DDoS Vector Discovery and Attack Enablers

Increasingly, adversaries are creating their own and/or abusing different types of infrastructure as platforms to conduct reconnaissance and launch attacks. The following analysis highlights how some of that abusable infrastructure is leveraged in attacks and how adversaries discover new DDoS attack vectors and methodologies.

Like defense in traditional warfare, the protection of digital assets during cyberwarfare is significantly enhanced by early warnings combined with top-notch visibility. NETSCOUT’s unmatched ability to observe emerging DDoS vectors is of the utmost importance in safeguarding global networks. This level of visibility allows us to identify adversary attempts to exploit abusable hosts and services to launch DDoS attacks.

In mid-2019, NETSCOUT received notification of significant DDoS attack traffic sourced from User Datagram Protocol (UDP)/3283, a previously unused and unknown attack vector. ASERT researchers immediately began reverse-engineering the attack. Within four days, NETSCOUT had successfully replicated this never-before-seen reflection/amplification DDoS attack, which leveraged unpatched systems running ARMS. Our testing revealed a substantial amplification ratio of 35.5:1.

NETSCOUT then created surgical deny lists of abused ARMS reflectors/amplifiers, published customer and public advisories on mitigating this new DDoS attack vector, and worked with the vendor on mitigation/remediation recommendations. At discovery, there were a total of 54,000 abusable nodes on the public internet, and today that number is ~6,000 thanks to in part to NETSCOUT visibility, remediation guidance to network operators, education efforts, and patching by Apple. This early identification of a new DDoS vector allowed us to publish mitigation recommendations before adversary activity became commonplace in early 2020.

But this was not just lightning in a jar. Beginning in January 2022, NETSCOUT observed probes targeting services running on UDP/10074. Concurrently, NETSCOUT, via partnerships with global network operators, vendors, and research teams, began investigations into a potential new DDoS attack vector dubbed TP240 Phone Home. ASERT discovered that this vector had an astonishing potential amplification ratio of 4,294,967,296:1—capable of generating more than 53 million packets per second. NETSCOUT initially identified more than 5,000 abusable nodes on the public internet. Today that number is fewer than ~2,800, due in part to NETSCOUT’s visibility, remediation, and public education efforts.

Most recently, NETSCOUT witnessed the emergence of a new vector with the greatest lead time yet. We discovered the activity in 1H 2023, but after investigating traffic in our global honeypot network found that adversaries started probing UDP/427 in September of 2022. These early probes originated from a security researcher looking into vulnerabilities in the SLP protocol. In April of 2023, ASERT characterized and provided mitigation recommendations and surgical deny lists for this new DDoS attack vector, which is capable of amplifying traffic at a ratio of 2200:1 with proper priming. At discovery, NETSCOUT identified more than 40,000 abusable reflectors/amplifiers on the public internet. Today, that number is ~38,000 and declining. NETSCOUT mitigation and remediation guidance has minimized this vector’s effectiveness, ensuring customers are proactively protected against SLP reflection/amplification attacks.