Q2 2018 Threat Report Distributed Denial of Service (DDoS)


Page 1: Distributed Denial of Service (DDoS) Report Q2... · Q2 2018 Threat Report DDoS Activities 10 Attacks lasting less than 90 minutes occupied 55.28% of the total, while those lasting



Contents (Q2 2018 Threat Report)

Metrics ........................................................ 02
Quarterly Focus - IoT Botnet-generated Attacks Skyrocket ....... 03
DDoS Activities
    Types of Attack Vectors .................................... 06
    Top 3 Attack Vectors ....................................... 07
    Quantity of Attack Vectors ................................. 08
    Top 5 Multi-vector Attacks ................................. 09
    Attack Durations ........................................... 10
    Attack Size Distribution ................................... 11
    Global Attack Source Distribution .......................... 12
    APAC Attack Source Distribution ............................ 13
    Reflective DDoS Attacks by Autonomous System Number (ASN) .. 14
Conclusions .................................................... 15
Research & Methodology ......................................... 16


Metrics

Q2 2018 Overall
Maximum Size: 359.00Gbps
Average Size: 26.37Gbps

DDoS Attack YoY & QoQ Comparison (percentage change; the YoY column is vs. Q2 2017, the QoQ column vs. Q1 2018)

Metric                | vs. Q2 2017 (YoY) | vs. Q1 2018 (QoQ)
Total DDoS Attacks    | 29.02%            | 25.14%
Maximum Attack Size   | 463.58%           | 12.21%
Average Attack Size   | 543.17%           | 65.54%
TCP SYN Attacks       | 51.29%            | 40.44%
UDP Attacks           | 66.28%            | 88.65%
Application Attacks   | 78.97%            | 70.91%
Amplification Attacks | 183.27%           | 60.05%


Quarterly Focus - IoT Botnet-generated Attacks Skyrocket

The IoT botnets are back! And as evidenced by the skyrocketing size of attacks in Q2, perpetrators have increasingly deployed them as powerful weapons. In the quarter we saw an increase in both the average and maximum size of attacks over Q4 2017, and our insecure cyberworld became a target-rich battlefield: the 2018 FIFA World Cup came under attack, while cryptocurrency-related businesses continued to be targeted. DDoS attacks inflicted on Verge Network (XVG), for instance, caused a whopping loss of 35 million XVG tokens worth more than $1.7 million.

In addition, severe botnet epidemics like last year's Satori continued to threaten cyberspace by exploiting zero-day vulnerabilities. Since its high-profile attack on Huawei home routers in December 2017, Satori has wreaked havoc over the past few months on various IoT devices, including GPON-capable routers manufactured by South Korea's Dasan, D-Link's DIR-620 routers, and XiongMai uc-httpd 1.0.0 IoT devices.

Additionally, the quarter saw the emergence of the Anarchy botnet, which exploited zero-day vulnerabilities in a similar fashion to Satori. In all, the growing presence of IoT botnets is highly suspected to be behind the skyrocketing growth in attack sizes seen in recent quarters. In YoY (Year-over-Year) and QoQ (Quarter-over-Quarter) comparisons, we saw a drastic uptrend in both the maximum and average size of attacks.

Table 1. QoQ and YoY Comparison of Attack Size Increases, Q2 2018

Attack Size | Q2 2018 vs. Q1 2018 (QoQ) Increase | Q2 2018 vs. Q2 2017 (YoY) Increase
Maximum     | 12.21%                             | 463.58%
Average     | 65.54%                             | 543.17%


The average size of attacks rose gradually between Q2 and Q4 2017, and then escalated rapidly in the first two quarters of 2018. As for the maximum size, Nexusguard observed a very steep upslope between Q3 and Q4 2017, and a steady one from Q4 2017 to Q2 2018. Attacks recorded between Q4 2017 and Q2 2018 owed their rapidly growing size to TCP SYN. (Maximum-sized attacks in Q4 2017 consisted of TCP RST Flood, HTTP GET Flood, SYN ACK Flood, UDP Flood, and TCP SYN Flood, while those in Q1 2018 consisted of TCP RST Flood and TCP SYN Flood.)

Figure 1. Average Attack Sizes, Q2 2017-Q2 2018 (YoY). Bar chart; x-axis: 2017 Q2, 2017 Q3, 2017 Q4, 2018 Q1, 2018 Q2; y-axis: Average Size of Attacks (Gbps), 0 to 30.

Figure 2. Maximum Attack Sizes, Q2 2017-Q2 2018 (YoY). Bar chart; x-axis: 2017 Q2, 2017 Q3, 2017 Q4, 2018 Q1, 2018 Q2; y-axis: Max. Size of Attacks (Gbps), 0 to 400.


Table 2. Ratio of TCP SYN within Differently Sized Attacks, Q2 2018

Attack size                | Blended TCP SYN | Pure TCP SYN
Attacks Larger than 100Gbps | 96.30%          | 74.07%
Attacks Larger than 200Gbps | 100.00%         | 92.31%
Attacks Larger than 300Gbps | 100.00%         | 100.00%

Delving into the details of sizeable attacks in Q2, we saw an overwhelming ratio of pure and blended TCP SYN attacks. As botnets can mass-generate large attacks without amplification, it's clear to see that pure or blended TCP SYN attacks played a crucial role in boosting attack sizes in the quarter.

As for packet sizes, our observations showed them to be abnormally large, ranging between 887 and 936 bytes. A SYN packet is supposed to be simple and small when sent as the first step in establishing a Three-way Handshake connection. Since the rate of packets transmitted per second is subject to the inherent limitations of a given IoT device, increasing the quantity of packets will not generate a sizeable attack. However, perpetrators can orchestrate sizeable attacks by significantly increasing the size of individual packets.

In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSPs). Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.

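The packet-size observation above is the key to the quarter's TCP SYN growth: a bot with a fixed packets-per-second budget can only grow its contribution by padding each packet. The following is an added example, not code from the Nexusguard report: it works the rate arithmetic through for a constructed botnet (the per-bot rate and bot count are assumptions chosen for illustration) and flags SYN packets in constructed capture-summary lines whose length is far above what a handshake needs, the kind of check a defender can run against their own flow or packet summaries.

```python
"""Added example (not from the Nexusguard report): why inflating SYN packet
size turns a pps-limited IoT bot into a volumetric source, and a check that
flags SYN packets whose size is far above what a handshake needs."""
from dataclasses import dataclass

# Assumed per-device limit for illustration (not a figure from the report):
# a small IoT device that can emit about 1,000 packets per second.
DEVICE_PPS = 1_000
# Typical on-the-wire size of a legitimate SYN (IP and TCP headers plus
# options); a SYN carries no application payload.
NORMAL_SYN_BYTES = 60
# Threshold above which a pure SYN is treated as padded.
OVERSIZED_SYN_BYTES = 100


def attack_gbps(bots: int, pps_per_bot: int, packet_bytes: int) -> float:
    """Aggregate rate in Gbps for a botnet with a fixed per-bot pps budget."""
    return bots * pps_per_bot * packet_bytes * 8 / 1e9


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # TCP flag letters, e.g. "S" = SYN, "SA" = SYN-ACK
    length: int  # total IP length in bytes


def parse_packet(line: str) -> Packet:
    """Parse one constructed summary line of the form 'src dst flags length'."""
    src, dst, flags, length = line.split()
    return Packet(src, dst, flags, int(length))


def oversized_syns(lines, threshold: int = OVERSIZED_SYN_BYTES):
    """Return the pure SYNs (SYN set, ACK clear) longer than `threshold` bytes."""
    packets = [parse_packet(line) for line in lines if line.strip()]
    return [p for p in packets
            if "S" in p.flags and "A" not in p.flags and p.length > threshold]


# Constructed sample (documentation-range addresses, not real traffic): three
# padded SYNs in the 887-936 byte range the report describes, one normal SYN,
# and the server's SYN-ACK, which must not be flagged.
SAMPLE = """
203.0.113.7   198.51.100.10 S  912
203.0.113.8   198.51.100.10 S  887
203.0.113.9   198.51.100.10 S  936
192.0.2.44    198.51.100.10 S  60
198.51.100.10 192.0.2.44    SA 60
""".strip().splitlines()

if __name__ == "__main__":
    bots = 10_000  # assumed botnet size for the comparison
    print(f"{bots} bots x {DEVICE_PPS} pps x {NORMAL_SYN_BYTES} B: "
          f"{attack_gbps(bots, DEVICE_PPS, NORMAL_SYN_BYTES):.2f} Gbps")
    print(f"{bots} bots x {DEVICE_PPS} pps x 912 B: "
          f"{attack_gbps(bots, DEVICE_PPS, 912):.2f} Gbps")
    for p in oversized_syns(SAMPLE):
        print(f"padded SYN {p.src} -> {p.dst}: {p.length} bytes")
```

The same 10,000 bots at 1,000 pps produce 4.8 Gbps with normal-sized SYNs and about 73 Gbps with 912-byte ones, a 15x difference with no change in packet rate, which is why a size-aware SYN check catches this where a pure rate threshold would not.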


DDoS Activities

Types of Attack Vectors

In the quarter, UDP (3,407 attacks/31.56% of total attacks), TCP SYN (1,997 attacks/18.50% of total attacks), and ICMP (1,006 attacks/9.32% of total attacks) took first, second, and third place, respectively. In terms of attack sizes, UDP ranged from 15.2Mbps to 290Gbps. With such widespread coverage and heavy adoption, UDP was the most commonly used attack vector in Q2.

TCP SYN attacks increased 40.44% QoQ, with attacks mostly ranging between 14.8Mbps and 359Gbps, and most large-sized TCP SYN attacks were single vector. ICMP attacks ranged from 72.9Mbps to 137.9Gbps. QoQ, both HTTP Flood and HTTPS Flood fell significantly, by 78.30% and 36.71%, respectively.

Figure 3. Distribution of DDoS Attack Vectors, Q2 2018. Horizontal bar chart, share of attacks 0.0% to 30.0%; vectors in descending order of share:

UDP Attack
TCP SYN Attack
ICMP Attack
NTP Amplification Attack
DNS Amplification Attack
TCP ACK Attack
IP Fragmentation Attack
UDP Fragmentation Attack
IP BOGONS
SSDP Amplification Attack
HTTP Flood
Memcached Attack
HTTPS Flood
TCP RST Attack
DNS Attack
CLDAP Reflection Attack
TCP Fragmentation Attack
CHARGEN Attack
SNMP Amplification Attack
SIP Flood


Top 3 Attack Vectors

No.1 UDP Attacks: 31.56% (3,407 attacks)

UDP (User Datagram Protocol) attacks can quickly overwhelm the defenses of unsuspecting targets. Speed in detection and response is key to thwarting attackers using this volumetric strategy. UDP frequently serves as a smokescreen to mask other malicious activities such as efforts to compromise personally identifiable information (PII) or the execution of malware or remote code. The attacks flood ports with numerous UDP packets, causing the host to repeatedly check for applications listening at those ports. This process saps host resources and can ultimately make the host inaccessible.

No.2 TCP SYN Attacks: 18.50% (1,997 attacks)

TCP SYN (Transmission Control Protocol synchronize packet) attacks take place when voluminous SYN requests with spoofed IP addresses are sent out, triggering targeted servers to respond with SYN-ACK. Because the source addresses are spoofed, the SYN-ACKs reach no real client and the final ACK needed to consummate the Three-way Handshake and complete the connection never comes back. Consequently, the connections on the targeted server's available ports remain half-open, causing the server to malfunction.

No.3 ICMP Attacks: 9.32% (1,006 attacks)

ICMP (Internet Control Message Protocol) is a connectionless protocol that generates error messages to source IPs and is exploited by attackers to overwhelm targeted computers with ICMP echo requests. Flooded by request packets from spoofed IP addresses, targeted servers consume excessive amounts of bandwidth processing and replying to request packets and thus become overloaded.


Quantity of Attack Vectors

Multi-vector attacks accounted for 47.97% of the total observed in the quarter, while single-vector attacks accounted for 52.03%. Six vectors was the maximum.

Figure 4. Distribution of Attack Vectors, Q2 2018. Horizontal bar chart; y-axis: number of Attack Vectors, 1 to 6; x-axis: share of attacks, 0.0% to 50.0%.

Single-vector attacks: 52.03%
Multi-vector attacks: 47.97%


Top 5 Multi-vector Attacks

UDP was utilized as a vector in each of the quarter's Top 5 blended, multi-vector attacks. Attacks leveraging UDP use the connectionless protocol to enlarge the attack size and boost its volumetric power by launching mass-generated botnets.

The top multi-vector attack consisted of NTP Amplification and UDP. An NTP (Network Time Protocol) amplification factor of 556.9 (US-CERT) combined with the volumetric power of UDP enables very large attacks.

Number two comprised ICMP and UDP. ICMP attacks misuse the Internet Control Message Protocol, which is normally used for error reporting between devices. ICMP is commonly abused as a weapon whose source IP and packet size can be spoofed and crafted in a similar way to UDP. ICMP/UDP blended attacks are very effective at increasing the size of attacks.

The third multi-vector blended ICMP, NTP Amplification, and UDP. The three vectors combined their attack characteristics and rolled them into one to deliver massively enlarged attacks.

Number four involved NTP Amplification and CLDAP Reflection. By abusing CLDAP (a connectionless variant of the Lightweight Directory Access Protocol that uses UDP for directory access), such attacks are similar to UDP-based, volumetric multi-vectors. NTP Amplification/CLDAP Reflection attacks have an amplification factor of 56 to 70, according to US-CERT.

In the fifth spot, TCP SYN and UDP combined to deliver a powerful, expansive punch. In our quarterly research, TCP SYN/UDP multi-vectors were responsible for many of the most sizeable attacks, particularly those larger than 100Gbps.

Table 3. Top 5 Multi-vector Attacks, Q2 2018

Ranking | Attack Vector 1   | Attack Vector 2   | Attack Vector 3   | Distribution of Multi-vectors
1       | NTP Amplification | UDP               | N/A               | 17.06%
2       | ICMP              | UDP               | N/A               | 9.41%
3       | ICMP              | UDP               | NTP Amplification | 6.47%
4       | CLDAP Reflection  | UDP Fragmentation | N/A               | 5.29%
5       | TCP SYN           | UDP               | N/A               | 4.71%
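The Top 3 Attack Vectors descriptions and the Top 5 Multi-vector Attacks section above both rest on the same operation: deciding which vector each packet belongs to and counting vectors per target. The block below is an added example, not the report's own code: it classifies constructed packet-summary records into the vector names the report uses (TCP SYN by a bare SYN flag, ICMP, plain UDP, and NTP Amplification or CLDAP Reflection when UDP arrives from the amplifier's well-known source port, since a reflected response comes from port 123 or 389 and the victim never sent the request), tallies them per target and reports whether each target saw a single- or multi-vector attack. The record format and the addresses are constructed for the example.

```python
"""Added example (not the report's code) for the Top 3 Attack Vectors and
Top 5 Multi-vector Attacks sections: classify constructed packet-summary
records into the vectors the report names and tally them per target, so a
single-vector attack can be told from a multi-vector one."""
from collections import Counter, defaultdict

# UDP services commonly abused as amplifiers (IANA port assignments). Inbound
# traffic arriving *from* one of these source ports is the reflected response.
AMPLIFIER_SOURCE_PORTS = {
    123: "NTP Amplification",
    389: "CLDAP Reflection",
}


def parse_record(line: str) -> dict:
    """Parse one constructed record: proto src sport dst dport flags length.

    Non-TCP records carry '-' in the flags column; ICMP uses 0 for both ports.
    """
    proto, src, sport, dst, dport, flags, length = line.split()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": flags, "length": int(length)}


def classify_vector(rec: dict) -> str:
    """Map one packet to the vector name used in the report."""
    if rec["proto"] == "icmp":
        return "ICMP"
    if rec["proto"] == "tcp":
        if "S" in rec["flags"] and "A" not in rec["flags"]:
            return "TCP SYN"      # bare SYN: a half-open handshake attempt
        if "A" in rec["flags"] and "S" not in rec["flags"]:
            return "TCP ACK"
        return "TCP other"
    if rec["proto"] == "udp":
        return AMPLIFIER_SOURCE_PORTS.get(rec["sport"], "UDP")
    return "Other"


def vectors_per_target(lines):
    """Count packets per (target, vector)."""
    tally = defaultdict(Counter)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            tally[rec["dst"]][classify_vector(rec)] += 1
    return tally


def summarize(lines):
    """Return {target: (sorted vector names, 'single-vector' | 'multi-vector')}."""
    result = {}
    for dst, counts in vectors_per_target(lines).items():
        names = sorted(counts)
        kind = "multi-vector" if len(names) > 1 else "single-vector"
        result[dst] = (names, kind)
    return result


def multi_vector_share(lines) -> float:
    """Fraction of targets hit by more than one vector (the report saw 47.97%)."""
    summary = summarize(lines)
    multi = sum(1 for _, kind in summary.values() if kind == "multi-vector")
    return multi / len(summary) if summary else 0.0


# Constructed sample (documentation-range addresses, not real traffic):
#   198.51.100.10: NTP reflection responses plus a plain UDP flood (2 vectors)
#   198.51.100.11: bare SYNs from several spoofed sources        (1 vector)
#   198.51.100.12: ICMP echo requests plus UDP                   (2 vectors)
SAMPLE = """
udp  203.0.113.5  123   198.51.100.10 40000 -  468
udp  203.0.113.6  123   198.51.100.10 40001 -  468
udp  192.0.2.77   5555  198.51.100.10 53    -  1024
tcp  203.0.113.20 43210 198.51.100.11 80    S  912
tcp  203.0.113.21 43211 198.51.100.11 80    S  887
tcp  203.0.113.22 43212 198.51.100.11 443   S  936
icmp 192.0.2.8    0     198.51.100.12 0     -  1400
udp  192.0.2.9    6000  198.51.100.12 19    -  1200
""".strip().splitlines()

if __name__ == "__main__":
    for dst, (names, kind) in summarize(SAMPLE).items():
        print(f"{dst}: {kind} ({', '.join(names)})")
    print(f"multi-vector share: {multi_vector_share(SAMPLE):.2%}")
```

Applied to a real capture the per-target vector sets are what the report's Table 3 ranks; the source-port rule is deliberately narrow (only responses from the amplifier's port count as reflection), so a UDP flood aimed at port 123 is still classified as plain UDP.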


Attack Durations

Attacks lasting less than 90 minutes occupied 55.28% of the total, while those lasting longer accounted for 44.72%. 4.62% lasted longer than 1,200 minutes. The average duration was 318.10 minutes, while the longest attack lasted 6 days, 5 hours, and 22 minutes. Cyber perpetrators typically focus on the peak operation hours of their targets to maximize the impact of their attacks and seek to complete their attacks within 90 minutes.

Figure 5. Distribution of Attack Durations, Q2 2018. Bar chart; x-axis: Attack Duration (Minutes) in bins <90, 90-240, 240-420, 420-720, 720-1200, 1200+; y-axis: share of attacks, 0.0% to 60.0%. The <90 minutes bin holds 55.28%.


Attack Size Distribution

Of total attacks, 64.13% were smaller than 10Gbps (35.87% were larger). The average size was 26.37Gbps and the maximum 359.00Gbps. Attacks smaller than 1Gbps made up 19.84%, while those ranging between 1Gbps and 10Gbps accounted for 44.29%.

A surge in attack sizes greater than 10Gbps significantly increased the average attack size in Q2 2018, both QoQ and YoY. As the quarter's primary culprit, single-vector TCP SYN attacks were mostly responsible for boosting attack sizes in the quarter.

Table 4. Comparison of Maximum and Average Attack Sizes, Q2 2018 (Attack Size in Gbps)

Attack Size | Q2 2018 | Q1 2018 | Q2 2017
Maximum     | 359.00  | 319.95  | 63.70
Average     | 26.37   | 15.93   | 4.10

Figure 6. Distribution of Attack Sizes, Q2 2018. Bar chart; x-axis: Attack Size (Gbps) in bins <1G, >=1G and <10G, >=10G and <100G, >=100G and <200G, >=200G and <300G, >=300G; y-axis: share of attacks, 0.0% to 50.0%. The largest attack in the quarter: 359.00 Gbps.
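The Attack Durations and Attack Size Distribution sections above report the same kind of summary: attack-level records bucketed into fixed bins (Figures 5 and 6) plus an average and a maximum (Table 4). The block below is an added example, not the report's own analysis code; it reproduces that bucketing on a handful of constructed attack records, using the report's bin edges, with values equal to an edge falling into the upper bin as the figure labels (">=10G and <100G") specify, and expresses a duration in days, hours and minutes the way the report states its longest attack.

```python
"""Added example (not the report's analysis code) for the Attack Durations
and Attack Size Distribution sections: bucket constructed attack-level
records into the bins of Figures 5 and 6 and compute the average and
maximum figures the report tabulates."""
from bisect import bisect_right

# Bin edges and labels as drawn in the report's figures. bisect_right places a
# value equal to an edge in the upper bin, matching ">=10G and <100G".
DURATION_EDGES_MIN = [90, 240, 420, 720, 1200]
DURATION_LABELS = ["<90", "90-240", "240-420", "420-720", "720-1200", "1200+"]
SIZE_EDGES_GBPS = [1, 10, 100, 200, 300]
SIZE_LABELS = ["<1G", ">=1G and <10G", ">=10G and <100G",
               ">=100G and <200G", ">=200G and <300G", ">=300G"]


def bucket(value, edges, labels):
    """Label of the bin containing `value`; len(labels) == len(edges) + 1."""
    return labels[bisect_right(edges, value)]


def distribution(values, edges, labels):
    """Share of values in each bin, keyed by label, summing to 1.0."""
    counts = {label: 0 for label in labels}
    for value in values:
        counts[bucket(value, edges, labels)] += 1
    n = len(values)
    return {label: (c / n if n else 0.0) for label, c in counts.items()}


def duration_distribution(records):
    return distribution([r["minutes"] for r in records],
                        DURATION_EDGES_MIN, DURATION_LABELS)


def size_distribution(records):
    return distribution([r["gbps"] for r in records],
                        SIZE_EDGES_GBPS, SIZE_LABELS)


def average_and_max(values):
    """(mean, maximum) of a list of numbers; (0.0, 0.0) for an empty list."""
    values = list(values)
    return (sum(values) / len(values), max(values)) if values else (0.0, 0.0)


def minutes_to_dhm(minutes: int):
    """Split a duration in minutes into (days, hours, minutes), e.g. 6, 5, 22."""
    days, rem = divmod(minutes, 24 * 60)
    hours, mins = divmod(rem, 60)
    return days, hours, mins


# Constructed attack records (duration in minutes, peak size in Gbps); these
# are illustrative values, not data from the report.
SAMPLE = [
    {"minutes": 30,   "gbps": 0.5},
    {"minutes": 45,   "gbps": 2.0},
    {"minutes": 120,  "gbps": 5.0},
    {"minutes": 80,   "gbps": 12.0},
    {"minutes": 300,  "gbps": 150.0},
    {"minutes": 1500, "gbps": 0.8},
    {"minutes": 60,   "gbps": 359.0},
    {"minutes": 700,  "gbps": 40.0},
]

if __name__ == "__main__":
    for label, share in duration_distribution(SAMPLE).items():
        print(f"duration {label:>9} min: {share:6.2%}")
    for label, share in size_distribution(SAMPLE).items():
        print(f"size {label:>17}: {share:6.2%}")
    avg, peak = average_and_max(r["gbps"] for r in SAMPLE)
    print(f"average {avg:.2f} Gbps, maximum {peak:.2f} Gbps")
    print("longest attack: {} days, {} hours, {} minutes".format(*minutes_to_dhm(8962)))
```

The same `distribution` helper serves both figures because only the edges and labels differ; a practitioner reproducing Table 4 from their own mitigation logs needs nothing beyond per-attack duration and peak rate.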


Global Attack Source Distribution

With more than one billion Internet users between them (nearly one-third of the worldwide total), the US and China were the top two global attack source regions. France followed in the third spot, with Germany and Russia rounding out the top five.

Table 5. Top 10 Global Attack Sources, Q2 2018

Region                   | Percentage
United States of America | 20.00%
China                    | 16.27%
France                   | 7.25%
Germany                  | 4.16%
Russian Federation       | 4.15%
Brazil                   | 4.04%
Vietnam                  | 3.57%
United Kingdom           | 3.00%
South Korea              | 2.95%
Italy                    | 2.58%
Others (137 regions)     | 32.03%


APAC Attack Source Distribution

China again led the way, while Vietnam, ranked seventh in the global attack source distribution, followed in the second spot for APAC.

Table 6. Top 10 Sources for APAC Attacks, Q2 2018

Region              | Percentage
China               | 54.56%
Vietnam             | 11.96%
India               | 7.74%
Thailand            | 4.58%
Indonesia           | 4.29%
Taiwan              | 3.42%
Singapore           | 2.87%
Japan               | 2.40%
Hong Kong           | 1.82%
Malaysia            | 1.56%
Others (13 regions) | 4.80%


Reflective DDoS Attacks by Autonomous System Number (ASN)

The US, China, and France occupied the top three spots for ASNs by country of origin, closely mirroring the global attack source distribution.

Table 7. Top 10 ASN Attack Rankings, Q2 2018

ASN    | Network Name                                                              | Percentage
16276  | OVH, FR                                                                   | 5.87%
14061  | DIGITALOCEAN-ASN - DigitalOcean, LLC, US                                  | 5.70%
45090  | CNNIC-TENCENT-NET - AP Shenzhen Tencent Computer Systems Company Limited, CN | 3.90%
4134   | CHINANET-BACKBONE No.31,Jin-rong Street, CN                               | 3.15%
16509  | AMAZON-02 - Amazon.com, Inc., US                                          | 3.14%
45899  | VNPT-AS-VN - VNPT Corp, VN                                                | 2.35%
4766   | KIXS-AS-KR - Korea Telecom, KR                                            | 1.53%
14618  | AMAZON-AES - Amazon.com, Inc., US                                         | 1.43%
4837   | CHINA169-BACKBONE CHINA UNICOM - China169 Backbone, CN                    | 1.35%
4808   | CHINA169-BJ - China Unicom Beijing Province Network, CN                   | 1.34%
Others | 1973 ASNs                                                                 | 70.24%


Conclusions

Nexusguard research data from Q2 2018 strongly supports the view that IoT botnets were largely responsible for the expansive DDoS attacks against networks and mission-critical services during the quarter. The dramatic rise in IoT botnet activity coincided with Satori malware exploits. Satori, a variant of the notorious Mirai malware, is designed to generate network-layer DDoS attacks (such as junk UDP, TCP SYN, and TCP ACK packets) by exploiting zero-day vulnerabilities in certain types of home routers. While such attacks can be launched from spoofed IP addresses that make it difficult to track down the attacker, our findings reinforce our belief that IoT botnets were the major driving force behind the surge in attack sizes in the second quarter.

YoY, the maximum size of DDoS attacks captured by our mitigation platform soared by more than four-fold, while the average attack size rose by a factor of more than five. The five-fold increase in average attack size was fuelled by a dramatic rise in jumbo-sized TCP SYN floods.

Attackers remained largely focused on hit-and-run tactics, launching carefully timed attacks to strike during peak hours critical to their targets' revenue-generating objectives. More than half of attacks lasted less than 90 minutes; the longest spanned more than six days.

In light of today's rampant growth of large-scale DDoS attacks, Communications Service Providers should take steps to enhance their preparedness to protect bandwidth, especially if their infrastructures are not built for full redundancy and failover.


Research & Methodology

As a global leader in Distributed Denial of Service (DDoS) attack mitigation, Nexusguard observes and collects real-time data on threats facing enterprise and service-provider networks worldwide. Threat intelligence is gathered via attack data, research, publicly available information, honeypots, ISPs, and logs recording traffic between attackers and their targets. The analysis conducted by our research team identifies vulnerabilities and measures attack trends worldwide to provide a comprehensive view of DDoS threats.

Attacks and hacking activities have a major impact on cybersecurity. Because of the comprehensive, global nature of our data sets and observations, Nexusguard is able to evaluate DDoS events in a manner that is not biased by any single set of customers or industries. Many zero-day threats are first seen on our global research network. These threats, among others, are summarized in the quarterly Threat Reports produced by Nexusguard's research team:

• Tony Miu, Research Direction & Security Data Analysis
• Ricky Yeung, Data Mining & Analysis
• Dominic Li, Data Analysis & Content Development


About Nexusguard

Founded in 2008, Nexusguard is a leading cloud-based distributed denial of service (DDoS) security solution provider fighting malicious internet attacks. Nexusguard ensures uninterrupted internet service, visibility, optimization and performance. Nexusguard is focused on developing and providing the best cybersecurity solution for every client across a range of industries with specific business and technical requirements. Nexusguard also enables communication service providers to deliver a DDoS protection solution as a service. Nexusguard delivers on its promise to provide you with peace of mind by countering threats and ensuring maximum uptime.

www.nexusguard.com

20180906-EN-A4

Copyright 2018 Nexusguard Limited. All rights reserved.