While many companies accelerated their digital transformation during the last couple of years as the world battled COVID-19, with the pandemic serving as a catalyst for businesses to adapt to remote working, the impact of COVID-19 on cybersecurity has also been significant. As we slowly work our way back to normalcy, the cyber world remains engulfed by a new pandemic of cyber-attacks, not least the cyber warfare accompanying the Russia-Ukraine conflict. As more malicious actors seek to exploit confusion, both the volume of potential weapons that could be used to launch attacks and the sophistication of deployed tactics are rising.
For decades now, DDoS attacks have been systematically used as tools of distraction or disruption for reasons such as financial gain or to make an ideological statement. Our most recent threat report highlights why DDoS attacks continue to find their way into headlines, how the use of DDoS weapons is evolving and intensifying, and how organizations can improve their security posture and protect resources against devastating DDoS attacks.
More Weapons, Greater Sophistication, Easier Access
We’re now tracking 15.4 million potential DDoS weapons. The total number of DDoS weapons, which was previously recorded at 15 million, has grown by over 400,000 or 2.7 percent in a six-month period. There was also evidence of a doubling in the emergence of more obscure protocols, including Apple Remote Desktop (ARD), Connectionless Lightweight Directory Access Protocol (CLDAP), and others.
Notably, ARD was used in the cyberattacks on Ukraine in the initial stages of Russia’s invasion. Investigating one of our research honeypots, and focusing on the spike on the first day, we saw that attackers were attempting to co-opt legitimate U.S.-based systems into a coordinated DDoS amplification and reflection attack in conjunction with the physical confrontation. This overt cyber warfare, where state-sponsored DDoS attacks are timed to complement military action, is likely to be a common feature of future conflicts and points to the role of governments in tackling large botnets that can be marshaled as weapons of war.
When we look at the most common DDoS weapons, Simple Service Discovery Protocol (SSDP) remained at the top, showing a 13 percent increase in size year-over-year. Portmap saw a 15 percent increase and SNMP a six percent increase. However, outside the usual suspects, the leap of more than 100 percent in other types of weapons shows that organizations need broad visibility of potential attack vectors to build an effective defense. Data feeds tracking the millions of IP addresses of exploited hosts used in DDoS attacks can be consumed by DDoS protection solutions, which allow organizations to implement surgical security and DDoS attack mitigation activity against known bad sources.
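As an added illustration of how a weapon feed can be consumed by a defense, not code from A10 Networks or its threat report: the script below loads a constructed blocklist of reflector addresses, then triages constructed flow records. A source that appears in the feed is marked for blocking; a UDP flow whose source port belongs to one of the amplification services named above (SSDP, CLDAP, Portmap, SNMP, ARD, using their standard IANA ports) and whose average packet size looks like an amplified response is marked for rate-limiting rather than outright blocking, because legitimate responses from those services also exist. The feed entries, flow records and the 400-byte average-size threshold are all assumptions made for this example.

```python
"""Triage flow records against a DDoS-weapon feed and known reflector ports.

Added example; the feed contents, flows and thresholds are constructed.
"""
import ipaddress
from dataclasses import dataclass

# UDP source ports of services commonly abused for reflection/amplification.
# The protocol names are those discussed in the report; the port numbers are
# the services' standard IANA assignments.
REFLECTOR_PORTS = {
    1900: "SSDP",
    389: "CLDAP",
    111: "Portmap",
    161: "SNMP",
    3283: "ARD",
}

# Constructed sample feed (not real indicators): one IP or CIDR per line,
# '#' starts a comment, as many plain-text feeds are formatted.
SAMPLE_FEED = """\
# constructed weapon feed for this example
203.0.113.10
203.0.113.11
198.51.100.0/24
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def load_feed(text):
    """Parse a plain-text feed into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_feed(ip, nets):
    """True if the address falls inside any feed entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(flow, nets, min_avg_bytes=400):
    """Return (action, reasons) for one flow.

    - feed hit                      -> block
    - reflector port + large packets -> rate-limit (heuristic only)
    - otherwise                      -> allow
    """
    reasons = []
    if in_feed(flow.src_ip, nets):
        reasons.append("known-weapon")
    if flow.proto == "UDP" and flow.src_port in REFLECTOR_PORTS:
        avg_size = flow.bytes / max(flow.packets, 1)
        if avg_size >= min_avg_bytes:
            reasons.append("reflection:" + REFLECTOR_PORTS[flow.src_port])
    if not reasons:
        return "allow", reasons
    action = "block" if "known-weapon" in reasons else "rate-limit"
    return action, reasons


# Constructed flow records: one feed hit on a reflector port, one reflector
# port without a feed hit, one ordinary DNS answer, one feed hit over TCP.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 1900, "192.0.2.5", 40000, "UDP", 1000, 1_200_000),
    Flow("192.0.2.200", 389, "192.0.2.5", 40001, "UDP", 500, 1_500_000),
    Flow("192.0.2.201", 53, "192.0.2.5", 40002, "UDP", 10, 2_000),
    Flow("198.51.100.77", 443, "192.0.2.5", 40003, "TCP", 20, 5_000),
]


def triage(flows, nets):
    """Classify every flow; returns [(src_ip, action, reasons), ...]."""
    return [(f.src_ip, *classify(f, nets)) for f in flows]


if __name__ == "__main__":
    for src, action, why in triage(SAMPLE_FLOWS, load_feed(SAMPLE_FEED)):
        print(f"{src:16} {action:10} {', '.join(why) or '-'}")
```

The split between "block" and "rate-limit" is the practical point: a feed hit is a known bad source and can be dropped surgically, whereas the port-and-size heuristic alone is a signal to throttle and investigate, since it will also match a legitimately large SNMP or LDAP reply.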
Turning Intelligence into Action: Driving Urgency with Zero Trust DDoS Defenses
Organizations must monitor and ensure their systems are not abused for cyberattacks, illegal actions, and other negative purposes. First, there is the risk of becoming victim to a disruptive DDoS attack and all the financial, reputational, and operational issues this entails. Second, there is the risk of becoming an accomplice to attacks—even nation-state warfare—by unwittingly allowing unsecure corporate devices to be recruited to botnets or be used in amplification and reflection attacks.
Moreover, organizations must address their security posture and stand up effective modern defenses against DDoS attacks and weaponization. This is vital not just for their own protection but also in a bid to limit the field for botnet recruitment and prevent any infrastructure or system from being deployed in international cyber warfare. This has a societal as well as commercial benefit and should be seen as part of the organization’s corporate social responsibility stance.
The upside: Zero Trust offers an approach to strengthen security across today’s highly distributed environments, whether service provider or enterprise infrastructure, and work-from-anywhere workforce.
Zero Trust principles tell us that only legitimate users should have access to resources. Eliminating bad actors, illegitimate flows, probes, and more calls for a modern approach: alongside standard defense policies and baselining, a modern set of technologies can be applied. Effective DDoS defense needs threat intelligence to block multiple categories of known bad actors, artificial intelligence (AI) and machine learning (ML) to identify and stop zero-day threats, and automation at multiple levels to find and mitigate large, small, and stealthy DDoS attacks. Together, these techniques reduce the threat surface and illegitimate access.
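To make the "baselining" and "large, small, and stealthy" point concrete, here is an added example (not A10's code) of a per-destination rate baseline with two detectors: a spike detector for the obvious volumetric attack, and a sustained-deviation detector for a low-rate attack that never crosses the spike threshold but sits above the baseline for several consecutive windows. The packet-rate series, the five-times spike factor, the three-sigma band and the three-window persistence requirement are all assumptions chosen for the example; a production system would learn the baseline per destination and per protocol.

```python
"""Baseline-and-deviation detection over per-window packet rates.

Added example with constructed data; thresholds are illustrative.
"""
from statistics import mean, pstdev


def build_baseline(training_rates, k=3.0):
    """Return (mean, upper_bound) from a clean training window.

    upper_bound = mean + k * population standard deviation.
    """
    mu = mean(training_rates)
    sigma = pstdev(training_rates)
    return mu, mu + k * sigma


def detect(training_rates, observed_rates, spike_factor=5.0, k=3.0,
           min_consecutive=3):
    """Scan observed windows and return [(index, kind, rate), ...].

    kind == "spike":     rate exceeds spike_factor * baseline mean.
    kind == "sustained": rate above the k-sigma band for min_consecutive
                         windows in a row (reported once per run).
    """
    mu, upper = build_baseline(training_rates, k)
    alerts = []
    run = 0  # consecutive windows above the band
    for i, rate in enumerate(observed_rates):
        if rate > spike_factor * mu:
            alerts.append((i, "spike", rate))
        if rate > upper:
            run += 1
            if run == min_consecutive:
                alerts.append((i, "sustained", rate))
        else:
            run = 0
    return alerts


# Constructed packets-per-second samples for one destination, one value per
# time window. Training: quiet traffic around 100 pps.
TRAINING = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
# Observed: a volumetric spike at window 1, then a low-rate excursion at
# windows 3-6 that stays far below the spike threshold.
OBSERVED = [100, 800, 100, 110, 112, 111, 109, 100]


if __name__ == "__main__":
    mu, upper = build_baseline(TRAINING)
    print(f"baseline mean={mu:.1f} pps, 3-sigma upper bound={upper:.1f} pps")
    for idx, kind, rate in detect(TRAINING, OBSERVED):
        print(f"window {idx}: {kind} ({rate} pps)")
```

The stealthy excursion in windows 3 to 6 is only about ten percent above normal, so a pure threshold on absolute rate would miss it; the persistence check catches it without flagging the single noisy window a plain sigma test would, which is the trade-off that automation at "multiple levels" is meant to cover.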
Among the foundational capabilities of a Zero Trust framework is inspecting traffic, especially encrypted traffic as it can be a prime hiding place for malware. Using a dedicated, high-performance SSL/TLS inspection capability to support and empower the entire security stack at once can help stop malware of all kinds, whether botnet-related, ransomware, or more.
These solutions allow more effective visibility and mitigation of cyber-attacks, stopping them sooner and more efficiently. This, in turn, means organizations can reduce their attack surface for better digital resiliency and overall operations.
Paul Nicholson is Sr. Dir. Product Marketing, at A10 Networks.