GUEST ESSAY: How amplified DDoS attacks on Ukraine leverage Apple’s Remote Desktop protocol

Cyber-attacks continue to make headlines, and wreak havoc for organizations, with no sign of abating. Having spiked during the COVID-19 pandemic, threats such as malware, ransomware, and DDoS attacks continue to accelerate.

A10’s security research team recorded a significant spike in the number of potential DDoS weapons available for exploitation in 2021 and early 2022. The total number of DDoS weapons, which was previously recorded at 15 million, has grown by over 400,000 or 2.7 percent in a six-month period.

This includes a notable 2X increase in the number of obscure potential amplification weapons such as Apple Remote Desktop (ARD).

The war in Ukraine has seen likely state-sponsored attacks using these types of DDoS attacks. The Log4j vulnerability has predictably proved fertile ground for hackers as well, putting millions of systems at risk, with Russia accounting for more than 75 percent of Log4j scanners and helping drive. In this intensifying threat landscape, the urgency for modern DDoS defenses becomes clearer every day.

A new report by the A10 Networks security research team explores the global state of DDoS weapons and tactics. Key findings follow.

Ukraine targeted

DDoS attacks have long been a favorite tactic of bad actors for disruption. In a recent example, A10’s security research team observed significant, sustained attacks on Ukrainian government networks and commercial assets beginning February 24, 2022, the first day of the invasion.

These included targeted, large-scale attacks on a block of addresses associated with Kharkiv and Severodonetsk, and on the Secretariat of the Cabinet of the Ministers of Ukraine.

The largest of the attacks on Ukraine used amplification and reflection methods to increase their impact. The attack on the Secretariat of the Cabinet of the Ministers of Ukraine demonstrated a common strategy: the attacker sends many requests to UDP-based services with the source address forged (spoofed) to be the intended victim's IP, so each service contacted sends its reply to the victim rather than back to the attacker.
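The reflection pattern just described, seen from the victim network's side, as an added detection sketch that is not from this essay or the A10 report: it flags local hosts that receive UDP replies from reflector service ports from many sources while having sent few or no requests to those ports. The flow records, the 203.0.113.0/24 (monitored) and 198.51.100.0/24 (reflector) addresses, and the mapping of ARD to UDP port 3283 are assumptions of this example.

```python
from collections import defaultdict

# UDP service ports commonly abused as reflectors. Mapping ARD to UDP 3283 is an
# assumption of this example; the essay names ARD but not its port.
REFLECTOR_PORTS = {3283: "ARD", 53: "DNS", 123: "NTP"}

# Constructed sample flow records: (src, sport, dst, dport, bytes).
# 203.0.113.10 is the victim inside the monitored network; 198.51.100.x are reflectors.
SAMPLE_FLOWS = [
    ("198.51.100.1", 3283, "203.0.113.10", 40001, 1024),
    ("198.51.100.2", 3283, "203.0.113.10", 40001, 1024),
    ("198.51.100.3", 3283, "203.0.113.10", 40001, 1024),
    ("198.51.100.4", 3283, "203.0.113.10", 40001, 1024),
    ("203.0.113.20", 51000, "198.51.100.5", 53, 60),   # legitimate DNS query ...
    ("198.51.100.5", 53, "203.0.113.20", 51000, 120),  # ... and its single reply
]


def reflection_candidates(flows, local_prefix, min_reflectors=3, min_ratio=10.0):
    """Return {victim: (service, reflector_count, ratio)} for local hosts that receive
    reflector-port UDP traffic from many sources with little or no matching outbound
    request traffic (reply bytes / request bytes >= min_ratio)."""
    inbound = defaultdict(lambda: defaultdict(lambda: [set(), 0]))  # victim -> port -> [srcs, bytes]
    outbound = defaultdict(lambda: defaultdict(int))                # host -> port -> bytes
    for src, sport, dst, dport, nbytes in flows:
        if dst.startswith(local_prefix) and sport in REFLECTOR_PORTS:
            entry = inbound[dst][sport]
            entry[0].add(src)
            entry[1] += nbytes
        elif src.startswith(local_prefix) and dport in REFLECTOR_PORTS:
            outbound[src][dport] += nbytes
    findings = {}
    for victim, by_port in inbound.items():
        for port, (srcs, in_bytes) in by_port.items():
            # A host that never asked (0 request bytes) gets the full reply volume as ratio.
            ratio = in_bytes / max(outbound[victim][port], 1)
            if len(srcs) >= min_reflectors and ratio >= min_ratio:
                findings[victim] = (REFLECTOR_PORTS[port], len(srcs), ratio)
    return findings


if __name__ == "__main__":
    print(reflection_candidates(SAMPLE_FLOWS, "203.0.113."))
```

Real deployments would feed NetFlow/IPFIX records and tune the thresholds per service; the legitimate DNS exchange in the sample is not flagged because it has one source and a small reply/request ratio.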

The attacks on Kharkiv and Severodonetsk used a less common form of amplification…