DDoS attacks on the rise, finds F5 Labs

Distributed denial-of-service (DDoS) attacks on service providers are significantly on the rise, according to new research from F5 Labs.

An analysis of global customer security incident data from the past three years – both mobile and landline – also found that brute force attacks, though still prevalent, are on the wane.

Other prominent observed threats include compromised devices and web injection attacks.

DDoS attacks were by far the biggest threat to service providers between 2017 and 2019, accounting for 49% of all reported incidents during this period.

There was a big jump in 2019, with attacks rising to 77% of all incidents – up from just 25% in 2017.

Denial of service attacks in the service provider space tend to be customer-facing (such as DNS) or focused on applications that allow users to, for example, view bills or monitor usage.

Most attacks were sourced from within the service provider’s subscription base. Many of these, particularly in the case of DNS-related incidents, will leverage service provider resources to attack others.

F5 Labs found that most reported incidents focused on DNS DDoS such as reflection and water torture attacks.

Brute force attacks, which involve trying massive numbers of usernames and passwords against an authentication endpoint, were the second most reported incident.

F5 Labs observed a marked downturn in brute force attacks, from 72% of all incidents in 2017 to just 20% in 2019. There was, however, an uptick in attacks on service providers focusing on the financial vertical.

F5 Labs noted that the first indications of these types of attack are usually customer complaints related to account lockout rather than any sort of automated detection.

Other notable attacks recorded by F5 Labs included compromised devices within service provider infrastructure, which accounted for 8% of incidents in 2018. These were usually detected due to increased outbound traffic as the compromised devices were used to launch denial of service attacks.

F5 Labs also reported that general web attacks accounted for 8% of all incidents in 2019, with injections dominating as a specific tactic. The attacks try to leverage bugs in web application code to prompt command execution. In the case of an SQL injection, attempts are made to execute commands on back-end database servers, often leading to data exfiltration. Such attacks are usually caught by WAF technologies or via alerts triggered from web server logs.

On the Internet of Things (IoT) front, a bot named Annie, a fast-following variant of Mirai, continued to wield influence.

First discovered in 2016, the bot targeted the custom protocols TR-069 and TR-064 used by ISPs to remotely manage large fleets of routers over port 7547.

According to F5 Labs, ports 7547 and 8291 were the top targeted ports in the Middle East and Latin America in the 4th quarter of 2019, which indicates variable use of these ports from region to region.

“ISPs in Europe surely learned from the news of Annie years ago, and attackers focus their efforts where there are gains to be had. ISPs in the Middle East and Latin America are likely to still have some work to do,” added Malcolm Heath, Senior Threat Research Evangelist, F5 Labs.