Active Families
- Gafgyt
As one of the largest IoT DDoS families, Gafgyt compromises devices such as routers and cameras through password cracking and exploits; compromised devices then receive C&C commands and launch DDoS attacks.
In 2019, the Gafgyt family continued to be active, mainly targeting North America, Europe, and Australia. The amount of Gafgyt-based malware increased fourfold compared with 2018, and the average daily increase of C&C attacks reached 34.5%. Compared with 2018, the number of DDoS attack directives increased by 175%, most of which were UDP flood attacks targeting ports 80 and 443 for HTTP services and ports 3074, 300000, 30100, and 32000 for gaming services.
C&C servers of the Gafgyt family are mainly deployed on virtual private servers (VPSs). In 2019, the Gafgyt family used servers from more than 90 different VPS providers. According to the statistics, the cheaper a server, the more popular it is with attackers.
Attackers who use Gafgyt keep searching for vulnerabilities in various devices. According to NSFOCUS Security Labs, the exploit payloads targeting the Huawei HG532 router and the ZyXEL P660HN router were the most frequently used. A large number of Gafgyt programs continuously scan routers for vulnerabilities after being executed. Once a vulnerable device is within the scanning scope, it is compromised immediately and becomes a new scanning node. In this way, the number of Gafgyt nodes keeps expanding. This is the biggest headache brought by IoT devices.
Furthermore, Gafgyt also uses other scripts for launching DDoS attacks and executing other commands, so as to make up for the inefficiency of DDoS directives and bypass DDoS protection policies of certain cloud service providers.
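The scanning behaviour described above leaves a recognizable trace in flow logs: a single device suddenly contacts many distinct hosts on the same port. The following sketch is an added example, not code from NSFOCUS or from the report; the flow-record layout, the addresses, and the window and threshold values are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 192.0.2.10 plays a camera that has started scanning; 192.0.2.20 is a normal host.
SAMPLE_FLOWS = (
    [(1000 + i, "192.0.2.10", f"198.51.100.{i}", 23) for i in range(1, 41)]
    + [(1000 + 5 * i, "192.0.2.20", "203.0.113.5", 443) for i in range(40)]
    + [(1010, "192.0.2.20", "203.0.113.9", 53)]
)

def find_scanning_nodes(flows, window=60, min_targets=30):
    """Flag sources that reach many distinct hosts on one port in a short span.

    Returns {(src_ip, dst_port): peak_distinct_destinations} for every source
    that contacted at least `min_targets` distinct hosts on the same port
    within any `window`-second sliding window. Both defaults are assumed
    values and should be tuned against the network's own baseline.
    """
    recent = defaultdict(deque)                     # (src, port) -> (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))  # (src, port) -> dst -> hits in window
    peaks = {}
    for ts, src, dst, port in sorted(flows):
        key = (src, port)
        queue, seen = recent[key], counts[key]
        queue.append((ts, dst))
        seen[dst] += 1
        # Expire flows that have fallen out of the sliding window.
        while queue and queue[0][0] <= ts - window:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) >= min_targets:
            peaks[key] = max(peaks.get(key, 0), len(seen))
    return peaks

if __name__ == "__main__":
    for (src, port), n in find_scanning_nodes(SAMPLE_FLOWS).items():
        print(f"{src} contacted {n} distinct hosts on port {port} within 60s")
```

A device flagged this way is a candidate for isolation and credential reset, since each newly compromised node begins scanning in turn.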
- Mirai
At present, Mirai is one of the biggest IoT DDoS families. In 2019, NSFOCUS Security Labs tracked as many as 1660 C&C addresses, nearly half of which were deployed on cloud/VPS hosts (see the following figure), and captured over 10,000 pieces of malware throughout the year (excluding cross-compiled and repeated types).
In 2019, Mirai variants kept increasing, and the number of exploits they used exceeded 40.
In addition, Mirai variants continuously updated their DDoS attack arsenals so as to be able to launch more diverse attacks such as TCP reset attacks, small UDP packet attacks, abnormal TCP packet attacks, HTTP POST attacks, HTTP GET attacks, and DNS reflection attacks.
Another new characteristic of Mirai variants in 2019 is that Tor was used as a proxy for C&C communication. Before connecting to the C&C server, zombies first connect to the proxy server. They will not connect to the C&C server on the dark web for receiving directives until they receive a message confirming the successful connection.
Looking Forward
Most security experts agree that DDoS attacks are here to stay and are not going away any time soon. As 5G technology becomes more widely available, anyone with a 5G phone can easily launch a DDoS attack greater than 1G of bandwidth. Network security practitioners need to consider adding DDoS protection to the edge network to mitigate 5G-based DDoS attacks.
Gartner analysts project that demand for security-as-a-service, referred to as secure access service edge (SASE), will grow significantly in the next five years, estimating that by 2024, a minimum of 40% of companies will have plans to adopt SASE. You should make plans to beef up security protection for the cloud edge.
Analysis finds that 7% of DDoS recidivists were responsible for 78% of attack events. Network security practitioners should monitor IP chain-gangs and take proactive measures.
With the expected growth of 5G-based DDoS attacks and Gartner's recommendation for SASE, network security practitioners should consider a hybrid DDoS solution as the standard DDoS solution. With a hybrid solution, the on-premises solution allows network administrators to develop security policies to protect the edge network with more granular control and lower latency, while leveraging cloud-based DDoS protection for less frequent but larger-scale attacks.