Constrained Application Protocol (CoAP)-based attacks rise…
Approximately 7.7 million new internet-connected devices are coming online everyday, and their typical insecurity means it’s an “eat all you can” buffet for script kiddies and cybercriminals, says cybersecurity firm NETSCOUT.
Insecure IoT devices, from home routers to connected toothbrushes, are typically hit with malware within minutes of coming online, and pulled into botnets that are used to launch distributed denial of service (DDoS) attacks.
The company today pointed to five new DDoS threat vectors in its half year threat intelligence report, even as the high volume attacks seen in 2018 caused by the exploitation of insecure memcached servers have been thwarted by “collective action”.
(“Tried-and-true” Mirai botnet tactics that exploit the use of hard-coded administrative
credentials remain “incredibly effective” the company added).
Positively, there has been an impressive 32 percent decrease in high volume attacks of more than 500 Gbps, thanks to efforts to snuff out memcached attacks, which used the open-source, distributed, object-caching system to amplify denial of service assaults.
DDoS attacks in the “juicy middle” (between 100 Gbps and 400 Gbps) grew by 776 percent in H1 however, NETSCOUT said, adding that wired, telecommunications firms continue to bear the brunt of a rise in DDoS attacks. (See graphic, left).
These are increasingly using novel new DDoS threat vectors. Here are five that NETSCOUT has increasingly seen in 2019.
1: Apple Remote Management Services (ARMS)
“In late June 2019, a new DDoS reflection attack vector using UDP port 3283 was used to attack service providers in Eastern Europe,” the company says.
Its researchers discovered that attackers were taking advantage of a vulnerability in the Apple Remote Desktop (ARD) protocol, in this case the operational management of the protocol running on UDP port 3283. ARD is disabled by default on Apple computers, but when remote sharing is enabled, anyone can send a small UDP packet to the computer and receive a large reply. “By spoofing the source IP address, the attacker can generate a DDoS reflection attack with a respectable 35:1 amplification factor.”
2: Ubiquity Discovery Protocol
Ubiquiti Networks manufactures a variety of networking devices, including wireless access points, routers, switches, and firewalls. In February 2019, researchers reported
new DDoS reflection-type attacks taking advantage of a vulnerability in the discovery protocol used by Ubiquiti devices (UDP port 10001).
“This vulnerability allowed anyone to send a small 56-byte UDP query to the device and receive a large reply, containing a list of all devices discovered. Using a spoofed source IP, this allowed the attacker to launch a DDoS reflection-type attack with an amplification factor of up to 35:1.” Rapid patching by the manufacturer means the number of vulnerable devices on the internet has fallen from 485,000 to 190,000.
3: CoAP (A new Memcached?)
The Constrained Application Protocol (CoAP) is a specialised protocol for IoT devices (sensors, controllers, and the like) but is also included in smartphones for use in home automation. The protocol is in many ways similar to the memcached protocol, offering memory caching to reduce communication and processing overhead.
As NETSCOUT notes: “The CoAP protocol is designed without any security features, assuming that encryption and authentication will be handled by higher layers in the communication stack.” But low power device developers often skip these layers. A rise in insecure CoAP deployments (from 388,000 in January 2019 to 600,000+ in May 2019), has led to attackers using it for DDoS reflection-type attacks in similar fashion as memcached reflection-type attacks, with a reflection factor of 34:1.
4: Web Services Dynamic Discovery (WS-DD)
The Web Services Dynamic Discovery protocol (WS-DD) is designed to locate services on a local network. As NETSCOUT puts it: “Unfortunately, when devices implementing this protocol are connected directly to the internet, they can be used as DDoS reflectors with a reflection ratio of up to 300:1. Small-scale attacks using this attack vector were seen on the internet in May 2019. At that time there were about 65,000 vulnerable devices connected to the internet.”
5: HTML5 Hyperlink Auditing Ping Redirection
“This attack uses a common HTML5 attribute in web sites — the tag ping — tricking any visitor to the web site to send HTML ping packets to the target as long as that user is connected to the site. Attacks seen in April 2019 were of moderate size, resulting in around 7,500 malicious requests per second in one case.”