March 23, 2020

How Vietnam networks unwittingly expose themselves to IoT botnet exploits

While Vietnam’s internet penetration continues to grow with demand for faster connectivity and Internet of Things (IoT) on the rise, it is becoming increasingly clear that many of the country’s ISPs are woefully underprepared to guard against malicious exploits by threat actors to launch DDoS attacks against domestic and overseas targets. The need to protect an ISP network against this threat has never been greater. 


In fact, Vietnam has been one of the world’s top sources of DDoS attacks in recent years, behind cyberattack superpowers China and the United States. In 2018, Vietnam ranked fourth globally and first out of all Southeast Asian countries by country of attack origin. Though Vietnam was overtaken by countries such as Russia and Turkey in 2019, it remained as seventh in global ranking and second in Southeast Asia.


Unlike other countries where attacks are mainly generated from within, Vietnam networks tend to provide a launchpad not only for local cybercriminals but also for global attackers to harass global networks. The reason behind Vietnam’s rise to become a major country of attack origin is the rapid deployment of IoT that began in 2017. There are now a large number of insecure IoT devices, such as connected cameras and DVR systems, which are exposed to exploit risks posed by the notorious Mirai, Satori and newer botnets.


In 2017, three hackers extended the capabilities of Mirai and Satori to create a new botnet known as Tsunami or Fbot. As of March 2018, the new botnets infected up to 30,000 devices, mostly Goahead cameras, mainly deployed in Vietnam. With IoT devices coming online rapidly and the arrival of the 5G era, attackers are poised to add more firepower to their attacks, exerting pressure on local network throughput, exacerbated by the growing prevalence of DDoS-for-hire services. 


The effect is more pronounced this year.  In Q1 2020, DDoS attacks that occurred within Vietnam increased by 50 percent from the preceding quarter. More than 97 percent of the local attacks were in the form of DNS amplification between Q1 2019 and Q1 2020, which we believe is due to the more rampant abuses of DNS open resolvers by these botnets. 


DDoS attack activity in Vietnam, Q1 2019-Q1 2020



DNS Amplification


NTP Amplification


SSDP Amplification




Q1 2019





Q2 2019





Q3 2019





Q4 2019





Q1 2020






Aware of the threat posed by IoT devices, the Vietnam government is expected to create and tighten regulations to raise the security standards for IoT products; and educate its citizens on cybersecurity practices to close the security gap. Vietnam also needs to develop a cybersecurity talent pool to ensure the security standards of locally made IoT products and protect local networks from abuses and attacks.


For Vietnam’s communications service providers (CSPs), getting access to the right mix of people, processes and technology in order to withstand increasingly massive and complex DDoS attacks will be key to staying competitive. At Nexusguard,  we not only protect your network infrastructure but also enable you to profit from reselling our comprehensive DDoS mitigation services to customers looking for uptime protection.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.