The Bureau expects cybercriminals to increasingly abuse new threat vectors for large-scale DDoS attacks
The Federal Bureau of Investigation (FBI) has issued an alert warning private sector organizations in the United States about a ramp-up in the use of built-in network protocols for large-scale distributed denial-of-service (DDoS) amplification attacks.
“A DDoS amplification attack occurs when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim. Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources,” wrote the FBI. The alert has been posted online, including on the website of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).
The FBI highlights recent threat vectors and developments, noting that the first DDoS amplification attacks to abuse the network protocols go back to December 2018, when cybercriminals exploited the multicast and command transmission features of the Constrained Application Protocol (CoAP). Most of the internet-accessible CoAP devices can be found in China and are using peer-to-peer networks.
During the summer of 2019, attackers took aim at the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, some of which achieved a magnitude of 350 gigabits per second. Internet of Things (IoT) devices use the WS-DD protocol to automatically detect other devices nearby, and since there are 630,000 of them with this protocol enabled, they are attractive targets for attackers looking to amplify DDoS attacks. That same year, researchers also reported a rise in the use of misconfigured IoT devices in amplified DDoS attacks.
In October 2019, miscreants abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD), to conduct DDoS amplification attacks. This protocol is usually employed by large organizations to manage their Apple computers.
Making matters worse, in February 2020 researchers found a vulnerability in the built-in network discovery protocols of Jenkins servers, which could potentially allow attackers to amplify DDoS attack traffic a hundredfold against their victims. There is no record of the flaw being exploited so far, but the FBI highlighted the resulting increase in the attack surface.
“In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” said the FBI in its private industry notification.
The Bureau also outlined several steps to defend against the threat:
- Set up a network firewall that will block access to all unauthorized IP addresses.
- Ensure all your connected devices are updated to the newest firmware versions and have the newest security patches applied.
- Change all the default usernames and passwords on your IoT and other devices and use two-factor authentication.
- Register with a DDoS mitigation service.
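To check whether the firewall step is holding, a defender can look for internal hosts that answer external peers on the protocols named in the alert with far more bytes than they receive. The sketch below is an added example, not part of the FBI alert: the UDP port numbers are the well-known defaults for those protocols (the alert text quoted here does not list them), and the flow tuple layout, internal address ranges, threshold and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default UDP ports of the protocols named in the alert (not listed on the page).
REFLECTOR_PORTS = {5683: "CoAP", 3702: "WS-DD", 3283: "ARMS", 33848: "Jenkins discovery"}
# Assumption: replace with your own address space.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = (
    [("203.0.113.7", 40000, "10.0.5.20", 3702, 100)] * 3      # small requests in
    + [("10.0.5.20", 3702, "203.0.113.7", 40000, 3000)] * 3   # large replies out
    + [("198.51.100.9", 51000, "10.0.5.30", 5683, 60),        # balanced CoAP exchange
       ("10.0.5.30", 5683, "198.51.100.9", 51000, 80),
       ("10.0.5.40", 50000, "10.0.5.20", 3702, 100),          # LAN-only discovery
       ("10.0.5.20", 3702, "10.0.5.40", 50000, 3000)]
)

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def find_reflectors(flows, min_ratio=5.0):
    """Return {(host, protocol): out/in byte ratio} for internal hosts whose
    discovery/management service replies to external peers at >= min_ratio."""
    received = defaultdict(int)   # bytes arriving at (host, service port) from outside
    sent = defaultdict(int)       # bytes leaving (host, service port) to outside
    for src, sport, dst, dport, nbytes in flows:
        if dport in REFLECTOR_PORTS and is_internal(dst) and not is_internal(src):
            received[(dst, dport)] += nbytes
        elif sport in REFLECTOR_PORTS and is_internal(src) and not is_internal(dst):
            sent[(src, sport)] += nbytes
    findings = {}
    for (host, port), out_bytes in sent.items():
        in_bytes = received.get((host, port), 0)
        # Replies with no recorded request are treated as unbounded amplification.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            findings[(host, REFLECTOR_PORTS[port])] = round(ratio, 1)
    return findings

if __name__ == "__main__":
    for (host, proto), ratio in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{host} reachable from outside via {proto}, amplification x{ratio}")
```

Any host this flags is exposing one of these services beyond the firewall and should be blocked at the perimeter or have the protocol disabled.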
DDoS attacks typically involve flooding a target with traffic that came from a large number of devices that have been corralled into a botnet, effectively bringing the victim’s services offline. These onslaughts are often unleashed as a way to extort money from the targets or even as a cover for other attacks. Whatever the motive, DDoS attacks in any of their flavors are known to cost organizations millions in lost revenue.