DDoS Vector Discovery and Attack Enablers
Increasingly, adversaries are creating their own and/or abusing different types of infrastructure as platforms to conduct reconnaissance and launch attacks. The following analysis highlights how some of that abusable infrastructure is leveraged in attacks and how adversaries discover new DDoS attack vectors and methodologies.
Dissecting Adversary Attack Generators
Threat actors are now relying more on DDoS-capable botnets, Tor nodes, and open proxy servers to generate and obfuscate the actual sources of direct-path DDoS attacks. As a result of the great rebalancing described in our 2H 2022 DDoS Threat Intelligence Report, we have seen a renewed emphasis on direct-path attacks and a transition away from a nearly decade-long stint of reflection/amplification preeminence.
Attacks Targeting ISPs 1H 2023
Although reflection/amplification attacks remain the primary DDoS attack methodology used to target service provider properties and infrastructure, botnets, open proxies, and Tor nodes are employed primarily in attacks directed toward enterprises and other types of endpoint networks.
All three types of attack sources display disproportionately high rates of activity in security events targeting institutions of higher education and data-hosting services. The Y-axis in the figure below represents the percentage above observed baselines (proxies, Tor nodes, and botnet nodes) in comparison to other types of hosts. DDoS botnets are frequently used in attacks targeting state and local governments, whereas open proxies have seen disproportionate use in attacks against federal/national governments. Proxy use against federal/national governments is notable because proxies are a favorite tool of ideologically motivated adversaries such as Killnet for launching application-layer DDoS attacks against web servers and online portals.
A Vector is Born
Like defense in traditional warfare, the protection of digital assets during cyberwarfare is significantly enhanced by early warnings combined with top-notch visibility. NETSCOUT’s unmatched ability to observe emerging DDoS vectors is of the utmost importance in safeguarding global networks. This level of visibility allows us to identify adversary attempts to exploit abusable hosts and services to launch DDoS attacks.
In mid-2019, NETSCOUT received notification of significant DDoS attack traffic sourced from User Datagram Protocol (UDP)/3283, a previously unused and unknown attack vector. ASERT researchers immediately began reverse-engineering the attack. Within four days, NETSCOUT had successfully replicated this never-before-seen reflection/amplification DDoS attack, which leveraged unpatched systems running ARMS. Our testing revealed a substantial amplification ratio of 35.5:1.
NETSCOUT then created surgical deny lists of abused ARMS reflectors/amplifiers, published customer and public advisories on mitigating this new DDoS attack vector, and worked with the vendor on mitigation/remediation recommendations. At discovery, there were a total of 54,000 abusable nodes on the public internet; today that number is ~6,000, thanks in part to NETSCOUT visibility, remediation guidance to network operators, education efforts, and patching by Apple. This early identification of a new DDoS vector allowed us to publish mitigation recommendations before adversary activity became commonplace in early 2020.
TP240 Phone Home Reflection/Amplification
But this was not just lightning in a jar. Beginning in January 2022, NETSCOUT observed probes targeting services running on UDP/10074. Concurrently, NETSCOUT, via partnerships with global network operators, vendors, and research teams, began investigations into a potential new DDoS attack vector dubbed TP240 Phone Home. ASERT discovered that this vector had an astonishing potential amplification ratio of 4,294,967,296:1—capable of generating more than 53 million packets per second. NETSCOUT initially identified more than 5,000 abusable nodes on the public internet. Today that number is fewer than ~2,800, due in part to NETSCOUT’s visibility, remediation, and public education efforts.
Most recently, NETSCOUT witnessed the emergence of a new vector with the greatest lead time yet. We discovered the activity in 1H 2023, but after investigating traffic in our global honeypot network, we found that adversaries had started probing UDP/427 in September of 2022. These early probes originated from a security researcher looking into vulnerabilities in the SLP protocol. In April of 2023, ASERT characterized and provided mitigation recommendations and surgical deny lists for this new DDoS attack vector, which is capable of amplifying traffic at a ratio of 2200:1 with proper priming. At discovery, NETSCOUT identified more than 40,000 abusable reflectors/amplifiers on the public internet. Today, that number is ~38,000 and declining. NETSCOUT mitigation and remediation guidance has minimized this vector's effectiveness, ensuring customers are proactively protected against SLP reflection/amplification attacks.
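The three vectors above (ARMS on UDP/3283, TP240 Phone Home on UDP/10074, SLP on UDP/427) were each characterized by measuring the amplification ratio, the bytes a reflector sends back per byte of request, and then mitigated with surgical deny lists of the specific reflectors being abused. The following script is an added example of that defender-side triage, written for this page and not NETSCOUT's or ASERT's own tooling. It takes flow records as a network operator might export them, computes the response/request ratio per (server, UDP port), and emits a deny list of reflectors that exceed a threshold, also flagging known vector ports that answered with no request in view (the signature of spoofed requests). The flow records, the 10:1 flagging threshold, and the rule that ports at or above 32768 are ephemeral client ports are all constructed assumptions for the example.

```python
"""Flow-based reflector triage: score UDP services by observed amplification and
emit a surgical deny list of abused reflectors (added example, not NETSCOUT code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports the report names as reflection/amplification vectors.
KNOWN_VECTOR_PORTS = {3283: "ARMS", 10074: "TP240 Phone Home", 427: "SLP"}
EPHEMERAL_MIN = 32768     # assumed: client-side ports at or above this are ephemeral
MIN_AMPLIFICATION = 10.0  # assumed threshold for flagging a service as abused


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    # SLP reflector: one 64-byte request, 140,800 bytes of responses (2200:1)
    Flow("203.0.113.10", 40001, "198.51.100.5", 427, "udp", 1, 64),
    Flow("198.51.100.5", 427, "203.0.113.10", 40001, "udp", 96, 140800),
    # ARMS reflector: 200-byte request, 7,100 bytes of responses (35.5:1)
    Flow("203.0.113.10", 40002, "198.51.100.6", 3283, "udp", 1, 200),
    Flow("198.51.100.6", 3283, "203.0.113.10", 40002, "udp", 5, 7100),
    # TP240 reflector: responses arrive with no request visible at this vantage
    Flow("198.51.100.7", 10074, "203.0.113.10", 40003, "udp", 400, 500000),
    # Benign lookup with a small answer: stays below the threshold
    Flow("203.0.113.10", 40004, "192.0.2.53", 53, "udp", 1, 60),
    Flow("192.0.2.53", 53, "203.0.113.10", 40004, "udp", 1, 120),
    # TCP is ignored by the UDP-only classifier
    Flow("203.0.113.10", 40005, "192.0.2.80", 80, "tcp", 10, 5000),
]


def classify(flow: Flow) -> Optional[Tuple[str, str, int]]:
    """Return ("request"|"response", server_ip, service_port) for a UDP flow,
    treating the non-ephemeral endpoint as the service side; None if ambiguous."""
    if flow.proto != "udp":
        return None
    src_svc = flow.src_port < EPHEMERAL_MIN
    dst_svc = flow.dst_port < EPHEMERAL_MIN
    if dst_svc and not src_svc:
        return ("request", flow.dst_ip, flow.dst_port)
    if src_svc and not dst_svc:
        return ("response", flow.src_ip, flow.src_port)
    return None  # both or neither endpoint looks like a service port


def amplification_by_service(flows: List[Flow]) -> Dict[Tuple[str, int], dict]:
    """Aggregate bytes per (server_ip, port) and compute the response/request ratio.
    ratio is None when responses were seen without any observed request."""
    agg = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "resp_packets": 0})
    for f in flows:
        c = classify(f)
        if c is None:
            continue
        kind, ip, port = c
        entry = agg[(ip, port)]
        if kind == "request":
            entry["req_bytes"] += f.octets
        else:
            entry["resp_bytes"] += f.octets
            entry["resp_packets"] += f.packets
    for entry in agg.values():
        entry["ratio"] = (entry["resp_bytes"] / entry["req_bytes"]
                          if entry["req_bytes"] else None)
    return dict(agg)


@dataclass(frozen=True)
class DenyEntry:
    ip: str
    port: int
    label: str
    reason: str
    resp_bytes: int


def build_deny_list(flows: List[Flow], min_ratio: float = MIN_AMPLIFICATION) -> List[DenyEntry]:
    """Surgical deny list: (ip, port) pairs whose amplification meets the threshold, plus
    known vector ports that answered with no request in view (likely spoofed requests).
    Sorted by response volume so the heaviest reflectors come first."""
    entries = []
    for (ip, port), s in amplification_by_service(flows).items():
        label = KNOWN_VECTOR_PORTS.get(port, "unknown service")
        if s["ratio"] is not None and s["ratio"] >= min_ratio:
            reason = f"amplification {s['ratio']:.1f}:1"
        elif s["ratio"] is None and port in KNOWN_VECTOR_PORTS and s["resp_bytes"] > 0:
            reason = "unsolicited responses on known vector port"
        else:
            continue
        entries.append(DenyEntry(ip, port, label, reason, s["resp_bytes"]))
    return sorted(entries, key=lambda e: e.resp_bytes, reverse=True)


if __name__ == "__main__":
    for e in build_deny_list(SAMPLE_FLOWS):
        print(f"deny udp {e.ip}:{e.port}  # {e.label}: {e.reason}")
```

The deny list is keyed on (reflector, port) rather than on the port alone, which is what makes it surgical: legitimate SLP or ARMS traffic from hosts that are not being abused is untouched. The "unsolicited responses" branch matters in practice because a victim-side or transit vantage never sees the spoofed requests, so a ratio cannot be computed there and known vector ports must be flagged on response volume alone.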