VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VOLUME 4, ISSUE 3 – 3RD QUARTER 2017

Complimentary report supplied by


CONTENTS

EXECUTIVE SUMMARY

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017
  DDoS Attacks Decrease in Volume But Remain Unpredictable
  Multi-Vector DDoS Attacks Remain the Norm
  Largest Volumetric Attack and Highest Intensity Flood Attack

FEATURE ARTICLE
  Comprehensive Network Protection – Inbound and Outbound


EXECUTIVE SUMMARY

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during the third quarter of 2017 from July 1, 2017 through September 30, 2017 (“Q3 2017”). This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends during Q3 2017.*

Verisign observed the following key trends in Q3 2017:

Number of Attacks: 17% decrease compared to the second quarter of 2017 from April 1, 2017 through June 30, 2017 (“Q2 2017”)

Attack Peak Size: Volume 2.5 Gigabits per second (Gbps); Speed 2.3 Million packets per second (Mpps)

Average Attack Peak Size: <1 Gbps; 70% decrease compared to Q2 2017; 30% of attacks over 1 Gbps

Most Common Attack Type Mitigated: 56% of attacks were User Datagram Protocol (UDP) floods; 88% of attacks employed multiple attack types; 29% of attacks employed five or more attack types


VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017

DDoS Attacks Decrease in Volume But Remain Unpredictable

When comparing Q3 2017 to Q2 2017, Verisign saw a 17 percent decrease in the number of attacks, and a 70 percent decrease in the peak size of the average attack. Attackers continue to launch repeated attacks against their targets. In fact, Verisign observed that 45 percent of customers who experienced DDoS attacks in Q3 2017 were targeted multiple times during the quarter. DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.

Figure 1: Mitigation Peaks by Quarter from Q4 2015 to Q3 2017 (percent of attacks per quarter, by peak size: >10 Gbps, >5<10 Gbps, >1<5 Gbps, <1 Gbps)

Attack Size: 30% peaked over 1 Gbps


Average Attack Peak Size: 0.8 Gbps, a 70% decrease in average peak attack size compared to Q2 2017

Figure 2: Average Peak Attack Size by Quarter from Q4 2015 to Q3 2017

Quarter    Average peak attack size (Gbps)
2015-Q4    6.9
2016-Q1    19.4
2016-Q2    17.4
2016-Q3    12.8
2016-Q4    11.2
2017-Q1    14.1
2017-Q2    2.7
2017-Q3    0.8


Multi-Vector DDoS Attacks Remain the Norm

Eighty-eight percent of DDoS attacks mitigated by Verisign in Q3 2017 employed multiple attack types. Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Today’s DDoS attacks require continuous monitoring to more efficiently tailor mitigation strategies.

88% of DDoS attacks in Q3 2017 utilized at least two different attack types.

Figure 3: Number of Attack Types per DDoS Event in Q3 2017 (categories: 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types; chart values: 35%, 12%, 18%, 6%, 29%)


Types of DDoS Attacks

UDP flood attacks dominated in Q3 2017, accounting for 56 percent of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), Character Generator Protocol (CHARGEN) and Simple Network Management Protocol (SNMP) reflective amplification attacks.

Figure 4: Types of DDoS Attacks in Q3 2017 (categories: IP Fragment Attacks, TCP Based, UDP Based; chart values: 27%, 17%, 56%; 56% of attacks were UDP floods)


Largest Volumetric Attack and Highest Intensity Flood Attack

The largest volumetric DDoS attack observed by Verisign in Q3 2017 was a multi-vector attack that peaked at approximately 2.5 Gbps and around 1 Mpps for one hour. The attack consisted of a wide range of attack vectors including TCP SYN and TCP RST floods; DNS, ICMP and Chargen amplification attacks; and invalid packets. The different attack vectors required continuous monitoring and changing of countermeasures to effectively mitigate.

The highest intensity packet flood in the quarter, consisting of TCP SYN and UDP floods mixed with invalid packets, peaked at approximately 2.3 Mpps and around 1 Gbps. That attack lasted approximately two and a half hours.


Mitigations on Behalf of Verisign Customers by Industry for Q3 2017**

IT Services/Cloud/SaaS: 45% of mitigations
Media and Entertainment/Content: 15% of mitigations
Energy: 15% of mitigations
Financial: 20% of mitigations
E-Commerce and Online Advertising: 5% of mitigations

Average attack size values: .76 Gbps, 1.38 Gbps, .52 Gbps, .63 Gbps, .61 Gbps

Figure 5: Peak DDoS Attack Size by Industry from Q4 2016 to Q3 2017 (Gbps, by quarter: Q4 2016, Q1 2017, Q2 2017, Q3 2017; industries: Financial, Media & Entertainment, E-Commerce/Online, IT Services/Cloud/SaaS, Telecommunications & Other, Public Sector)


1 2016 Ponemon Institute Cost of a Data Breach Study, https://securityintelligence.com/media/2016-cost-data-breach-study/, retrieved Oct. 2, 2017

FEATURE ARTICLE

COMPREHENSIVE NETWORK PROTECTION – INBOUND AND OUTBOUND

Verisign DDoS Trends Reports throughout 2017 have reported a decline in the size and number of DDoS attacks. This trend does not necessarily mean, however, that DDoS attacks are going away or that companies should be complacent. Now is a good time for organizations to review all aspects of their network and application security solutions to protect themselves against DDoS attacks or future security threats.

According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average consolidated cost of a data breach is $4 million.1 Organizations usually have a strategy in place to deal with DDoS attacks hitting their network and applications, but what happens if an internal user on their own network pulls in malware via an inadvertent outbound request?

Today’s One-Way View – Inbound Only

Cloud-based DDoS protection services focus on monitoring inbound internet traffic to a customer’s critical IP network. The technology typically uses signature analysis, misuse detection and dynamic profiling. Signature analysis and misuse detection look for deviations that may indicate a DDoS attack. Dynamic profiling establishes normal traffic patterns and identifies deviations, which then trigger alerts for further investigation. For example, traffic levels reaching or exceeding predefined thresholds could indicate a DDoS attack. So, when a wave of volumetric or malformed traffic hits the customer’s network, an alert is raised for investigation.

DDoS monitoring solutions only provide visibility into the inbound traffic. What about outbound traffic sent from your network? While variations in outbound traffic patterns can happen for many reasons, they can also indicate that compromised endpoints are participating in a botnet, exfiltrating data or being used for other malicious purposes. How do organizations know if an internal user is participating in a botnet or communicating with a command-and-control server or other malware? How do they know if data is being exfiltrated? Monitoring outbound DNS traffic can help.


How to Monitor Outbound Traffic

Gaining visibility into outbound DNS requests can be challenging. Firewall administrators tend not to look at DNS request logs due to the volume, but knowing what is sent out on your network is the first step to preventing communication with malicious endpoints.
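An added example (not part of the Verisign report): dynamic profiling, as described in the inbound section, applied to outbound DNS request logs so that volume is reduced to a per-client baseline and its deviations. The log format (`epoch_seconds client_ip qname`), the one-minute window, the mean + 3 standard deviations threshold with a floor of 5, and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def parse(line):
    """Parse one 'epoch_seconds client_ip qname' record (assumed log format)."""
    ts, client, qname = line.split()
    return int(ts), client, qname.lower().rstrip(".")

def profile(lines, window=60):
    """Map client -> window index -> set of distinct names queried."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, client, qname = parse(line)
        buckets[client][ts // window].add(qname)
    return buckets

def deviations(lines, window=60, k=3.0, floor=5):
    """Flag clients whose distinct-name count in the latest window exceeds
    their own baseline (mean + k * stddev of earlier windows, at least floor)."""
    buckets = profile(lines, window)
    windows = [w for per in buckets.values() for w in per]
    first, latest = min(windows), max(windows)
    alerts = []
    for client, per in buckets.items():
        history = [len(per.get(w, ())) for w in range(first, latest)]
        if not history:
            continue  # no earlier window to build a baseline from
        threshold = max(floor, mean(history) + k * pstdev(history))
        current = len(per.get(latest, ()))
        if current > threshold:
            alerts.append((client, current, threshold))
    return sorted(alerts)

def sample_log():
    """Constructed sample: two clients with steady lookups for four minutes;
    10.0.0.9 also queries 20 unique names under one domain in the last minute."""
    lines = []
    for w in range(4):
        for client in ("10.0.0.5", "10.0.0.9"):
            lines.append(f"{w * 60 + 1} {client} www.example.com")
            lines.append(f"{w * 60 + 2} {client} mail.example.net")
    lines += [f"{190 + i} 10.0.0.9 h{i:02d}.example.org" for i in range(20)]
    return lines

if __name__ == "__main__":
    for client, count, limit in deviations(sample_log()):
        print(f"ALERT {client}: {count} distinct names, baseline limit {limit}")
```

A burst of never-before-seen names from one host is only a trigger for investigation; software updates and CDN lookups produce similar spikes, so the floor and `k` need tuning against real traffic.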

Deploying security technology such as a DNS firewall, email filtering and other security solutions, and keeping them up to date, is a good place to start. No technology offers 100 percent network protection; organizations need to implement a layered approach to security that includes both technology and user education.

As attackers grow increasingly adept at creating “smarter” malware to circumvent individual protections, it becomes more important to layer these and other security controls, including measures at the DNS level. For more information, read our white paper, Framework for Resilient DNS Security.

Verisign’s Security Services offer cloud-based DDoS protection and DNS solutions to protect your organization’s online services from today’s security threats. To learn more about Verisign Security Services, visit https://www.verisign.com/en_US/security-services/index.xhtml.

TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.

About Verisign

Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet’s root servers, as well as performs the root zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com.

*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in “AS IS” condition. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.

** The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Service customer base.


Verisign Public VRSN_DDoS_TR_Q3-17_Axians_201712

Verisign.com

© 2017 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.