The FBI warned organisations last week that attackers are increasingly using built-in network protocols to launch destructive distributed denial of service attacks.
For many, the reason for having built-in network protocols on servers & systems is to cut down on the computational overhead needed to carry out day to day operational activities on end-user machines.
Attackers are up ending the script & using these protocols against US networks, the Federal Bureau of Investigation recently warned organisations.
Denial of Service
Attackers are using the protocols to conduct larger & larger distributed denial of service (DDoS) amplification attacks, something that can cause a significant disruption & impact on targets, the FBI’s Cyber Division warned in a Private Industry Notification last week.
“Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources. Cyber players likely will increasingly abuse built-in network protocols,” the warning comments.
Protocols
That attackers are using these built-in protocols to parcel out DDoS attacks is not necessarily new – the FBI cites examples dating back to Dec. 2018, but its apparently still enough of an issue to prompt a warning notification.
The notice offers a few relatively new network protocols being used as vectors.
Apple Remote
Some of the types of features attackers are targeting include Apple Remote Management Service – ARMS, Web Services Dynamic Discovery – WS-DD, & Constrained Application Protocol – CoAP. The notice adds that organisations could disable them, but that the action would likely result in a loss of business productivity.
“In the near term, cyber players likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” the notice reads.
Procedures
To mitigate the issue, the FBI is encouraging organisations if they are not already, to follow a series of procedures, including:
- Deploy a denial of service mitigation service that can detect abnormal traffic flows & redirect traffic from your network
- Form a partnership with your local internet service provider & work with them to control any network traffic that attacks your network. The ISP can save any necessary forensic data needed to fulfil law enforcement investigations
- Change the default name & password for all network devices, especially IoT devices. If the username & password cannot be changed, make it so the device that is providing internet access to the device has a strong password & second layer of security, like multi-factor authentication or end to end encryption
- Ensure there are network firewalls to block unauthorised IP addresses, disable port forwarding
- Ensure network devices are up to date, & security patches are applied when available
