Q2 2018 Threat Report
Distributed Denial of Service (DDoS)
Contents

Metrics  02
Quarterly Focus - IoT Botnet-generated Attacks Skyrocket  03
DDoS Activities
  Types of Attack Vectors  06
  Top 3 Attack Vectors  07
  Quantity of Attack Vectors  08
  Top 5 Multi-vector Attacks  09
  Attack Durations  10
  Attack Size Distribution  11
  Global Attack Source Distribution  12
  APAC Attack Source Distribution  13
  Reflective DDoS Attacks by Autonomous System Number (ASN)  14
Conclusions  15
Research & Methodology  16
Metrics

DDoS Attack YoY & QoQ Comparison, Q2 2018

Metric                  vs. Q2 2017 (YoY)   vs. Q1 2018 (QoQ)
Total DDoS Attacks      29.02%              25.14%
Maximum Attack Size     463.58%             12.21%
Average Attack Size     543.17%             65.54%
TCP SYN Attacks         51.29%              40.44%
UDP Attacks             66.28%              88.65%
Application Attacks     78.97%              70.91%
Amplification Attacks   183.27%             60.05%
Q2 2018 Overall: Maximum Size 359.00Gbps, Average Size 26.37Gbps

Quarterly Focus - IoT Botnet-generated Attacks Skyrocket
The IoT botnets are back! And as evidenced by the skyrocketing size of attacks in Q2, perpetrators have increasingly deployed them as powerful weapons. In the quarter we saw an increase in both the average and maximum size of attacks over Q4 2017, and our insecure cyberworld became a target-rich battlefield: the 2018 FIFA World Cup came under attack, while cryptocurrency-related businesses continued to be targeted. DDoS attacks inflicted on Verge Network (XVG), for instance, caused a whopping loss of 35 million XVG tokens worth more than $1.7 million.

In addition, severe botnet epidemics like last year's Satori continued to threaten cyberspace by exploiting zero-day vulnerabilities. Since its high-profile attack on Huawei home routers in December 2017, Satori has wreaked havoc over the past few months on various IoT devices, including GPON-capable routers manufactured by South Korea's Dasan, D-Link's DIR-620 routers, and XiongMai uc-httpd 1.0.0 IoT devices. The quarter also saw the emergence of the Anarchy botnet, which exploited zero-day vulnerabilities in a similar fashion to Satori. In all, the growing presence of IoT botnets is strongly suspected to be behind the skyrocketing growth in attack sizes seen in recent quarters. In Year-over-Year (YoY) and Quarter-over-Quarter (QoQ) comparisons, we saw a drastic uptrend in both the maximum and average size of attacks.
Table 1. QoQ and YoY Comparison of Attack Size Increases, Q2 2018

Attack Size   Q2 2018 vs. Q1 2018 (QoQ) Increase   Q2 2018 vs. Q2 2017 (YoY) Increase
Maximum       12.21%                               463.58%
Average       65.54%                               543.17%
The average size of attacks rose gradually between Q2 and Q4 2017, and then escalated rapidly in the first
two quarters of 2018. As for the maximum size, Nexusguard observed a very steep upslope between Q3
and Q4 2017, and a steady one from Q4 2017 to Q2 2018. Attacks recorded between Q4 2017 and Q2 2018
owed their rapidly growing size to TCP SYN. (Maximum-sized attacks in Q4 2017 consisted of TCP RST
Flood, HTTP GET Flood, SYN ACK Flood, UDP Flood, and TCP SYN Flood, while those in Q1 2018 consisted
of TCP RST Flood and TCP SYN Flood.)
Figure 1. Average Attack Sizes, Q2 2017-Q2 2018 (YoY) [chart: Average Size of Attacks (Gbps), axis 0-30, by quarter from 2017 Q2 to 2018 Q2]

Figure 2. Maximum Attack Sizes, Q2 2017-Q2 2018 (YoY) [chart: Max. Size of Attacks (Gbps), axis 0-400, by quarter from 2017 Q2 to 2018 Q2]
Table 2. Ratio of TCP SYN within Differently Sized Attacks, Q2 2018

Attack size                  Blended TCP SYN   Pure TCP SYN
Attacks Larger than 100Gbps  96.30%            74.07%
Attacks Larger than 200Gbps  100.00%           92.31%
Attacks Larger than 300Gbps  100.00%           100.00%
Delving into the details of sizeable attacks in Q2, we saw an overwhelming ratio of pure and blended TCP SYN attacks. Because botnets can mass-generate large attacks without amplification, it is clear that pure or blended TCP SYN attacks played a crucial role in boosting attack sizes in the quarter.

As for packet sizes, our observations showed them to be abnormally large, ranging between 887 and 936 bytes. A SYN packet is supposed to be simple and small when sent as the first step in establishing a three-way handshake. Since the rate of packets transmitted per second is subject to the inherent limitations of a given IoT device, increasing the quantity of packets will not generate a sizeable attack. However, perpetrators can orchestrate sizeable attacks by significantly increasing the size of individual packets.
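The oversized-SYN observation above lends itself to a simple packet-level check. The following is an added example, not code from the report or from Nexusguard: it parses raw IPv4/TCP packets, keeps only bare SYNs (SYN set, ACK clear), and counts per destination how many exceed a size threshold. The 100-byte threshold, the constructed packets and the addresses are all assumptions made for the example.

```python
import struct

# A bare SYN normally carries only a TCP header plus options, so its IP total length
# is a few dozen bytes; the 100-byte threshold is an assumption for this example.
OVERSIZED_SYN_BYTES = 100

def build_packet(src, dst, payload_len, flags):
    """Constructed IPv4/TCP packet for testing (not captured traffic)."""
    total_len = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + b"\x00" * payload_len

def parse_ipv4_tcp(pkt):
    """Return (src, dst, ip_total_len, tcp_flags), or None if not TCP."""
    if pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, total_len, pkt[ihl + 13]

def is_bare_syn(flags):
    """SYN set and ACK clear: the first step of the three-way handshake."""
    return bool(flags & 0x02) and not flags & 0x10

def syn_size_report(packets, threshold=OVERSIZED_SYN_BYTES):
    """Per destination: bare SYNs seen, how many exceed the threshold, largest size."""
    stats = {}
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None or not is_bare_syn(parsed[3]):
            continue
        src, dst, total_len, _ = parsed
        e = stats.setdefault(dst, {"syn": 0, "oversized": 0, "max_len": 0, "sources": set()})
        e["syn"] += 1
        e["sources"].add(src)
        e["max_len"] = max(e["max_len"], total_len)
        if total_len > threshold:
            e["oversized"] += 1
    return stats

def sample_report():
    """One normal SYN, one SYN-ACK (ignored) and five 920-byte SYNs from spoofed sources."""
    victim = "192.0.2.10"
    pkts = [build_packet("10.0.0.1", victim, 0, 0x02), build_packet("10.0.0.2", victim, 0, 0x12)]
    pkts += [build_packet(f"198.51.100.{i}", victim, 880, 0x02) for i in range(1, 6)]
    return syn_size_report(pkts)
```

A high bare-SYN rate to one destination where most SYNs are several hundred bytes, from many distinct sources, is the pattern the report describes; ordinary clients produce small SYNs.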
In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSPs). Serving as the link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing volume of traffic, irrespective of its source or destination. As a result, Internet service is degraded.
DDoS Activities

Types of Attack Vectors
In the quarter, UDP (3,407 attacks, 31.56% of total attacks), TCP SYN (1,997 attacks, 18.50%), and ICMP (1,006 attacks, 9.32%) took first, second, and third place, respectively. In terms of attack sizes, UDP ranged from 15.2Mbps to 290Gbps. With such widespread coverage and heavy adoption, UDP was the most commonly used attack vector in Q2.

TCP SYN attacks increased 40.44% QoQ, with attacks mostly ranging between 14.8Mbps and 359Gbps, and most large TCP SYN attacks were single-vector. ICMP attacks ranged from 72.9Mbps to 137.9Gbps. QoQ, both HTTP Flood and HTTPS Flood fell significantly, by 78.30% and 36.71% respectively.
Figure 3. Distribution of DDoS Attack Vectors, Q2 2018 [bar chart, share of attacks 0-30%; vectors charted: UDP Attack, TCP SYN Attack, ICMP Attack, NTP Amplification Attack, DNS Amplification Attack, TCP ACK Attack, IP Fragmentation Attack, UDP Fragmentation Attack, IP BOGONS, SSDP Amplification Attack, HTTP Flood, Memcached Attack, HTTPS Flood, TCP RST Attack, DNS Attack, CLDAP Reflection Attack, TCP Fragmentation Attack, CHARGEN Attack, SNMP Amplification Attack, SIP Flood]

Top 3 Attack Vectors
No.1 UDP Attacks: 31.56% (3,407 attacks)
UDP (User Datagram Protocol) attacks can quickly overwhelm the defenses of unsuspecting targets. Speed in detection and response is key to thwarting attackers using this volumetric strategy. UDP floods frequently serve as a smokescreen to mask other malicious activities, such as efforts to compromise personally identifiable information (PII) or to execute malware or remote code. The attacks flood ports with numerous UDP packets, causing the host to repeatedly check for applications listening on those ports. This process saps host resources and can ultimately make the host inaccessible.

No.2 TCP SYN Attacks: 18.50% (1,997 attacks)
TCP SYN (Transmission Control Protocol synchronize packet) attacks take place when voluminous SYN requests with spoofed IP addresses are sent to a target, triggering the targeted server to respond with SYN-ACK. Because the source addresses are spoofed, the SYN-ACK replies never reach a real client, and the ACK required to complete the three-way handshake never arrives. Consequently, the connections on the targeted server's available ports remain half-open, causing the server to malfunction.

No.3 ICMP Attacks: 9.32% (1,006 attacks)
ICMP (Internet Control Message Protocol) is a connectionless protocol that generates error messages to source IPs and is exploited by attackers to overwhelm targeted computers with ICMP echo requests. Flooded by request packets from spoofed IP addresses, targeted servers consume excessive amounts of bandwidth processing and replying to the request packets and thus become overloaded.
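The half-open connections described under TCP SYN attacks are visible on a Linux target in the kernel socket table. The following is an added example, not code from the report or from Nexusguard: it parses the /proc/net/tcp format (little-endian hex addresses, hex state code, where 03 is SYN_RECV) and flags local ports with many half-open sockets from many sources. The sample rows are constructed, not a real capture, and the alert threshold is an assumption.

```python
from collections import Counter

SYN_RECV = 0x03  # kernel TCP state code for a half-open (SYN received) socket

def decode_addr(field):
    """/proc/net/tcp addresses are little-endian hex IPv4 plus a hex port."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, remote_ip, state) for each socket row."""
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        local_ip, local_port = decode_addr(parts[1])
        remote_ip, _ = decode_addr(parts[2])
        yield local_ip, local_port, remote_ip, int(parts[3], 16)

def half_open_summary(text, warn_at=3):
    """Count SYN_RECV sockets per local port and the distinct remote sources behind
    them; a port at or above warn_at half-open entries is flagged (assumed threshold)."""
    count = Counter()
    sources = {}
    for _, port, remote, state in parse_proc_net_tcp(text):
        if state != SYN_RECV:
            continue
        count[port] += 1
        sources.setdefault(port, set()).add(remote)
    return {port: {"half_open": n, "sources": len(sources[port]), "flag": n >= warn_at}
            for port, n in count.items()}

# Constructed sample (not a real capture): three half-open sockets on port 80 from
# different spoofed sources, one established connection, and a listener on port 22.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A02000A:0050 016433C6:9C40 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   1: 0A02000A:0050 026433C6:9C41 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   2: 0A02000A:0050 036433C6:9C42 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   3: 0A02000A:0050 0100000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   4: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
"""
```

On a live host the same function can be run over the contents of /proc/net/tcp (and /proc/net/tcp6 after adapting the address width); the kernel's SYN-cookie setting (net.ipv4.tcp_syncookies) bounds how far this table grows under a flood.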
Quantity of Attack Vectors
Multi-vector attacks accounted for 47.97% of the total observed in the quarter, while single-vector attacks accounted for 52.03%. The maximum number of vectors seen in a single attack was six.
Figure 4. Distribution of Attack Vectors, Q2 2018 [bar chart: share of attacks (0-50%) by number of attack vectors, 1 to 6]

Multi-vector attacks: 47.97%
Single-vector attacks: 52.03%

Top 5 Multi-vector Attacks
UDP was utilized as a vector in each of the quarter's Top 5 blended, multi-vector attacks. Attacks leveraging UDP use the connectionless protocol to enlarge the attack size and boost its volumetric power with mass-generated botnet traffic.

The top multi-vector attack consisted of NTP Amplification and UDP. An NTP (Network Time Protocol) amplification factor of 556.9 (US-CERT) combined with the volumetric power of UDP enables very large attacks.

Number two comprised ICMP and UDP. ICMP attacks misuse the Internet Control Message Protocol, which is normally used for error reporting between devices. ICMP is commonly abused as a weapon whose source IP and packet size can be spoofed and crafted in a similar way to UDP. ICMP/UDP blended attacks are very effective at increasing the size of attacks.

The third multi-vector attack blended ICMP, NTP Amplification, and UDP. The three vectors combined their attack characteristics into one to deliver massively enlarged attacks.

Number four involved NTP Amplification and CLDAP Reflection. By abusing CLDAP (a connectionless variant of the Lightweight Directory Access Protocol that uses UDP for directory access), such attacks are similar to UDP-based, volumetric multi-vectors. NTP Amplification/CLDAP Reflection attacks have an amplification factor of 56 to 70, according to US-CERT.

In the fifth spot, TCP SYN and UDP combined to deliver a powerful, expansive punch. In our quarterly research, TCP SYN/UDP multi-vectors were responsible for many of the most sizeable attacks, particularly those larger than 100Gbps.
Table 3. Top 5 Multi-vector Attacks, Q2 2018

Ranking   Attack Vector 1     Attack Vector 2     Attack Vector 3     Distribution of Multi-vectors
1         NTP Amplification   UDP                 N/A                 17.06%
2         ICMP                UDP                 N/A                 9.41%
3         ICMP                UDP                 NTP Amplification   6.47%
4         CLDAP Reflection    UDP Fragmentation   N/A                 5.29%
5         TCP SYN             UDP                 N/A                 4.71%
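The NTP and CLDAP reflection vectors in the Top 5 share a victim-side signature: large UDP replies arriving from the service port (123 or 389) of many reflectors toward one destination. The following is an added example, not code from the report or from Nexusguard: it groups constructed flow records by destination, flags destinations fed by several reflectors, and uses the amplification factors the report cites (NTP 556.9, CLDAP 56-70, from US-CERT) to estimate the spoofed request volume behind the observed replies. The flow-record format, the addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Bandwidth amplification factors the report cites from US-CERT; the CLDAP upper
# bound is used so the attacker-side estimate is a lower bound.
REFLECTOR_PORTS = {123: "ntp", 389: "cldap"}
AMPLIFICATION = {"ntp": 556.9, "cldap": 70.0}

def parse_flow(line):
    """Parse a constructed flow record: 'proto src:port -> dst:port bytes packets'."""
    proto, src, _, dst, nbytes, npkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto.lower(), sip, int(sport), dip, int(dport), int(nbytes), int(npkts)

def reflection_summary(lines, min_bytes_per_pkt=300, min_reflectors=3):
    """Group large UDP replies sent from reflector service ports, keyed by destination,
    and keep destinations reached by at least min_reflectors distinct reflectors."""
    victims = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0})
    for line in lines:
        proto, sip, sport, dip, _, nbytes, npkts = parse_flow(line)
        if proto != "udp" or sport not in REFLECTOR_PORTS or npkts == 0:
            continue
        if nbytes / npkts < min_bytes_per_pkt:
            continue  # small replies look like an ordinary client exchange
        v = victims[dip]
        v["reflectors"].add(sip)
        v["services"].add(REFLECTOR_PORTS[sport])
        v["bytes"] += nbytes
    return {d: v for d, v in victims.items() if len(v["reflectors"]) >= min_reflectors}

def attacker_bytes_needed(entry):
    """Spoofed request bytes needed to produce the observed reply bytes, assuming the
    largest factor among the services seen (so this is a lower bound on attacker cost)."""
    factor = max(AMPLIFICATION[s] for s in entry["services"])
    return entry["bytes"] / factor

# Constructed flow records, not real telemetry: 203.0.113.5 receives large NTP and
# CLDAP replies from six reflectors; 10.0.0.7 is a normal NTP client (48-byte replies).
FLOWS = [
    "udp 192.0.2.1:123 -> 203.0.113.5:4567 48200 100",
    "udp 192.0.2.2:123 -> 203.0.113.5:4567 48200 100",
    "udp 192.0.2.3:123 -> 203.0.113.5:4567 48200 100",
    "udp 192.0.2.4:123 -> 203.0.113.5:4567 48200 100",
    "udp 198.51.100.9:389 -> 203.0.113.5:4567 300000 100",
    "udp 198.51.100.10:389 -> 203.0.113.5:4567 300000 100",
    "udp 192.0.2.1:123 -> 10.0.0.7:123 4800 100",
]
```

The same grouping run on a reflector's own egress flows (large replies leaving port 123 or 389 toward a single remote address) identifies hosts being abused as amplifiers.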
Attack Durations
Attacks lasting less than 90 minutes occupied 55.28% of the total, while those lasting longer accounted
for 44.72%. 4.62% lasted longer than 1,200 minutes. The average duration was 318.10 minutes, while the
longest attack lasted 6 days, 5 hours, and 22 minutes. Cyber perpetrators typically focus on the peak
operation hours of their targets to maximize the impact of their attacks and seek to complete their
attacks within 90 minutes.
Figure 5. Distribution of Attack Durations, Q2 2018 [bar chart: share of attacks (0-60%) by attack duration in minutes: <90 (55.28%), 90-240, 240-420, 420-720, 720-1200, 1200+]

Attack Size Distribution
Of total attacks, 64.13% were smaller than 10Gbps (35.87% were larger). The average size was 26.37Gbps and the maximum 359.00Gbps. Attacks smaller than 1Gbps made up 19.84%, while those ranging between 1Gbps and 10Gbps accounted for 44.29%.

A surge in attacks larger than 10Gbps significantly increased the average attack size in Q2 2018, both QoQ and YoY. Single-vector TCP SYN attacks, the quarter's primary culprit, were mostly responsible for boosting attack sizes.
Table 4. Comparison of Maximum and Average Attack Sizes, Q2 2018

Attack Size in Gbps   Q2 2018   Q1 2018   Q2 2017
Maximum               359.00    319.95    63.70
Average               26.37     15.93     4.10
Figure 6. Distribution of Attack Sizes, Q2 2018 [bar chart: share of attacks (0-50%) by attack size: <1G, >=1G and <10G, >=10G and <100G, >=100G and <200G, >=200G and <300G, >=300G; the largest attack in the quarter was 359.00 Gbps]

Global Attack Source Distribution
With more than one billion Internet users between them (nearly one-third of the worldwide total), the US
and China were the top two global attack source regions. France followed in the third spot, with Germany
and Russia rounding out the top five.
Table 5. Top 10 Global Attack Sources, Q2 2018

Regions                     Percentage
United States of America    20.00%
China                       16.27%
France                      7.25%
Germany                     4.16%
Russian Federation          4.15%
Brazil                      4.04%
Vietnam                     3.57%
United Kingdom              3.00%
South Korea                 2.95%
Italy                       2.58%
Others (137 regions)        32.03%
APAC Attack Source Distribution
China again led the way, while Vietnam — ranked seventh in the global attack source distribution —
followed in the second spot for APAC.
Table 6. Top 10 Sources for APAC Attacks, Q2 2018

Regions               Percentage
China                 54.56%
Vietnam               11.96%
India                 7.74%
Thailand              4.58%
Indonesia             4.29%
Taiwan                3.42%
Singapore             2.87%
Japan                 2.40%
Hong Kong             1.82%
Malaysia              1.56%
Others (13 regions)   4.80%
Reflective DDoS Attacks by Autonomous System Number (ASN)
The US, China, and France occupied the top three spots for ASNs by country of origin, closely mirroring
the global attack source distribution.
Table 7. Top 10 ASN Attack Rankings, Q2 2018

ASN      Network Name                                                                   Percentage
16276    OVH, FR                                                                        5.87%
14061    DIGITALOCEAN-ASN - DigitalOcean, LLC, US                                       5.70%
45090    CNNIC-TENCENT-NET - AP Shenzhen Tencent Computer Systems Company Limited, CN   3.90%
4134     CHINANET-BACKBONE No.31,Jin-rong Street, CN                                    3.15%
16509    AMAZON-02 - Amazon.com, Inc., US                                               3.14%
45899    VNPT-AS-VN - VNPT Corp, VN                                                     2.35%
4766     KIXS-AS-KR - Korea Telecom, KR                                                 1.53%
14618    AMAZON-AES - Amazon.com, Inc., US                                              1.43%
4837     CHINA169-BACKBONE CHINA UNICOM - China169 Backbone, CN                         1.35%
4808     CHINA169-BJ - China Unicom Beijing Province Network, CN                        1.34%
Others   1973 ASNs                                                                      70.24%
Conclusions
Nexusguard research data from Q2 2018 strongly supports the view that IoT botnets were largely responsible for the expansive DDoS attacks against networks and mission-critical services during the quarter. The dramatic rise in IoT botnet activity coincided with Satori malware exploits. Satori, a variant of the notorious Mirai malware, is designed to generate network-layer DDoS attacks, such as junk UDP, TCP SYN, and TCP ACK packets, by exploiting zero-day vulnerabilities in certain types of home routers. While such attacks can be launched from spoofed IP addresses that make it difficult to track down the attacker, our findings reinforce our belief that IoT botnets were the major driving force behind the surge in attack sizes in the second quarter.

YoY, the maximum size of DDoS attacks captured by our mitigation platform soared more than fourfold, while the average attack size rose more than fivefold. The fivefold increase in average attack size was fuelled by a dramatic rise in jumbo-sized TCP SYN floods.

Attackers remained largely focused on hit-and-run tactics, launching carefully timed attacks to strike during peak hours critical to their targets' revenue-generating objectives. More than half of attacks lasted less than 90 minutes, while the longest spanned more than six days.

In light of today's rampant growth of large-scale DDoS attacks, Communications Service Providers should take steps to enhance their preparedness to protect bandwidth, especially if their infrastructures are not built for full redundancy and failover.
Research & Methodology
As a global leader in Distributed Denial of Service (DDoS) attack mitigation, Nexusguard observes and collects real-time data on threats facing enterprise and service-provider networks worldwide. Threat intelligence is gathered via attack data, research, publicly available information, honeypots, ISPs, and logs recording traffic between attackers and their targets. The analysis conducted by our research team identifies vulnerabilities and measures attack trends worldwide to provide a comprehensive view of DDoS threats.

Attacks and hacking activities have a major impact on cybersecurity. Because of the comprehensive, global nature of our data sets and observations, Nexusguard is able to evaluate DDoS events in a manner that is not biased by any single set of customers or industries. Many zero-day threats are first seen on our global research network. These threats, among others, are summarized in the quarterly Threat Reports produced by Nexusguard's research team:

• Tony Miu, Research Direction & Security Data Analysis
• Ricky Yeung, Data Mining & Analysis
• Dominic Li, Data Analysis & Content Development
About Nexusguard
Founded in 2008, Nexusguard is a leading cloud-based distributed denial of service (DDoS) security solution provider fighting malicious internet attacks. Nexusguard ensures uninterrupted internet service, visibility, optimization and performance. Nexusguard is focused on developing and providing the best cybersecurity solution for every client across a range of industries with specific business and technical requirements. Nexusguard also enables communication service providers to deliver DDoS protection solutions as a service. Nexusguard delivers on its promise to provide you with peace of mind by countering threats and ensuring maximum uptime.
www.nexusguard.com
20180906-EN-A4
Copyright 2018 Nexusguard Limited. All rights reserved.