2015 DDoS Attack Trends and 2016 Outlook

Transcription

1 CDNetworks 2015 DDoS Attack Trends and 2016 Outlook 2016, January CDNetworks Security Service Team

2 Table of Contents 1. Introduction Outline DDoS attack trends DDoS attack outlook for DDoS defense technology outlook for Conclusion <Public> 2 CopyrightcCDNetworks. All Rights Reserved.

3 1. Introduction CDNetworks, a global CDN service provider offering content delivery network (CDN) services and Cloud Security services including DDoS defense and web application firewall. This report analyzes DDoS attack types and trends collected by the CDNetworks Security Service Team in the course of providing DDoS defense services to customers and uses the analysis to predict and prepare for DDoS trends in The number of parameters may be small as the report addresses customers of CDNetworks' security service, but it draws on CDNetworks' experience of providing services to global customers including from the U.S., Europe, Singapore and Japan. As such, it is expected to be useful for understanding and forecasting DDoS attack trends. 2. Outline The number of DDoS attacks increased more than 200% compared to last year and the amount of DDoS attack traffic rose as well. The use of DNS (Domain Name System) and NTP (Network Time Protocol) Amplification mostly used between 2013 and 2014 was decreased but the frequency of SSDP (Simple Service Discovery Protocol) Amplification multiplied. Moreover, DDoS attacks turning servers into becoming zombies and DDoS attacks targeting vulnerabilities in Linux servers, increased in number. In 2014, DDoS attacks mainly targeted gaming companies but in 2015, the scope widened to threaten public institutions and financial companies as well. In particular, a European hacking group, DD4BC (DDoS for Bitcoin), attacked websites and services of local banks and large brokerages between June and July and there were a number of hacktivist attacks targeting government websites in different countries. <Public> 3 CopyrightcCDNetworks. All Rights Reserved.

4 3. DDoS attack trends 3.1 Annual DDoS attacks <Figure 1> Annual DDoS attacks The number of DDoS attacks increased by 29% from 2013 to 2014, and up by 118% from 2014 to The reasons behind the increasing number of DDoS attacks are due to diverse target groups coupled with the growing number of online service users and ease of launching attacks at low cost. 3.2 Monthly DDoS attacks Jan. Feb. Mar. Apr. May Jun. Jul. Aug. Sep. Oct. Nov. Dec <Figure 2> Monthly DDoS attacks <Public> 4 CopyrightcCDNetworks. All Rights Reserved.

5 70% of DDoS attacks during 2015 took place in the second quarter (23.3%) and the third quarter (47.6%). In particular, 113 DDoS attacks (25%) occurred in June when DD4BC was active in Korea and the number of attacks drastically decreased from September. This was due to a large number of DDoS proxy service platforms and C&C (Command & Control) servers which were blocked and removed by China's special regulations on Internet threats that came into effect on August Analysis of DDoS traffic size Under 1G 1G to 5G 5G to 10G 10G to 20G Over 20G % 30.4% 6.8% 11.2% 3.7% % 28.4% 14.4% 11.5% 5.8% % 33.6% 18.8% 10.6% 10.6% <Figure 3> Analysis of DDoS traffic size As shown by the analysis of DDoS traffic size, small attacks of less than 1G most frequently occurred between 2013 and 2014, but attacks in the 1G to 5G range occurred the most in Also, the average traffic size increased from previous years to the extent that attacks of 10G or above accounted for 20% of the total DDoS attacks. This trend is attributable to an increase in DDoS attacks using the UDP (User Datagram Protocol) and amplification attacks. <Public> 5 CopyrightcCDNetworks. All Rights Reserved.

6 3.4 Analysis of DDoS types HTTP 18.1% 16.4% 28.6% Amplification 0.4% 21.1% 31.7% UDP 36.3% 32.9% 39.3% SYN 10.1% 19.4% 16.4% ICMP 5.2% 3.6% 0.4% ETC 2.1% 10.1% 7.9% 0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0% 40.0% 45.0% <Figure 4> Analysis of DDoS types The analysis shows that UDP flooding and amplification attacks increased while TCP dropped somewhat. Plus, there were only few ICMP attacks. 3.5 Frequency of amplification attacks SSDP NTP DNS Chargen % 34.4% 31.3% 1.6% % 19.1% 12.9% 3.4% <Figure 5> Frequency of amplification attacks In 2014, DNS, NTP and SSDP accounted for 30% respectively but in 2015, SSDP <Public> 6 CopyrightcCDNetworks. All Rights Reserved.

7 had the highest frequency, taking up to 64% of the total amplification attacks. There were also frequent attacks combining DNS, NTP and SSDP to generate a large amount of traffic as the number of exploitable reflectors decreased with DNS and NTP server patches. Moreover, this combined attack is a growing trend because of a DDoS proxy service Booter which makes it easy to generate all three types of attacks. 6.5% 37.3% Under 1G 30.7% 1G to 5G 5G to 10G Over 10G 25.5% <Figure 6> Distribution of traffic from amplification attacks in 2015 Attacks with traffic less than 1G occupied the smallest share of 6.5% and attacks of over 10G had the largest share of 37%. The average amount of traffic from amplification attacks in 2015 was 10.7 Gbp. <Public> 7 CopyrightcCDNetworks. All Rights Reserved.

8 4. DDoS attack outlook for Increase in average DDoS attack traffic (Unit: Mbps) <Figure 7> Annual average DDoS attack traffic The average amount of attack traffic is increasing with the growing number of amplification attacks and UDP-based attacks. In 2016, like last year, DDoS attacks between 10G and 50G are expected to increase in number. 4.2 Amplification attack trends Above all, NTP / DNS amplification attacks are expected to subside while combined attacks rather than single-type attacks increase. (For example, SSDP amplification + DNS amplification) The reasons are that many systems are being patched at the moment and the amount of traffic exploitable for attacks is decreasing. In order to generate highbandwidth traffic, there is no alternative but to launch combined attacks. SSDP amplification attacks that were most common in 2015 are expected to occupy a large share in 2016 as well. The number of devices connected to networks is increasing with the wide use of IoT (Internet of Things, and as IoT devices are often out of an administrator's reach, it is highly likely to be exploited for DDoS attacks. According to Gartner, the number of IoT devices was a mere 0.9 billion but is projected to escalate up to 26 billion by the year DDoS attacks using devices are therefore expected to continue for some time. <Public> 8 CopyrightcCDNetworks. All Rights Reserved.

9 Furthermore, SNMP (Simple Network Management Protocol), CharGen (Character Generator), QOTD (Quote Of The Day) and RIP (Routing Information Protocol) amplification attacks will continue to increase in number. 4.3 Increase in attacks using Booter Booter, also known as a DDoS attack proxy service or IP stresser, is spreading rapidly. It is a kind of DDoS as a Service, providing tools and zombies for attack at a low cost. This Booter became known to the world after DD4BC used it to attack the financial world between June and July of Attackers used to distribute malicious programs through many different channels, such as P2P and Torrent, infect PCs and use them to make an attack but with Booter, they can now launch a massive attack at small cost up to few tends of thousand KRW, Plus, attackers use Booter because it accepts bitcoin and it ensures that they can maintain anonymity. Booter enables a variety of attacks including amplification attacks, GET, SYN, XML-RPC and Slowloris. <Figure 8> A type of attack provided by booter.xyz 4.4 Increase in GET Flooding using cloud computing services The wide use of cloud computing services led to attacks using VM (Virtual Machine). <Public> 9 CopyrightcCDNetworks. All Rights Reserved.

10 As mentioned in the 2014 DDoS Attack Trends and Outlook for 2015 published in February 2015, DDoS attacks exploiting cloud computing services will continue for some time. DDoS attackers need to enable a large number of zombie PCs and botnets for effective attack, but it is not easy to infect many PCs and, furthermore, zombies become useless when users turn off PCs or install a vaccine. Attacks using the cloud have two advantages: 1 Easy to generate zombies In a cloud service, it is easy to use a range of IP addresses and as many VMs as they want within seconds upon the making of payments. It means that they do not need to go through the troublesome procedure of infecting the client using malicious code to create zombies. 2 Use zombies optimized for attack Attackers can efficiently generate a great deal of low-spec VMs optimized for attack at low cost. They can also choose the location that is ideal for their attack using cloud providers distributed around the world. Every type of attack with high performance and high-bandwidth resources is available, but GET or POST Flooding is expected to be the choice of attackers because, in general, cloud services make a charge based on the amount of VM, bandwidth and resources used. <Figure 9> Example of defense against DDoS attack using the cloud - dashboard <Public> 10 CopyrightcCDNetworks. All Rights Reserved.

11 The figure above is a dashboard that shows how CDNetworks Cloud Security Service addressed a cloud-based GET Flooding attack using WAF (Web Application Firewall) Javascript on December 11, As shown in the figure, most of the attacks were generated from Hosting Service (Cloud Service) IPs in a specific region. 5. DDoS defense technology outlook for Advancement of slow attack mitigation technology Slow attack is a type of attack that depletes system resources by sending GET or POST requests at a very slow rate. In the past, up to 100 GET requests were sent per minute but the number of requests per minute reduced down to three and over 100,000 attacker IP addresses make it impossible to tell the difference between normal connections and abnormal connections. In other words, it is unable to deal with this attack using the conventional threshold method. In order to deal with such a slow attack, companies use Set Cookie. <Figure 10> Defense mechanism using Set Cookie <Public> 11 CopyrightcCDNetworks. All Rights Reserved.

12 Set Cookie is a technology that allows a server to issue cookie for client requests to help identify bots and browsers. But as more and more bots recognize cookies, a technology using advanced Javascript is required to distinguish between bots and browsers. <Figure 11> Capabilities of DDoS Bots, Source: Incapsula According to the security service provider, Incapsula, about 30% of bots can recognize cookies and 0.8% can execute Javascript, meaning that the use of cookies can block 70 IP addresses and with Javascript, up to 99.2 IP addresses can be blocked in case of an attack using 100 zombies. As such, solutions using Javascript to block DDoS attacks as well as bots, and web firewall solutions combining Javascript and WAF signatures set a new trend in the security solution market. <Figure 12> CDNetworks Cloud Security WAF defense architecture <Public> 12 CopyrightcCDNetworks. All Rights Reserved.

13 5.2 Cloud based DDoS defense center The growing power of DDoS attack leads to the growth of DDoS defense center. CDNetworks is building a global DDoS defense center to ensure prompt service when facing an attack. <Figure 13> CDNetworks global DDoS defense center The following are required in responding to recent high-bandwidth amplification attacks: Inbound traffic control Handling of over 50G inbound traffic Eliminating the exposure of the origin IP Global DDoS defense center not only ensures the above, but also provides many benefits: Hide the origin IP to maintain security High-bandwidth service is capable of handling amplification attacks GSLB not only distributes attacks, but also relocates users to the nearest cache server to ensure rapid communication <Public> 13 CopyrightcCDNetworks. All Rights Reserved.

14 6. Conclusion DD4BC has swept the world and the attack that it launched in Korea was an SSDP amplification attack with traffic as small as 15G. However, the attack brought down numerous services and companies could not cope with it until it stopped. That is because their service structure was not flexible enough. Most companies have a network line with the bandwidth of 1G or 10G due to the high cost of traffic and use adequate inline network equipment, but no matter how advanced their equipment, they cannot deliver services in case of an attack with traffic higher than their network bandwidth. <Figure 14> DDoS defense mechanism using the cloud Moreover, DNS and web servers are always exposed to the public and it means that a level of scalability enough to migrate into a bigger network is required in order to secure services against the recent DDoS attacks. <Public> 14 CopyrightcCDNetworks. All Rights Reserved.

15 About CDNetworks CDNetworks is a global content delivery network (CDN) with fully integrated Cloud Security DDoS protection and web application firewall. Our mission is to transform the Internet into a secure, reliable, scalable, and high-performing Application Delivery Network. CDNetworks accelerates more than 40,000 websites and cloud services over a network of 200 global PoPs in established and emerging markets including China and Russia. We have been serving enterprise customers for 15 years across industries such as gaming, finance, ecommerce, high tech, manufacturing, and media. CDNetworks offices are located in the U.S., UK, South Korea, China, Japan, and Singapore. For more information, please visit: Website: Copyright Statement Copyright CDNetworks. All Rights Reserved. Copyright in this document is owned by CDNetworks, and you may not reproduce or distribute this document without the prior permission of CDNetworks. Information in this document is subject to change without notice. Global Offices US 1919 S. Bascom Avenue, Ste. 600, Campbell, CA EMEA 85 Gresham Street, London EC2V 7NQ Korea 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul Japan Nittochi Nishi-shinjuku Building, 8th Floor, Nishishinjuku, Shinjuku-ku, Tokyo China F15-05 Tower B, Greenland Center, Science and Technology Business Area, Wangjing, Chaoyang District, Beijing, China, Tower A, High-Tech Bldg.900 Yishan Rd. Xuhui District, Shanghai, China Singapore 51 Cuppage Road, #06-07, Singapore <Public> 15 CopyrightcCDNetworks. All Rights Reserved.