The risk posed by the weaponisation of Internet infrastructure for DDoS attack generation will be a hot topic for ISPs once again in 2020.

Techniques such as reflection/amplification have been used by attackers to launch huge DDoS attacks for over a decade.

Attackers are using new protocols and infrastructure, both to circumvent defences and replace capabilities that have been lost to them (due to clean-up/patching/better network design).

Understanding the populations of devices across the Internet that can be used to launch attacks, the clean-up rate when attack vectors are identified, and the exploitation of new/additional protocols are all key to modelling the risk these threats pose in different regions.

The number of connected devices is increasing very quickly, driven by the proliferation of IoT (Internet of Things), the continuing growth and availability of fixed broadband services across all geographies, and the rapid expansion of 4G and 5G mobile infrastructure.

The conditions are favourable for threat actors to use this environment and “weaponise” vulnerable devices by either making them part of botnets and/or using them as DDoS reflectors. And, there are other factors that will make matters worse moving forward:

• Scanning of the internet by threat actors to detect and recruit vulnerable devices has been constantly increasing in the past few years and the trend will continue
• In many instances, it takes only up to five minutes to detect and compromise a new device connecting to the internet
• Millions of IoT devices are connected daily with a very high percentage of those devices lacking security protection and others having obsolete software with security vulnerabilities
• A high number of network end points, including Small Office Home Office (SOHO) routers, voice-over-IP phones, IoT (CCTV cameras, DVRs), laptops and other connected user devices are not periodically patched and secured.

When looking at the weaponisation of the Internet infrastructure it is common to observe that after a very large and well publicised attack, many organisations tend to react and take appropriate measures such as software patching vulnerable devices, applying well established Best Common Practices (BCPs), and deploying Intelligent Detection and Mitigation Systems (IDMS), among other strategies.

Although these measures do help to mitigate the scale and impact of some of the most well-known and largest attacks (i.e. Memcached, Mirai, DYN, etc.) in the immediate aftermath, it is also true that other factors play a role. The dynamics surrounding this issue can be summarised as follows:

• The number of devices available across the connected world for a specific attack vector do not always decrease significantly even after the vulnerability has been detected and publicised
• This is in part because it takes time for security organisations within the ISPs and hosting providers to patch and/or shut down compromised devices. There are millions of new devices being connected to the internet on a daily basis, many of which are vulnerable and will be compromised almost immediately
• Threat actors are continuously looking for new protocols and devices that can utilised

The fact that many of these vulnerable connected devices are home based IoT or CPE devices installed and operated by people without any security background makes the task of decreasing the size of botnets or reflectors even more daunting.

As in previous years, we will most likely continue to observe the adoption of new protocols as part of campaigns to launch large volumetric reflection/amplification DDoS attacks.

By our own research, we have seen the increase of these protocols by a factor of two in the last couple of years and are very certain that this trend will continue in 2020.

As in the previous considerations, the explosion in the number of new connected devices and the introduction of new transport technologies and protocols will be the main contributing factor in this dynamic.

It is paramount that all the stakeholders in the internet community; ISPs, network suppliers, manufacturers of connected devices, integrators, cloud providers, government entities, enterprises, cybersecurity industry, and others take ownership in a collaborative effort to confront the reality of a “weaponised” internet to make it a better place for everyone.

Darren Anstee is CTO, SBO International at NETSCOUT.