4j scanners originating in Russia.

Plethora of Options to Leverage, Create Botnets

Babur Nawaz Khan is A10 Networks‘ senior product marketing manager.

A10 Networks’ Babur Nawaz Khan

“The steady growth of IoT is providing a plethora of options for attackers to leverage and create botnets,” he said. “This, coupled with the widespread use of malware in the automated exploitation and creation of botnets, has fueled the surge of DDoS attacks in recent years. A recent example of this is the use of the Log4j vulnerability in DDoS.”

The popularity of the well-known Log4j vulnerability has helped to fuel the surge in DDoS attacks that A10 Networks has been monitoring, with the scale of its use potentially extending to billions of devices worldwide, Khan said.

“According to NIST, the Java Naming and Directory Interface (JNDI) features within Log4j, used in configuration and logging, can easily be hijacked by attackers who can control log messages or log message parameters to execute malicious code,” he said. “At the same time as the disclosure of the Log4j vulnerability was being made public, A10 Networks’ analysis of hosts affected by the [vulnerability] revealed that 75% of all scanning was sourced from Russia.”

Log4j Used to Acquire Systems for DDoS Attacks

A10 Networks discovered cybercriminals using Log4j to acquire systems for DDoS attacks globally, Khan said. The vulnerability had the potential to create large botnets capable of carrying out large-scale DDoS attacks.

“Furthermore, the use of protocols like the Simple Service Discovery Protocol (SSDP), a dangerous and potent DDoS weapon that topped the list of the most potential amplification weapons, has been made easy since most of these systems are exposed to the internet and readily exploitable for large-scale amplification attacks,” he said. “This was undoubtedly a contributing factor as to why the number of DDoS weapons tracked by A10 Networks has risen to over 15.4 million in 2021.”

It is well-reported that the pandemic caused a spike in cyberattacks, including malware, ransomware and DDoS attacks. Threat actors have sought to disrupt not only services people rely on everyday like health care, education and financial, but also critical infrastructure, like food supply chains, utilities and government agencies. Correspondingly, there has been a dramatic increase in the weapons that cybercriminals can use to launch these attacks.

“To counter the ongoing threat of DDoS attacks, organizations should prioritize implementation of zero-trust strategies to identify and isolate problem areas, use modern artificial intelligence/machine learning (AI/ML)-based automated DDoS defenses to protect against all DDoS attacks, and monitor devices, traffic and users to ensure networks are not weaponized and used against the internet,” Khan said.

Attacks Will Only Intensify

While the world eases into a more normal operating environment, cyberattacks, including state-sponsored attacks, will only continue to intensify, Khan said.

“This is mainly due to the fact that with each passing year, the acquisition of DDoS weapons and the ability to launch a DDoS attack has almost become ubiquitous,” he said. “The motives for launching DDoS attacks also seem to evolve.”

Cybercriminals are using DDoS attacks as arbitrary tools of distraction or disruption for financial gain or to make a statement.

As illustrated by state-sponsored attacks by Russia, there’s clear evidence that these closely coordinated attacks are complementing physical confrontation on the ground, Khan said. That’s likely to continue with future conflicts.

“It is therefore essential for governments to remain vigilant,” he said.