
DDoS & Cyber Security Insights

DECEMBER 2016

Analysis from the front lines in the battle against DDoS attacks

NEUSTAR SECURITY OPERATIONS CENTER EXCLUSIVE

Table of Contents

Introduction 03
2016 Attack Analysis 06
Multi-Vector 15
DNSSEC Update 18
Forensic Files - Profiles 19
2017 Predictive Insights 20
Summary 21

INTRODUCTION

2016: Unprecedented and Uncertain

In terms of Distributed Denial of Service (DDoS) activity, 2016 was a year like no other. More attacks, more ferocity, new code, and old exploits taking advantage of old vulnerabilities to create new havoc. Big brand websites went down and gaming networks were taken offline, stranding millions and choking revenue flows. A game phenomenon of chasing fictional characters took the world by storm only to be hit by a DDoS storm itself. Then came Mirai.

It was evident early on that bad actors had plenty of malicious intention this year. Right out of the gate, they got to work. Neustar saw a marked increase of direct customer mitigations in January 2016 – up 200% over January 2015. This was a harbinger of things to come. By the end of November, attack mitigations for direct customers were up 40% over the same period last year and new forces were unleashed that pushed mitigation activity even higher.

In addition to direct customer mitigations, Neustar provides infrastructure to help resolve and protect partner Internet Service Providers (ISPs) and hosting provider platforms. Combined with attacks against these targets, the Neustar mitigation platform handled and put down large volumes of attacks, even when compared to the high level of mitigation activity that occurred in a very active 2015.

In defending against attacks for customers and partners, the Neustar mitigation platform saw attacks of all sizes and types. The monthly attack peak sizes mitigated by the Neustar platform grew significantly through November. Average peak sizes for direct customer mitigations showed aggressive activity and revealed a diversity of attack methods.

[Chart: Number of DDoS Attack Mitigations, Jan-Nov YoY 2015 v. 2016]

TCP SYN floods and DNS-based amplification attacks continued to be very popular forms of attack, with many such attacks using Domain Name System Security Extensions (DNSSEC) domains. This extended a trend from 2015, in part because of the ease and practicality with which resources from DNSSEC domains could be used to create massive amplification attacks. While the DNS administrative community argued and engaged in a debate regarding the management of DNSSEC domains, attackers went about their business, using amplification factors that averaged 28x – with one domain peaking at 217x.

As Fall came into view, nasty assemblies of botnet-creating malware with command and control code were used to marshal activity from Internet of Things (IoT) resources. Bursting onto the scene, one of those forms of code called “Mirai” was used by attackers to bludgeon some of the world’s most prominent websites into serious disruption. As more botnets were built on compromised, poorly secured IoT devices, attacks witnessed in the industry broke the 1 Tbps barrier. The Mirai code used in these attacks made its way around the hacking community, even being published publicly, morphing as it went into even more diabolical strains. The end result was a seismic event in the fight against DDoS and its consideration as a legitimate security threat to organizations around the world.

For all of the attention and headlines paid to the predicted entrance of IoT devices into the DDoS fray, the dangers from the many other types of attacks risked being overshadowed from mainstream view. The insights provided in this report affirm that the dangerous risks from DDoS attacks did not shift, they expanded – the spectrum just got broader.

[Chart: 2016 Neustar Platform Mitigations – Peaks and Averages by Month (Gbps)]

IoT Botnets Come of Age as DDoS Weapons

The threat of IoT devices being compromised and used maliciously as part of DDoS botnets is not new. What was new in 2016 was the impact and sheer power of these attacks. Bashlight, Mirai, and Linux/IRCTelnet are all types of malware that use reconnaissance code to compromise device credentials and enroll them into botnets complete with command and control structures. Although Mirai is not the only botnet-creating malware out there (Linux/IRCTelnet was discovered recently), Mirai is currently one of the largest and most pervasive.

Unfortunately, the security and business communities are only at the beginning of this new wave of attack threats. As these code assemblies are published, shared, and experimented with, capabilities continue to increase, such as persistent device enrollment: the ability for botnet operators to keep devices included even when they are rebooted or operationally dormant.

The aggregate attack sizes seen in the industry have exceeded 1 Tbps in recent months. Analysis of attack data experienced by Neustar confirms that these assaults are comprised of numerous, simultaneous small attacks blended with periodic large attacks. In one instance, the smaller attacks averaged 6.5 Mbps each and were augmented by two massive attacks of 319 Gbps and 249 Gbps. These types of assaults use many vectors and create a virtual onslaught that can devastate the online presence of organizations.

2016 ATTACK ANALYSIS

A Year of Change in More Ways than One

While the sheer number of attacks increased, what made 2016 a notable year went beyond the types of attacks and their numbers. The new tactics and botnets unleashed a drastic increase in the quantity of multi-vector attacks. While overall attack mitigations through November 2016 were up 40% from 2015, multi-vector attack mitigations by Neustar in direct customer security operations saw an increase of 322%. Within those multi-vector attacks, certain combinations and attack strengths appeared to stand out, revealing attacker tendencies and use of practical methods to launch attacks.

Attackers were using more than one attack method at once in an attempt to confuse or evade defenders as well as supplement attack volume. A mitigation device that works well against one attack vector may be less effective against others - or at least that is the hope of the attacker.

Attack Analysis

Within the several major types of attacks, Neustar mitigated many vectors; the primary ones targeting direct customers are detailed below. The year saw continued use of particular attack types, with significant rises in TCP-based and DNS-based attacks. However, there were also drops in formerly active types of attacks, such as SSDP, which was down 78% from 2015. Below is how the major attack types stacked up through Q3/2016, followed by individual comparisons against the same period in 2015.

[Chart: Neustar Customer Mitigation Attack Vectors, 2016 Q1-Q3 – share of mitigations by vector (28%, 21%, 16%, 15%, 13%, 3%, 2%, 1%, 0.2%); vector labels not preserved]

TCP TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

Transmission Control Protocol Synchronize (TCP)

A steady and significant rise in these attacks, especially in multi-vector assaults, was mitigated. The danger of these attacks is revealed not in brute size, but in packets per second.

WHAT NEUSTAR SAW
52.5 Mpps peak size
39% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
TCP SYN attacks can be difficult to detect as they offer a false appearance of legitimate traffic and may often be seen in concert with other cyber activities such as malware activation.

DNS TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

Domain Name System (DNS)

DNS-based attacks soared in 2016 in part because attackers made more use of DNSSEC to generate massive amplification, resulting in high rates of packet fragmentation.

WHAT NEUSTAR SAW
64 Gbps peak size
48% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
DNS attacks offer attackers relatively easy and practical means to ramp up large attacks. DNS continues to show up in multi-vector attacks given the volumetric pressure they can bring.

UDP TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

User Datagram Protocol (UDP)

UDP volumetric attacks are a primary form of attack, and Neustar mitigations of UDP-based assaults increased notably over 2015. After a downward trend early in the year, the pace picked up by mid-year.

WHAT NEUSTAR SAW
156 Gbps peak size
72% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
UDP attacks can quickly overwhelm and challenge the defenses of unsuspecting targets. Speed in detection and effective action is key to denying attackers the objectives they seek in using this volumetric strategy. UDP frequently serves as a smokescreen to mask other malicious activities such as compromising personally identifiable information or execution of malware and remote code execution.

ICMP TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

Internet Control Message Protocol (ICMP)

Neustar protected customers from a large increase in ICMP attacks. Many of these attacks were encountered in multi-vector efforts that leveraged DNSSEC.

WHAT NEUSTAR SAW
64 Gbps peak size
63% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
ICMP attacks are easy to build and launch, but it’s their volumetric value in multi-vector attacks that can create serious challenges to targeted organizations if not quickly arrested.

SSDP TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

Simple Service Discovery Protocol (SSDP)

The downward trend of pure SSDP mitigations – which was first signaled in 2015 – continued in a steep decline through 2016. Better ISP defenses and more attention to patch management disciplines by organizations have helped stay the once-great onslaught of these attacks.

WHAT NEUSTAR SAW
31 Gbps peak size
5% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
SSDP attacks are used for quick, large attacks and use compromised equipment, typically poorly secured network devices such as home-based internet routers. Left unchecked, these easy-to-build attacks can cause serious havoc.

NTP TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

Network Time Protocol (NTP)

Neustar continues to see and mitigate NTP-based attacks. It is notable, however, that despite showing up in a fraction of all multi-vector attacks, nearly all NTP attacks mitigated were part of multi-vector strikes.

WHAT NEUSTAR SAW
29 Gbps peak size
12% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
NTP can be used to build sizable, unrelenting attacks that, through amplification, can seriously impact network availability – especially in multi-vector attacks. NTP can be a difficult attack to stop if not properly detected and diagnosed.

OTHER TYPES OF ATTACKS
2016 v. 2015 Q1-Q3

Other

These attacks include IP Private, Chargen, SNMP, HTTP, and other less common types of attacks. Off the beaten path, these strains can be tricky for organizations to recognize. As with the NTP attack mitigations, all but a handful of these attacks were part of multi-vector combinations.

WHAT NEUSTAR SAW
10 Gbps peak size
7% part of multi-vector attacks

WHAT MAKES THEM DANGEROUS
These attacks have unique characteristics, making them difficult to detect without expertise. Attackers also revived older style attacks, such as TCP reflection, which was popular years ago, to create uncommon mixes and unfamiliar views.

MULTI-VECTOR

Multi-Vector Attack Analysis

In 2016, Neustar mitigated more multi-vector attacks in a greater variety of combinations than in 2015. As Mirai came onto the scene, a startling change from attack mixtures to numerous, repetitive attacks from tens of thousands of compromised devices took hold but did not diminish the quantity or the intensity of multi-vector attacks. In what may be on its way to becoming standard practice, multi-vector attacks became much more frequent as the year progressed.

Analyzing the data from Q1 through Q3, trends were revealed that showed a ramping of attacks as 2016 progressed. With the advent of attackers using Mirai-based code, or variants thereof, multi-vector quickly became a prevalent practice of attack.

KEY STATISTICS

- 52% of mitigated attacks involved the use of multiple attack vectors – more than double that of 2015

- 99% of all SSDP and NTP attacks were engaged in multi-vector waves, reflecting volumetric pressures as part of complex attacks

- 35% of multi-vector attacks were the combination of UDP, ICMP, DNS, and IP Fragmentation, with indications of attackers leveraging DNSSEC

- 47% of TCP-based attacks were part of multi-vector initiatives that included peak sizes of 52 million packets per second

- 43% of all multi-vector attacks used at least 4 vectors, with some that used as many as 7

Multi-vector attacks took the form of an emerging standard practice, as attackers appeared to test and unleash DDoS arsenals. Through the first three quarters of 2016, multi-vector attacks were well on the rise, as were encounters with new attack strains, including IoT botnets.

[Chart: Multi-Vector Attacks by Quarter, 2016 v. 2015 Q1-Q3]

[Chart: Multi-Vector Attacks by Month, 2016 v. 2015 Q1-Q3]

Comparing the period Q1-Q3/2016 against the same period in 2015, Neustar experienced peak multi-vector attack sizes much greater than last year. In fact, the average size of maximum monthly peak sizes was more than double the largest monthly attack averages in 2015. This reflects, in part, a higher potency of attack strength mustered by powerful vector combinations and new attack methods involving IoT botnets.

[Chart: 2015 v. 2016 Neustar Platform Mitigations – Multi-Vector Peaks by Month (Gbps), YoY Q1-Q3]

DNSSEC UPDATE

DNSSEC – An Update On a Problem That Is Not Going Away

DNSSEC has resulted in the exchange of more credible Internet information; however, the additional data included in such exchanges is leveraged by malicious actors to quickly and efficiently create large DDoS attacks. While DNS has been leveraged as an attack vector for many years, recently a large number of DNS reflection and amplification attacks have widely been attributed to DNSSEC.

In 2016, Neustar compiled the information below by issuing four separate queries against 1,349 DNSSEC domains using a small 80-byte ANY query. This was done to measure amplification factors and quantify the potential for misuse.

RESEARCH STATS

28.9x – the average amplification factor for a DNSSEC signed zone
17,377 bytes – the largest amplification response across all domains
2,313 bytes – the average response “return on investment” for an 80-byte query

The data summarized reflects why DNSSEC is showing more favor as a DDoS attack vector. Attackers can rapidly establish and launch an attack force with greater efficiency. From these findings, Neustar recognizes that:

- For the average company with a modest DDoS defense, a DNSSEC-based flood attack could knock the website offline

- DNSSEC attacks can also serve as smokescreens, or distractions to hide the hacker’s real intent to insert malware or mask the exfiltration of sensitive information

- In multi-vector combinations, DNSSEC remains a popular option by attackers to pose serious challenges to organizations of all types

Refer to report for full use case
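The DNSSEC measurements above and the multi-vector statistics of the previous section, worked through in an added Python example that is not part of the report: it labels constructed flow records with the vector names the report uses, counts distinct vectors per time window, and computes amplification the way the report does, as response bytes over the 80-byte query. The sample records and the port-to-vector mapping are assumptions made for this example; the report's own figures check out against that arithmetic, with 2,313 bytes giving 28.9x and 17,377 bytes giving 217x.

```python
"""Added example (not the report's own code): label constructed flow
records with the vector names the report uses, count distinct vectors per
time window, and compute DNS amplification as the report does (response
bytes divided by its 80-byte ANY query)."""
from collections import defaultdict

QUERY_BYTES = 80  # size of the ANY query used in the report's measurements

# Constructed records, not captured traffic:
# (time_s, proto, src_port, dst_port, tcp_flags, is_fragment, size_bytes)
FLOWS = [
    (0, "udp", 53, 40001, "", False, 2313),      # DNSSEC-sized reply, never requested
    (1, "udp", None, None, "", True, 1480),      # non-first IP fragment of a big reply
    (2, "icmp", None, None, "", False, 1500),    # ICMP flood packet
    (3, "udp", 123, 40002, "", False, 468),      # NTP reflection
    (4, "tcp", 443, 40003, "S", False, 60),      # SYN flood packet
    (70, "udp", 53, 40004, "", False, 17377),    # largest DNS reply in the sample
    (75, "udp", 1900, 40005, "", False, 300),    # SSDP reflection
    (80, "tcp", 80, 40006, "SA", False, 60),     # SYN-ACK: normal handshake, not a vector
]

# Reflected replies arrive with the abused service's port as *source* port
# (assumed mapping for this example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "Chargen"}

def classify_vector(flow):
    """Return the vector label for one record, or None if it looks benign."""
    _, proto, sport, _dport, flags, frag, _size = flow
    if frag:
        return "IP Fragmentation"  # non-first fragments carry no L4 header
    if proto == "icmp":
        return "ICMP"
    if proto == "udp":
        return REFLECTOR_PORTS.get(sport, "UDP")
    if proto == "tcp":
        return "TCP SYN" if flags == "S" else None
    return None

def vectors_per_window(flows, window_s=60):
    """Distinct vectors seen in each window, keyed by window index."""
    buckets = defaultdict(set)
    for flow in flows:
        label = classify_vector(flow)
        if label:
            buckets[flow[0] // window_s].add(label)
    return dict(buckets)

def is_multi_vector(vectors, min_vectors=2):
    """Two or more vectors make an attack multi-vector; the report notes
    that 43% of multi-vector attacks used four or more."""
    return len(vectors) >= min_vectors

def amplification_factor(response_bytes, query_bytes=QUERY_BYTES):
    """Bytes returned per byte sent, rounded as the report presents it."""
    return round(response_bytes / query_bytes, 1)

def dns_amplification(flows):
    """Average and peak amplification of inbound DNS replies, or None."""
    sizes = [flow[6] for flow in flows if classify_vector(flow) == "DNS"]
    if not sizes:
        return None
    return {"avg_factor": amplification_factor(sum(sizes) / len(sizes)),
            "peak_factor": amplification_factor(max(sizes))}

if __name__ == "__main__":
    for idx, vectors in sorted(vectors_per_window(FLOWS).items()):
        flag = "MULTI-VECTOR" if is_multi_vector(vectors) else "single"
        print(f"window {idx}: {flag} {sorted(vectors)}")
    print("DNS amplification:", dns_amplification(FLOWS))
```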

FORENSIC FILES - PROFILES

From the DDoS Forensic Files

As is the case in any crime, there are telltale signs that can be used to highlight the perpetrator’s attack sophistication and behavior. Understanding the type of attacker whom you are up against is an important element in executing effective defenses. Neustar is well seasoned with techniques and characteristics that help identify the maturity of the attacker, and even stay a couple of steps ahead by anticipating their next moves.

Here are a few differentiating factors between the novice and the seasoned attacker:

Novice vs. Veteran

Volume
  Novice: Less volume since it usually costs more
  Veteran: Knows how to access a larger network to launch larger attacks

Complexity
  Novice: Standard attack types with little variation; tends to attack one vector at a time, experimenting with published Mirai code
  Veteran: Deploys complex, multi-vector attacks either in waves or all at once

Preferred Vector
  Novice: DNS and NTP reflection; basic SYN flood
  Veteran: Intricate TCP floods, DNS using DNSSEC, GRE floods

Variation
  Novice: None
  Veteran: Will change vectors if first attempts are stymied

Calling Card
  Novice: Tells friends
  Veteran: Takes to social media (mainly Twitter) to take credit for attacks

INSIGHTS

2017 Predictive Insights

Pivoting from 2016, there are some well-grounded observations and experiences that indicate what can be expected as we look into 2017. Clearly, attacks are expected to maintain a high threat tempo with which organizations of all types must contend.

There will be many catalysts in 2017 to inspire attackers and many manufactured excuses to act. Cyber attackers saw serious returns in 2016 and there is no reason to expect them to change from performing in the interests of their own agendas. The foreseeable road ahead, with a toxic combination of events and technologies to exploit, with money to be made and stolen, and with reputations to be built in the hacking community, will compel organizations to take more decisive action.

TOP INSIGHTS THAT NEUSTAR EXPECTS IN THE COMING YEAR

1. Mirai was just the beginning

As now-published code that has already morphed from its initial incarnation, new strains and code variants will only increase attack size, complexity, and ferocity in 2017. Mirai-type attacks, those that reconnoiter and test credentials as part of an effort to compromise and enroll devices in botnet arsenals, will significantly shape DDoS attack strategies and experiences. As defenses continue to adapt and mitigate Mirai-based attacks, there will be a substantial ebb and flow in online combat as attackers and defenders work to one-up each other.

2. Conventional DDoS attacks continue to pose a significant threat

Multi-vector attacks are more prevalent as attackers demonstrate a trend of using botnets and techniques to better test and exercise their arsenals. From January 1 through November of 2016, 48% of the identified attacks that Neustar mitigated used multiple vectors. As the world focuses on Mirai, the quiet, targeted attacks will remain constant, steady, and dangerous.

3. New threats will be realized in 2017

The ubiquity of IoT technology and its exploitation is just one area in which attackers became more emboldened in 2016, as their actions resulted in highly publicized outages. The effectiveness of ransomware, phishing, and malware all reveal many inroads to create lucrative chaos in organizations. Next year will produce unlimited opportunity and potential for bad actors to achieve objectives that include theft, disruption, extortion, and impact.

SUMMARY

3 Key Takeaways from This Report

1. Big is just a part of bad

Monstrous Mirai-based attacks are the latest addition to a long line of tactics and means by which DDoS attackers can cause problems, but the serious threats of other attacks remain. Different attackers have different objectives and not all involve cataclysmic volumetric assaults. With Neustar research of more than 2,000 organizations around the world revealing that nearly 1 in every 2 attacked experienced a breach, organizations must take all threats into account and not guide defense strategies against just one.

2. Defend your DNS

It is an unfortunate fact that DNS systems continue to be targeted and, in some notable cases, taken offline. DNS disruption remains one of the ripe objectives sought by those seeking to harm organizations or build notoriety for themselves. The evidence and the operational information from Neustar affirm that DDoS protection for DNS must be addressed in establishing effective defense strategies.

3. More complex attacks

The significant rise in multi-vector attacks reflects a practice that is quickly becoming standard for serious attackers. Leveraging the Mirai code and its variants, as well as the continued use of DNSSEC as an active attack vector, shows a proclivity to exercise DDoS arsenals. With many more options and a tremendous unlocking of attack strength now available, the challenge may no longer be simply to fend off one attack; organizations can expect to be forced to fend off multiple attacks during the same assault.

About Neustar.

Every day, the world generates roughly 2.5 quadrillion bits of data. Neustar (NYSE: NSR) isolates certain elements and analyzes, simplifies and edits them to make precise and valuable decisions that drive results. As one of the few companies capable of knowing with certainty who is on the other end of every interaction, we’re trusted by the world’s great brands to make critical decisions some 20 billion times a day. We help marketers send timely and relevant messages to the right people. Because we can authoritatively tell a client exactly who is calling or connecting with them, we make critical real-time responses possible. And the same comprehensive information that enables our clients to direct and manage orders also stops attackers. We know when someone isn’t who they claim to be, which helps stop fraud and denial of service before they’re a problem. Because we’re also an experienced manager of some of the world’s most complex databases, we help clients control their online identity, registering and protecting their domain name, and routing traffic to the correct network address. By linking the most essential information with the people who depend on it, we provide more than 12,000 clients worldwide with decisions—not just data.

More information is available at www.neustar.biz

©2016 Neustar, Inc. All rights reserved. All logos, trademarks, servicemarks, registered trademarks, and/or registered servicemarks are owned by Neustar, Inc. All other logos, trademarks, servicemarks, registered trademarks, and registered servicemarks are the property of their respective owners.

RPRT-SOC-54354-12.12.2016