GUEST ESSAY: How amplified DDoS attacks on Ukraine leverage Apple’s Remote Desktop protocol

By Paul Nicholson

Cyber-attacks continue to make headlines and wreak havoc for organizations, with no sign of abating. Having spiked during the COVID-19 pandemic, threats such as malware, ransomware, and DDoS attacks continue to accelerate.


A10’s security research team recorded a significant spike in the number of potential DDoS weapons (internet-exposed hosts that can be abused to reflect or amplify traffic) in 2021 and early 2022. The total, previously recorded at 15 million, grew by more than 400,000, or 2.7 percent, in a six-month period.

This includes a notable 2X increase in the number of obscure potential amplification weapons such as Apple Remote Desktop (ARD).

The war in Ukraine has seen likely state-sponsored attacks using these types of DDoS weapons. The Log4j vulnerability has predictably proved fertile ground for attackers as well, putting millions of systems at risk, with Russia accounting for more than 75 percent of observed Log4j scanners. In this intensifying threat landscape, the urgency for modern DDoS defenses becomes clearer every day.

A new report by the A10 Networks security research team explores the global state of DDoS weapons and tactics. Key findings follow.

Ukraine targeted

DDoS attacks have long been a favorite tactic of bad actors for disruption. In a recent example, A10’s security research team observed significant, sustained attacks on Ukrainian government networks and commercial assets beginning February 24, 2022, the first day of the invasion.

These included targeted, large-scale attacks on a block of addresses associated with Kharkiv and Severodonetsk, and on the Secretariat of the Cabinet of Ministers of Ukraine.

The largest of the attacks on Ukraine used amplification and reflection to increase their impact. The attack on the Secretariat of the Cabinet of Ministers of Ukraine used the standard reflection technique: the attacker sends many requests to UDP-based services with the source address spoofed to the victim’s IP, so every service replies to the victim rather than to the attacker. This works because UDP is connectionless and the services answer without validating who sent the request; amplification comes from services whose replies are much larger than the requests that trigger them.

The attacks on Kharkiv and Severodonetsk used a less common form of amplification leveraging the Apple Remote Desktop (ARD) protocol on UDP port 3283. In this case, the responses were approximately 34 times larger than the original requests; A10 recorded two million requests to a single U.S.-based machine.
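The reflection and amplification pattern described above can be spotted in ordinary flow telemetry from either end. The following is an added example, not code from A10 or from the report, that runs over constructed NetFlow-style records: the CSV layout, the thresholds, and the per-packet sizes (50-byte requests, 1700-byte replies, chosen to reproduce the ~34x factor the text reports) are assumptions. It shows the reflector-side view, where spoofed requests arrive at an ARD host and large replies leave toward the victim, and the victim-side view, where replies from UDP/3283 arrive from hosts the victim never queried.

```python
"""Flag UDP reflection/amplification, e.g. Apple Remote Desktop on UDP/3283,
in flow records. Added example with constructed data; the CSV layout, the
thresholds and the per-packet sizes are assumptions, not A10 telemetry."""
from collections import defaultdict
from dataclasses import dataclass

ARD_PORT = 3283  # Apple Remote Desktop (Remote Management) listens here over UDP


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


# Constructed NetFlow-style records: src_ip,src_port,dst_ip,dst_port,proto,packets,octets
# Vantage point: the network hosting the abused ARD machine 198.51.100.10.
# The requests carry the spoofed source 203.0.113.7 (the victim); 50-byte
# requests produce 1700-byte replies, i.e. the ~34x factor reported in the text.
# 192.0.2.5 is a benign admin who really does query the service a few times.
SAMPLE_REFLECTOR_FLOWS = """\
203.0.113.7,40000,198.51.100.10,3283,udp,2000000,100000000
198.51.100.10,3283,203.0.113.7,40000,udp,2000000,3400000000
192.0.2.5,51022,198.51.100.10,3283,udp,12,600
198.51.100.10,3283,192.0.2.5,51022,udp,12,20400
192.0.2.9,443,198.51.100.10,55012,tcp,300,45000
"""

# Vantage point: the victim's edge. 203.0.113.7 never queried anyone yet receives
# replies from three ARD hosts; 203.0.113.9 gets one reply it actually asked for.
SAMPLE_VICTIM_FLOWS = """\
198.51.100.10,3283,203.0.113.7,40000,udp,2000000,3400000000
198.51.100.23,3283,203.0.113.7,40000,udp,900000,1530000000
198.51.100.77,3283,203.0.113.7,40000,udp,1200000,2040000000
203.0.113.9,51022,192.0.2.5,3283,udp,12,600
192.0.2.5,3283,203.0.113.9,51022,udp,12,20400
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV layout above; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s_ip, s_port, d_ip, d_port, proto, pkts, octets = line.split(",")
        flows.append(Flow(s_ip, int(s_port), d_ip, int(d_port), proto,
                          int(pkts), int(octets)))
    return flows


def reflector_view(flows, port=ARD_PORT, min_factor=10.0, min_requests=10_000):
    """Reflector side: pair inbound requests to `port` with outbound replies from
    `port` per (service host, claimed client) and report pairs whose reply bytes
    amplify the request bytes. The factor alone is not enough: a legitimate
    query gets the same large reply, so a volume threshold is applied too."""
    req = defaultdict(lambda: [0, 0])   # (host, client) -> [packets, octets]
    rsp = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == port:
            req[(f.dst_ip, f.src_ip)][0] += f.packets
            req[(f.dst_ip, f.src_ip)][1] += f.octets
        elif f.src_port == port:
            rsp[(f.src_ip, f.dst_ip)][0] += f.packets
            rsp[(f.src_ip, f.dst_ip)][1] += f.octets
    findings = []
    for (host, client), (req_pkts, req_octets) in req.items():
        _, rsp_octets = rsp.get((host, client), (0, 0))
        if req_pkts < min_requests or req_octets == 0:
            continue
        factor = rsp_octets / req_octets
        if factor >= min_factor:
            findings.append({"reflector": host, "victim": client,
                             "requests": req_pkts,
                             "amplification": round(factor, 1)})
    return sorted(findings, key=lambda x: -x["requests"])


def victim_view(flows, port=ARD_PORT, min_reflectors=3):
    """Victim side: replies from `port` arriving at one local address from many
    hosts that address never queried are the signature of reflection, since the
    spoofed requests left the attacker, not the victim."""
    queried = defaultdict(set)  # local address -> service hosts it really asked
    replied = defaultdict(set)  # local address -> hosts replying from `port`
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == port:
            queried[f.src_ip].add(f.dst_ip)
        elif f.src_port == port:
            replied[f.dst_ip].add(f.src_ip)
    unsolicited = {v: sorted(hosts - queried[v]) for v, hosts in replied.items()}
    return {v: hosts for v, hosts in unsolicited.items() if len(hosts) >= min_reflectors}


if __name__ == "__main__":
    for hit in reflector_view(parse_flows(SAMPLE_REFLECTOR_FLOWS)):
        print("reflector-side:", hit)
    for victim, hosts in victim_view(parse_flows(SAMPLE_VICTIM_FLOWS)).items():
        print("victim-side:", victim, "hit from", len(hosts), "unsolicited reflectors")
```

Note that the benign admin in the reflector-side data gets exactly the same 34x reply ratio as the attack; what distinguishes abuse is volume and a source that never sent the requests, which is why the thresholds matter. From the ARD host’s own point of view every reply is legitimate, so the durable fixes sit elsewhere: do not expose UDP/3283 to the internet, and have the networks the spoofed packets originate from apply source-address validation (BCP 38) so forged victim addresses never leave them.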

Log4j adds to the mix

The use of more obscure potential amplification weapons, such as ARD, more than doubled over the past year; the total number of amplification attack weapons worldwide now stands at more than 15 million.

On December 10, 2021, CVE-2021-44228 was disclosed: a critical vulnerability in the widely used Apache Log4j logging framework. According to NIST, it allows unauthenticated remote code execution (RCE), which attackers used to install malware. Before its public disclosure, our team had begun tracking scans for affected hosts.

Within a week, scanning activity was spiking in more than 10 countries, with three-quarters of it sourced from Russia. By December 20, 2021, we had detected clear signs that Log4j was being exploited for worm-like spread from host to host, with the potential to create massive botnets capable of carrying out large-scale DDoS attacks.

Zero-trust factors in

With the anticipated rise in cyber-attacks and state-sponsored cyber warfare given the ongoing Russia-Ukraine conflict, organizations should adopt a Zero Trust framework so that their own networks cannot be weaponized. Central to Zero Trust is the idea of “never trust, always verify”: continuous checks throughout the network to ensure that resources are accessed only by authorized users and devices.

Micro-segmentation, micro-perimeters, comprehensive visibility, analytics, automation, and a well-integrated security stack complete the Zero Trust model.

When planning a Zero Trust policy for DDoS defense, a modern set of technologies is needed: adaptive baselining to learn what normal traffic on your network looks like, threat intelligence to block known bad actors, artificial intelligence (AI) and machine learning (ML) to identify and stop zero-day threats, and automation at multiple levels to find and mitigate large, small, and stealthy DDoS attacks.

As a post-pandemic era takes shape, it’s clear that cyberattacks are here to stay, and organizations must act accordingly. Read the 2022 A10 Networks DDoS Threat Report for further insights and steps you can take in response.

About the essayist: Paul Nicholson is senior director, product marketing, at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services. He has held technical and management positions at Intel, Pandesic and Secure Computing.
