
Digital Guardian's Blog

FBI Warns of Hackers Exploiting Built-In Network Protocols

by Chris Brook on Thursday July 30, 2020


The FBI warned organizations last week that attackers are increasingly using built-in network protocols to launch destructive distributed denial of service attacks.

For many organizations, the point of having built-in network protocols on servers and systems is to cut down on the computational overhead needed to carry out day-to-day operational activities on end-user machines.

As of late, attackers are flipping the script and using these protocols against US networks, the Federal Bureau of Investigation recently warned organizations.

Attackers are leveraging the protocols to conduct larger and larger distributed denial of service (DDoS) amplification attacks, something that can result in a significant disruption and impact on targets, the FBI's Cyber Division warned in a Private Industry Notification last week.

“Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources. Cyber actors likely will increasingly abuse built-in network protocols,” the warning reads.

That attackers are exploiting these built-in protocols to carry out DDoS attacks isn't necessarily new (the FBI cites examples dating back as far as December 2018), but it's apparently still enough of an issue to prompt a warning notification. The notice names a few relatively new network protocols being used as vectors.

The protocols attackers are targeting include Apple Remote Management Service (ARMS), Web Services Dynamic Discovery (WS-DD), and Constrained Application Protocol (CoAP). The notice adds that organizations could disable them, but that doing so would likely result in a loss of business productivity.

"In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks," the notice reads.

To mitigate the issue, the FBI is encouraging organizations, if they aren't doing so already, to follow a series of steps, including:

  • Deploy a denial of service mitigation service that can detect abnormal traffic flows and redirect traffic from your network
  • Form a partnership with your local internet service provider and work with them to control any network traffic that attacks your network. The ISP can save any necessary forensic data needed to fulfill law enforcement investigations
  • Change the default username and password for all network devices, especially IoT devices. If the username and password can't be changed, make sure the device providing internet access to that device has a strong password and a second layer of security, like multi-factor authentication or end-to-end encryption
  • Ensure there are network firewalls to block unauthorized IP addresses, and disable port forwarding
  • Ensure network devices are up to date and security patches are applied when available
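
As an illustration of the "detect abnormal traffic flows" step, the following added example (not taken from the FBI notice or from Digital Guardian) flags hosts that receive unsolicited UDP replies from many sources on the ports used by ARMS, WS-DD and CoAP, which is what a reflected, spoofed-source flood looks like from the victim's side. The flow-record layout, the thresholds and the sample data are assumptions; the port numbers are the protocols' standard UDP ports and do not appear in the article.

```python
import ipaddress
from collections import defaultdict

# Standard UDP ports of the protocols named in the notice (not stated in the article).
REFLECTOR_PORTS = {3283: "ARMS", 3702: "WS-DD", 5683: "CoAP"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes), all UDP.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", 40000, "198.51.100.7", 5683, 60),    # internal host queries CoAP
    ("198.51.100.7", 5683, "192.0.2.10", 40000, 300),   # solicited reply, benign
    ("203.0.113.1", 3702, "192.0.2.20", 80, 4000),      # WS-DD replies nobody asked for
    ("203.0.113.2", 3702, "192.0.2.20", 80, 4500),
    ("203.0.113.3", 3702, "192.0.2.20", 80, 5200),
    ("203.0.113.4", 3283, "192.0.2.20", 80, 900),       # single stray ARMS reply
]

def find_reflection_targets(flows, protected_net, min_sources=3, min_bytes=10_000):
    """Return sorted (target_ip, protocol, distinct_sources, bytes) for suspected floods."""
    net = ipaddress.ip_network(protected_net)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    # Requests our own hosts sent, stored in the shape their replies will have.
    solicited = {(dst, dport, src, sport)
                 for src, sport, dst, dport, _ in flows if inside(src)}

    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, dport, nbytes in flows:
        proto = REFLECTOR_PORTS.get(sport)
        if proto is None or inside(src) or not inside(dst):
            continue  # not an inbound reply from one of the watched protocols
        if (src, sport, dst, dport) in solicited:
            continue  # answer to a request we actually made
        stats[(dst, proto)]["sources"].add(src)
        stats[(dst, proto)]["bytes"] += nbytes

    # Thresholds are illustrative assumptions; tune them to the network's baseline.
    return sorted((dst, proto, len(e["sources"]), e["bytes"])
                  for (dst, proto), e in stats.items()
                  if len(e["sources"]) >= min_sources and e["bytes"] >= min_bytes)

if __name__ == "__main__":
    for row in find_reflection_targets(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(row)
```

Matching replies against requests the network really sent is what separates reflection traffic from ordinary use of these protocols, so a host that legitimately uses CoAP or WS-DD is not flagged.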
