DDoS Attacks Against Global Service Providers On The Rise: Report
F5 Labs: 77% of all recorded service provider security incidents in 2019 related to DDoS
Distributed denial-of-service (DDoS) attacks on service providers are significantly on the rise, according to new research from F5 Labs.
An analysis of global customer security incident data from the past three years – both mobile and landline – also found that brute force attacks, though still prevalent, are on the wane.
Other prominent observed threats include compromised devices and web injection attacks.
“In general, service providers have made important strides to defend their networks, but there is still room for improvement. This is particularly true when it comes to detecting attacks early without compromising an ability to scale and meet customer demands,” said Malcolm Heath, Senior Threat Research Evangelist, F5 Labs.
DDoS attacks were by far the biggest threat to service providers between 2017 and 2019, accounting for 49% of all reported incidents during this period.
There was a big jump in 2019, with attacks rising to 77% of all incidents – up from just 25% in 2017.
Denial of service attacks in the service provider space tend to be customer-facing (such as DNS) or focused on applications that allow users to, for example, view bills or monitor usage.
Most attacks were sourced from within the service provider’s subscription base. Many of these, particularly in the case of DNS-related incidents, will leverage service provider resources to attack others.
F5 Labs found that most reported incidents focused on DNS DDoS such as reflection and water torture attacks.
Reflection attacks use service provider-hosted resources (such as DNS and NTP) to reflect spoofed traffic so that responses from the leveraged service end up going to the target, not to the initiator.
DNS “Water Torture” is a form of reflection attack that uses intentionally incorrect queries to generate increased load on the target’s DNS servers. However, requests still go through the service provider’s local DNS servers, generating increased load strains, and occasionally rise to the level of Denial of Service.
The first indication of attack is usually an increase in network traffic discovered by a service provider’s operations team. Other red flags include customer complaints, such as slow network service or non-responsive DNS servers.
“The ability to quickly compare the characteristics of normal, expected network traffic with deviations during attack conditions is of critical importance,” explained Heath.
“It is also crucial to quickly enable in-depth logging for network services like DNS in order to identify unusual queries.”
Authentication attacks significant but waning
Brute force attacks, which involve trying massive numbers of usernames and passwords against an authentication endpoint – were the second most reported incident.
Attackers often use credentials obtained from other breaches, which are then used to target services via a tactic known as “credential stuffing”. Other forms of brute force attacks simply use common lists of default credential pairs (i.e. admin/admin), commonly used passwords, or randomly generated password strings.
F5 Labs observed a marked downturn in brute force attacks, from 72% of all incidents in 2017 to just 20% in 2019. There was, however, an uptick in attacks on service providers focusing on the financial vertical.
F5 Labs noted that the first indications of these types of attack are usually customer complaints related to account lockout rather than any sort of automated detection.
“Early detection is once again key,” said Heath.
“An increase in failed login attempts over a short period of time, compared to normal activity levels, should be flagged and immediately actioned. It is also important to initiate the widespread use of multi-factor authentication to keep persistent attackers at bay.”
Compromised devices, web attacks and IoT Bots
Other notable attacks recorded by F5 Labs included compromised devices within service provider infrastructure, which accounted for 8% of incidents in 2018. These were usually detected due to increased outbound traffic as the compromised devices were used to launch denial of service attacks.
F5 Labs also reported that general web attacks accounted for 8% of all incidents in 2019, with injections dominating as a specific tactic. The attacks try to leverage bugs in web application code to prompt command execution. In the case of an SQL injection, attempts are made to execute commands on back-end database servers, often leading to data exfiltration. Such attacks are usually caught by WAF technologies or via alerts triggered from web server logs.
On the Internet of Things (IoT) front, the influence of a bot named Annie, a fast-following variant of Mirai, continued to wield an influence.
First discovered in 2016, the bot targeted the custom protocols TR-069 and TR-064 used by ISPs to remotely manage large fleets of routers over port 7547.
Although the threat actor that created Annie admitted to not using the bot in December 2016, the targeting of port 7547 is still prevalent and continues to intensify in 2019. Attacker interest in the Mikrotik remote management port 8291 has also exponentially increased over the past six months.
According to F5 Labs, ports 7547 and 8291 were the top targeted ports in the Middle East and Latin America in the 4th quarter of 2019, which indicates variable use of these ports from region to region.
“ISPs in Europe surely learned from the news of Annie years ago, and attackers focus their efforts where there are gains to be had. ISPs in Middle East and Latin America likely to still have some work to do,” added Heath.