DDoS attackers are pouncing on unpatched vulnerabilities

IoT manufacturers are failing to help prevent DDoS attacks by fixing known vulnerabilities, allowing criminals to launch years-long campaigns.

Unpatched or poorly secured devices, purpose-built to keep costs down, allowed attackers to launch over 27,000 botnet-driven DDoS attacks during March alone. New figures from NetScout reveal that service providers were hit with an average of one attack every two minutes.

Overall, there were around 880 confirmed DDoS attacks per day, peaking on March 10 with more than 1,600 incidents.

The average event lasted about 18 minutes and 24 seconds - slightly longer than in previous months, and much longer than the five-to-fifteen-minute global average for DDoS attacks. This, said the firm, indicates a trend towards smaller, more persistent targeting.

NoName057(16) was behind more than 475 claimed attacks in March, more than three times as many as the next most active group.

The group's particularly involved in politically motivated DDoS campaigns targeting governments, infrastructure and organisations.

"We observed more than 26,000 attack configurations linked to the group’s infrastructure, representing variations in vector combinations, targets, and timing," NetScout said.

"In total, more than 500 IP addresses and more than 575 domains were targeted, indicating a substantial volume of unclaimed activity and sustained command-and-control operations throughout the month."

The most common TCP port combo, NetScout found, was 80 and 443, used in more than 850 attacks. For UDP, 443 and 80 dominated, reflecting a focus on encrypted and web-facing services.

Top attack vector was TCP SYN floods, appearing in more than 5,500 attacks, and accounting for one-in-five of all DDoS events in March. Multi-vector attacks were common, including combinations such as TCP SYN + DNS Flooding and TCP ACK + TCP SYN.

There were a number of sources for these attacks: Mongolia led with more than 2,900 attacks, mainly traced to localized IoT and router infections.

But there were also a number of multi-country combinations, the top one being Germany and the US, which were involved together in more than 600 attacks.

"This pairing likely reflects attacker interest in leveraging reliable infrastructure — such as cloud-hosted resources or enterprise devices — alongside continued abuse of under-secured networks in other regions," said NetScout.

Many of the vulnerabilities exploited are old, public, and well-documented. They include CVE-2017-16894, CVE-2019-17050, and CVE-2021-41714, often seen in bot clusters focused on service-provider infrastructure. Meanwhile, CVE-2021-27162 and related exploits showed up across thousands of events, pointing to broader exploitation campaigns.

"Service providers are still squarely in the crosshairs, and March made that even more obvious," said the firm, advising service providers to be vigilant.

"It’s not just about stopping traffic; it’s about understanding where that traffic is coming from, why it’s happening, and what it could become. March’s activity shows that DDoS attacks are still growing in sophistication and intent."

MORE FROM ITPRO

• Surging DDoS attack rates show no sign of slowing down
• How to recover from a DDoS attack – and what they can teach businesses
• NCA takes down world’s most prolific DDoS-for-hire website