Two different types of massive security threats -- IoT-powered botnets and reflection amplification attacks -- will likely be combined in the near future to create crippling multi-terabit DDoS attacks, a key security vendor is warning.
In releasing its 12th annual Worldwide Infrastructure Security Report (WISR), the Arbor Networks unit of NetScout Systems Inc. (Nasdaq: NTCT) pointed to new capabilities of the Mirai software code that famously enabled millions of Internet of Things devices to be used in last fall's attack on the Dyn DNS infrastructure, which crippled many major US-based Internet sites. Recent variants of the Mirai software include the capability to spoof source addresses, says Gary Sockrider, Arbor principal security technologist, and that creates the ability to combine IoT-based botnets with reflection amplification attacks. (See Arbor Report Shows Size, Complexity of Network Attacks Exploding.)
"So now you take the massive number -- billions of IoT devices out there, which have this incredible capacity to deliver large-scale attacks, and add on top of that an emerging reflection amplification ability," he tells Light Reading in an interview. "Independently, either one of those two was generating the biggest attacks we've ever seen. It's only a matter of time before we start seeing the two combined for even bigger attacks, and you could easily generate multi-terabit attacks with those types of techniques. We haven't seen it happen live yet, but I think it's inevitable."
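The combination Sockrider describes works because a reflection amplification attack sends small requests with a spoofed source address (the victim's) to open UDP services, whose much larger responses land on the victim. From the defender's side, that traffic has a recognizable shape in flow data: responses from a well-known service port, arriving from many distinct hosts, with no matching requests ever having left the protected network. The following is an added illustration written for this article, not code from Arbor or NetScout; the flow records, the protected prefix 203.0.113.0/24, the reflector addresses in 192.0.2.0/24 and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by service port.
# The port-to-service mapping is well known; the thresholds further down
# are assumptions chosen for this example, not Arbor's numbers.
AMPLIFIER_SERVICES = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen", 11211: "memcached"}

# Assumed prefix of the network we are defending (RFC 5737 documentation range).
PROTECTED = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, byte_count).
# Five external hosts each answer from NTP port 123 to one internal address that
# never sent them anything: the reflection pattern. The other rows are benign.
SAMPLE_FLOWS = [
    ("192.0.2.1", 123, "203.0.113.5", 53211, "udp", 4000),
    ("192.0.2.2", 123, "203.0.113.5", 53211, "udp", 4000),
    ("192.0.2.3", 123, "203.0.113.5", 53211, "udp", 4000),
    ("192.0.2.4", 123, "203.0.113.5", 53211, "udp", 4000),
    ("192.0.2.5", 123, "203.0.113.5", 53211, "udp", 4000),
    # Legitimate DNS lookup: a request leaves first, one response comes back.
    ("203.0.113.7", 40001, "198.51.100.53", 53, "udp", 80),
    ("198.51.100.53", 53, "203.0.113.7", 40001, "udp", 200),
    # A single unsolicited DNS response: too few sources to call it reflection.
    ("198.51.100.9", 53, "203.0.113.9", 44444, "udp", 500),
    # TCP traffic is ignored by this detector.
    ("198.51.100.20", 443, "203.0.113.5", 50000, "tcp", 90000),
]


def detect_reflection(flows, min_reflectors=3, min_ratio=10.0):
    """Flag (victim, service) pairs that look like reflection amplification.

    An alert needs at least `min_reflectors` distinct external sources replying
    from the same amplifier port, and response bytes at least `min_ratio` times
    the bytes the victim itself sent to that service port (spoofed requests
    never cross our edge, so that figure is normally near zero).
    """
    responses = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    requests = defaultdict(int)

    for src_ip, src_port, dst_ip, dst_port, proto, nbytes in flows:
        if proto != "udp":
            continue
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        inbound = dst in PROTECTED and src not in PROTECTED
        outbound = src in PROTECTED and dst not in PROTECTED
        if inbound and src_port in AMPLIFIER_SERVICES:
            responses[(dst_ip, src_port)]["bytes"] += nbytes
            responses[(dst_ip, src_port)]["reflectors"].add(src_ip)
        elif outbound and dst_port in AMPLIFIER_SERVICES:
            requests[(src_ip, dst_port)] += nbytes

    alerts = []
    for (victim, port), info in responses.items():
        req_bytes = requests.get((victim, port), 0)
        ratio = info["bytes"] / max(req_bytes, 1)
        if len(info["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            alerts.append({
                "victim": victim,
                "service": AMPLIFIER_SERVICES[port],
                "reflectors": len(info["reflectors"]),
                "response_bytes": info["bytes"],
                "request_bytes": req_bytes,
                "ratio": ratio,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed records, the detector raises exactly one alert, for 203.0.113.5 on NTP with five reflectors and 20,000 response bytes against zero request bytes; the ordinary DNS exchange and the lone unsolicited response stay below the thresholds. In a real deployment the same grouping runs over NetFlow or sFlow exports at the provider edge, and the alert is what would trigger rate-limiting or scrubbing for that victim; the spoofing that makes the attack possible in the first place is what source-address validation (BCP 38 ingress filtering) at the originating networks is meant to stop.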
The Arbor WISR combines a survey conducted by the vendor annually with the results from its own deployed security gear, covering roughly one-third of Internet traffic. This year's numbers are truly frightening in showing an expected uptick in scale, complexity, frequency and consequences of distributed denial-of-service (DDoS) attacks, even as it also shows much greater efforts at vigilance and mitigation. The full report can be accessed here.
This year's WISR report was dominated by the massive -- up to 800 Gbit/s -- attacks largely based on using unsecured IoT devices to launch DDoS attacks. That overshadowed reflection amplification attacks, Sockrider notes. But those are definitely still around and causing problems too. According to Arbor, the largest monitored reflection amplification attack was up to 498 Gbit/s, which is a 97% jump from 2015. A quick look at stats on growth in attack size can be found here.
"Reflection amplification didn't go away," he says. "It was a little bit overshadowed by IoT, but it is still happening at a very high rate. I kinda shudder to think of the combination of the two, but I do think it's going to happen."
Taking a brief break from the relentless bad news, Arbor's research did reveal a better understanding of the damage DDoS attacks can do to company reputation, resources and operations costs and an uptick in focus on best practices for preventing or mitigating attacks. The survey showed 77% of service provider respondents are capable of mitigating attacks in less than 20 minutes and just over half of enterprises are conducting simulated DDoS attacks to test their defenses, with 40% doing so quarterly.
That's a step forward from the past when enterprises too often put network defense in place and assumed the job was done, not paying attention to the need for regular testing, patching and updating.
The reality of DDoS attacks is that they are commonplace, says Sockrider, but most are mitigated. This year's report showed 41% of enterprise, government and education respondents and 61% of data center operators reported attacks exceeding their total Internet capacity, effectively taking their networks down and in some cases, putting them out of business for some period of time.
"Both of those numbers are up for last year, and we are really seeing the impact of these large attacks," he says, adding that while a great many DDoS attacks are under way at any one moment, the majority don't take the target down. "The majority get mitigated either by a service provider or a third-party cloud mitigation service, or even in some cases the network operator or the victim themselves," he says.
The rise in volume and complexity of attacks is likely to continue to increase the ability of attacks to take down targets, Sockrider adds, and that obviously means a greater impact on businesses.
Given the volume of unsecured IoT devices deployed globally, DDoS attacks using those as botnets represent a growing threat that is difficult to mitigate, he admits. In late 2016, Arbor took a snapshot of IoT-based attacks, using a honeypot technique, and saw "over a million log-in attempts from IoT devices, coming from 92,000 unique IP addresses." Sockrider says, "In Asia and South America, in particular, we saw more than one attempt per minute per device."
The takeaway, Sockrider says, is that even if you do patch your device in Asia, a minute later there will be another attempt to crack it.
That doesn't mean there should be any slowdown in efforts to make IoT devices and networks in general more secure, of course. One thing Sockrider stresses is the need to turn off networking features that are considered default "features" but are rarely used, such as the ability to convert wireless printers to web access points. Turning off network connections that are rarely if ever used reduces the number of potential vulnerabilities in the long run, he says.
— Carol Wilson, Editor-at-Large, Light Reading