China is the top target for DDoS reflection attacks
China bore the brunt of DDoS reflection attacks last month, with 61 percent of the top attack destinations observed being China-based systems, according to Nexusguard. Of the 21,845 attack events during the period, 77 percent used NTP vulnerabilities, reinforcing the vector's standing as hackers' most popular DDoS reflection method.
Organizations continue to see increases in distributed reflection denial-of-service (DrDoS) attacks because hackers can start them easily and they offer high amplification. The attacks cause outages and mask infrastructure intrusions and other digital mischief.
NTP reflection attacks, with their sustained popularity, took the top spot among the 21,845 attack events measured between Sept. 1 and Sept. 30, 2015.
CHARGEN was the second-most scanned protocol at 35 percent of the 23,743 scan events. Although there has been less need for the protocol in recent times, many CHARGEN-enabled devices are online worldwide, with the default settings leaving the protocol vulnerable.
Key findings:
- Sept. 2 showed a single target event, which used NTP vulnerabilities for multiple attacks that lasted for more than 9 hours. This may correlate with crises in Europe and the Middle East regarding reports on Europe’s refugee response and conflicts in Syria.
- CHARGEN scans gradually increased in frequency over the course of the month, while SSDP scans trended downward.
- The second-highest volume source network for attack scans was Comcast. Given the Internet service provider is based in the U.S., the high volume may be attributable to a large number of hosting companies that are quick to respond to abuse reports.
“We were not surprised by who was scanning or attacking, as much as who was not there. We were expecting to see a list of malicious hosting companies scanning and a number of DDoS mitigation providers being attacked, but these types of organizations weren’t as active in September,” Zane Witherspoon, security researcher at Nexusguard, told Help Net Security.