Skip to main content Skip to search
Blog

The State of DDoS Weapons, Q1 2019

A new version of the State of DDoS Weapons Report has been published. Learn more about the new report here.

(Archived)

A10 Network’s recently released State of DDoS Weapons Report provides unique insights into Distributed Denial of Service (DDoS) attack techniques by tracking and taking inventory of the millions of DDoS weapons in the wild that can be exploited and used to launch attacks.

A10 Network’s recently released State of DDoS Weapons Report provides unique insights into Distributed Denial of Service (DDoS) attack techniques by tracking and taking inventory of the millions of DDoS weapons in the wild that can be exploited to launch attacks. The threat intelligence derived from our research is an invaluable resource that helps A10 Networks and our customers proactively strengthen their defenses.

Why inventory DDoS weapons? Well, while you probably won’t know when your organization might be attacked, why, or who might instigate it, you can have advance notice of where an attack might come from. That’s because the first “D” in DDoS is”Distributed.” Unlike stealthy, obfuscated intrusions, distributed weapon attacks are noisy and commonly observed. The attack weapons are composed of malware infected DDoS-for-hire botnets and exposed servers whose vulnerabilities are exploited to reflect and amplify an attack.

Knowing how to defend against both known and previously unseen attacks is important. But equally important is to know where the attacker’s weapons are actually located. To that end, A10 Networks and our partner DDoS threat researchers analyze forensic data, tap networks, track bot-herder activities, and scan the Internet for weapon signatures. We then create an up-to-date threat inventory that includes millions of IP addresses behind the DDoS weapons. This weaponry roadmap enables defenders to take a proactive stance against attackers by focusing on the location of DDoS weapons and the BGP Autonomous System Number (ASN) that hosts them upstream on the Internet.

Actionable intelligence is made available by leveraging a weaponry inventory and dynamically applying it to create blacklists with millions of entries listing the suspect IPs. This methodology is very effective because it doesn’t matter what kind of attack is sourced from the weapon — If you know in advance based on its location that the weapon has a track record for launching attacks, policies can be developed to proactively block it. The proactive actions thus enabled are especially effective for DDoS defense.

Key DDOS Weapon Observations Q1 2019

  • TFTP reflected amplification weapons creep into top 5 weapon category
  • 414,130 weaponized IoT CoAP reflected amplifier devices identified
  • DDoS weapons swelled in Spain to make it the third highest hosted country
  • Uptick in scanning activity for SQL reflectors over UDP pot 1434

We update the State of DDoS Weapons Report regularly. Download a free copy of the latest report here.

Categories:


Donald Shin
|
January 21, 2019

Don has over 15 years of experience in the Networking and Security industries. Prior to A10, Don work in a variety of roles in R&D, product management, and… Read More