MY TAKE: Why DDoS weapons will proliferate with the expansion of IoT and the coming of 5G

By Byron V. Acohido

A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons.

Related: IoT botnets now available for economical DDoS blasts

In March 2013, several impossibly massive waves of nuisance requests – peaking as high as  300 gigabytes per second—swamped Spamhaus, knocking the anti-spam organization off line for extended periods.

Three years later, October 2016, a DDoS attack, dubbed Mirai, topped 600 gigabytes per second while taking aim at the website of cybersecurity journalist Brian Krebs. His blog, Krebs on Security, was knocked down alright.

The author of Mirai used a sledgehammer to kill a fly: the DDoS bombardment was so large that it also wiped out Dyn, a UK-based internet performance vendor. And since Dyn routed traffic, not just to Krebs’ blog, but also to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal, those popular websites were offline for some 12 hours, frustrating millions.

I mentioned these attacks now because the cyber weaponry deployed in each of those attacks actually remain in high use today. That’s the upshot of a recent state-of-DDoS Weapons report from A10 Networks, a San Jose, CA-based supplier of advanced DDoS detection and mitigation systems.

I had the chance at RSA 2019 to discuss the wider implications with Don Shin, A10 Networks’ senior product marketing manager. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Reflective attacks

DDoS attacks aren’t going to go away anytime soon. They are easier than ever to spin up; very powerful DDoS tools and for-hire services are widely available to anyone with modest technical skills – weaponry that is still very effective.

The Spamhaus attacker, for instance, noticed that there were literally millions of domain name system (DNS) resolvers that remained wide open all over the internet. DNS resolvers were the early building blocks of the internet: they resolved a domain names, such as, to a specific IP address.

This threat actor figured out how to route requests to legitimate DNS resolvers in such a way that those servers would reflect and amplify responses to the targeted website — more than 50 times, swamping the site.

Today, the potential for so-called DNS reflective attacks has become pervasive. A10 Networks’ report found 6.3 million open DNS resolvers in position and available to be leveraged by anyone in a similar DDoS attack.


“DNS resolvers are the number-one tracked DDoS weapon, by size,” Shin said. “Here we are in 2019 and the same attack strategy continues to persist. It’s easy to do when there are six million open DNS resolvers on the internet using poor security practices.”

Beyond DDoS

The innovation that enabled Mirai’s creator to double the peak size of the Spamhaus attack was to leverage the Internet of Things. This attacker easily located IoT devices that used the manufacturers’ default security setting. He set loose a self-replicating internet worm to gain control of 600,000 household IoT devices. And then deployed this IoT botnet to bombard Krebs on Security – and ended up taking out Dyn as collateral damage.

Today, IoT botnet families, including Mirai, Okiru, the Satori, the Masuta, the PureMasuta and Reaper, continue mutating. They are also extending their malicious activities beyond DDoS attacks to also spread ransomware, crypto mine and burrow deep into large enterprises.

The security and business communities aren’t anywhere close to coming up with a consensus approach for addressing emergent IoT exposures. In fact, it can be argued that the opposite is happening. A10 Networks’ report calls out the implementation of the Constrained Application Protocol, or CoAP.

CoAP sets forth device management rules to make it possible for the tiny operating systems inside of IoT devices to communicate, paving the way for new IoT-centric systems running in smart factories and smart homes.

As it now stands, CoAP does not require authentication to reply with a large response to a small request, Shin told me. This is very much the same type a functionality-first thinking that made possible the weaponization of DNS resolvers.

“One of the big problems we face as an industry is the rapid growth of IoT and the weak security practices that are associated with IoT,” Shin said. “Here we are in 2019, after all of these DDoS attacks, we’re rolling out yet another protocol that has a hole in the security posture where it can be used as a reflector and be exploitable by attackers.”

Barest tip

A10 Networks has identified 414,130 IoT devices already being used in early IoT deployments that have this reflector capacity. CoAP already is being discussed in security circles as the next big DDoS scaling tool.

And yet, these CoAP exposures are the barest tip of the iceberg. IoT goes hand in glove with the next generation of mobile cellular system, known as fifth-generation wireless, or 5G. Consider what this means, from a security perspective.

One big attribute of 5G is that it can support low latency, in other words, many tiny computing devices linked together in an IoT system. The giant telecom companies have poured billions into new 5G infrastructure, which will begin replacing current 4G systems later this year and into 2020.

The CoAP exposures highlighted in A10 Networks’ report show which way the table is tilted: toward features, and not necessarily security. “From a DDoS perspective we’re increasing the breadth of weapons available for attackers to leverage,” Shin said. “We’re seeing these leading indicators because we haven’t improved security as we roll these systems out.”

I’m encouraged that A10 Networks and others in the DDoS security space are bringing these notions forward – and developing solutions. Maybe this time around, systemic proactive measures will gain material traction, earlier in the ball game. We’ll see. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone