April 26, 2019
Botnets have traditionally sought to compromise desktop computers, but our latest findings confirm the continued shift to mobile devices, creating a new breed of botnets.
In Q1 2019, application attacks continued to be more prevalent than network attacks. After tracing the source IPs of some of the application attacks, we found that most source IPs originate from mobile gateways. In other words, mobile devices were responsible for most of the application attacks captured in the past three months.
By OS, about 39 percent of the application attacks originated from Android devices, while about 21 percent came from IOS devices. Other platforms such as BlackBerry contributed to an insignificant share. Of course, we are not talking about how insecure the mobile devices are, because we believe a lack of security awareness among end-users is the greatest inhibitor to defending against DDoS threats.
| Attack Sources | Share of application attacks | |
| Mobile Devices | Android (Samsung, Huawei, etc.) | 39.00% |
| IOS (iPhone, iPad and iPod) | 21.34% | |
| Others (e.g. BlackBerry) | 0.002% | |
| Computers and servers | Windows | 24.06% |
| Macintosh | 1.26% | |
| Other OS's | 6.73% | |
| Others | Playstation, Smart TV, Smart Hub, etc | 7.61% |
Table 1. Application attack sources by type of IoT device
Meanwhile, attack methods are now more complex than before. For example, some HTTP/HTTPS GET Flood attacks request large data files such as mp3 files by adding a Query string "/web/flash/sound.mp3?<random string>" to the GET request.
When the victim server including load balancers, proxy server, etc. tries to handle such requests, the random string in the query string makes the cache function unable to retrieve the requested content. As a result, the cache function is bypassed. The server has to process the resource-intensive request anew every time.
Figure 2. Application attacks were more prevalent in Q1 2019
As seen from the chart above, more complex application attacks have become increasingly frequent, which added up to as many as 28 counts in a day in Q1 2019. By duration, attacks lasted from seconds to longer than a month.
Implications
Smartphones and connected devices have already become an inevitable part of our fast-paced lives, but they also come with security vulnerabilities. From our observation, IoT botnets have been advanced to mount more complex, destructive DDoS attacks since December 2018.
The upcoming 5G will further increase their firepower. As we move forward in the 5G era, make sure your system is thoroughly protected from DDoS threats so that mission-critical services are always available.
