7/27/2019 2013 NSFOCUS Mid-Year DDoS Threat Report
NSFOCUS Mid-Year DDoS Threat Report 2013
Abstract
For years, NSFOCUS has dedicated itself to assuring the secure and smooth
operation of its customers' businesses. Every day, NSFOCUS prevention
products and monitoring systems detect and mitigate thousands of distributed
denial-of-service (DDoS) attacks that could potentially harm customers' security.
This report has been compiled by the NSFOCUS Cloud Response Center to
inform the broader IT industry about observations and trends regarding DDoS
attacks.
DDoS attacks were frequently in the spotlight during the first half of 2013. The
hacker collective Izz ad-Din al-Qassam Cyber Fighters continued to challenge
the U.S. by disrupting the online services of some top American banks. The
anti-spam organization Spamhaus suffered an astonishing DDoS attack of 300
Gbps that was described as the biggest cyber attack in history. Faced with
such a massive flood, it is easy to understand that no defense system is
absolutely impregnable.
Though it is often large enterprises and organizations that make the headlines, small to
medium enterprises and businesses (SMEs and SMBs) were plagued by DDoS
threats as well. In the first half of 2013, more than 90 percent of DDoS attacks
lasted less than half an hour, more than 80 percent of the traffic recorded was
less than 50Mbps, and about two-thirds of the victims suffered more than one
attack. The repeated launching of low-and-slow DDoS attacks may be driven by
the growth of low-cost DDoS-for-hire services.
This report depicts the overview, targets and methods of DDoS threats during
the first half of 2013. The statistics in this report are sourced from 90 major news
reports and 168,459 attacks monitored by NSFOCUS. All of the data collected
through our active monitoring efforts has been anonymized to protect our
customers' information.
Contents
OVERVIEW OF DDOS ATTACKS
FINDING 1: DDOS ATTACK FREQUENCY - ONE MAJOR DDOS NEWS EVENT HAPPENED EVERY TWO DAYS AND ONE COMMON DDOS ATTACK HAPPENED EVERY TWO MINUTES.
FINDING 2: DDOS MOTIVES - HACKTIVISM TOPS THE LIST.
TARGETS OF DDOS ATTACKS
EVENT 1: OPERATION ABABIL
FINDING 3: DDOS VICTIMS - MOST LIKELY TARGETS WERE BANKS, GOVERNMENTS AND ENTERPRISES
FINDING 4: MORE THAN 68 PERCENT OF VICTIMS SUFFERED MULTIPLE ATTACKS
DDOS ATTACK METHODS
EVENT 2: THE BIGGEST DDOS ATTACK IN HISTORY
FINDING 5: TCP FLOOD AND HTTP FLOOD REMAIN THE MOST POPULAR ATTACK METHODS.
FINDING 6: MOST DDOS ATTACKS ARE SHORT.
FINDING 7: MOST ATTACKS ARE NOT VERY BIG.
FINDING 8: HYBRID ATTACKS BECAME PREVALENT.
CONCLUSIONS
CONTACTS
Figures
FIGURE 1 MAJOR DDOS NEWS EVENTS
FIGURE 2 DDOS ATTACKS MONITORED BY NSFOCUS
FIGURE 3 CAUSES FOR MAJOR DDOS ATTACKS
FIGURE 4 TIMELINE OF 2013 OPERATION ABABIL
FIGURE 5 TARGETS OF MAJOR DDOS ATTACKS
FIGURE 6 FREQUENCY OF DDOS ATTACKS
FIGURE 7 DNS REFLECTION ATTACK
FIGURE 8 DDOS ATTACK METHODS
FIGURE 9 DURATIONS OF DDOS ATTACKS
FIGURE 10 DISTRIBUTION OF DDOS ATTACK TRAFFIC (BPS)
FIGURE 11 DISTRIBUTION OF THE DDOS PACKET RATE (PPS)
FIGURE 12 HYBRID DDOS ATTACKS
Overview of DDoS attacks
The first half of 2013 witnessed frequent DDoS events and attacks. A major
DDoS event broke out every two days on average, and NSFOCUS detected one
DDoS attack every two minutes from NSFOCUS monitoring networks. The
frequency of DDoS attacks monitored by NSFOCUS and major DDoS events
reported by media peaked during April and May, respectively. Hacktivism was
the primary motive for major DDoS events, followed by business crimes and
cyber war between competing countries. Based on the 168,459 attacks that
NSFOCUS monitored, 91.3 percent of the attack targets were located in China,
followed by the U.S. at 5.8 percent, Hong Kong at 1 percent, Korea at 0.5
percent, Philippines at 0.2 percent and Germany at 0.1 percent.
Finding 1: DDoS attack frequency - One major DDoS
news event happened every two days, and one common
DDoS attack happened every two minutes.
NSFOCUS traced 90 major DDoS events reported by the news media, with an
average of one major event every two days. Meanwhile, NSFOCUS monitored a
total of 168,459 DDoS attacks with 1.29 occurring every two minutes, on
average. Major DDoS events reported by media (Figure 1) and detected by
NSFOCUS (Figure 2) peaked in May and April, respectively.
Figure 1 Major DDoS News Events (bar chart "DDoS Attack Frequency", major events per month: Jan 11, Feb 3, Mar 19, Apr 20, May 30, Jun 7)
Figure 2 DDoS Attacks Monitored by NSFOCUS (bar chart "DDoS Attack Frequency", attacks per month: Jan 19,812, Feb 29,962, Mar 33,807, Apr 36,266, May 25,016, Jun 23,596)
Finding 2: DDoS motives - Hacktivism tops the list.
Among the 90 major DDoS events reported by the media and traced by
NSFOCUS, hacktivism was the primary motivator, followed by business crime,
which mostly involved profit-driven competition or extortion (such as
competition in the online gaming industry), and cyber war between countries.
Figure 3 Causes for Major DDoS Attacks (pie chart: Hacktivism 91.1%, Business Crime 4.4%, Cyber War 2.2%, Other 2.2%)
Targets of DDoS Attacks
DDoS attacks became a hot topic in the security sector during the first half of
2013, due mainly to the Izz ad-din Al-Qassam Cyber Fighters' Operation Ababil
activity, in which the U.S. banking industry became a major target, along with
some government departments and enterprises. Among the common DDoS
attacks monitored by NSFOCUS, two-thirds of the victims were attacked more
than once.
Event 1: Operation Ababil
The Operation Ababil campaign, launched by Izz ad-din Al-Qassam Cyber
Fighters (Cyber Fighters), went through three phases between September
2012 and June 2013, with a fourth phase initiated in July 2013. In July 2012, a
trailer for a movie about the Islamic prophet Mohammed, produced and directed
by American Sam Bacile, was posted on YouTube, sparking strong objections
and protests in the Muslim world. On September 18, 2012 Cyber Fighters
announced on Pastebin that it would attack U.S. banks and the New York Stock
Exchange with a series of DDoS attacks in retaliation for the video, declaring the
attacks would persist until the movie was removed from the website. Operation
Ababil was named after a story in the Koran, in which Allah dispatches a group
of swallows to knock out a group of elephants sent by the king of Yemen to
attack Mecca.
The first phase started on September 18, 2012 and lasted for five weeks, with
the second starting on December 10, 2012 and lasting for seven weeks. The
third phase continued for nine weeks from March 5, 2013 to May 6, 2013. The
fourth phase began July 23, 2013.
This campaign has affected the online banking services of major American
financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S.
Bancorp, PNC Financial Services Group, Capital One, Fifth Third Bank, BB&T,
and HSBC. These DDoS attacks had severe impacts on business continuity and
the availability of the banks' websites, and they have brought incalculable losses to
these banks' reputations. The U.S. government had several departments
working on the investigation of this event, including the Department of Homeland
Security (DHS), the Federal Bureau of Investigation (FBI) and financial
regulators.
Figure 4 Timeline of 2013 Operation Ababil
Finding 3: DDoS victims - Most likely targets were
banks, governments and enterprises.
Of the 90 major DDoS attacks that occurred worldwide in the first half of 2013,
39 (43 percent) targeted banks, mainly resulting from the Operation Ababil
campaign. Governments and enterprises were assaulted in 26 (29 percent) and
19 (21 percent) major DDoS events, respectively. Non-profit organizations
(NPOs) and Internet service providers (ISPs) also fell victim to these attacks.
Figure 5 Targets of Major DDoS Attacks (pie chart: Bank 43%, Government 29%, Enterprise 21%, NPO 5%, ISP 1%, Other 1%)
Finding 4: More than 68 percent of victims suffered
multiple attacks.
The first half of 2013 saw a rise in repeated attacks on the same target, with
more than two-thirds of victims being attacked more than once. Our findings
show that, so far, 31.3 percent of victims suffered a single DDoS attack in the
first half of this year, a decrease from the 50.7 percent observed in 2012, while 6.2
percent suffered attacks more than 10 times in the first half of 2013, an increase
from 5.2 percent the year prior. The percentage of victims suffering multiple
attacks rose from nearly half (49.3 percent) in 2012 to more than two-thirds (68.7
percent) in the first half of 2013. NSFOCUS expects the trend of cyber criminals
attacking the same target multiple times to continue to grow over the second
half of 2013. We postulate that two factors contribute to this trend:
A: Cost - DDoS-for-hire (botnet rental) has been growing over the past couple of
years, making repeated attacks over short periods more effective and less
expensive.
B: Willingness to pay ransom - After the media reported that some affected
websites lacking defense capabilities had reluctantly paid ransoms, such sites
became priority targets for other cyber criminals.
Figure 6 Frequency of DDoS Attacks (bar chart "DDoS Attack Times", share of victims by number of attacks suffered: 1 attack 31.3%, 2-10 attacks 62.5%, 11-20 attacks 4.4%, 20+ attacks 1.8%)
DDoS Attack Methods
In the first half of the year, the methods adopted by DDoS attackers became
very diverse. On one hand, attackers continued to pursue larger attack
traffic, such as the 300Gbps Spamhaus attack in March, considered by experts
to be the biggest cyber attack in history. But events such as these are rare, as
attackers have widely adopted application-resource-consumption DDoS attack
methods (e.g., HTTP Flood). Although the latter produce only minor flow and
packet rates, they can be just as destructive as a massive flood. This dichotomy
shows a level of sophistication; the attackers are scouting their targets and
applying the methods best suited to cause disruption. NSFOCUS has also noted
that hybrid attacks have become more prevalent, with ICMP+TCP+UDP Flood being
the most common combination.
Event 2: The biggest DDoS attack in history
Spamhaus is an anti-spam NGO based in London and Geneva, and it maintains
a colossal spam blacklist that is widely used by numerous universities, research
institutions, ISPs, militaries and commercial enterprises.
Beginning on March 18, 2013, Spamhaus suffered a DDoS attack in which
hackers exploited botnet and DNS reflection technologies. The attack traffic
continuously rose from 10Gbps to an astonishing 300Gbps on March 27,
making it the largest (by traffic volume) DDoS attack aimed at a single
target in history.
The attack utilized a DDoS reflection (DNS amplification) method. Even though
this style of attack has been around for quite some time, the technique has
become more popular and is now a major component of large-scale DDoS attacks
aimed at Layer 3. The basic procedure sends DNS name lookup requests
containing the extension field OPT RR (pseudo resource record) to a large number
of open DNS resolvers, with the source address spoofed to be the target's address.
After receiving the request, the open DNS servers resolve the query and
return the response data to the attack target. Since the request is much
smaller than the response, the attackers are able to use this technique to
effectively amplify their bandwidth and attack traffic.
Figure 7 DNS Reflection Attack
In this event, the attacker sent resolution requests for the domain name ripe.net
to more than 30,000 open DNS servers with the source IP address spoofed to be
the IP address of Spamhaus. The response traffic from those DNS servers
generated about 300Gbps in attack traffic. As a DNS request of 36 bytes
leads to a response of 3,000 bytes, DNS reflection amplified the data about
100 times. Therefore, the attacker only needed to control a botnet that could
produce around 3Gbps of request traffic to generate a much larger (about
300Gbps) volume of response traffic. In addition to DNS reflection, the
attacker also exploited ACK reflection and other techniques in the attack.
On July 25, 2013, the Internet Systems Consortium (ISC) declared that the
response rate limiting (RRL) module was added to the latest version of BIND
software to defend against DNS reflection DDoS attacks, claiming it to be the
most efficient method to mitigate DNS reflection attacks. NSFOCUS believes
that all network administrators should deploy RRL and should closely follow
ISC's efforts to continue the enhancement of RRL.
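As an added example, not code from the NSFOCUS report and not ISC's BIND implementation, the Python below simulates the core of the response rate limiting idea recommended above on a single open resolver: identical responses toward the same client /24 get a per-second budget, and every second response that exceeds the budget is sent truncated (TC=1, roughly query-sized) instead of being dropped, so a genuine client can retry over TCP. The 36-byte request and 3,000-byte response sizes are the figures the report quotes (3,000/36 is about 83x, which the report rounds to "about 100 times"); the traffic stream, the victim and client addresses, the ANY query type, the 5-responses-per-second budget and the slip value of 2 are constructed assumptions. The point it shows is the amplification toward the spoofed address collapsing below 1x once the resolver rate-limits, while the five genuine lookups are still answered in full.

```python
"""Simplified response rate limiting (RRL) on an open DNS resolver.

Added example: not code from the NSFOCUS report and not ISC's BIND RRL
implementation. It keeps the core idea behind RRL: identical responses to
the same client /24 get a per-second budget, and every `slip`-th response
that exceeds the budget is sent truncated (TC=1, about query-sized) instead
of being dropped, so a genuine client can retry over TCP. All traffic below
is constructed; the request and response sizes are the report's figures.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

QUERY_BYTES = 36          # request size quoted in the report
RESPONSE_BYTES = 3000     # response size quoted in the report
VICTIM = "198.51.100.10"  # constructed stand-in for the spoofed target address


@dataclass(frozen=True)
class Query:
    t: float      # arrival time in seconds
    src: str      # source IP as claimed in the packet (spoofed for reflection)
    qname: str
    qtype: str


class ResponseRateLimiter:
    """Per-second budget keyed by (client /24 prefix, qname, qtype)."""

    def __init__(self, responses_per_second=5, slip=2):
        self.rps = responses_per_second
        self.slip = slip
        self._window = {}                  # key -> (second, responses sent)
        self._limited = defaultdict(int)   # key -> responses withheld so far

    @staticmethod
    def _key(q):
        prefix = ipaddress.ip_network(f"{q.src}/24", strict=False)
        return (str(prefix), q.qname.lower(), q.qtype)

    def decide(self, q):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one query."""
        key = self._key(q)
        second = int(q.t)
        start, sent = self._window.get(key, (second, 0))
        if start != second:                # new one-second window: reset budget
            start, sent = second, 0
        if sent < self.rps:
            self._window[key] = (start, sent + 1)
            return "send"
        self._window[key] = (start, sent)
        self._limited[key] += 1
        if self.slip and self._limited[key] % self.slip == 0:
            return "slip"
        return "drop"


def run(queries, limiter=None):
    """Apply the limiter to a query stream.

    Returns (action counts, response bytes emitted toward each source IP).
    With no limiter every query is answered in full, as an open resolver does.
    """
    actions = defaultdict(int)
    out_bytes = defaultdict(int)
    for q in queries:
        action = limiter.decide(q) if limiter else "send"
        actions[action] += 1
        if action == "send":
            out_bytes[q.src] += RESPONSE_BYTES
        elif action == "slip":
            out_bytes[q.src] += QUERY_BYTES   # truncated reply is roughly query-sized
    return dict(actions), dict(out_bytes)


def amplification(queries, limiter=None, src=VICTIM):
    """Bytes sent toward `src` per byte of requests that claimed to come from it."""
    _, out_bytes = run(queries, limiter)
    requested = sum(QUERY_BYTES for q in queries if q.src == src)
    return out_bytes.get(src, 0) / requested


def constructed_traffic():
    """1,000 spoofed ripe.net queries within one second plus five genuine lookups."""
    # The query type is an assumption; the report only names the domain.
    spoofed = [Query(i / 1000, VICTIM, "ripe.net", "ANY") for i in range(1000)]
    genuine = [Query(0.1 * i, "203.0.113.5", f"host{i}.example", "A") for i in range(5)]
    return sorted(spoofed + genuine, key=lambda q: q.t)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print(f"open resolver:    {amplification(traffic):.1f}x amplification toward {VICTIM}")
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    print(f"with RRL (5 rps): {amplification(traffic, rrl):.2f}x amplification toward {VICTIM}")
```

BIND's real RRL also keys on the response code, keeps separate budgets for NXDOMAIN, error and referral responses, and exposes `responses-per-second`, `window` and `slip` as tunables in its `rate-limit` block; the simulation keeps only the per-second budget and the slip behaviour, which is what makes a resolver an unattractive reflector.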
Finding 6: Most DDoS attacks are short.
The duration of most DDoS attacks is not very long. The vast majority of DDoS
attacks, 93.2 percent, were less than 30 minutes in duration, about the same as
what we observed in 2012.
Figure 9 Durations of DDoS Attacks (bar chart, share of attacks by duration: 0-30min 93.2%, 30min-12h 4.3%, 12h-24h 0.9%, 24h-48h 0.3%, 48h+ 1.1%)
Finding 7: Most attacks are not very big.
Among the DDoS attacks monitored by NSFOCUS, 80.1 percent of the attacks
saw the traffic rate reach no higher than 50 Mbps, with only 0.9 percent of
attacks recorded above 2 Gbps. Layer 7 attacks, such as HTTP Flood attacks,
have become more prevalent in recent years because of their effectiveness with
just a small amount of traffic. Thus, we are seeing the trend shift from the volumetric
attacks of years past to more cost-effective application layer attacks.
Figure 10 Distribution of DDoS Attack Traffic (bps) (bar chart, share of attacks by traffic rate: 1-50M 80.1%, 50M-2G 13.0%, 2G+ 0.9%)
According to our data, 69.1 percent of attacks were less than 0.2 million packets
per second (Mpps). This data correlates with the smaller attack volume illustrated
in the previous chart, and further confirms that application layer attacks are widely
adopted.
Figure 11 Distribution of the DDoS Packet Rate (pps) (bar chart, share of attacks by packet rate: 0-0.2M 69.1%, 0.2M-3.2M 30.7%, 3.2M+ 0.2%)
Finding 8: Hybrid attacks became prevalent.
NSFOCUS monitored a total of 6,956 hybrid DDoS attacks, which accounted for
4.1 percent of total attacks. Most of them were analyzed and categorized
according to the protocol types they used. Among these hybrid attacks,
ICMP+TCP+UDP was identified as the most common combination (50.6
percent). ICMP+TCP+UDP+DNS and ICMP+TCP ranked in second and third
place with 18.5 percent and 10.2 percent, respectively.
Figure 12 Hybrid DDoS Attacks (pie chart "The combination of Hybrid DDoS Attacks": ICMP+TCP+UDP 50.6%, ICMP+TCP+UDP+DNS 18.5%, ICMP+TCP 10.2%, TCP HYBRID 9.8%, Other 10.8%)
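Finding 8 says the hybrid attacks were categorized by the protocol types they used. The Python below is an added example, not NSFOCUS code or data, of that categorization run over constructed flow records: it derives each attack's protocol combination in the order the report writes it, tells single-vector attacks from hybrids, and tallies the share of each combination among the hybrids, which is the shape of the data behind Figure 12. Two taxonomy details are my assumptions, since the report does not define them: UDP traffic to port 53 is counted as a separate "DNS" component, and an attack consisting only of TCP floods with more than one flag pattern is labelled "TCP HYBRID".

```python
"""Classify DDoS attacks by the protocol mix they use (Figure 12 style).

Added example, not from the NSFOCUS report. Each attack is a set of flow
records; its label is the combination of protocol components seen, written
in the order the report uses (ICMP, TCP, UDP, DNS). Assumptions that the
report does not state: UDP/53 is broken out as "DNS", and an attack made
only of TCP floods with more than one flag pattern is "TCP HYBRID".
All flow records below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

PROTO_ORDER = ("ICMP", "TCP", "UDP", "DNS")   # label order used in the report


@dataclass(frozen=True)
class Flow:
    attack_id: str
    proto: str            # "ICMP", "TCP" or "UDP"
    dst_port: int = 0     # 0 for ICMP
    tcp_flags: str = ""   # e.g. "S" (SYN), "A" (ACK); empty for non-TCP


def component(flow):
    """Map one flow to the component the taxonomy counts (assumed: UDP/53 -> DNS)."""
    if flow.proto == "UDP" and flow.dst_port == 53:
        return "DNS"
    return flow.proto


def label(flows):
    """Protocol-combination label for one attack's flows."""
    comps = {component(f) for f in flows}
    if comps == {"TCP"}:
        flags = {f.tcp_flags for f in flows}
        return "TCP HYBRID" if len(flags) > 1 else "TCP"   # assumed definition
    return "+".join(p for p in PROTO_ORDER if p in comps)


def is_hybrid(lbl):
    return "+" in lbl or lbl == "TCP HYBRID"


def classify(flows):
    """attack_id -> label, grouping flow records by attack."""
    by_attack = defaultdict(list)
    for f in flows:
        by_attack[f.attack_id].append(f)
    return {aid: label(fs) for aid, fs in by_attack.items()}


def hybrid_share(flows):
    """Percentage of all attacks that are hybrid (the report's 4.1 percent figure)."""
    labels = classify(flows)
    return round(100 * sum(is_hybrid(l) for l in labels.values()) / len(labels), 1)


def hybrid_distribution(flows):
    """Percentage of hybrid attacks per combination (the Figure 12 breakdown)."""
    hybrids = [l for l in classify(flows).values() if is_hybrid(l)]
    return {lbl: round(100 * n / len(hybrids), 1) for lbl, n in Counter(hybrids).items()}


# Constructed flow records: six attacks, four of them hybrid.
CONSTRUCTED_FLOWS = [
    Flow("a1", "ICMP"), Flow("a1", "TCP", 80, "S"), Flow("a1", "UDP", 12345),
    Flow("a2", "ICMP"), Flow("a2", "TCP", 443, "S"), Flow("a2", "UDP", 53), Flow("a2", "UDP", 9999),
    Flow("a3", "ICMP"), Flow("a3", "TCP", 80, "A"),
    Flow("a4", "TCP", 80, "S"), Flow("a4", "TCP", 80, "A"),   # SYN + ACK flood mix
    Flow("a5", "TCP", 80, "S"),                               # single-vector SYN flood
    Flow("a6", "UDP", 53),                                    # single-vector DNS flood
]

if __name__ == "__main__":
    for aid, lbl in classify(CONSTRUCTED_FLOWS).items():
        print(f"{aid}: {lbl}{'  (hybrid)' if is_hybrid(lbl) else ''}")
    print(f"hybrid share: {hybrid_share(CONSTRUCTED_FLOWS)}%")
    print(f"distribution among hybrids: {hybrid_distribution(CONSTRUCTED_FLOWS)}")
```

Feeding real flow records through `classify` only requires filling `Flow` from whatever the sensor exports (protocol, destination port, TCP flags); the grouping key is the attack identifier the monitoring system already assigns.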
Conclusions
According to our statistics, while the number of DDoS attacks may fluctuate from
month to month, the overall trend of attack incidents is on the rise year after year.
Although cyber war and hacktivism incidents are eye-catching and more widely
reported by the media, attacks driven by commercial competition and malicious
ransom demands are actually the majority. Profit-driven cybercriminals pay much closer
attention to hackernomics, using the least amount of resources to cause the
maximum damage or disruption to victims. This is why we should expect
application layer attacks to become the most prevalent attacks now and in the
future. A typical application layer attack like HTTP Flood is popular among
hackers because it specifically targets consumption of CPU/storage/database
resources, which can shut down a victim's website without generating a large
amount of network traffic. That being said, the traditional TCP Flood and UDP
Flood will not disappear either, since they are still the most effective attacks
against victims that are not protected by dedicated anti-DDoS mitigation
equipment or services.
Contacts
If you have feedback or comments, please contact us:
Email: [email protected]
Tel: +1 408-907-6638
Address: 1793 Lafayette Street, Suite 120, Santa Clara, CA 95050
About NSFOCUS
Founded in 2000, NSFOCUS, Inc. (NSFOCUS) provides enterprise-level, carrier-grade
solutions and services for distributed denial of service (DDoS) mitigation, Web security and
enterprise-level network security. With more than 10 years of experience in DDoS research
and development and mitigation, NSFOCUS has helped customers around the world
maintain high levels of Internet security, website uptime and business operations to ensure
that their online systems remain available. The NSFOCUS Anti-DDoS System (ADS)
empowers customers to find and fend off a variety of incidents, from simple network layer
attacks to more sophisticated and potentially damaging application-layer attacks, all while
guaranteeing legitimate traffic gets through to networks and corporate-critical systems. For
more information, visit www.nsfocus.com.