The Bureau expects cybercriminals to increasingly
abuse new threat vectors for large-scale DDoS attacks
The Federal Bureau of
Investigation (FBI) has issued an alert warning private sector organizations in
the United States about a ramp-up in the use of built-in network protocols for
large-scale distributed denial-of-service (DDoS) amplification attacks.
“A DDoS amplification
attack occurs when an attacker sends a small number of requests to a server and
the server responds with more numerous responses to the victim. Typically, the
attacker spoofs the source Internet Protocol (IP) address to appear as if they
are the victim, resulting in traffic that overwhelms victim resources,” wrote the
FBI. The alert has been posted online, including on the website of the New Jersey
Cybersecurity and Communications Integration Cell (NJCCIC).
The FBI highlights recent
threat vectors and developments, noting that the first DDoS amplification
attacks to abuse these built-in protocols go back to December 2018, when
cybercriminals exploited the multicast and command transmission features of the
Constrained Application Protocol (CoAP). Most of the internet-accessible CoAP
devices are located in China and use peer-to-peer networks.
During the summer of 2019,
attackers took aim at the Web Services Dynamic Discovery (WS-DD) protocol to
launch more than 130 DDoS attacks, some of which reached a magnitude of 350
gigabits per second. Internet of Things (IoT) devices use the WS-DD protocol to
automatically detect other devices nearby, and with some 630,000 devices
having the protocol enabled, they make attractive reflectors for amplifying DDoS
traffic. That same year, researchers also reported a rise in the use of misconfigured
IoT devices in amplified DDoS attacks.
In October 2019, miscreants
abused the Apple Remote Management Service (ARMS), a part of the Apple Remote
Desktop (ARD), to conduct DDoS amplification attacks. This protocol is usually
employed by large organizations to manage their Apple computers.
Making matters worse, in
February 2020 researchers found a vulnerability in the built-in network
discovery protocol of Jenkins servers that allows attackers to amplify DDoS attack traffic
roughly a hundredfold against their victims. There is no record of the flaw being
exploited so far, but the FBI highlighted the resulting increase in the attack
surface.
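The mechanism the FBI quote describes (a small spoofed request, a much larger reply delivered to the victim) and the four services listed above lend themselves to a simple flow-level check. The following Python script is an added example, not code from the FBI alert or from this article: it reads UDP flow records, flags flows whose reply is many times larger than the request to one of the named discovery or management services, attributes them to the spoofed victim address, and separately lists which internal hosts are answering such requests from outside (the devices the firewall advice is meant to shield). The record format, the sample records, the 10x reporting threshold and the port-to-service table are assumptions of the example; the alert itself lists no ports, and the ports used here are the registered defaults for those services.

```python
"""Spotting DDoS amplification in UDP flow records.

Added example, not code from the FBI alert or the article: flags flows in
which a small UDP request to one of the services the alert names produced a
much larger reply, attributes them to the (spoofed) victim address, and lists
which of our own hosts are answering those requests from the internet.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default UDP ports of the services the alert names. The alert does not list
# ports; these are the registered defaults and are an assumption of this example.
AMPLIFIER_PORTS = {
    5683: "CoAP",
    3702: "WS-Discovery",
    3283: "ARMS (Apple Remote Desktop)",
    33848: "Jenkins discovery",
}

# Reply/request size ratio above which a flow is reported. Tuning value chosen
# for this example; legitimate discovery replies rarely exceed it.
AMPLIFICATION_THRESHOLD = 10.0


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    req_bytes: int   # bytes sent client -> server
    resp_bytes: int  # bytes sent server -> client


def parse_flow(line):
    """Parse one record in the constructed format
    'PROTO SRC_IP:SRC_PORT -> DST_IP:DST_PORT REQ_BYTES RESP_BYTES'."""
    proto, src, arrow, dst, req, resp = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(req), int(resp))


def parse_flows(lines):
    return [parse_flow(line) for line in lines if line.strip()]


def amplification_factor(flow):
    """Bytes returned per byte sent. A zero-byte request that still draws a
    reply is treated as unbounded amplification."""
    if flow.req_bytes == 0:
        return float("inf") if flow.resp_bytes else 0.0
    return flow.resp_bytes / flow.req_bytes


def find_amplification(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Map victim IP -> list of (reflector_ip, service, factor).

    In a reflected flow the 'client' address is the spoofed victim: the
    reflector answers whatever the source field claims, so the request source
    is where the amplified traffic lands, not who actually sent it."""
    hits = defaultdict(list)
    for f in flows:
        if f.proto != "udp" or f.dst_port not in AMPLIFIER_PORTS:
            continue
        factor = amplification_factor(f)
        if factor >= threshold:
            hits[f.src_ip].append((f.dst_ip, AMPLIFIER_PORTS[f.dst_port], factor))
    return dict(hits)


def exposed_reflectors(flows, internal_nets):
    """Internal hosts that answered an amplifier-port request from outside the
    given networks, i.e. devices that should be firewalled off from the
    internet. Returns sorted (ip, service) pairs."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    found = set()
    for f in flows:
        if f.proto != "udp" or f.dst_port not in AMPLIFIER_PORTS or f.resp_bytes == 0:
            continue
        if is_internal(f.dst_ip) and not is_internal(f.src_ip):
            found.add((f.dst_ip, AMPLIFIER_PORTS[f.dst_port]))
    return sorted(found)


# Constructed sample records (documentation-range addresses, invented sizes).
SAMPLE_FLOWS = """
udp 203.0.113.10:41234 -> 192.0.2.5:3702 100 3400
udp 203.0.113.10:41235 -> 192.0.2.6:3702 100 3200
udp 203.0.113.10:41236 -> 192.0.2.7:5683 60 900
udp 203.0.113.10:41237 -> 192.0.2.8:33848 12 1150
udp 198.51.100.7:5000 -> 192.0.2.9:3283 40 60
tcp 198.51.100.8:55000 -> 192.0.2.9:443 1500 1200
udp 198.51.100.9:53001 -> 192.0.2.10:53 60 120
""".strip().splitlines()


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim, reflectors in find_amplification(flows).items():
        mean = sum(r[2] for r in reflectors) / len(reflectors)
        print(f"{victim}: {len(reflectors)} reflectors, mean factor {mean:.1f}x")
        for ip, service, factor in reflectors:
            print(f"  {ip:<12} {service:<30} {factor:6.1f}x")
    print("exposed reflectors:", exposed_reflectors(flows, ["192.0.2.0/24"]))
```

Two things the sample makes visible: the ARMS flow to 192.0.2.9 stays below the reporting threshold but still appears in the exposed-reflector list, because a host that answers management probes from the internet is a liability regardless of the ratio in any one flow; and the DNS and TCP records are ignored because this check is scoped to the services the alert names, not to reflection in general.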
“In the near term, cyber
actors likely will exploit the growing number of devices with built-in network
protocols enabled by default to create large-scale botnets capable of
facilitating devastating DDoS attacks,” said the FBI in its private industry notification.
The Bureau also outlined
several steps to defend against the threat:
· Configure a network firewall to block access from
unauthorized IP addresses; for the reflection attacks above, that means in particular not exposing device discovery and remote management services to the internet.
· Ensure all your connected devices are updated to
the newest firmware versions and have the newest security patches applied.
· Change all the default usernames and passwords on
your IoT and other devices and use two-factor authentication.
· Register with a DDoS mitigation service.
DDoS attacks typically
involve flooding a target with traffic from a large number of devices
that have been corralled into a botnet, knocking the victim’s services
offline. In the amplification variant described above the attacker needs far fewer
machines of its own, since every spoofed request is multiplied by the reflector that answers it.
These onslaughts are often unleashed as a way to extort money from the
targets or even as a cover for other attacks. Whatever the motive, DDoS attacks
in any of their flavors are known to cost organizations millions in lost
revenue.