The exponential growth of botnets fueled by the proliferation of Internet of Things (IoT) devices, and the immense power they command, is driving up the sophistication, scale and speed of today’s Distributed Denial of Service (DDoS) attacks. Compounding the DDoS challenge for Communications Service Providers (CSPs) are cataclysmic IoT-based attacks that constantly and automatically change their parameters and signatures in response to cyber-defenses.
An emphatic red flag raised by DDoS mitigation leader Nexusguard’s observation of the evolving attack landscape in 2018 is the woeful inadequacy of CSPs’ legacy solutions that provide ‘cleanpipe’ service to customers. With digital transformation initiatives well underway in many companies and the world becoming more interconnected, cybercriminals have stepped up efforts to discover new vulnerabilities and exploit them.
Exposed DNS, Memcached servers
As with IoT devices where security is done as an afterthought, poorly configured DNSSEC-enabled DNS servers and unguarded Memcached servers have allowed attackers to launch waves of amplification attacks. The amplification factor of attacks leveraging Memcached servers can go as high as 51,000X, dwarfing the 2,000X to 11,000X achieved by NTP or DNS attacks.
Memcached servers – typically used to speed up dynamic database-driven websites – are meant to be placed in a secure zone, not exposed to the internet, where cybercriminals can scan, identify and exploit these servers to reflect amplification attacks. Memcached servers in leading domain registrars, hosting companies and ISPs, as well as universities and government agencies, have been compromised.
Hence, Nexusguard and the security community have urged service providers to update security configurations and virtual patches on their Memcached servers throughout their lifecycle. Service provider partners are rate-limiting UDP service on port 11211 from the internet to eliminate most Memcached attack traffic upstream, before it reaches Nexusguard’s scrubbing network and client networks downstream.
Intensifying IoT botnet activity has fueled massive DDoS attacks against networks and mission-critical services. Targets included the 2018 FIFA World Cup and cryptocurrency-related businesses. The Satori malware, a variant of the notorious Mirai malware, exploited zero-day vulnerabilities in home routers and other IoT devices. They generated network-layer DDoS attacks, such as junk UDP, TCP SYN, and TCP ACK packets. Jumbo-sized TCP SYN floods, particularly, contributed significantly to multiple-fold increases in the scale of attacks.
Nexusguard has been readying CSPs for such attacks by giving them access to cloud DDoS protection to increase their scalability, especially those whose infrastructures are not built for full redundancy and failover.
Attackers were not only ramping up the scale of attacks but also applying sneaky new tactics. In attacks on CSPs, especially those at the autonomous system number (ASN) level, they contaminate legitimate traffic across hundreds of IP prefixes with small-sized junk traffic that bypasses detection thresholds. Compared with a year ago, about 50% more ASN-level CSPs were targeted by these ‘bit-and-piece’ attacks in Q4 2018.
These DNS Amplification attacks, carried out in a piecemeal way, essentially use spoofed IP addresses to send small queries to open DNS resolvers that elicit large responses, which are directed to the targeted victim’s actual IP address. But mitigating small-sized attack traffic broadly distributed across hundreds of IPs is difficult at the CSP level. Such attack methods compel CSPs to enhance network security posture and find better ways to protect their critical infrastructure and tenants.
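As an added illustration of the detection problem described above (this is example code, not Nexusguard’s method or product), the following Python shows why a per-destination-IP byte threshold misses bit-and-piece amplification traffic, and how aggregating the same reflected traffic per destination prefix catches it. The flow records, the thresholds, the 500-byte average-packet cut-off and the use of documentation IP ranges are all constructed assumptions; the reflector-port list (DNS 53, NTP 123, Memcached 11211) reflects the amplification vectors discussed in the text.

```python
"""Added example: prefix-level aggregation of reflected amplification traffic.

A 'bit-and-piece' attack spreads small volumes of reflected junk across many
addresses in a prefix so that no single destination crosses a per-IP threshold.
Summing the same traffic per /24 exposes it.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """Constructed five-tuple flow summary (assumption: what a flow collector exports)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    bytes: int
    packets: int


# UDP services commonly abused as reflectors (DNS, NTP, Memcached).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 11211: "memcached"}

PER_IP_THRESHOLD_BYTES = 100_000       # legacy per-destination threshold (assumption)
PER_PREFIX_THRESHOLD_BYTES = 500_000   # aggregate threshold for a /24 (assumption)
LARGE_PACKET_BYTES = 500               # reflected responses are large; queries are small (assumption)


def is_reflected_amplification(flow: Flow) -> bool:
    """Reflected amplification arrives as UDP whose *source* port is a reflector
    service and whose packets are large: the victim never sent the query,
    a spoofed source did, so only the oversized responses show up."""
    if flow.proto != "udp" or flow.src_port not in REFLECTOR_PORTS:
        return False
    avg_packet = flow.bytes / max(flow.packets, 1)
    return avg_packet >= LARGE_PACKET_BYTES


def bytes_per_destination(flows):
    """Sum suspected amplification bytes per destination IP."""
    per_ip = defaultdict(int)
    for f in flows:
        if is_reflected_amplification(f):
            per_ip[f.dst_ip] += f.bytes
    return per_ip


def per_ip_alerts(flows):
    """Legacy view: alert only when one destination IP exceeds the threshold."""
    return {ip for ip, b in bytes_per_destination(flows).items()
            if b >= PER_IP_THRESHOLD_BYTES}


def per_prefix_alerts(flows, prefix_len=24):
    """Aggregated view: fold per-IP totals into their covering prefix first."""
    per_prefix = defaultdict(int)
    for ip, b in bytes_per_destination(flows).items():
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[str(net)] += b
    return {net for net, b in per_prefix.items()
            if b >= PER_PREFIX_THRESHOLD_BYTES}


def build_sample_flows():
    """Constructed sample: 200 hosts in 203.0.113.0/24 (a documentation range)
    each receive ~20 KB of Memcached-sourced UDP, well under the per-IP threshold."""
    flows = []
    for host in range(1, 201):
        flows.append(Flow("198.51.100.7", 11211, f"203.0.113.{host}",
                          40000 + host, "udp", 20_000, 14))
    # Ordinary DNS answers to one client: small packets, should not be flagged.
    flows.append(Flow("198.51.100.53", 53, "203.0.113.250", 5353, "udp", 3_000, 30))
    # Ordinary HTTPS traffic: TCP, should not be flagged regardless of size.
    flows.append(Flow("192.0.2.10", 443, "203.0.113.9", 51000, "tcp", 800_000, 600))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-IP alerts:    ", per_ip_alerts(sample))        # empty set
    print("per-prefix alerts:", per_prefix_alerts(sample))    # {'203.0.113.0/24'}
```

The per-IP view stays silent because every host receives only 20 KB, while the /24 view sees 4 MB of reflector-sourced UDP and raises an alert; in practice the prefix length and thresholds would be tuned to the CSP’s own baseline, and the same aggregation can be keyed by customer or by announced prefix rather than a fixed /24.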
Attack trends for 2019
The mutating Mirai botnet implies that botnet builders continue to find ways to exploit zero-day vulnerabilities of internet-connected devices. Again, the vulnerabilities present in unsecured IoT devices, publicly accessible Memcached servers and badly configured DNSSEC-enabled DNS servers open the door to malware propagated by exponentially growing botnets that are driving up the scale of attacks.
Recent fervor around cryptocurrencies has also triggered DDoS attacks on lending and exchange platforms such as BitConnect, Bitfinex, Bittrex, and Poloniex, as well as on the launch of the digital currency Bitcoin Gold. Users are denied access to services. In the world of trading, every second of downtime translates to significant financial risk. Taking a leaf out of the ransomware playbook, some threat actors have begun demanding payment in cryptocurrencies, embedding ransom messages in the attack traffic. Attackers are also leveraging botnets to spread cryptocurrency mining malware.
Further, more powerful DDoS attacks are poised to be unleashed with the use of AI by perpetrators to perform scanning, identify vulnerabilities and launch targeted strikes.
As DDoS attacks evolve to become more potent and stealthier than ever, CSPs ought to take a more proactive stance and seriously consider moving DDoS mitigation to the cloud for the sake of scalability, resilience and a centralized intelligence platform.
To stay ahead of the constantly evolving threat landscape and keep CSPs’ networks and customers safe, Nexusguard’s highly scalable and fully redundant global scrubbing network offloads traffic spikes to a multicast scrubbing facility to alleviate congestion at the destination ASN. The scrubbing centers are strategically placed in nine regions globally. Since Nexusguard builds and owns its detection and mitigation stack, each scrubbing center is infinitely scalable both horizontally and vertically.
Coupled with Nexusguard’s scalable and automated DDoS mitigation deployments, CSPs will be empowered not only to address advanced DDoS threats but also to enhance revenue potential from security-aware customers, deliver on the uptime promise, and protect their reputation.
This is a QuestexAsia feature commissioned by Nexusguard.