VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 1 – 1ST QUARTER 2017 Complimentary report supplied by


CONTENTS

EXECUTIVE SUMMARY

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2017
  DDoS Attacks Remain Unpredictable and Persistent
  Multi-Vector DDoS Attacks are the Norm
  Largest Volumetric Attack and Highest Intensity Flood
  Attacks Against Financial Sector Increase

FEATURE ARTICLE
  The Best of Both Worlds: Combining Technology and the Human Element to Mitigate DDoS Attacks

EXECUTIVE SUMMARY

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from Jan. 1, 2017 through March 31, 2017 (Q1 2017). It represents a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q1 2017.

Verisign observed the following key trends in Q1 2017:

Number of Attacks: 23% decrease compared to Q4 2016

Peak Attack Size: Volume 121 Gigabits per second (Gbps); Speed 90 Million packets per second (Mpps)

Average Peak Attack Size: 14.1 Gbps, a 26% increase compared to Q4 2016; 23% of attacks over 10 Gbps and 36% of attacks over 5 Gbps

Most Common Attacks Mitigated: 46% of attacks were User Datagram Protocol (UDP) floods; 57% of attacks employed multiple attack types

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2017

DDoS Attacks Remain Unpredictable and Persistent

Verisign saw a 23 percent decrease in the number of attacks in Q1 2017; however, the average peak attack size increased 26 percent compared to the previous quarter. Attackers also launched sustained and repeated attacks against their targets. In fact, Verisign observed that almost 50 percent of customers who experienced DDoS attacks in Q1 2017 were targeted multiple times during the quarter.

In Q1 2017, Verisign observed that DDoS attacks remain unpredictable and persistent, and vary widely in terms of volume, speed and complexity. To combat these attacks, it is becoming increasingly important to constantly monitor attacks for changes in order to optimize the mitigation strategy.

Figure 1: Mitigation Peaks by Quarter from Q2 2015 to Q1 2017 (percent of attacks per quarter in each peak size category: >10 Gbps, >5<10 Gbps, >1<5 Gbps, <1 Gbps)

Attack Size: 59% peaked over 1 Gbps; 36% peaked over 5 Gbps

Every quarter since the first quarter of 2016 has had average attack peak sizes of over 10 Gbps.

Figure 2: Average Attack Peak Size by Quarter from Q2 2015 to Q1 2017 (Gbps)

2015-Q2, 2015-Q3, 2015-Q4: 6.9, 5.5, 7.0
2016-Q1: 19.4
2016-Q2: 17.4
2016-Q3: 12.8
2016-Q4: 11.2
2017-Q1: 14.1

Average Attack Peak Size: 14.1 Gbps, a 26% increase in average peak attack size compared to Q4 2016.

Overall, average peak attack sizes have been noticeably larger since Q1 2016.

Multi-Vector DDoS Attacks are the Norm

Fifty-seven percent of DDoS attacks mitigated by Verisign in Q1 2017 employed multiple attack types. Verisign observed DDoS attacks targeting victim networks at multiple network layers and attack types changing over the course of DDoS events, thus requiring continuous monitoring to optimize the mitigation strategy.

57% of DDoS attacks in Q1 2017 utilized at least two different attack types.

Figure 3: Number of Attack Types per DDoS Event in Q1 2017 (categories: 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types; chart values: 26%, 43%, 17%, 8%, 6%)

Chart segments: UDP Based 46%; TCP Based 33%; IP Fragment Attacks, Layer 7 and Other: 13%, 4%, 4%

Types of DDoS Attacks

UDP flood attacks continue to lead in Q1 2017, making up 46 percent of total attacks in the quarter. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) and Simple Service Discovery Protocol (SSDP) reflection attacks.

While UDP-based attacks continued to dominate the types of attacks deployed, the number of TCP-based attacks increased. TCP floods, largely consisting of TCP SYN and TCP RST floods, were the second most common attack vector, making up 33 percent of attack types in the quarter.
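As an added illustration (not part of the Verisign report), the sketch below shows how a monitoring team might bucket flagged inbound flow records into the report's attack categories and tell whether an event is multi-vector. The record fields (`event`, `proto`, `sport`, `flags`, `frag`, `packets`), the source-port heuristic for reflection traffic, and the 5 percent share threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Well-known UDP source ports of the reflection services the report names.
REFLECTION_PORTS = {53: "DNS reflection", 123: "NTP reflection", 1900: "SSDP reflection"}

def classify(flow):
    """Map one flagged inbound flow record to a (category, vector) pair."""
    if flow.get("frag"):                  # fragment records: no usable L4 header
        return ("IP Fragment", "IP fragments")
    if flow["proto"] == "udp":
        return ("UDP Based", REFLECTION_PORTS.get(flow["sport"], "generic UDP flood"))
    if flow["proto"] == "tcp":
        flags = flow.get("flags", "")
        if flags == "S":                  # SYN only, handshake never completed
            return ("TCP Based", "TCP SYN flood")
        if "R" in flags:
            return ("TCP Based", "TCP RST flood")
        return ("TCP Based", "other TCP")
    return ("Other", flow["proto"])

def summarize(flows, min_share=0.05):
    """Per event: packet share of each vector at or above min_share."""
    per_event = defaultdict(Counter)
    for f in flows:
        per_event[f["event"]][classify(f)] += f["packets"]
    report = {}
    for event, counts in per_event.items():
        total = sum(counts.values())
        vectors = {k: round(v / total, 2) for k, v in counts.items()
                   if v / total >= min_share}
        report[event] = {"vectors": vectors, "multi_vector": len(vectors) > 1}
    return report

# Constructed sample records (hypothetical event names and counts).
SAMPLE_FLOWS = [
    {"event": "evt-1", "proto": "udp", "sport": 53, "packets": 6000},
    {"event": "evt-1", "proto": "udp", "sport": 123, "packets": 3000},
    {"event": "evt-1", "proto": "udp", "sport": 0, "frag": True, "packets": 1000},
    {"event": "evt-2", "proto": "tcp", "sport": 40211, "flags": "S", "packets": 9800},
    {"event": "evt-2", "proto": "tcp", "sport": 40212, "flags": "SA", "packets": 200},
]

if __name__ == "__main__":
    for event, info in summarize(SAMPLE_FLOWS).items():
        print(event, info)
```

Re-running the summary on each new sampling window shows when the vector mix of an event changes, which is the continuous monitoring the report calls for.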

46% of attacks were UDP floods.

Figure 4: Types of DDoS Attacks in Q1 2017

Largest Volumetric Attack and Highest Intensity Flood

The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Mpps. This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack.

At approximately 90 Mpps, the speed of the attack was the fastest pps rate observed in Q1 2017. SYN flood attacks at such high pps rates can be disruptive and require a highly scalable cloud-based service that can quickly and effectively defend against such attacks.

Attacks Against Financial Sector Increase

The financial sector continues to be a constant target for DDoS attacks. In Q1 2017, Verisign’s financial sector customers experienced the second highest number of DDoS attacks (28 percent) of any industry sector within Verisign’s customer base (a large increase from only 7 percent during the prior quarter). IT Services/Cloud remained the sector with the largest number of DDoS attacks in Q1 2017.

Mitigations on behalf of Verisign Customers by Industry for Q1 2017 [1]

IT Services/Cloud/SaaS: 58% of mitigations
Financial: 28% of mitigations
Media and Entertainment/Content: 6% of mitigations
E-Commerce and Online Advertising: 4% of mitigations
Public Sector: 2% of mitigations
Telecommunications and Other: 2% of mitigations

Average attack size values shown in the graphic: 22.5 Gbps, 31.9 Gbps, 32.6 Gbps, .63 Gbps, 1.7 Gbps, .51 Gbps

[1] The attacks reported by industry in this document are solely a reflection of the Verisign DDoS Protection Services customer base.

Figure 5: Peak DDoS Attack Size by Industry from Q2 2016 to Q1 2017 (Gbps per quarter, Q2 2016 to Q1 2017, for Financial, Media & Entertainment, E-Commerce/Online, IT Services/Cloud/SaaS, Telecommunications & Other, and Public Sector; panel title: Peak Attack Size by Industry (Q1 2017))

FEATURE ARTICLE

THE BEST OF BOTH WORLDS: COMBINING TECHNOLOGY AND THE HUMAN ELEMENT TO MITIGATE DDoS ATTACKS

In Q1 2017, Verisign observed that 57 percent of DDoS attacks against its customer base utilized multiple attack vectors. As DDoS attacks increase in complexity and size, combating them becomes more challenging. In response, organizations not only need the right technology capable of meeting this growing threat, but also the right human element. Technical staff with DDoS expertise working in tandem with technology is highly beneficial in keeping networks and infrastructures available during an attack.

The Technology

Various on-premise firewalls and dedicated DDoS appliances are intended to preemptively stop malicious traffic before it reaches your network. The appliances can be configured with countermeasures or rules to block traffic to certain ports or traffic in a non-compliant format. When configured properly, the associated malicious traffic will be effectively blocked and dropped before it reaches the intended servers. These appliances are adept at handling simple attacks such as SYN floods and UDP floods, allowing some of the processes, from detection to mitigation, to be automated. However, in order to fine tune attack countermeasures and respond to changing attack tactics, it is important to have the right people working behind the scenes to most effectively combat a wide variety of attacks.

The Human Element

Attackers are using multiple tactics and adapting them midstream to impact their designated target. For example, Verisign observed that many Layer 7 attacks are regularly mixed in with Layer 3/Layer 4 DDoS flooding attacks. Volumetric flood attacks are easier to defend against than Layer 7 DDoS attacks, which pose a different challenge because it is difficult to distinguish legitimate human traffic from bot traffic. In such cases, a highly trained DDoS team with years of experience and expertise is needed to continuously monitor and adapt a mitigation approach to effectively differentiate bot versus human traffic.

In the event of a zero-day attack, the skills and knowledge of an experienced DDoS mitigation team can really prove their value. For example, zero-day DDoS attacks can use techniques like DNS qnames, HTTP header order, and varying packet sizes in their requests. The technical team is able to work in conjunction with any implemented technology to analyze packet size, bandwidth utilization and headers to determine if additional countermeasures are necessary. The countermeasures include generating, in near real time, attack signatures to neutralize the bad traffic and minimize downtime. In comparison, on-premise appliances may need a patch or upgrade to respond to attacks that are too complex or new.

The Best of Both Worlds

Mitigating DDoS attacks is an art. There needs to be a balance between the technology and the expertise (skillset, experience and knowledge) of a technical team. Therefore, to effectively prepare for and combat DDoS threats, many organizations are selecting DDoS solutions that strike the right balance between cutting-edge technology and a proven, experienced technical team with a track record of DDoS mitigation expertise. By combining technology with the human element, organizations are getting the best of both worlds to defend against the ever-evolving DDoS threats.

TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.

About Verisign

Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet’s root servers, as well as performs the root zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com.

*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. All information in this Report is solely a reflection of the observations and insights derived from the DDoS attack mitigations enacted on behalf of, and in cooperation with, the customers of Verisign DDoS Protection Services. Verisign provides this Report for your use in “AS IS” condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.


Verisign Public VRSN_DDoS_Axians_TR_Q1-17_201705

Verisign.com

© 2017 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.