HSB - DDoS Threats and Trends - Gurdeep Dhillon

DDOS Threats & Trends Gurdeep Dhillon Senior Sales Engineer

Upload: splend

Post on 29-Jul-2015

TRANSCRIPT

Page 1: HSB - DDoS Threats and Trends - Gurdeep Dhillon

DDOS Threats & Trends
Gurdeep Dhillon
Senior Sales Engineer

Page 2: HSB - DDoS Threats and Trends - Gurdeep Dhillon

About Verisign & Our Research

•  Verisign manages, operates and protects .COM/.NET

•  One of the largest and most attack critical infrastructures on the globe

•  Verisign has protected .COM/.NET without interruption for over 17 years

•  Verisign offers cloud-based DDoS mitigation services to the commercial market

•  These services are bolstered by iDefense® security intelligence and are based upon the expertise and patented and proprietary mitigation platform—Athena—that enables .COM/.NET

Page 3: HSB - DDoS Threats and Trends - Gurdeep Dhillon

Application-Layer Targeting

•  Verisign mitigation data from the first quarter of 2014

•  DDoS attacks against online businesses and Web applications continue to increase in size and complexity

•  Approximately 30 percent of attacks targeting the application layers, and specifically the SSL layer

Page 4: HSB - DDoS Threats and Trends - Gurdeep Dhillon

DDoS Volume Activity

Page 5: HSB - DDoS Threats and Trends - Gurdeep Dhillon

CUSTOMER

Massive 300 GBPS DDoS Attack Thwarted

[Figure: attack timeline from Zero Hour, axis 0 to 35]

The largest DDoS event Verisign observed and mitigated against a media and entertainment services customer

The attack was notable for its size and the multiple vectors employed

300 Gbps DDoS Attack, Q2 2014

Following is a high-level timeline of the attack, including what the Verisign DDoS Protection Services Team saw and did to mitigate the attack.

Zero Hour (Z+0 hrs.)

Attacker begins sending SYN flood DDoS attack traffic

Verisign redirects victim’s IP space through its global network of mitigation centers, which begins receiving and filtering SYN flood DDoS attack traffic.

Victim begins receiving clean traffic and their network is stabilized

The Second Wave (Z+3:30 hrs.)

Attacker sends periodic SYN & TCP floods with invalid flag combinations. Attack averages 20-40 Gbps

For the first 3.5 hours, Verisign continues to mitigate attacks

The Change-up (Z+4:00 hrs.)

Attack morphs to a UDP flood using large packets and switches between high packets per second TCP and high bits per second UDP packets

Verisign adapts mitigation techniques to thwart the new attack vectors

The Peak (Z+4:10 hrs.)

The UDP flood attack reaches 250+ Gbps

Verisign continues to mitigate the attack using its diverse mitigation platforms, including Athena in conjunction with its global network and capacity


The Siege (Z+4:11-28:00 hrs.)

The attacker proves persistent over the next 24 hours, with more than 30 UDP and TCP floods of 200+ Gbps in repeated waves

In parallel, Verisign DDoS experts and iDefense intelligence analysts collaborate to understand tactics, attack signatures and bots to refine ongoing mitigation of the attack

The Last Swing (Z+30:00 hrs.)

The attacker’s UDP flood spikes to 300 Gbps.

Verisign’s distributed network absorbs the attack while maintaining network availability

The End (Z+30:15 hrs.)

After more than 30 hours, the attacker finally gives up and the attack subsides

Verisign continues to monitor the customer network for several days to ensure the attack is over

Page 6: HSB - DDoS Threats and Trends - Gurdeep Dhillon

Thank You

© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.