At NETSCOUT, we refer to all of the technologies and services that enable companies and individuals to stay connected to the internet as the Connectivity Supply Chain. This includes services that underpin all interconnected devices—enterprise Internet of Things (IoT) devices and sensors, computers, mobile devices, and so forth—as well as services that enable enterprises to digitally transform and move resources to the cloud.
The Connectivity Supply Chain is a prime target for malicious actors. Attackers have long been focused on bringing down services that underpin connectivity, targeting both subscribers and the operational infrastructure of the companies themselves. But the dramatic increase in attacks—especially distributed denial-of-service (DDoS) attacks—since the beginning of the COVID-19 pandemic isn’t a coincidence.
As shown in the latest NETSCOUT Threat Intelligence Report, in the first half of 2021 service providers that provide connectivity accounted for four of the top 10 verticals targeted by DDoS attacks. Wired telecom carriers took top billing, with 283,516 attacks; wireless providers were third with 84,151 attacks; all other telecommunication carriers were seventh with 14,628 attacks; and telecom resellers were ninth with 2,175 attacks.
Not surprisingly, increases in attacks against these suppliers of connectivity have coincided with increases in attacks against the enterprises and government organizations that utilize them. This has been especially true since the beginning of the pandemic, which forced agencies to move quickly in order to support work-from-home (WFH) and remote-work initiatives much faster than expected.
Specifically, attackers have focused their attention on technologies that enable things such as cloud computing to function over the internet—especially Domain Name System (DNS) servers, virtual private networks (VPNs), and internet exchanges.
Where is the government’s Connectivity Supply Chain most vulnerable to attack? There are four areas of particular concern in the connectivity supply chain that agencies should focus on in order to protect their resources from DDoS attacks and ensure uninterrupted connectivity:
- DNS servers – According to the latest NETSCOUT Threat Intelligence Report, there were about 4,000 DDoS attacks in the first half of the year that targeted the DNS, the database that stores internet domain names and translates them into IP addresses. Most frequently, these were DNS reflection/amplification DDoS attacks that cause connection and timeout issues for websites.
- VPNs – More than 41,000 attacks were leveled against VPNs, the use of which skyrocketed during the COVID-19 pandemic as enterprises were forced to support remote-work initiatives. Attacks such as the Lazarus Bear Armada (LBA) DDoS extortion campaign against VPNs disconnect users from enterprise assets and prevent security teams from responding to attacks.
- Internet Exchanges – NETSCOUT research indicates that Internet Exchanges experienced more than 1,000 DDoS attacks during the first half of the year, 70 percent of which were TCP SYN floods.
The most important aspect of attacks on these critical areas of connectivity is the collateral damage inflicted. Even if the attack does not take the component fully offline, these services represent hundreds of thousands, if not millions, of consumers, and are the gateways to everything we do online. Take one down, and you impact a huge array of people, organizations, and service providers.
This should be of considerable concern to government agencies – many of which are still working remotely due to COVID-19. Government agencies and military organizations have essential missions, protecting Americans and offering necessary services. Any disruption to the services connecting remote government workforces – whether they be civilian military employees or the dedicated public servants of federal civilian agencies.
Luckily, there are four steps that service providers and enterprises can take to protect the connectivity supply chain against DDoS attacks. These include:
- Ensuring compliance with industry best current practices (BCPs) for organizations with business-critical public-facing internet properties
- Implementing appropriate DDoS defenses for public-facing internet properties and supporting infrastructure
- Performing recurring, realistic tests of the DDoS mitigation plan for organizations that operate mission-critical, public-facing internet properties and infrastructure
- Customizing countermeasure selection, tuning, and deployment