Getty Images
FBI Alerts to Rise in DDoS Attacks Via Exploited Built-In Network Protocols
Hackers are exploiting built-in network protocols to fuel more destructive distributed-denial-of-service (DDoS) cyberattacks using limited resources, according to a recent FBI alert.
The FBI is warning private sector organizations of an increase of threat actors exploiting built-in network protocols to amplify distributed-denial-of-service (DDoS) cyberattacks using limited resources, which can lead to significant disruptions in operations and impact services.
In-network protocols are used to reduce operational overhead of operational systems and other daily system functions. However, cybercriminals are actively exploiting these protocols to make their DDoS much more impactful and destructive on the targeted networks.
“A DDoS amplification attack occurs when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim,” officials explained. “Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources.”
“Cyber actors likely will increasingly abuse built-in network protocols,” they added.
These DDoS attacks were first spotted attacking US networks in December 2018. But in February 2020, researchers identified new built-in network protocol vulnerabilities that significantly increased the enterprise attack surface but have not yet been exploited by hackers.
The open-source evidence points to host-based, mobile, and IoT device protocol exploitation, which could result in amplified attacks on network environments.
In particular, UK researchers found flaws in Jenkins servers, free, open source, automation servers that support the software development process. An amplified DDoS attack on these vulnerable servers could result in 100 times the normal traffic against the online infrastructure of victim organizations across all sectors.
Hackers have also successfully targeted the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, as well as the multicast and command transmission features of the Constrained Application Protocol (CoAP).
Twice in 2019, hackers exploited the Web Services Dynamic Discovery (WS-DD) protocol in more than 130 amplified DDoS attacks and reaching sizes of more than 350 Gbps. A second wave of attacks in 2019 was detected by security researchers, who found threat actors using non-standard protocols and misconfigured IoT devices in amplified DDoS attacks.
“IoT devices are attractive targets because they use the WS-DD protocol to automatically detect new Internet-connected devices nearby,” researchers explained. "WS-DD operates using UDP, which allows actors to spoof a victim’s IP address and results in the victim’s being flooded with data from nearby IoT devices.
“As of August 2019, there were 630,000 internet-accessible IoT devices with the WS-DD protocol enabled,” they added.
The alert is highly relevant to the healthcare sector, given an Ordr report found many IoT devices operate on FDA-recalled platforms or with known vulnerabilities.
FBI shared these insights to support system administrators and security leaders to defend against persistent, malicious activities. Indicators of compromise include unusually slow performance, including opening files and accessing websites, along with access issues with websites or web-based resources.
A defense-in-depth strategy can help organizations strengthen their security posture, FBI explained. However, these policies called for built-in features like ARMS, WS-DD, and CoAp to be disabled, which can reduce the functionality of business productivity and connectivity.
And it’s unlikely device manufacturers will disable these features by default, as it would interfere with user experience, according to the FBI.
Instead, the FBI recommended organizations enroll in a DDoS mitigation service able to detect abnormal traffic flows and redirect traffic from the network. Enterprises should also proactively partner with their local internet service provider to control network traffic actively targeting the enterprise network during an event.
Further, the default credentials should be changed on all network devices, especially IoT devices. If it’s not possible, admins should make sure the device uses a strong password and a second layer of security, like multi-factor authentication or end-to-end encryption.
Network firewalls must be configured to block unauthorized IP addresses, while port forwarding needs to be disabled. Lastly, all network devices need to be up to date, with implemented patches whenever possible.
“Cyber actors’ abuse of built-in network protocols may enable DDoS amplification attacks to be carried out with limited resources and result in significant disruptions and impact on the targets,” FBI officials explained.
“In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” they concluded.