By Darren Anstee, Chief Technology Officer, SBO International, NETSCOUT

The risk posed by the weaponization of internet infrastructure for DDoS attack generation will be a hot topic for ISPs once again in 2020. Hackers continue to use reflection amplification techniques to launch massive DDoS attacks, as they have done for over a decade, but now they’re using new protocols and infrastructure to circumvent defenses and build new capabilities.

Appreciating the scale of the risk posed by connected devices that can be used to reflect and amplify DDoS traffic is key.  The range of devices that can launch attacks, the clean-up rate after identifying attack vectors, and the rate of discovery and weaponization of new protocols are key factors when we look at the evolving threat landscape.  Understanding these factors and their regional variations are a must for network operators looking to model the risks they face.

The number of devices connected to the internet is increasing very quickly, driven by the proliferation of the Internet of Things (IoT) devices, the continuing growth and availability of fixed broadband services across all geographies, and the rapid expansion of 4G and 5G mobile infrastructure. Threat actors are “weaponizing” vulnerable or poorly configured devices, adding them to botnets and using them as DDoS reflectors, proxies or for other nefarious purposes.

And, unfortunately, this is only going to get worse:

*It is easy for threat actors to scan the internet or vulnerable devices, which are easily exploitable once they’re detected.
*In many instances, it takes only five minutes to detect and compromise a new device connecting to the internet.
*Millions of IoT devices are connected daily, but most of those devices run on obsolete firmware containing known vulnerabilities i.e. they’ll be compromised almost immediately.
*Most network endpoints, including Small Office Home Office (SOHO) routers, voice-over-IP phones, CCTV cameras, DVRs, laptops and other connected devices, are not routinely patched and do not have their configuration optimized for security.

After every large or well-publicized DDoS attack leveraging IoT devices, many enterprise organizations will re-apply best practices, auditing their internet or enterprise network-connected devices to ensure they are as secure as they can be, patched, etc. And, many have deployed Intelligent Detection and Mitigation Systems (IDMS) or purchased Cloud DDoS Protection Services to protect themselves from attacks originating from devices elsewhere in the connected world. These measures help, but unfortunately, most of the vulnerable devices out there are not managed by enterprise organizations, and many businesses are still not protected from the DDoS threat – and today pretty much anyone can be (and frequently is) targeted.

In 2020, hackers will continue to compromise both existing and new devices. Until the security of a new device is a key buying criterion or regulatory focus, this will continue – fueling the capability of the attackers out there.

All stakeholders need to collaborate and confront the reality of a weaponized internet. ISPs, cloud providers, governments, enterprises, and equipment manufacturers all need to take ownership of this problem. If they do, they will make the connected world a better place for everyone.

About the Author

Darren Anstee, Chief Technology Officer, SBO International, NETSCOUT.  Darren Anstee has 20 years of experience in pre-sales, consultancy, and support for telecom and security solutions. As Chief Technology Officer, SBO International, at NETSCOUT, Darren works across the research, strategy, and pre-sales aspects of Arbor’s traffic monitoring, threat detection, and mitigation solutions for service providers and enterprises around the world. He is an integral part of Arbor’s Security Engineering & Response Team (ASERT), which delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators.  Learn more about him at