The State of DDoS Attacks: The Best Offense is a Strong Defense

While DDoS attacks are becoming more frequent, severe and advanced than ever before, attackers are still leveraging the same weapons to launch them.

This means that organizations have the unique opportunity to focus less on playing catch-up with criminals and more on strengthening their defenses and locating the weapons being used against them.

In our Q4 2018 The State of DDoS Weapons report, we examine the types of weapons being used, where they’re coming from and what DDoS attacks will look like in the near future.

Here, we’ll go over the report’s findings so you can learn more about the weapons attackers are using and how you can effectively protect your organization against them.

Weapons Used in DDoS Attacks

To overwhelm their targets with massive amounts of data, DDoS attackers will often use reflected amplification weapons.

With reflected amplification weapons, attackers zero in on weak spots in the target’s UDP protocol to spoof their IP address and exploit server vulnerabilities that trigger a reflected response.

As a result, the server produces responses that are significantly bigger than the original request, thereby overloading the server’s capacity.

Reflected amplification weapons include:

  • Memcached
  • Network Time Protocol (NTP)
  • DNS resolvers
  • Simple Service Discovery Protocol (SSDP)
  • Connection-less Lightweight Directory Access Protocol (CLDAP)
  • Simple Network Management Protocol (SNMP)

In our report, we analyzed how many times each reflected amplification weapon was used in a DDoS attack. Our results revealed that NTP-based weapons are by far the most common, followed by DNS resolver-based and SSDP-based weapons:

 

Top Tracked DDoS Weapons by Size

 

But where are all these weapons coming from? According to our research, wherever there’s a dense internet-connected population, there will also be DDoS weapons being hosted.

Knowing this, it makes sense that China and the U.S. host the largest number of weapons, with 4,374,660 and 3,010,039 weapons respectively. Italy takes third place, followed by Russia, the Republic of Korea, Germany and India:

 

China and the U.S. host the largest number of DDoS weapons

 

For those weapons to stay online, they need a network to connect to. That’s where ASNs come in: ASNs are collections of IP addresses that are controlled by a single operator, usually a company or organization. Unfortunately, some of those operators allow DDoS weapons to remain connected.

Knowing that most DDoS weapons originate from China, it’s not surprising that two of the three ASNs which host the most DDoS weapons are Chinese. The top two are China Unicom and China Telecom, with Italian company TIM coming in third.

 

ASNs which host the most DDoS weapons are Chinese

 

However, the origins of DDoS weapons don’t perfectly align with the countries being attacked. According to Rapid7 Labs’ 2018 National Exposure Index, the top five countries most vulnerable to internet-based attacks are the United States, China, Canada, The Republic of Korea and the United Kingdom.

 

Rapid7 Labs’ 2018 National Exposure Index

 

How DDoS Weapons Are Used to Attack

Before launching a DDoS attack, attackers first have to do some research, whether they’re searching for specific targets or looking for potential bots they can add to their pool before being sold to the highest bidder.

When performing reconnaissance, attackers search for certain types of ports much more frequently than others.

When looking for IoT ports, the most-searched TCP ports are numbers 445, 23, 80, 8080, 5555, 2323 and 81.

 

Top iOT Port Searches

 

When searching for reflectors, the most-searched UDP ports are numbers 5060, 123, 137, 1900, 53, 161 and 389.

 

Top Reflector Searches

 

In terms of the attacks themselves, it turns out that the biggest ones are all amplified reflection attacks.

With these types of attacks, attackers send large amounts of small requests to exposed servers, with each request bearing the victim’s spoofed IP address. As a result, the exposed servers send requests back to the victim, which can quickly overwhelm the victim’s server.

In our report, we learned that amplified reflection weapons tend to be leveraged against targets in particular countries.

The United States was the country most frequently targeted by DNS resolver-based, NTP-based and CLDAP-based weapons:

 

DNS resolver-based, NTP-based and CLDAP-based weapons

 

Meanwhile, the Republic of Korea is most frequently attacked with SNMP-based weapons, and China is attacked with SSDP-based weapons more than any other country:

 

attacked with SNMP-based and SSDP-based weapons

 

When we look at the big picture painted by the report’s findings, it’s plain to see that it’s absolutely essential for organizations to protect themselves in a few key areas.

In 2019, organizations must take extra care to defend their NTP, TCP ports and UDP ports, while keeping in mind that amplified reflection attacks often prove to be the largest and most devastating.

To learn more about the DDoS weapons that attackers are leveraging today, download our latest The State of DDoS Weapons report now.