Warning on DDoS Attack vectors

The FBI sent an alert last week warning that several network protocols, none of them new, have recently been discovered to be abused for launching large-scale distributed denial of service (DDoS) attacks.

The alert lists three network protocols and a web application as newly discovered DDoS attack vectors.

The list includes CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software.

Three of the four (CoAP, WS-DD, ARMS) have already been abused in the real world to launch massive DDoS attacks, the FBI said, citing ZDNet’s previous reporting.

CoAP

In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, according to open source reporting. As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks.

WS-DD

In May and August 2019, cyber actors exploited the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits per second (Gbps), in two separate waves of attack, according to open source reporting. Later the same year, several security researchers reported an increase in cyber actors’ use of non-standard protocols and misconfigured IoT devices to amplify DDoS attacks, according to separate open source reporting. IoT devices are attractive targets because they use the WS-DD protocol to automatically detect new Internet-connected devices nearby; the protocol is intended for local-network multicast discovery, so a device that answers WS-DD requests from the Internet is exposed through misconfiguration or missing filtering. In addition, WS-DD operates over UDP, which allows actors to spoof a victim’s IP address and results in the victim being flooded with data from nearby IoT devices. As of August 2019, there were 630,000 Internet-accessible IoT devices with the WS-DD protocol enabled.

ARMS

In October 2019, cyber actors exploited the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to conduct DDoS amplification attacks, according to open source reporting. With ARD enabled, the ARMS service listens on port 3283 for incoming commands to remote Apple devices; because that port answers over UDP, requests can be spoofed just as with WS-DD, and attackers used it to launch DDoS amplification attacks with a 35.5:1 amplification factor. ARD is used primarily by universities and enterprises to manage large fleets of Apple Macs.

Jenkins

In February 2020, UK security researchers identified a vulnerability in the built-in network discovery protocols of Jenkins servers (free, open source automation servers used to support the software development process) that cyber actors could exploit to conduct DDoS amplification attacks, according to open source reporting. Researchers estimated cyber actors could use vulnerable Jenkins servers to amplify DDoS attack traffic 100 times against the online infrastructure of targeted victims across sectors.
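What the four vectors above have in common is visible in ordinary flow data: a spoofed victim receives large UDP responses from many reflectors on a service port it never sent a request to. The Python below is an added example (not part of the FBI alert or of this post) that scores constructed NetFlow-style records for exactly that pattern and includes a helper that computes the bandwidth amplification factor the alert quotes. The service ports are taken from the protocol specifications rather than from the alert text (CoAP 5683/udp, WS-Discovery 3702/udp, ARMS 3283/udp, Jenkins discovery 33848/udp); all addresses, packet counts and byte counts are made up for the illustration.

```python
"""Flag likely victims of UDP reflection/amplification in flow records.

Added example, not code from the FBI alert or the original post. The flow
records at the bottom are constructed; the port-to-service map comes from the
protocols' own specifications, not from the alert text.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# UDP service ports of the four amplifiers named in the alert (assumption:
# taken from the protocol specs, the alert itself only states 3283 for ARMS).
REFLECTOR_PORTS = {
    5683: "CoAP",
    3702: "WS-DD",
    3283: "ARMS",
    33848: "Jenkins",
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style aggregate)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes delivered to the victim per byte
    the attacker had to send to the reflector."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows: Iterable[Flow], min_sources: int = 3,
                            min_avg_bytes: int = 200) -> list[dict]:
    """Return hosts that look like spoofed victims of a reflection attack.

    A victim receives UDP traffic *from* a known reflector service port, from
    several distinct reflectors, with large average packet sizes, and has no
    matching outbound request to those reflectors (it never asked for it).
    """
    flows = list(flows)
    # Requests a host genuinely sent: (requester, reflector, reflector port).
    solicited = {(f.src, f.dst, f.dport) for f in flows if f.proto == "udp"}
    per_victim = defaultdict(lambda: {"sources": set(), "services": set(),
                                      "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        if (f.dst, f.src, f.sport) in solicited:
            continue  # legitimate reply to a request the host actually made
        v = per_victim[f.dst]
        v["sources"].add(f.src)
        v["services"].add(REFLECTOR_PORTS[f.sport])
        v["packets"] += f.packets
        v["bytes"] += f.bytes

    findings = []
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0.0
        if len(v["sources"]) >= min_sources and avg >= min_avg_bytes:
            findings.append({
                "victim": victim,
                "sources": len(v["sources"]),
                "services": sorted(v["services"]),
                "bytes": v["bytes"],
                "avg_bytes_per_packet": round(avg, 1),
            })
    return sorted(findings, key=lambda x: -x["bytes"])


# Constructed flow records (documentation address ranges, made-up sizes).
SAMPLE_FLOWS = [
    # Spoofed victim 203.0.113.10 is hit by WS-DD and ARMS reflectors it never queried.
    Flow("198.51.100.11", 3702, "203.0.113.10", 41234, "udp", 40, 60000),
    Flow("198.51.100.12", 3702, "203.0.113.10", 41234, "udp", 35, 52000),
    Flow("198.51.100.13", 3283, "203.0.113.10", 41234, "udp", 20, 12000),
    Flow("198.51.100.14", 3283, "203.0.113.10", 41234, "udp", 25, 15000),
    # Legitimate CoAP exchange: 203.0.113.20 asked, so the reply is solicited.
    Flow("203.0.113.20", 50001, "198.51.100.5", 5683, "udp", 1, 60),
    Flow("198.51.100.5", 5683, "203.0.113.20", 50001, "udp", 1, 180),
    # Unrelated TCP traffic is ignored.
    Flow("198.51.100.7", 443, "203.0.113.30", 50002, "tcp", 100, 90000),
]

if __name__ == "__main__":
    for hit in find_reflection_victims(SAMPLE_FLOWS):
        print(hit)
    print("ARMS factor:", amplification_factor(18, 639))
```

The thresholds are deliberately loose; in production you would tune `min_sources` and `min_avg_bytes` against a baseline of your own traffic and add a time window. On the response side, the same port map doubles as an edge-filter list: a network that does not expose CoAP, WS-Discovery, ARD or Jenkins to the Internet can drop or rate-limit inbound packets sourced from those UDP ports, and anyone operating such a service should keep it off public interfaces so it cannot be turned into a reflector.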

Researchers believe that these new DDoS threats will continue to be exploited further to cause downtime and damages for the foreseeable future.

Attacks of this kind are devastating when they arrive. Companies need to start investing in security improvements to mitigate these attack vectors and the ones that will follow.

DDoS attacks on the rise with WFH

Internet usage has risen sharply, and DDoS attacks have peaked alongside it. Adapting to the new normal of working from home (WFH) is a challenge for most organisations.


Growing stealth on internet

The pandemic effect was clear in traffic to specific websites, such as the 250% increase in queries for a popular collaboration platform as lockdowns commenced and the sharp rise in traffic to the website of a mask manufacturer.

A noticeable rise in traffic occurred in mid-March, correlating with the dates on which schools and organizations began to implement isolation policies, and query numbers continued to rise afterward, with a sharp uptick about a month after isolation policies had begun to take hold.

There was a 14% increase in DNS query volumes between March 1 and May 3, as the full impact of the pandemic set in around the world.

Of course, not all industries have been affected equally. As might be expected, queries to retail companies and streaming services saw a large increase during the one-month period coinciding with the beginning of stay-at-home orders, while the travel industry saw a decline initially but appears to be recovering.

Traffic patterns and increasing attacks

Concurrent with these changes in traffic patterns, there was a dramatic rise in DDoS and other attacks across virtually every metric measured, including the overall number of attacks and attack severity, a measure that combines attack volume and attack intensity.

“It’s no surprise that in this massive and unplanned shift of the global workforce now suddenly being reliant on home internet and corporate VPN connectivity, bad actors and cyber criminals would seek to take advantage of emerging network vulnerabilities.”


The DNS hijacking threat

While many DDoS and other types of attacks focus on corporate assets, there has also been an increase in DNS hijacking, a technique in which DNS settings are changed to redirect the user to a website that may look legitimate but often serves malware disguised as something useful.

Combined with the growing number of threats against the internet’s DNS infrastructure, the unexpected need to support a fully distributed workforce often exposes new vulnerabilities that are difficult for organizations to guard against. This underscores the importance of having effective cybersecurity measures in place, such as always-on DDoS protection services, to ensure operational continuity.