In 2019, 7% of recidivists were responsible for 78% of DDoS attacks. Obviously, recidivists are too menacing to overlook. Groups of DDoS recidivists often work together to launch attacks; such groups are collectively referred to as an "IP gang". In 2019, a total of 60 DDoS gangs were detected, 15 of which contained more than 1000 attack sources. The largest gang consisted of a formidable 88,000 attack sources, and on average 35,000 of its attack sources remained active every month. Therefore, we should stay vigilant about gang behavior and about the gangs themselves. In this section, we profile and analyze the major attack gangs.
Largest Gang by the Number of Attack Sources
In 2019, the gang with the most attack sources was also the most active one. This gang had 88,000 recidivists, and the composition of its attack source devices is distinctive: according to asset intelligence from NTI, 31% of the devices in this gang (28,000) were IoT devices, 64% of which were routers, and 94% of those routers were MikroTik products. This gang was active throughout the year, using 35,000 attack sources to hit 83 targets on average each month.
Figure 5-10 shows the monthly trend in the number of attack sources and attack targets of this gang. On average, 350,000 active attack sources launched attacks against 83 targets each month. The number of attack sources in this gang fluctuated from month to month because some members left (possibly because the system owner removed the malware and patched the vulnerability the attack controller had exploited to compromise the system) while new members joined the gang (newly infected systems became part of the botnet).
Figure 5-11 shows the activity distribution of the largest gang. The x-axis indicates the date (by day) and the y-axis indicates the IP addresses of attack targets. A red spot indicates that this gang hit an IP address on a specific date, and the size of the spot represents the number of attack source IP addresses involved. The denser and larger the red spots, the more active the gang, that is, the more frequently it performed DDoS attacks in a coordinated way. From the figure, it can be seen that this gang stayed active throughout the year. Up to 11,300 attack sources in the gang hit one target on the same day, a single-day record high in 2019.
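As an added example (not code from the report), the following Python script reproduces the kind of analysis described above on constructed attack records: sources that hit the same target on the same day are linked into one gang, monthly membership churn (members joined and left) is computed for that gang, and the largest number of distinct sources on one target in one day, the biggest "red spot" in Figure 5-11, is found. The record format and the sample IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (day, attack source, target); not real data.
RECORDS = [
    (date(2019, 1, 5), "10.0.0.1", "203.0.113.7"),
    (date(2019, 1, 5), "10.0.0.2", "203.0.113.7"),
    (date(2019, 1, 5), "10.0.0.3", "203.0.113.7"),
    (date(2019, 2, 2), "10.0.0.1", "203.0.113.7"),
    (date(2019, 2, 2), "10.0.0.2", "203.0.113.7"),
    (date(2019, 2, 2), "10.0.0.4", "203.0.113.7"),
    (date(2019, 2, 2), "10.0.0.5", "203.0.113.7"),
    (date(2019, 2, 14), "10.0.0.9", "198.51.100.3"),  # lone source, not a gang
]

def events(records):
    """Group sources by (day, target): each key is one coordinated attack event."""
    by_event = defaultdict(set)
    for day, src, dst in records:
        by_event[(day, dst)].add(src)
    return by_event

def gangs(records):
    """Merge sources that hit the same target on the same day into one gang."""
    groups = []  # disjoint sets of attack sources
    for srcs in events(records).values():
        merged, rest = set(srcs), []
        for g in groups:
            if g & merged:
                merged |= g  # this event links an existing gang to these sources
            else:
                rest.append(g)
        groups = rest + [merged]
    return sorted((sorted(g) for g in groups), key=len, reverse=True)

def monthly_churn(records, members):
    """Per month: (active members, newly seen members, members that dropped out)."""
    active = defaultdict(set)
    for day, src, _ in records:
        if src in members:
            active[(day.year, day.month)].add(src)
    out, prev = {}, set()
    for ym in sorted(active):
        out[ym] = (len(active[ym]), len(active[ym] - prev), len(prev - active[ym]))
        prev = active[ym]
    return out

def peak_event(records):
    """(source count, day, target) of the biggest single-day hit on one target."""
    return max((len(s), d, t) for (d, t), s in events(records).items())
```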
According to asset intelligence from NTI, IoT devices accounted for 31% of attack sources. Of these IoT devices, 64% were routers, and 94% of those routers were MikroTik products. In recent years, two vulnerabilities, CVE-2018-14847 and CVE-2019-3924, have been disclosed for MikroTik devices. IoT devices are increasingly becoming the favored zombies of attackers because they always stay connected, contain vulnerabilities that cannot be fixed quickly, and are easy to break into and control.