DDoS data report 2017

The rise of cunning DDoS attacks

Nationale Beheersorganisatie Internet Providers | DDoS data report 2017

Colophon

Summary

DDoS attacks are often called large and complex. However, in 2017, DDoS attacks did not increase in size. This research shows not only that these attacks are actually becoming smaller, but also that they are being carried out much more efficiently. This report also shows the rise of combined attacks, so-called multivector attacks.

The NBIP DDoS data report 2017 is published by the Dutch National Internet Providers Management Organisation (Nationale Beheersorganisatie Internet Providers - NBIP).

Publication date: May 2018

Editor-in-chief: Octavia de Weerdt (NBIP)

Editor: Gerald Schaapman (NBIP)

Contributions: Bureau NBIP

Final editing: Lorenz van Gool (Splend)

Marketing and artwork: Michiel Cazemier (Splend), Lorenz van Gool (Splend)

Form: This report is made in the PDF format

© 2018


Table of contents

Preface (p. 4)

Introduction (p. 6)

The impact of a DDoS attack (p. 7)

Research method (p. 9)
  Data collection (p. 9)
  Accountability (p. 9)

Research results (p. 10)
  Number of DDoS attacks (p. 10)
  Types of DDoS attacks (p. 13)

Conclusion (p. 15)
  Effective attacks (p. 15)
  The rise of multivector attacks (p. 15)
  Recommendations (p. 15)
  Expectations for 2018 (p. 16)

Appendix: DDoS attack types (p. 17)
  Main categories (p. 17)
  Amplification (p. 17)
  Floods (p. 18)

About NBIP (p. 19)

Preface

This is the first externally published report by the foundation ‘Nationale Beheersorganisatie Internet Providers’ (NBIP) with figures and trends on the DDoS attacks mitigated by the NaWas (Nationale Wasstraat). This scrubbing center was established in 2013 and has been fully operational since 2014.

In addition to internal reporting to participants of the NaWas, in previous years the NBIP made figures on DDoS attacks available to the National Cyber Security Centre (NCSC) for its annual Cyber Security Assessment of the Netherlands. This year, in addition to making the figures available to the NCSC, we have decided to publish our own report and study as well.

At the time of the publication of this report (May 2018), the term ‘DDoS attack’ has become established among the general public, as they were directly confronted with its consequences at the beginning of this year. At the NaWas we experienced these days as ‘business as usual’.

This report describes the figures and trends we have seen in 2017. The figures and trends we have collected since the NaWas came into existence are also worth mentioning:

• Since 2014, we have repelled 2150 DDoS attacks;

• There has not been a single attack that could not be repelled;

• In 2014, there was an average of one DDoS attack every two days; in 2017, more than two attacks per day;

• We are not even at one fifth of the Gbps capacity;

• In 2017 we already saw the emergence of the now known memcached attacks.


So there are plenty of reasons to be proud. The NaWas is truly unique in its role, performance and design. We are especially grateful for all the participants who made this possible. For a board that has propagated their vision and is passionate about a unique concept. For the team that has brought the NaWas to operational success - people who deploy their knowledge and skills every day.

Together we are smarter and stronger. We believe in this and we will continue to believe in it. Because every participant is a link in the chain that contributes to a safe digital infrastructure in Europe.

Sincerely,

Octavia de Weerdt
Director NBIP


Introduction

At the beginning of this year, several DDoS attacks dominated Dutch headlines. They were aimed at banks, the Tax and Customs Administration and other ‘chosen’ websites. This has woken up the Netherlands to the dangers and consequences of inadequate IT security. It turned out to be very easy to carry out these disruptive attacks. The 18-year-old perpetrator could easily buy the attacks online. His motivation for these attacks was “because it’s funny”.

Most DDoS attacks do not make the headlines. Every year the NBIP detects many hundreds of attacks that, for the general public, happen under the radar. These attacks generally have a more harmful motive and are carried out with a growing amount of resources and expertise.

NBIP has collected and analysed data from DDoS attacks in 2017. It turned out to be a special year, because the Netherlands was one of the top 10 countries in the world that had been most attacked that year.

It is therefore important to get a clear picture of how these attacks work exactly, what their impact is and how to prevent damage from a DDoS attack.

This will be discussed in the next chapter. In chapter 3 we explain exactly how this report came about - a justification of our research method. What follows are the results in clear graphs, and an explanation of these data in chapter 4. Finally, we will make recommendations based on these research results.


The impact of a DDoS attack

In order to understand the impact of a DDoS attack, it is necessary to know exactly how such an attack works, what can happen during and after a DDoS attack and how to counter it.

How does a DDoS attack work?

What is a DDoS attack? DDoS stands for Distributed Denial of Service. In order to carry out a DDoS attack, the attacker infects a large number of computers or other Internet-connected devices, for example with malware or via e-mail attachments. This creates a ‘botnet’, a network of infected devices. This network is then instructed to send data to the target server in order to overload it. If the server can no longer handle the traffic and users can no longer access it, the attack is successful.

That sounds very simple, and unfortunately it is. A DDoS attack can be carried out with little technical knowledge. DDoS attacks can be bought on special websites (there are thousands of them), and not only on the dark web. It is also possible to create an attack with relatively little knowledge: manuals to set up one’s own botnet are easy to find.

Why are DDoS attacks so popular?

This is one of the reasons why a DDoS attack is still the most obvious way to disrupt a website or online services. But there is more to it than that. A number of factors maintain the ease and attractiveness of this type of attack.

First, the increasing number of DDoS services in the cloud makes attacking easier. Hosting is cheap and there is more and more bandwidth available. Buying rogue services on the internet is therefore becoming easier and easier. These services are purchased via so-called ‘stressers’ or ‘booters’. The vast majority of DDoS attacks come via such an intermediary.

Booters also benefit from attractive business models aimed at quick profits. Attacks purchased via booters are not even very advanced, and that is not in the interest of the booter service provider either. Because these people want to make money as quickly as possible with as little effort as possible, booters disappear just as quickly as they appear.

In addition, the Internet of Things (IoT) is a development that should not be underestimated, as it sustains the frequency and simplicity of DDoS attacks. More and more devices are connected to the Internet. From baby cameras to toasters: many have wifi and in the future there will only be more.


These are often devices with poor (or no) standard security, so IoT devices are an easy target to serve as pawns in a botnet. Gartner estimates that more than 20 billion such devices will be in circulation in the year 2020.

Consequences of a DDoS attack

The consequences of a DDoS attack are diverse. From minor irritation to major disruptions, anything is possible. One person can be very bothered by an attack (his or her personal blog, for example, is down), or a large part of the population (internet banking does not work).

An attack in winter on a computer system that controls the heating in a Finnish apartment building shows that the consequences can even be life-threatening.

It is a fact that a targeted DDoS attack can cause financial damage. However, it is difficult to say exactly what this phenomenon means for the Dutch economy as a whole. In the meantime, the NBIP has started a study together with SIDN to measure the economic impact of the attacks analysed and described in this report.

Methods of DDoS mitigation

Various types of measures can be taken against DDoS attacks. These range from extreme and rigorous to refined and subtle.

“Blackholing”, routing all traffic for the target into a ‘black hole’, is a rather extreme method of DDoS mitigation. In order to avert a DDoS attack, no traffic at all is allowed through, which means that nobody can visit the website.

A somewhat more subtle form of mitigation is geographical IP blocking, where all traffic from outside a certain geographical region is blocked in full. This is reasonably effective, but also rigorous, since many legitimate visitors are still excluded.

The concept of a “scrubbing center” is currently one of the most sophisticated and intelligent ways of mitigation. The traffic, including the malicious traffic, passes through anti-DDoS equipment, after which it is sent back ‘clean’ (scrubbing).


Research method

This chapter discusses the research method: which data collection methods were used, which data were analysed, and why certain research choices were made.

Data collection

In the previous chapter, the principle of a ‘scrubbing center’, as applied in the NaWas, was explained. NBIP has a recording system that stores all types of DDoS attacks that have occurred against NaWas participants. The registration of a type of DDoS attack in that recording system is procedurally documented within the operational team of the NaWas. Data was then selected from this registration system for reporting purposes.

The data originated from attacks on participants of the NaWas. It should be noted that not every participant had to deal with a DDoS attack. Due to security and privacy measures for these participants and NBIP’s contractual obligation towards its participants, it has not been disclosed how often a particular ISP has been attacked or even which ones have been attacked.

Data from participants in the NaWas were analysed for this study. At the end of 2016, the number of participants was 53. At the end of 2017, the data of 56 participants were analysed.

These participants consist largely of internet service providers (ISPs). In this study, ISP refers to a company or organisation that offers online services and/or access to the internet to its customers. In the case of the participants in the NaWas, these are mainly companies that offer cloud and hosting services. There are about 1500 such companies in the Netherlands (as researched by The METISfiles).

Of course, participants of the NaWas are not limited to ISPs. There are also a number of large organisations that participate, such as banks and insurers. Participants can be small as well as large. The number of investigated DDoS attacks on these participants cannot say anything directly about the entire Dutch sector. However, this research does provide necessary insight into the world of DDoS attacks. The study that the NBIP is conducting together with SIDN to determine the economic impact of these attacks, for instance, also investigates exactly how many web servers have been protected.

Accountability

This study shows figures and results for the year 2017. In some cases, figures from the previous year were also included for comparison in order to clearly show trends and developments.

For this study, it was decided to measure the size of the attacks in Gbps (gigabit per second).

An explanation of the terms and types of attacks is included in an appendix. This report assumes readers with some knowledge of the subject.

In a few graphs it was decided to present a top 10 instead of a complete overview, for the sake of clarity and to make the results as clear as possible for the reader.


Research results

First of all, the number, size and duration of DDoS attacks (2016/2017) have been analysed. Subsequently, the types of DDoS attacks that occurred in 2017 were analysed.

Number of DDoS attacks

In 2016, NBIP recorded 680 DDoS attacks - about 1.9 per day. In 2017, this number rose to 826 (approximately 2.3 attacks per day), an increase of 21.5%. This increase took place despite only a modest growth of three new participants of the NaWas (to 56 participants in 2017).

In the months of February, July and August, the number of DDoS attacks was lower than in the rest of the year. Most attacks took place in October. Whereas the decrease in July and August can be explained (to some extent) by the summer period, no clear reason for the peak in October was found.

Size of a DDoS attack

The size of a DDoS attack is measured in Gbps (gigabit per second).

Most of the attacks (437) had a size of between 1 and 10 Gbps. There were 294 attacks of less than 1 Gbps and 95 (71 + 24) attacks of 10 Gbps or more.

Number of attacks per month by size (2017):

Month      < 1 Gbps   1-10 Gbps   10-20 Gbps   20-40 Gbps   > 40 Gbps   Total
Jan-2017         12          53            4            1           0      70
Feb-2017         11          16            6            4           0      37
Mar-2017         34          37            9            3           0      83
Apr-2017         20          29            8            0           0      57
May-2017         22          58            7            2           0      89
Jun-2017         34          41            8            1           0      84
Jul-2017         17          17            2            0           0      36
Aug-2017         12          16            2            1           0      31
Sep-2017         14          33            6            1           0      54
Oct-2017         44          50            9            6           0     109
Nov-2017         34          31            5            4           0      74
Dec-2017         40          56            5            1           0     102
Total           294         437           71           24           0     826


The reason why a category of 40 Gbps or more is shown for 2017, even though no such attack was measured that year, is that a number of large attacks took place in 2016. In 2016, NBIP detected a DDoS attack of 53 Gbps. In 2017, the largest DDoS attack was ‘only’ 36 Gbps. See the chart below.

What immediately stands out is that attacks in 2016 were overall bigger in size (more Gbps) than in 2017.

[Chart: 2016 - 2017 top 10 Gbps. The ten largest attacks of each year, ranked 1 to 10; vertical axis 0 to 60 Gbps; series 2016-gbps and 2017-gbps.]

Since its start in 2013, NBIP has repelled every DDoS attack. There were more than 2150 of them.


Duration of a DDoS attack

In 2017, the majority of attacks lasted no longer than an hour.

Number of attacks per month by duration (2017):

Month      < 15 min   15-60 min   1-4 hours   > 4 hours   Total
Jan-2017         29          29           7           5      70
Feb-2017         18           9           7           3      37
Mar-2017         34          23          21           5      83
Apr-2017         28          24           4           1      57
May-2017         46          28          14           1      89
Jun-2017         36          36           9           3      84
Jul-2017         12          14           8           2      36
Aug-2017         12          12           7           0      31
Sep-2017         15          31           8           0      54
Oct-2017         18          58          32           1     109
Nov-2017         18          34          17           5      74
Dec-2017         43          42          15           2     102
Total           309         340         149          28     826

Only 28 DDoS attacks lasted longer than 4 hours. A sharp contrast with 2016, as the top 10 by duration in the graph below shows.

[Chart: 2016 - 2017 top 10 duration (min). The ten longest attacks of each year, ranked 1 to 10; vertical axis 0 to 8000 minutes; series 2016-duration (min) and 2017-duration (min).]

The duration of the DDoS attacks in 2016 was significantly longer if we look at the top 10. In 2016, there were a number of attacks that lasted several days (almost 8000 minutes). In 2017, this kind of multi-day attack no longer occurred. The longest attack in that year lasted 23 hours.

Types of DDoS attacks

It may be easy to carry out a DDoS attack, but one must realise that there is not just one type of DDoS attack. On the contrary, there are dozens of types of DDoS attacks and ways in which a DDoS attack is created and/or causes disruption to the target.

Main groups

Within the measured DDoS attacks, a distinction is made between three main groups: UDP amplification, TCP flood and UDP flood.

More than half of the attacks are so-called UDP amplifications. Nearly 30 percent of the attacks are TCP floods and the rest (14 percent) are UDP floods.

[Chart: DDoS type main groups. UDP amplification 58%, TCP flood 28%, UDP flood 14%.]

[Chart: UDP amplification DDoS types. DNS 55%; the other legend entries are NTP, LDAP, Chargen, Netbios, SSDP, RIPv1, RPC port and SNMP, with shares of 16%, 12%, 7%, 4%, 3%, 1%, 1% and 1%.]

Within UDP amplifications, there is a wide variety of attacks, as shown in the above graph.

DNS amplification is by far the leading type of UDP amplification, with a 55 percent share in 2017. DNS amplification is a relatively simple attack in which an unprotected or outdated DNS (domain name system) server is abused.

NaWas is not even at one fifth of its Gbps capacity.


DDoS type top 10

Most occurring DDoS attack types of 2017:

DNS amplification        33.56%
TCP/ACK flood            11.46%
Chargen amplification     9.95%
NTP amplification         9.88%
TCP/RST flood             7.54%
UDP flood                 7.16%
ICMP                      4.22%
TCP/SYN/ACK               2.34%
TCP/SYN flood             2.11%
LDAP amplification        1.73%

As expected, DNS amplification is the most common type of attack: it is and remains the simplest (and therefore the most popular) way to carry out DDoS attacks.

Next to that, this table shows that there are a lot of attacks in which several types of DDoS are used. More than 23 percent of the attacks in the top 10 were multivector attacks. This is a big and ‘simple’ attack type in combination with a small, more advanced type of attack. In 2016, far fewer attacks of this kind were noticed.


Conclusion

Based on the research results, NBIP sees two major trends. In addition, two recommendations are made, followed by two expectations for 2018.

Effective attacks

First, the DDoS attacks seen in 2017 were smaller than those of the previous year. Not only was less traffic (Gbps) sent to servers, the attacks also took less time. From this we conclude that more effective attacks are on the rise: an attack just above the capacity of the server is more efficient than a very large DDoS attack. Such smaller attacks are also less likely to be noticed immediately by an ISP.

This conclusion is almost at odds with what regularly appears in the media, which reports that DDoS attacks are becoming more complex and larger. However, the media seldom indicate what is meant by ‘more complex’ and ‘larger’, and it seems as if these two labels have been combined just for the sake of convenience.

The results of this report show that attacks are actually decreasing in size. In addition, major attacks (between 20 and 60 Gbps) are often not complex at all, but very simple.

Complex attacks are usually attacks that combine multiple vectors, and these are becoming smaller over time. It is much more difficult to mitigate an attack of 100 Mbps made up of 10 different types than a single attack of 100 Gbps. By this definition, DDoS attacks have indeed become more complex in 2017.

The rise of multivector attacks

The second major trend is the rise of multivector attacks: attacks that are ‘cleverly’ put together. A small, more advanced type of DDoS attack is combined with a larger, simpler attack. This also supports the first trend, namely that attacks were carried out more efficiently and professionally in 2017.

Recommendations

Given the increase in complex and cunning attacks, a good mitigation solution is no easy task. An all-in-one integrated hardware solution is no longer sufficient: good mitigation today is a combination of hardware, software and knowledge.

Based on the research results, NBIP first of all advises investing in good detection and combining it with a scrubbing center (such as the NaWas). The detection solution must be able to monitor traffic properly, categorise the various types of DDoS attacks and report correctly. Detection in combination with a scrubbing center works many times better than having your own anti-DDoS hardware. Such hardware may still be a suitable solution for first-line protection with overflow to a scrubbing center, but good detection remains a must. Parties must have sufficient capacity available to cope with exceptional attacks, both in terms of size and complexity.

In order to achieve such a system of DDoS detection and mitigation, cooperation is needed. The NaWas is an example of this. By working together, a unique solution becomes available, also for providers who are unable to invest in suitable measures themselves.

The next logical step is to share the knowledge that has been built up through this cooperation. One of the ways in which this is achieved is by publishing this report.


The more information is built up, for example about DDoS patterns, the better the system is in detecting and mitigating attacks quickly. NBIP therefore believes in a specialized anti-DDoS party, rather than a party that does not see anti-DDoS as a core activity.
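As an added illustration of what the detection solution recommended above has to do, the Python below (example code written for this edit, not NBIP or NaWas software) files attack records into the vector names, main groups, size bins and duration bins this report uses and flags multivector attacks. It assumes simplified flow summaries as input, recognises amplification vectors by the well-known UDP source port of the abused service (the appendix itself names only ports 389 and 111), assigns an attack to a main group by its largest flow, and adds an "other" group for ICMP that the report does not have.

```python
from collections import Counter
from dataclasses import dataclass, field

# Well-known UDP source ports of the amplification vectors in the report's appendix
# (assumption of this example: the appendix names only 389 for CLDAP and 111 for Portmapper).
AMPLIFIER_PORTS = {
    53: "DNS", 123: "NTP", 19: "CharGEN", 389: "LDAP", 137: "NetBIOS",
    1900: "SSDP", 520: "RIPv1", 111: "RPC Portmapper", 161: "SNMP",
}
TCP_FLAG_VECTORS = {"S": "TCP/SYN", "SA": "TCP/SYN/ACK", "A": "TCP/ACK", "R": "TCP/RST"}

# Size and duration bins exactly as used in the report's monthly tables.
SIZE_BINS = [(1, "< 1 Gbps"), (10, "1-10 Gbps"), (20, "10-20 Gbps"), (40, "20-40 Gbps")]
SIZE_LAST = "> 40 Gbps"
DURATION_BINS = [(15, "< 15 min"), (60, "15-60 min"), (240, "1-4 hours")]
DURATION_LAST = "> 4 hours"


@dataclass
class Flow:
    proto: str           # "udp", "tcp" or "icmp"
    gbps: float          # peak rate of this flow towards the target
    src_port: int = 0    # UDP source port; amplifiers answer from their service port
    tcp_flags: str = ""  # "S", "SA", "A" or "R" for TCP flows


@dataclass
class Attack:
    attack_id: str
    duration_min: int
    flows: list = field(default_factory=list)


def classify_flow(flow: Flow) -> str:
    """Name a flow the way the report's top-10 table names vectors."""
    if flow.proto == "udp":
        if flow.src_port in AMPLIFIER_PORTS:
            return AMPLIFIER_PORTS[flow.src_port] + " amplification"
        return "UDP flood"
    if flow.proto == "tcp":
        return TCP_FLAG_VECTORS.get(flow.tcp_flags, "TCP/other") + " flood"
    return "ICMP"


def main_group(vector: str) -> str:
    """Map a vector onto the report's three main groups ("other" is ours, for ICMP)."""
    if vector.endswith("amplification"):
        return "UDP amplification"
    if vector.startswith("TCP/"):
        return "TCP flood"
    return "UDP flood" if vector == "UDP flood" else "other"


def _bucket(value, bins, last):
    # Bins are [lower, upper): 10 Gbps counts as "10-20 Gbps", as in the report text.
    for upper, label in bins:
        if value < upper:
            return label
    return last


def size_bucket(gbps: float) -> str:
    return _bucket(gbps, SIZE_BINS, SIZE_LAST)


def duration_bucket(minutes: int) -> str:
    return _bucket(minutes, DURATION_BINS, DURATION_LAST)


def summarise_attack(attack: Attack) -> dict:
    """One line of a detection report: size, duration, vectors, multivector flag."""
    vectors = sorted({classify_flow(f) for f in attack.flows})
    dominant = classify_flow(max(attack.flows, key=lambda f: f.gbps))
    peak = sum(f.gbps for f in attack.flows)  # flows hit the target concurrently
    return {
        "id": attack.attack_id,
        "peak_gbps": round(peak, 2),
        "size": size_bucket(peak),
        "duration": duration_bucket(attack.duration_min),
        "vectors": vectors,
        "group": main_group(dominant),    # an attack is counted once, by its largest flow
        "multivector": len(vectors) > 1,  # a small vector riding on a big, simple one
    }


def build_report(attacks: list) -> dict:
    """Aggregate per-attack summaries into the counts the report tabulates."""
    rows = [summarise_attack(a) for a in attacks]
    return {
        "size": Counter(r["size"] for r in rows),
        "duration": Counter(r["duration"] for r in rows),
        "groups": Counter(r["group"] for r in rows),
        "multivector": sum(r["multivector"] for r in rows),
        "total": len(rows),
    }


# Constructed sample attacks (not NaWas data), one per case worth showing.
SAMPLE_ATTACKS = [
    Attack("a1", 30, [Flow("udp", 8.5, src_port=53)]),                  # DNS amplification
    Attack("a2", 10, [Flow("udp", 30.0, src_port=123),                  # NTP amplification ...
                      Flow("tcp", 0.2, tcp_flags="S")]),                # ... plus a small SYN flood
    Attack("a3", 300, [Flow("tcp", 3.0, tcp_flags="A")]),               # long-running TCP/ACK flood
    Attack("a4", 90, [Flow("udp", 0.6, src_port=40000)]),               # plain UDP flood
    Attack("a5", 14, [Flow("udp", 12.0, src_port=19)]),                 # CharGEN amplification
]
```

Calling `build_report(SAMPLE_ATTACKS)` yields the same kind of counts as the monthly tables above; the multivector flag on attack a2 is the pattern the conclusion describes, a large simple vector carrying a small advanced one.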

Expectations for 2018

Despite fewer major attacks, the number of DDoS attacks did increase in 2017. NBIP also expects a record number of such attacks in 2018. This is due to the growing simplicity of buying malicious services from stressers and booters on the internet.

Also, the increase in the number of connected devices (Internet of Things) will feed the increase in DDoS attacks, as these devices are a popular infection target to serve as part of a botnet.

In addition, the NBIP expects to learn more about so-called memcached DDoS attacks, a relatively new type of amplification attack, in 2018. Until now, these have been small, disruptive attacks that last only a short time. Small packets of data are greatly magnified, creating enormous traffic peaks until the server ultimately collapses. Some of these attacks were also observed by the NBIP in 2017.[1]

[1] At the time of publication of this report, the first memcached attacks of 2018 had already occurred.


Appendix: DDoS attack types

Main categories

There are two main categories of DDoS attacks: (UDP-based) amplification and flood.

Amplification (UDP-based)

In a DDoS amplification attack, a (non-secured) server is abused. The message being sent is enlarged by a factor X. This allows an attacker to deliver a huge volume of traffic to a target using only small and simple messages. In the small message the sender falsifies (spoofs) the return address to that of the target. The attacker sends a postcard to the post office, as it were, and the target receives back hundreds of bags full of mail.

Flood

In a so-called DDoS flood attack, several computers send packets to a server at the same time. Usually, ‘half’ messages are sent that disturb the server. For example, a ‘start communication’ is sent, but no follow-up message follows when the target reacts with ‘ok, start the follow-up communication’.

Amplification

In alphabetical order.

CharGEN amplification

CharGEN is a very old protocol that can be exploited to carry out amplified attacks. In such an attack, small packets carrying a spoofed IP address are sent to internet-enabled devices running CharGEN. Most internet-enabled printers and copiers have this protocol enabled by default. The targeted server then faces a UDP flood, eventually exhausts its resources and goes offline or reboots.

DNS amplification

The attacker sends DNS look-up requests using the spoofed IP address of the target to vulnerable DNS servers. Most commonly, these are DNS servers that support open recursive relay. The original request is often relayed through a botnet for a larger base of attack and further concealment. The DNS request is sent using the EDNS0 extension to the DNS protocol, which allows for large DNS messages. It may also use the DNS security extension (DNSSEC) cryptographic feature to add to the size of the message.

LDAP amplification

With LDAP amplification, a specific weakness (the CLDAP protocol) of older LDAP servers that are still in use is abused. Originally meant for discovering which services are available on an internal network server, some of these servers have UDP port 389 open to the internet.

Netbios amplification

NetBIOS is a protocol used in computer software to allow applications to talk to each other over LAN networks. The main victims of NetBIOS amplification were targets in the gaming and web hosting sector.


NTP amplificationNTP amplification is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits publically-accessible Network Time Protocol (NTP) servers to overwhelm the targeted with User Datagram Protocol (UDP) traffic.

Network Time Protocol (NTP) is one of the oldest network protocols, and is used by Internet-connected machines to synchronize their clocks. In addition to clock synchronization, older versions of NTP support a monitoring service that enables administrators to query a given NTP server for a traffic count. This command, called “monlist,” sends the requester a list of the last 600 hosts that connected to the queried server. Since the return address has been spoofed, the target of the attack therefore receives an enormous amount of data to process.

RIPv1 amplificationThe Routing Information Protocol (RIP), helps small networks share network route information. It’s been around since 1988, but has been deprecated since 1996.

To leverage the behavior of RIPv1 for DDoS reflection, a malicious actor can craft the same request query type as above, which is normally broadcast, and spoof the source IP address to match the intended attack target. The destination would match an IP from a list of known RIPv1 routers on the internet. Based on recent attacks, attackers prefer routers which seem to have a suspiciously large number of routes in their RIPv1 routing table.

RPC Portmapper amplification

RPC Portmapper is an Open Network Computing Remote Procedure Call (ONC RPC) service designed to map RPC service numbers to network port numbers. When RPC clients want to make a call over the network, Portmapper tells them which TCP or UDP port to use.

When Portmapper is queried, the response can be up to 20 times the size of the request, but the amplification varies depending on the RPC services present on the host. Malicious actors can use Portmapper requests for DDoS attacks because the service runs on TCP or UDP port 111, and the UDP side answers requests with a spoofed source address just like the other reflectors above.

SNMP amplification

An SNMP (Simple Network Management Protocol) amplification attack works like a CharGEN attack, but instead of CharGEN, connected devices that run SNMP are abused. The big difference: with SNMP the amplification is many times larger.
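As an added illustration (example code, not part of the NBIP report), the following Python checks flow records for the pattern shared by all the amplification vectors above: large UDP replies arriving at one destination from many reflector addresses of the same service. The flow records are constructed; the port numbers other than the 389 and 111 named in the text are the standard assignments, and the thresholds are assumptions.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example, not NBIP code. The flow records below are constructed and mimic
one-way flow summaries from a collector; thresholds are assumptions.
"""
from collections import defaultdict

# Well-known UDP source ports of the reflector services named in the report.
# 389 and 111 are given in the text; the rest are the standard assignments.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 137: "NetBIOS", 161: "SNMP",
    389: "CLDAP", 520: "RIPv1", 111: "Portmapper",
}

SAMPLE_FLOWS = [  # constructed: proto, src, sport, dst, packets, bytes
    ("udp", "198.51.100.1", 123, "203.0.113.10", 100, 48200),
    ("udp", "198.51.100.2", 123, "203.0.113.10", 120, 57840),
    ("udp", "198.51.100.3", 123, "203.0.113.10", 90, 43380),
    ("udp", "198.51.100.4", 123, "203.0.113.10", 110, 53020),
    # ordinary answers from the site's own resolver: small packets, one source
    ("udp", "192.0.2.53", 53, "203.0.113.10", 40, 3600),
    # one large CLDAP reply: big packets but only a single reflector
    ("udp", "198.51.100.9", 389, "203.0.113.10", 10, 28000),
]

def detect_reflection(flows, min_sources=3, min_avg_bytes=400):
    """Report destinations receiving large replies from many distinct
    reflectors of the same service; a legitimate client rarely talks to
    several NTP or CLDAP servers at once, and its replies are small."""
    reflectors = defaultdict(lambda: defaultdict(set))  # dst -> svc -> srcs
    volume = defaultdict(int)                           # (dst, svc) -> bytes
    for proto, src, sport, dst, packets, nbytes in flows:
        svc = REFLECTOR_PORTS.get(sport)
        if proto != "udp" or svc is None or packets == 0:
            continue
        if nbytes / packets < min_avg_bytes:
            continue  # small replies look like normal client traffic
        reflectors[dst][svc].add(src)
        volume[(dst, svc)] += nbytes
    alerts = []
    for dst, services in reflectors.items():
        for svc, srcs in services.items():
            if len(srcs) >= min_sources:
                alerts.append({"target": dst, "service": svc,
                               "reflectors": len(srcs),
                               "bytes": volume[(dst, svc)]})
    return sorted(alerts, key=lambda a: -a["bytes"])
```

Run on the sample, the four NTP reflectors produce one alert while the single large CLDAP reply and the small DNS answers stay below the thresholds.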

Floods

TCP flood

TCP/ACK, TCP/SYN, TCP/RST, TCP/SYN/ACK

TCP SYN floods are one of the oldest yet still very popular Denial of Service (DoS) attacks. The most common attack involves sending numerous SYN packets to the victim. In many cases the attack spoofs the source IP, meaning that the reply (the SYN+ACK packet) does not come back to the attacker.

The intention of this attack is to overwhelm the session/connection tables of the targeted server or one of the network entities on the way (typically the firewall). Servers need to open a state for each SYN packet that arrives, and they store this state in tables of limited size. However big this table may be, it is easy to send enough SYN packets to fill it, and once this happens the server starts to drop new requests, including legitimate ones. Similar effects can occur on a firewall, which also has to process and keep state for each SYN packet.


Unlike other TCP or application-level attacks, the attacker does not have to use a real IP address; this is perhaps the biggest strength of the attack.

UDP flood

A UDP flood is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams.

The receiving host checks for applications associated with these datagrams and - finding none - sends back an ICMP “Destination Unreachable” packet. As more and more UDP packets are received and answered, the system becomes overwhelmed and unresponsive to other clients.

ICMP flood

Internet Control Message Protocol (ICMP) is a connectionless protocol. An ICMP flood attack - the sending of an abnormally large number of ICMP packets of any type (especially the “ping” packets used for network latency testing) - can overwhelm a target server that attempts to process every incoming ICMP request.

DNS flood

One of the most well-known DDoS attacks, this version of the UDP attack is specifically aimed at DNS servers in order to attack web servers, among others. It is also one of the toughest DDoS attacks to detect and prevent. To execute it, an attacker sends a large number of spoofed DNS request packets, which look no different from real requests, from a very large set of source IPs. This makes it impossible for the target server to differentiate between legitimate DNS requests and DNS requests that merely appear to be legitimate. In trying to serve all the requests, the server exhausts its resources. The attack consumes all available bandwidth in the network until it is completely drained.
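As an added illustration of the state-table exhaustion described under TCP flood (example code, not from the report), the following replays a constructed packet summary against the handshake state a server or stateful firewall must hold, and reports listening sockets whose half-open backlog is out of proportion to the handshakes that actually complete. The packet lines are constructed and the threshold is an assumption.

```python
"""Spot a SYN flood by replaying a packet summary against the handshake state
a server (or stateful firewall) must keep. Added example, not NBIP code; the
packet lines are constructed and the threshold is an assumption."""
import re
from collections import defaultdict

# Constructed summary, one packet per line: "<src>:<sport> > <dst>:<dport> FLAGS".
# One real client completes its handshake; five spoofed sources never do.
SAMPLE_PACKETS = """\
192.0.2.10:51000 > 203.0.113.80:443 SYN
203.0.113.80:443 > 192.0.2.10:51000 SYN-ACK
192.0.2.10:51000 > 203.0.113.80:443 ACK
198.51.100.11:40001 > 203.0.113.80:443 SYN
198.51.100.12:40002 > 203.0.113.80:443 SYN
198.51.100.13:40003 > 203.0.113.80:443 SYN
198.51.100.14:40004 > 203.0.113.80:443 SYN
198.51.100.15:40005 > 203.0.113.80:443 SYN
203.0.113.80:443 > 198.51.100.11:40001 SYN-ACK
203.0.113.80:443 > 198.51.100.12:40002 SYN-ACK
""".splitlines()

LINE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\S+)$")

def handshake_stats(lines):
    """Per listening socket: SYNs seen, handshakes completed by the client's
    ACK, and entries still half-open, i.e. state held in the limited table."""
    pending = defaultdict(set)
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sock = f"{dst}:{dport}"
        if flags == "SYN":
            pending[sock].add((src, sport))
            stats[sock]["syn"] += 1
        elif flags == "ACK" and (src, sport) in pending[sock]:
            pending[sock].discard((src, sport))
            stats[sock]["completed"] += 1
    for sock, entries in pending.items():
        stats[sock]["half_open"] = len(entries)
    return dict(stats)

def syn_flood_suspects(lines, max_half_open=3):
    """Sockets whose half-open backlog exceeds what a healthy service shows;
    a real table has fixed capacity and drops new SYNs once it is full."""
    return {sock: st for sock, st in handshake_stats(lines).items()
            if st["half_open"] > max_half_open}
```

The spoofed sources leave five entries pending on 203.0.113.80:443 against a single completed handshake, which is the signal a real connection table would turn into dropped requests.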

About NBIP

The National Management Organization Internet Providers (NBIP) is a non-profit foundation that was founded more than ten years ago by a number of ISPs in order to comply with the Dutch Telecommunications Act. In 2013, the NBIP initiated the National DDoS scrubbing center (NaWas). In a short time the NaWas has become a household name in the Netherlands.


For more information:

www.nbip.nl