DoS and password login attacks dominate security attacks since 2018
Denial-of-Service (DoS) and password login attacks such as brute force and credential stuffing are on the rise, according to new research from F5 Labs.
The analysis of three years of incidents reported to the F5 Security Incident Response Team (SIRT) also found that Application Programming Interface (API) attacks are becoming increasingly widespread.
“Attackers, as always, choose the most efficient ways to turn a profit. Our weaknesses are their opportunities. We can definitely expect more password login, DoS and API attacks on the horizon,” says Raymond Pompon, director of F5 Labs.
F5 Labs found that nearly a third (32%) of all F5 SIRT’s annually reported incidents were DoS attacks. However, the percentage is creeping up, with 36% of incidents reported in 2020.
Most DoS attacks are network volumetric floods (commonly known as TCP SYN or UDP floods). F5 SIRT also received reports of “Slow POST/Slowloris” attacks, designed to initiate and keep as many of a victim’s connections open as possible. 19% of reported DoS incidents involved attacks on DNS.
DoS attacks were most prominent in the APCJ region, accounting for 57% of its reported SIRT incidents. EMEA was next in the firing line with 47%, followed by the US and Canada (33%) and LATAM (30%). EMEA experienced the biggest jump in its percentage of reported incidents since 2018, rising from 2,2% to 23% in 2020, which represents an eye-catching 945% spike.
The most targeted sectors were service providers and educational institutions, with both reporting DoS attacks as 59% of all incidents. Finance and public sector organisations were the next highest at 36% and 28%, respectively.
Continuing password login attacks
Attacks on password logins continue to grow year-on-year. Despite a slight dip in 2019, F5 Labs noted that password login attacks accounted for 32% of all reported SIRT incidents over the past three years. Separate analysis in the fourth edition of F5’s Phishing and Fraud Report also reflected how phishing incidents rose 220% during the height of the first waves of the COVID-19 pandemic when compared to the yearly average.
Password login attacks were the most reported type of incident in the United States and Canada, representing 45% of all reported incidents. LATAM took second spot (40%), trailed by EMEA (30%) and APCJ (11,7%). Sector-wise, banking and financial services organisations suffered most (46% of all incidents), followed by the public sector (39%) and service providers (27,8%).
“Financial institutions have got better at defending their systems, but attackers are going after the weakest link; their customers. It’s hard for a financial services organisation to know if a consumer is reusing their password somewhere else, especially somewhere with weaker security,” Pompon explained.
API attacks become more widespread
F5 Labs’ analysis also emphasised the growing problem of attacks on APIs, which are extensively used in the cloud, for mobile apps, in software-as-a-service offerings, and in containers. Of all reported F5 SIRT incidents, 4% were API-related and, of those, 75% of them were password login attacks. Finance and service providers are the top industries reporting API attacks to the F5 SIRT.
“As APIs are essentially web logins, often password logins grant elevated access to critical applications. What is troubling is that attackers are using password login attacks, such as brute force, knowing full well that 69% of API breaches in 2019 were attributable to poor access control,” says Pompon.
The F5 Security Incident Response Team (F5 SIRT) helps customers tackle security incidents in real time. In 2020, F5 Labs analysed what occurred at the beginning of the pandemic based on F5 SIRT cases. This new analysis looks back at all F5 SIRT cases from the beginning of 2018 to the end of 2020.