The State of DDoS Attacks: The Best Offense is a Strong Defense

Ahmad Nassiri
February 19, 2019

The State of DDoS Attacks: The Best Offense is a Strong Defense

A new version of the State of DDoS Weapons Report has been published. Learn more about the new report here.


While DDoS attacks are becoming more frequent, severe and advanced than ever before, attackers are still leveraging the same weapons to launch them.

This means that organizations have the unique opportunity to focus less on playing catch-up with criminals and more on strengthening their defenses and locating the weapons being used against them.

In our State of DDoS Weapons report, we examine the types of weapons being used, where they’re coming from and what DDoS attacks will look like in the near future.

Here, we’ll go over the report’s findings so you can learn more about the weapons attackers are using and how you can effectively protect your organization against them.

Weapons Used in DDoS Attacks

To overwhelm their targets with massive amounts of data, DDoS attackers will often use reflected amplification weapons.

With reflected amplification weapons, attackers zero in on weak spots in the target’s UDP protocol to spoof their IP address and exploit server vulnerabilities that trigger a reflected response.

As a result, the server produces responses that are significantly bigger than the original request, thereby overloading the server’s capacity.

Reflected amplification weapons include:

  • Memcached
  • Network Time Protocol (NTP)
  • DNS resolvers
  • Simple Service Discovery Protocol (SSDP)
  • Connection-less Lightweight Directory Access Protocol (CLDAP)
  • Simple Network Management Protocol (SNMP)

In our report, we analyzed how many times each reflected amplification weapon was used in a DDoS attack. Our results revealed that NTP-based weapons are by far the most common, followed by DNS resolver-based and SSDP-based weapons:


Top Tracked DDoS Weapons by Size

But where are all these weapons coming from? According to our research, wherever there’s a dense internet-connected population, there will also be DDoS weapons being hosted.

Knowing this, it makes sense that China and the U.S. host the largest number of weapons, with 4,374,660 and 3,010,039 weapons respectively. Italy takes third place, followed by Russia, the Republic of Korea, Germany and India:


China and the U.S. host the largest number of DDoS weapons

For those weapons to stay online, they need a network to connect to. That’s where ASNs come in: ASNs are collections of IP addresses that are controlled by a single operator, usually a company or organization. Unfortunately, some of those operators allow DDoS weapons to remain connected.

Knowing that most DDoS weapons originate from China, it’s not surprising that two of the three ASNs which host the most DDoS weapons are Chinese. The top two are China Unicom and China Telecom, with Italian company TIM coming in third.


ASNs which host the most DDoS weapons are Chinese

However, the origins of DDoS weapons don’t perfectly align with the countries being attacked. According to Rapid7 Labs’ 2018 National Exposure Index, the top five countries most vulnerable to internet-based attacks are the United States, China, Canada, The Republic of Korea and the United Kingdom.


Rapid7 Labs' 2018 National Exposure Index

How DDoS Weapons Are Used to Attack

Before launching a DDoS attack, attackers first have to do some research, whether they’re searching for specific targets or looking for potential bots they can add to their pool before being sold to the highest bidder.

When performing reconnaissance, attackers search for certain types of ports much more frequently than others.

When looking for IoT ports, the most-searched TCP ports are numbers 445, 23, 80, 8080, 5555, 2323 and 81.


Top iOT Port Searches

When searching for reflectors, the most-searched UDP ports are numbers 5060, 123, 137, 1900, 53, 161 and 389.


Top Reflector Searches

In terms of the attacks themselves, it turns out that the biggest ones are all amplified reflection attacks.

With these types of attacks, attackers send large amounts of small requests to exposed servers, with each request bearing the victim’s spoofed IP address. As a result, the exposed servers send requests back to the victim, which can quickly overwhelm the victim’s server.

In our report, we learned that amplified reflection weapons tend to be leveraged against targets in particular countries.

The United States was the country most frequently targeted by DNS resolver-based, NTP-based and CLDAP-based weapons:


DNS resolver-based, NTP-based and CLDAP-based weapons

Meanwhile, the Republic of Korea is most frequently attacked with SNMP-based weapons, and China is attacked with SSDP-based weapons more than any other country:


attacked with SNMP-based and SSDP-based weapons

When we look at the big picture painted by the report’s findings, it’s plain to see that it’s absolutely essential for organizations to protect themselves in a few key areas.

In 2019, organizations must take extra care to defend their NTP, TCP ports and UDP ports, while keeping in mind that amplified reflection attacks often prove to be the largest and most devastating.

To learn more about the DDoS weapons that attackers are leveraging today, download our latest The State of DDoS Weapons report now.

Learn more about A10’s DDoS protection solutions.


Ahmad Nassiri
February 19, 2019

About Ahmad Nassiri

Ahmad Nassiri is the Security Solutions Architect for A10 Networks' eastern region. Mr. Nassiri is responsible for supporting pre-sales efforts of A10 Networks' security solutions portfolio. Mr. Nassiri is also focused on providing visibility to market, trends and developments within the security field to help A10 Networks expand its security solutions offering. Before joining A10 Networks, Mr. Nassiri was a Systems Engineer at Arbor Networks, focusing on network security and monitoring solutions for global networks. In this role, Mr. Nassiri assisted with the pre- and post-sales engineering support to Arbor's Service Provider-focused account teams. Mr. Nassiri has also held Sales/Systems Security Engineering roles with Verisign's Network Intelligence and Availability (NIA) division. During his tenure, he was focused on security intelligence, cloud-based DDoS protection, and Managed DNS services. Earlier, Mr. Nassiri held numerous security and engineering roles with BT Global Services. Mr. Nassiri holds a Bachelor of Science in Information Technology degree from the University of Massachusetts in Lowell. READ MORE


2022 DDoS Attack Report

Learn about latest developments in the world of DDoS that can help you improve your security posture and protect your resources against devastating DDoS attacks.

Get the Free Report 2022 DDoS Attack Report