Corero

What is a Zero-Day DDoS Attack – and how can you defend against one?

The Corero Threat Intelligence team is constantly on the lookout for new attack vectors that cybercriminals use to launch new and more sophisticated Distributed Denial of Service (DDoS) attacks. These are commonly known as zero-day attacks, because they use vectors that have not previously been seen in the wild. Recently, security researchers discovered the new TP240PhoneHome and Hikvision SADP vulnerabilities, which can be exploited to launch damaging reflection and amplification DDoS attacks.

It’s easy to see how such discoveries can impact the threat landscape: when cybercriminals discover a new vector, they typically share that information on the Dark Web, and the owners of booter/stresser services then add it as a new vector to their ‘DDoS-for-hire’ armories. As time goes on and more organizations patch a particular vulnerability, the bad actors may rely on that vector less often, but they always manage to find and leverage new vulnerabilities for their attacks.

Obviously, once a vulnerability is discovered, it is better for everyone if security professionals are made aware of it. Although security researchers routinely share discoveries of new vectors, significant time can pass before awareness becomes widespread, increasing the likelihood that many organizations suffer damaging attacks, such as DDoS, via that new vector. For example, in July 2020, the FBI alerted private industry to four new DDoS attack vectors; however, those vectors had been active in the wild at least 12 months before the warning was issued. Furthermore, the alert didn’t stop cybercriminals from using those same vectors to launch DDoS attacks: their use grew throughout 2020 and they were still widely used in 2021.

How to prevent being the victim of a zero-day attack

How can organizations fend off attacks that come from new vectors? Most legacy DDoS mitigation solutions are ill-equipped to recognize zero-day attacks because they have no intelligent mechanism for blocking attacks that haven’t been seen before in the wild. Instead, they rely on fixed filters, which is why an attack needs to have been seen previously before it can be defended against. To block attacks that haven’t been seen before, you need dynamic, intelligent, behavior-based protection that looks for indicators as well as exact matches.

The Corero SmartWall DDoS solution includes Smart-Rule technology, a patented, proprietary, heuristic-based detection and mitigation mechanism that uses deep packet inspection to detect packets exhibiting specific traits, or indicators, that identify them as being part of a DDoS attack. When a significant rate of packets is seen with the same characteristics, a Smart-Rule convicts them as part of a DDoS attack and automatically blocks the packets, even if that specific packet type has never been seen before.
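To make the difference between a fixed filter and a behavior-based rule concrete, here is an added example; it is not Corero’s code and does not reproduce Smart-Rule. It runs a simple rate-of-identical-traits detector over constructed packet records, where the trait fields, the known-reflector port list, the one-second window and the threshold of 50 packets are all assumptions.

```python
from collections import defaultdict

# Constructed sample records, not captured traffic. Fields:
# (time_s, src_ip, proto, src_port, dst_port, length)
def build_sample():
    pkts = []
    # Ordinary traffic: varied DNS and HTTPS responses to the protected host.
    for i in range(20):
        pkts.append((i * 0.5, f"198.51.100.{i}", "udp", 53, 40000 + i, 80 + i))
        pkts.append((i * 0.5, f"203.0.113.{i}", "tcp", 443, 50000 + i, 1400))
    # Reflected flood: many sources, identical traits, arriving within one second.
    # Source port 4000 is a placeholder for a reflector port no filter has seen yet.
    for i in range(60):
        pkts.append((3.0 + i / 60, f"192.0.2.{i}", "udp", 4000, 80, 1024))
    return pkts

# Fixed filters: an assumed list of well-known reflector service ports.
# Traffic from an unlisted port is invisible to this approach.
KNOWN_REFLECTOR_PORTS = {("udp", 123), ("udp", 1900), ("udp", 11211)}

def fixed_filter_hits(pkts):
    """Packets an exact-match filter would block."""
    return [p for p in pkts if (p[2], p[3]) in KNOWN_REFLECTOR_PORTS]

def traits(p):
    # Traits a behavioral rule keys on: transport, ports and payload size.
    return (p[2], p[3], p[4], p[5])

def behavioral_convictions(pkts, window_s=1.0, threshold=50):
    """Trait tuples seen at least `threshold` times within one time window."""
    counts = defaultdict(int)
    for p in pkts:
        counts[(int(p[0] // window_s), traits(p))] += 1
    return {t for (w, t), n in counts.items() if n >= threshold}

def blocked_by_behavior(pkts, convicted):
    """Packets dropped once their trait tuple has been convicted."""
    return [p for p in pkts if traits(p) in convicted]
```

On the sample, the fixed filter blocks nothing, while the behavioral rule convicts the single trait tuple shared by the 60 flood packets and leaves the 40 ordinary packets untouched.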

Respond dynamically

When new attack vectors appear, it is critical to carry out forensic-level analysis to determine that the entire attack was blocked and ensure no collateral damage occurred. Once emerging attack vectors are fully understood, they can then be defended against using exact match filters.

New attack vectors are inevitable, and as more Internet-connected devices become available, bad actors will seek, find, and leverage any vulnerabilities they come across. Since it is virtually impossible for security analysts to detect and mitigate these attacks manually, the best option for defense is a DDoS mitigation solution that delivers zero-day protection.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more about Corero’s deployment models, please contact us.