In February 2020, U.K. security researchers discovered a vulnerability in free, open source automation servers that would allow cybercriminals to amplify a Distributed Denial of Service (DDoS) attack a hundredfold.
For the Federal Bureau of Investigation (FBI), this was the final straw that led to a new warning about "more destructive" DDoS attacks.
FBI warning addresses DDoS amplification attacks
In a recent Private Industry Notification, the FBI warned businesses to watch out for DDoS amplification.
These larger, more destructive DDoS attacks occur when cyberattackers abuse built-in network protocols that answer a small request with a much larger response. The strategy usually requires few resources on the attacking end while the receiving end absorbs a far greater volume of traffic.
The FBI has been tracking these attacks for two years:
- In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34.
- As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks.
- In May and August 2019, cyber actors exploited the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits per second (Gbps), in two separate waves of attack.
- Later in 2019, several security researchers reported an increase in cyber actors' use of non-standard protocols and misconfigured IoT devices to amplify DDoS attacks.
- As of August 2019, there were 630,000 Internet-accessible IoT devices with the WS-DD protocol enabled.
- In October 2019, cyber actors exploited the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to conduct DDoS amplification attacks.
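The amplification factor the FBI cites (34 for CoAP) is simply response bytes divided by request bytes for a given reflector and spoofed target. The script below is an added illustration, not part of the FBI notification or this article: it computes that ratio from constructed flow records and flags (reflector, target) pairs that look like reflection abuse of the three protocols named above. The UDP port numbers (CoAP 5683, WS-DD 3702, ARMS/ARD 3283) are standard assignments, and the thresholds and sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Services named in the FBI notification as abused reflectors, keyed by their
# standard UDP ports (port numbers are an assumption, not taken from the article).
REFLECTOR_PORTS = {5683: "CoAP", 3702: "WS-DD", 3283: "ARMS/ARD"}

# Constructed sample flow records (src_ip src_port dst_ip dst_port bytes), as a
# flow exporter on the network hosting the exposed devices might record them.
# The CoAP pair is built to reproduce the page's amplification factor of 34.
SAMPLE_FLOWS = """\
198.51.100.7 40001 203.0.113.10 5683 21
203.0.113.10 5683 198.51.100.7 40001 714
198.51.100.7 40002 203.0.113.10 5683 21
203.0.113.10 5683 198.51.100.7 40002 714
192.0.2.33 52100 203.0.113.10 5683 21
203.0.113.10 5683 192.0.2.33 52100 40
198.51.100.7 40003 203.0.113.11 3702 120
203.0.113.11 3702 198.51.100.7 40003 3800
203.0.113.12 3283 198.51.100.7 40004 1800
"""

def parse_flows(text):
    """Turn whitespace-separated flow lines into (src, sport, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split()
        flows.append((src, int(sport), dst, int(dport), int(nbytes)))
    return flows

def bytes_by_pair(flows):
    """Sum request and response bytes per (reflector_ip, port, target_ip)."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, nbytes in flows:
        if dport in REFLECTOR_PORTS:      # request arriving at a watched service
            totals[(dst, dport, src)][0] += nbytes
        elif sport in REFLECTOR_PORTS:    # response leaving a watched service
            totals[(src, sport, dst)][1] += nbytes
    return totals

def find_reflection(flows, min_ratio=10.0, min_response_bytes=1000):
    """Flag pairs whose response volume is large and far exceeds the request volume.
    A response with no matching request yields an infinite ratio and is still flagged."""
    alerts = []
    for (reflector, port, target), (req, resp) in bytes_by_pair(flows).items():
        if resp < min_response_bytes:
            continue                      # too little traffic to matter
        ratio = resp / req if req else float("inf")
        if ratio >= min_ratio:
            alerts.append({"reflector": reflector, "service": REFLECTOR_PORTS[port],
                           "target": target, "ratio": ratio})
    return sorted(alerts, key=lambda a: (a["target"], a["reflector"]))

if __name__ == "__main__":
    for a in find_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['service']:8} {a['reflector']} -> {a['target']} x{a['ratio']:.1f}")
```

Run against real flow exports, the same per-pair ratio identifies which of your devices are being used as reflectors and which external address is the spoofed victim, which is the evidence an ISP or law enforcement partner would ask for.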
The February 2020 incident was the straw that finally broke the camel's back.
FBI mitigation strategies for DDoS attacks
The FBI offers several mitigation strategies to protect against the risk of DDoS attacks.
- Enroll in a Denial of Service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.
- Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event. The ISP may retain forensic data necessary for law enforcement investigations.
- Change the default usernames and passwords for all network devices, especially IoT devices. If a device's default username or password cannot be changed, ensure the device(s) providing Internet access to that device have a strong password and a second layer of security, such as multi-factor authentication or end-to-end encryption.
- Configure network firewalls to block unauthorized IP addresses and disable port forwarding.
- Ensure all network devices are up to date and security patches are applied when available.
There are additional considerations in the FBI's Private Industry Notification.