DDoS Attack Vectors Live or Die
Truth or Lie?
Dozens of known attack vectors ranging from obscure or little-used protocols (Citrix-ICA) to very common and vastly used protocols (DNS and NTP) give DDoS attackers a smorgasbord of available vectors to choose from. Some of these vectors are relatively new, such as ARMS, COAP, and WS-DD (as noted in our 1H 2019 Threat Report). Others, such as OpenVPN and RMCP/IPMI, witnessed a revival in usage, as adversaries discovered new ways to weaponize them. Part of NETSCOUTs ongoing effort to provide visibility into the DDoS threat landscape involves finding and identifying the devices that attackers may leverage for DDoS attacks. Our research yielded interesting, but somewhat contradictory findings. This blog focuses on only two of the 28+ UDP Amplification/Reflection vectors we track but look for more detailed analysis of the attack vectors in the fourth issue of our Threat Intelligence Report, out in February.
- While the number of devices available for some attack vectors diminish over time, others continue to grow month over month.
- Attackers generally leverage a small percentage of available reflectors/amplifiers for attacks.
- Even using such a relatively small population of available reflectors, attackers are still able to launch attacks in the 100 to 400 Gbps range.
The two UDP Amplification/Reflection vectors examined for this short study are Constrained Application Protocol (COAP) (version 1 and 2) and Ubiquiti Discovery Protocol (a protocol often used by networking devices such as Ubiquiti brand wireless access points, routers, switches, and firewalls). COAP is a simple UDP protocol intended for low-power computers on unreliable networks, such as IoT or mobile devices. Both of these attack vectors appear frequently in the wild as part of attacks against customers protected by NETSCOUT products, which prompted us to research the vectors themselves and identify known reflectors/amplifiers that an attacker can use.
To perform this research, we use a high-powered scanner as part of a research initiative to ferret out vulnerable devices, protocols, and applications. Scans conducted on December 31st, 2019 revealed the following:
- ~616k - Devices vulnerable to abuse for COAP Version 1
- ~689k - Devices vulnerable to abuse for COAP Version 2
- ~166k - Devices vulnerable to abuse for Ubiquiti Discovery Protocol
These numbers might seem negligible compared to the sheer number of IoT and other devices available on the internet. However, further analysis revealed that attackers utilize an even smaller percentage of the available devices for attacks:
- The largest attack we observed for COAP Version 1 used ~2,800 (0.46%) of the available 616k+ devices
- The largest attack we observed for COAP Version 2 used ~2,900 (0.42%) of the available 689k+ devices
- The largest attack we observed in ATLAS was 148.93 Gbps for both COAP versions in the second half of 2019.*
- The largest attack we observed for Ubiquiti used 24.57% of available devices
- The largest attack we observed in ATLAS was 348.91 Gbps in the second half of 2019.*
* NOTE: The largest attack size information obtained through our ATLAS data often overlaps with our scanner data, but correlation is not an exact science and rather an approximation. For example, .46% and .42% utilization of available devices for COAP is an approximation and may vary in the attack that achieved 148 Gbps size.
This discovery led to other interesting conclusions but ultimately, we wanted to figure out whether attack vectors followed a predictable life cycle. After all, the above percentages are inherently dependent on the availability of devices. Looking back at all available scan data, we see a startling discovery about the nature of availability for these attack vectors (Figure 1).
Comparing these two vectors side by side, it is apparent that while some vectors ultimately continue to dwindle in number, others, such as COAP, see a steady increase despite a precipitous drop in late June of 2019, likely a result of refining our scan methods. This discovery required a little backtracking to look at the vectors themselves to understand this trend. COAP protocol exists within IoT and mobile devices, which increases at drastic rates, while Ubiquiti is a protocol in network devices, which often have some form of administration interface, or users that understand devices sufficiently to apply some modicum of patching or updates, thus removing the vulnerable vector.
Though it isn’t as drastic a decline as we’d hoped, it is encouraging that some of the vectors do have a visible shelf life in sight. However, protocols that leverage the ever-growing IoT “gold rush” thrive in spite of researchers exposing the vulnerability and calling for security of the devices. COAP is just one of many attack vectors to exhibit this behavior and drives home the crucial need for more scrutiny of IoT devices and the manufacturers’ default security of IoT devices.
Stay tuned for NETSCOUT's 4th semi-annual Threat Intelligence Report, featuring the 15th Annual Worldwide Infrastructure Security Report, set to go live later this month. You may also sign up for a webinar covering the report here.